Nasty Regression Bug Seems Fixed in 5.5.18

For those who saw my previous post about the crashing (regression) bug with SELECT COUNT(DISTINCT) on InnoDB with Primary Key (PK), you’ll be interested to know my test case does not crash in 5.5.18 (which was just released).

I’ve only tested my test case thus far, but it seems fine.

Unfortunately, the fix is not mentioned in the 5.5.18 changelogs though.

And there is no mention (yet, anyway) of a fix in the bug report I filed (though it was designated a ‘duplicate’, so it wouldn’t necessarily be updated).

I’m trying to get confirmation from the MySQL Dev Team on this (via the bug report), and will update this post if/when I hear anything.

I’ll also perform some of the other tests on my end to see if they all pass as well.

All in all, at least the initial results look very promising! 🙂

MySQL SSL Users: BEWARE This Bug

If you’re using MySQL and SSL, you might want to glance over this article and give your setup a quick test.

** Update: If you are looking for “how-to” set up SSL for MySQL (something much clearer than the MySQL manual that also exposes some hidden facts), then please see this article I’ve written here: Setting Up SSL For MySQL **

I’ve uncovered an alarming bug in 5.5 where one could gain access to your MySQL instance just knowing the username and password (not having any SSL certificate, key, etc.)!

Of course, I’ve filed a bug about it here:

It’s been over 4 days now, and not one comment from the MySQL Bug/Dev Team.

So once again, I feel the need to share this bug with the public, in case you are using SSL with 5.5, and think your connections are secure, or that only users with the certs/key could gain access.

For SSL Users, you’ll already have this set up, but for those who don’t, I’ve simply got mysqld (5.5.15 and 5.5.16 thus far) running with the following options:

ssl-ca   = "C:/Program Files/MySQL/mysql-5.5.16/certs/ca-cert.pem"
ssl-cert = "C:/Program Files/MySQL/mysql-5.5.16/certs/server-cert.pem"
ssl-key  = "C:/Program Files/MySQL/mysql-5.5.16/certs/server-key.pem"

In theory, any user connecting should either be specifying the --ssl-ca option, path, and file, or both the --ssl-cert and --ssl-key options.

However, at least in 5.5.15 and 5.5.16 (haven’t tested any others yet), one can connect with *just* the --ssl-key option.

What’s worse, and most important, is that you don’t even have to specify a file here. Just specify some bogus text!

I created 2 users, one local and one remote, using these 2 commands:

GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'ssluser' REQUIRE SSL;
GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'remote-hostname' IDENTIFIED BY 'ssluser' REQUIRE SSL;

Now, just specify “buggg” for the --ssl-key option (no path, no file, no nothing):

mysql -ussluser -pssluser -P3430 --ssl-key=buggg


The user connects as if it were using an SSL connection. All that was needed to connect to this remote host is the username and password.

Check out the output:


C:\Program Files\MySQL\mysql-5.5.16\bin>mysql -ussluser -pssluser -P3430 --ssl-key=buggg
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.5.16-log MySQL Community Server (GPL)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status
mysql  Ver 14.14 Distrib 5.5.16, for Win32 (x86)

Connection id:          11
Current database:
Current user:           ssluser@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Using delimiter:        ;
Server version:         5.5.16-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             localhost via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    cp850
Conn.  characterset:    cp850
TCP port:               3430
Uptime:                 35 min 26 sec

Threads: 1  Questions: 24  Slow queries: 0  Opens: 33  Flush tables: 1  Open tables: 0 
Queries per second avg: 0.011

Remote Host:

C:\Documents and Settings>mysql -ussluser -pssluser -h192.168.1.100 -P3430 --ssl-key=buggg
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.5.16-log MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> status
mysql  Ver 14.12 Distrib 5.0.70, for Win32 (ia32)

Connection id:          6
Current database:
Current user:           ssluser@HOST-LAPTOP
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Using delimiter:        ;
Server version:         5.5.16-log MySQL Community Server (GPL)
Protocol version:       10
Connection:    via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3430
Uptime:                 13 min 13 sec

Threads: 2  Questions: 14  Slow queries: 0  Opens: 33  Flush tables: 1  Open tables: 26  Queries per second avg: 0.017

Again, I have no idea how many versions are affected by this yet. I’ve only tested 5.5.15 and 5.5.16 (seen on both Windows and Linux, as well).

In fact, that’s all I thought I would have needed to test, as I thought MySQL would have been all over this bug. But since there’s been no word from them about it, I feel it’s my duty to let the community know about this bug until it gets fixed.

(And I even wonder if the above is secure or not. I mean, it “says” the cipher is in use, but since I didn’t specify an SSL cert or key, how can I be certain this is secure?)
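Added example (not part of the original post or of MySQL's own tooling): a small audit over SHOW GRANTS output that separates accounts whose REQUIRE clause only demands an encrypted connection, as REQUIRE SSL does in the two grants above, from accounts that must also present a client certificate (REQUIRE X509, ISSUER or SUBJECT). The 'plain' and 'certuser' accounts, the password hashes and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape SHOW GRANTS prints. The two 'ssluser'
# accounts are the ones created on this page; 'plain' and 'certuser' are
# hypothetical accounts for contrast, and the hashes are placeholders.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' "
    "IDENTIFIED BY PASSWORD '*PLACEHOLDER' REQUIRE SSL",
    "GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'remote-hostname' "
    "IDENTIFIED BY PASSWORD '*PLACEHOLDER' REQUIRE SSL",
    "GRANT SELECT ON *.* TO 'plain'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER'",
    "GRANT SELECT ON *.* TO 'certuser'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER' "
    "REQUIRE SUBJECT '/CN=REQUIRE SSL WITH care' WITH GRANT OPTION",
]

# Assumption: REQUIRE is account-wide and is printed on the global (ON *.*) line.
ACCOUNT_RE = re.compile(r"\bON\s+\*\.\*\s+TO\s+'([^']*)'@'([^']*)'", re.IGNORECASE)
QUOTED_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'")
REQUIRE_RE = re.compile(r"\bREQUIRE\b(.*?)(?=\bWITH\b|;|$)", re.IGNORECASE | re.DOTALL)


def tls_requirement(grant):
    """Classify the REQUIRE clause of one GRANT statement."""
    bare = QUOTED_RE.sub("''", grant)  # keywords inside string literals must not count
    m = REQUIRE_RE.search(bare)
    words = set(m.group(1).upper().split()) if m else set()
    if words & {"X509", "ISSUER", "SUBJECT"}:
        return "client-cert"       # the server demands a certificate from the client
    if words & {"SSL", "CIPHER"}:
        return "encrypted-only"    # SSL is mandatory, a client certificate is not
    return "none"                  # unencrypted connections are accepted


def audit(grants):
    """Return {account: level} for accounts that do not require a client certificate."""
    findings = {}
    for g in grants:
        acct = ACCOUNT_RE.search(g)
        level = tls_requirement(g)
        if acct and level != "client-cert":
            findings["'%s'@'%s'" % acct.groups()] = level
    return findings


if __name__ == "__main__":
    for account, level in sorted(audit(SAMPLE_GRANTS).items()):
        print(f"{account}: {level}")
```

An account reported as encrypted-only is one where the server asks for an SSL connection but not for a certificate from the client; REQUIRE X509 (or ISSUER/SUBJECT) is the clause that makes a client certificate mandatory.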

Nasty Regression Bug: SELECT COUNT(DISTINCT) crashes InnoDB when WHERE operand is in Primary Key or Unique Index

In 5.5, a crashing, regression bug exists if you use SELECT COUNT(DISTINCT) *and* one of the WHERE operands is in the Primary Key (or just a unique index).

** Update: This bug may be fixed in 5.5.18. At least my initial test (the test case provided below) did not crash in 5.5.18. The MySQL Dev Team has not confirmed if this has been fixed or not, nor is there any mention of a fix in the 5.5.18 changelogs, so proceed with caution.

Note this bug does *not* affect any version of MariaDB – 5.1, 5.2, or 5.3. ** (12/5/2011)

This simple crash (if only one row is in the table) will crash mysqld.

Of course I’ve filed a bug report, but that has been nearly 3 months and no updates yet.

Here is the bug I filed (which you won’t be able to view):

Really, the only thing that happened to my bug report was that it was designated a duplicate of another bug (which we also cannot view):

Based on the id, and the submitted dates of bugs 61100 and 61102, this initial bug (61101) was filed on May 9, 2011. So, in fact, this bug has been present for over 5 months, and not one breath of an update to the public!

Therefore, I felt it necessary to warn others about this bug (or possibly you’ll run across this if you’re searching on SELECT COUNT(DISTINCT) in the future).

All I can say is please watch out for it!

It is extremely easy to reproduce:

CREATE TABLE t (a int(1), b int(1), PRIMARY KEY (a,b)) ENGINE=InnoDB;

--> crash <--

For those interested, this was filed against 5.5.14. However, with each new release, I've continued testing, and this bug is present in 5.5.15, 5.5.16, and thus far in 5.5.17 (built from the latest bzr tree).

Hopefully we don't go too many more months before this is finally fixed.

And for reference (and those searching on the stack trace / error log messages), here is my full error log snippet from 5.5.16:

111017 10:54:47 [Note] C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld: ready for connections.
Version: '5.5.16'  socket: ''  port: 3308  MySQL Community Server (GPL)
 len 128; hex f8aec9037d803805f017fc03189ddc030000000…
111017 10:55:12  InnoDB: Assertion failure in thread 5000 in file btr0pcur.c line 236
InnoDB: We intentionally generate a memory trap.
InnoDB: Submit a detailed bug report to
InnoDB: If you get repeated assertion failures or crashes, even
InnoDB: immediately after the mysqld startup, there may be
InnoDB: corruption in the InnoDB tablespace. Please refer to
InnoDB: about forcing recovery.
111017 10:55:12 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 58325 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x3c98428
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
00CE92EC    mysqld.exe!btr_pcur_restore_position_func()[btr0pcur.c:236]
00CA62FB    mysqld.exe!sel_restore_position_for_mysql()[row0sel.c:3081]
00CA6CEA    mysqld.exe!row_search_for_mysql()[row0sel.c:3820]
00C5FE20    mysqld.exe!ha_innobase::general_fetch()[]
00C5FEDD    mysqld.exe!ha_innobase::index_next()[]
00C20DDA    mysqld.exe!index_next_different()[]
00C249BC    mysqld.exe!QUICK_GROUP_MIN_MAX_SELECT::next_prefix()[]
00C26BE7    mysqld.exe!QUICK_GROUP_MIN_MAX_SELECT::get_next()[]
00B68D01    mysqld.exe!rr_quick()[]
00BC1B9A    mysqld.exe!sub_select()[]
00BD10A7    mysqld.exe!do_select()[]
00BD37BD    mysqld.exe!JOIN::exec()[]
00BD3A29    mysqld.exe!mysql_select()[]
00BD3D4B    mysqld.exe!handle_select()[]
00ACD76E    mysqld.exe!execute_sqlcom_select()[]
00ACF816    mysqld.exe!mysql_execute_command()[]
00AD2D1F    mysqld.exe!mysql_parse()[]
00AD3848    mysqld.exe!dispatch_command()[]
00AD43BB    mysqld.exe!do_command()[]
00AF2DB6    mysqld.exe!do_handle_one_connection()[]
00AF2F44    mysqld.exe!handle_one_connection()[]
00C33DE4    mysqld.exe!pthread_start()[my_winthread.c:61]
00D9C6F3    mysqld.exe!_callthreadstartex()[threadex.c:348]
00D9C79B    mysqld.exe!_threadstartex()[threadex.c:326]
765F3823    kernel32.dll!BaseThreadInitThunk()
77CAA9BD    ntdll.dll!LdrInitializeThunk()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Connection ID (thread ID): 1

The manual page at contains
information that should help you find out what is causing the crash.
InnoDB: Thread 5980 stopped in file os0sync.c line 781
InnoDB: Thread 6820 stopped in file os0sync.c line 474
InnoDB: Thread 7532 stopped in file os0sync.c line 474
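
Added example (not from the original post): a triage script that scans a mysqld error log for InnoDB assertion failures and flags the ones matching the signature in the log above (btr0pcur.c line 236, reached through QUICK_GROUP_MIN_MAX_SELECT). The sample lines are copied from that log and shortened; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the 5.5.16 error log on this page,
# with the stack trace shortened to five of its frames.
SAMPLE_LOG = """\
111017 10:55:12  InnoDB: Assertion failure in thread 5000 in file btr0pcur.c line 236
InnoDB: We intentionally generate a memory trap.
111017 10:55:12 - mysqld got exception 0xc0000005 ;
00CE92EC    mysqld.exe!btr_pcur_restore_position_func()[btr0pcur.c:236]
00CA62FB    mysqld.exe!sel_restore_position_for_mysql()[row0sel.c:3081]
00CA6CEA    mysqld.exe!row_search_for_mysql()[row0sel.c:3820]
00C5FE20    mysqld.exe!ha_innobase::general_fetch()[]
00C249BC    mysqld.exe!QUICK_GROUP_MIN_MAX_SELECT::next_prefix()[]
"""

ASSERT_RE = re.compile(
    r"^(\d{6} +\d{1,2}:\d{2}:\d{2}) +InnoDB: Assertion failure in thread (\d+) "
    r"in file (\S+) line (\d+)")
FRAME_RE = re.compile(r"^[0-9A-F]{8}\s+(\S+?)!(.+?)\(\)(?:\[(.*)\])?$")


def find_assertions(log_text):
    """Return one record per InnoDB assertion, with the stack frames that follow it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # the hour may be space-padded
            current = {"time": datetime.strptime(stamp, "%y%m%d %H:%M:%S"),
                       "thread": int(m.group(2)),
                       "signature": f"{m.group(3)}:{m.group(4)}",
                       "frames": []}
            events.append(current)
            continue
        f = FRAME_RE.match(line.strip())
        if f and current is not None:
            current["frames"].append(f.group(2))  # function name only
    return events


def matches_page_crash(event):
    """True for the assertion site and optimizer path seen in this page's log."""
    return (event["signature"] == "btr0pcur.c:236"
            and any(fr.startswith("QUICK_GROUP_MIN_MAX_SELECT::")
                    for fr in event["frames"]))


if __name__ == "__main__":
    for ev in find_assertions(SAMPLE_LOG):
        print(ev["time"], ev["signature"], matches_page_crash(ev))
```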