Bug #14500557 CRASH WHEN USING LONG INNODB INDEXES

The ha_innobase table handler contained two search key buffers (srch_key_val1, srch_key_val2) of fixed size used to store the search key. The size of these buffers where fixed at REC_VERSION_56_MAX_INDEX_COL_LEN + 2. But this size is not sufficient to hold the search key. Hence the following assert in row_sel_convert_mysql_key_to_innobase() failed. 2438 /* Storing may use at most data_len bytes of buf */ 2439 2440 if (UNIV_LIKELY(!is_null)) { 2441 ut_a(buf + data_len <= original_buf + buf_len); 2442 row_mysql_store_col_in_innobase_format( 2443 dfield, buf, 2444 FALSE, /* MySQL key value format col */ 2445 key_ptr + data_offset, data_len, 2446 dict_table_is_comp(index->table)); 2447 buf += data_len; 2448 } The buffer size is now calculated with the formula MAX_KEY_LENGTH + MAX_REF_PARTS*2. This properly takes into account the extra bytes needed to store the length for each column. An index can contain a maximum of MAX_REF_PARTS columns in it, and for each column 2 bytes are needed to store length. rb://1238 approved by Marko and Vasil Dimov.

Bug #14500557 CRASH WHEN USING LONG INNODB INDEXES
The ha_innobase table handler contained two search key buffers (srch_key_val1, srch_key_val2) of fixed size used to store the search key. The size of these buffers where fixed at REC_VERSION_56_MAX_INDEX_COL_LEN + 2. But this size is not sufficient to hold the search key. Hence the following assert in row_sel_convert_mysql_key_to_innobase() failed. 2438 /* Storing may use at most data_len bytes of buf */ 2439 2440 if (UNIV_LIKELY(!is_null)) { 2441 ut_a(buf + data_len <= original_buf + buf_len); 2442 row_mysql_store_col_in_innobase_format( 2443 dfield, buf, 2444 FALSE, /* MySQL key value format col */ 2445 key_ptr + data_offset, data_len, 2446 dict_table_is_comp(index->table)); 2447 buf += data_len; 2448 } The buffer size is now calculated with the formula MAX_KEY_LENGTH + MAX_REF_PARTS*2. This properly takes into account the extra bytes needed to store the length for each column. An index can contain a maximum of MAX_REF_PARTS columns in it, and for each column 2 bytes are needed to store length. rb://1238 approved by Marko and Vasil Dimov.
dde12745 · Annamalai Gurusami · 86e3a597 · dde12745 · dde12745
Commit dde12745 authored Sep 04, 2012 by Annamalai Gurusami
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

storage/innobase/handler/ha_innodb.h storage/innobase/handler/ha_innodb.h +5 -4

storage/innobase/row/row0sel.c storage/innobase/row/row0sel.c +3 -0

No files found.
--- a/storage/innobase/handler/ha_innodb.h
+++ b/storage/innobase/handler/ha_innodb.h
@@ -80,12 +80,13 @@ class ha_innobase: public handler

 	uchar*		upd_buf;	/*!< buffer used in updates */
 	ulint		upd_buf_size;	/*!< the size of upd_buf in bytes */
-	uchar		srch_key_val1[REC_VERSION_56_MAX_INDEX_COL_LEN + 2];
-	uchar		srch_key_val2[REC_VERSION_56_MAX_INDEX_COL_LEN + 2];
+	uchar		srch_key_val1[MAX_KEY_LENGTH + MAX_REF_PARTS*2];
+	uchar		srch_key_val2[MAX_KEY_LENGTH + MAX_REF_PARTS*2];
 					/*!< buffers used in converting
 					search key values from MySQL format
-					to InnoDB format. "+ 2" for the two
-					bytes where the length is stored */
+					to InnoDB format. For each column
+					2 bytes are used to store length,
+					hence MAX_REF_PARTS*2. */
 	Table_flags	int_table_flags;
 	uint		primary_key;
 	ulong		start_of_scan;	/*!< this is set to 1 when we are

--- a/storage/innobase/row/row0sel.c
+++ b/storage/innobase/row/row0sel.c
@@ -2487,6 +2487,9 @@ row_sel_convert_mysql_key_to_innobase(
 		dfield++;
 	}

+	DBUG_EXECUTE_IF("innodb_srch_key_buffer_full",
+		ut_a(buf == (original_buf + buf_len)););
+
 	ut_a(buf <= original_buf + buf_len);

 	/* We set the length of tuple to n_fields: we assume that the memory