1. 20 Mar, 2013 1 commit
    • Bug#16394084: LOOSE INDEX SCAN WITH QUOTED INT PREDICATE · 30e2a543
      Jorgen Loland authored
                    RETURNS RANDOM DATA
                       
      MySQL 5.5 specific version of bugfix.
            
      When Loose Index Scan Range access is used, MySQL execution needs
      to copy non-aggregated fields. end_send() checked if this was
      necessary by checking if join_tab->select->quick had type
      QS_TYPE_GROUP_MIN_MAX.
            
      In this bug, however, MySQL created a sort index to sort the rows
      read from this range access method. create_sort_index() deletes
      join_tab->select->quick which makes it impossible to inquire
      the join_tab if LIS has been used.
            
      The fix for MySQL 5.5 is to introduce a variable in JOIN_TAB
      that stores whether or not LIS has been used. There is no need
      for this variable in later MySQL versions because the relevant
      code has been refactored.
  2. 19 Mar, 2013 5 commits
  3. 18 Mar, 2013 1 commit
    • Fix Bug#16400412 UNNECESSARY DICT_UPDATE_STATISTICS DURING CONCURRENT · 57059380
      Vasil Dimov authored
      UPDATES
      
      After checking that the table has changed too much in
      row_update_statistics_if_needed() and calling dict_update_statistics(),
      also check if the same condition holds after acquiring the table stats
      latch. This is to avoid multiple threads concurrently entering and
      executing the stats update code.
      
      Approved by:	Marko (rb:2186)
  4. 19 Mar, 2013 2 commits
  5. 18 Mar, 2013 5 commits
    • merge from mysql-5.1 to mysql-5.5 · f52aa927
      Sujatha Sivakumar authored
    • Bug#14771299 OUT-OF-BOUND READS WRITE IN MYSQLBINLOG · b95d5cda
      Sujatha Sivakumar authored
      Problem:
      =======
      Found using AddressSanitizer testing.
      
      The mysqlbinlog utility may result in out-of-bound heap
      buffer reads and thus, undefined behaviour, when processing
      RBR events in the old (pre-5.1 GA) format.
      
      The following code in process_event() would only be correct
      if Rows_log_event was the base class for
      Write,Update,Delete_rows_log_event_old classes:
      
          case PRE_GA_WRITE_ROWS_EVENT:
          case PRE_GA_DELETE_ROWS_EVENT:
          case PRE_GA_UPDATE_ROWS_EVENT:
      ...
              Rows_log_event *e= (Rows_log_event*) ev;
              Table_map_log_event *ignored_map=
                print_event_info->m_table_map_ignored.get_table(e->get_table_id());
      ...
              if (e->get_flags(Rows_log_event::STMT_END_F))
              {
      ...
              }
      
      However, Rows_log_event is only the base class for the
      Write,Update_Delete_rows_event family of classes, but not
      for their *_old counterparts. So the above typecasts are
      incorrect for the old-format RBR events and may result (and
      do result according to AddressSanitizer reports) in reading
      memory outside of the previously allocated on heap buffer.
      
      Fix:
      ===
      The above mentioned invalid type cast has been replaced with
      appropriate old counterpart.
      
      Note: The above mentioned issue is present only in mysql-5.1 and
      5.5. This is fixed in mysql-5.6 and above as part of 
      Bug#55790. Hence few of the relevant changes of Bug#55790 are
      being back ported to fix the current issue.
      
      client/mysqlbinlog.cc:
        The above mentioned invalid type cast of using new event
        object to read old events, has been replaced with
        appropriate old counterpart.
        
        Note: The above mentioned issue is present only in mysql-5.1 and
        5.5. This is fixed in mysql-5.6 and above as part of 
        Bug#55790. Hence few of the relevant changes of Bug#55790 are
        being back ported to fix the current issue.
    • Bug #16076289 : BACKPORT FIX FOR BUG #14786792 TO 5.5 · 13fdee19
      Neeraj Bisht authored

      Backport the changes for bug#14786792 which is a regression
      of the fix for bug#11761854. So backported both changes.
    • Nirbhay Choubey's avatar
      6d6af547
    • Bug#14685362 : MEMORY LEAKS IN MYSQL CLIENT IN · a6adbd05
      Nirbhay Choubey authored
        INTERACTIVE MODE
      
      In interactive mode, libedit/readline allocates memory
      for every new line entered & later the allocated memory
      never gets freed.
      
      Fixed by freeing the allocated memory blocks appropriately.
  6. 15 Mar, 2013 2 commits
  7. 14 Mar, 2013 3 commits
    • Bug#16359402 CRASH WITH AGGREGATES: ASSERTION FAILED: N < M_SIZE · c70ea724
      Tor Didriksen authored
      We need to take 'n_sum_items' into the calculation
      when allocating the ref_ptr_array.
      
      
    • 5.1 -> 5.5 merge · 662feebc
      Sergey Glukhov authored
    • Bug#16075310 SERVER CRASH OR VALGRIND ERRORS IN ITEM_FUNC_GROUP_CONCAT::SETUP AND ::ADD · 6077a41a
      Sergey Glukhov authored
      Item_func_group_concat::copy_or_same() creates a copy of original object.
      It also creates a copy of ORDER structure because ORDER struct elements may
      be modified in find_order_in_list() called from Item_func_group_concat::setup().
      As ORDER copy is created using memcpy, ORDER::next elements point to original
      ORDER structs. Thus find_order_in_list() called from EXECUTE stmt modifies
      ordinal ORDER item pointers so they point to runtime items, these items are
      freed after execution, so original ORDER structure becomes invalid.
      The fix is to properly update ORDER::next fields so that they point to
      new ORDER elements.
      
      
      
      sql/item_sum.cc:
        update ORDER::next fields so that they point to new ORDER elements.
  8. 13 Mar, 2013 5 commits
  9. 12 Mar, 2013 6 commits
    • BUG#14593883-REPLICATION BREAKS WHEN SET DATA TYPE · 3883559d
      Venkatesh Duggirala authored
      COLUMNS ARE USED INSIDE A STORED PROCEDURE

      Problem: When 'SET' type columns are used in a DML
      inside a stored procedure and a NULL value is passed
      to that column, replication is breaking.

      Analysis: All stored procedure variables used inside
      a DML will be substituted with NAME_CONST functions.
      While NAME_CONST are used in this particular scenario,
      i.e., when NULL value is passed then charset is copied
      from 'empty_set_string' member of Field_set class.
      The operator '=' overload method inside 'String' class
      is not copying str_charset from R.H.S object to L.H.S object.
      Hence charset is wrongly copied in the string assignment

      Fix: Handle copying str_charset member in operator '=' overload
      method.

      sql/sql_string.h:
        Handled copying str_charset member in operator '=' overload
        method.
    • BUG#14593883-REPLICATION BREAKS WHEN SET DATA TYPE · 8a49d7a8
      Venkatesh Duggirala authored
      COLUMNS ARE USED INSIDE A STORED PROCEDURE

      Problem: The operator '=' overload method inside
      'String' class is not copying str_charset member from
      R.H.S object to L.H.S object. Hence charset is wrongly
      set while using string assignments

      Analysis: The above mentioned problem is
      identified while doing the analysis of bug#14593883.
      Though the test scenario mentioned in the bug page
      is not an issue in mysql-5.1 code, the actual root cause
      i.e., "str_charset member is not copied" exists in the
      mysql-5.1 code base.

      Fix: Handle copying str_charset member in operator '=' overload
      method.

      sql/sql_string.h:
        Handled copying str_charset member in operator '=' overload
        method.
    • Bug#16409715 ASSERT SYNC_THREAD_LEVELS_G(ARRAY, LEVEL - 1, TRUE), · d910c5ac
      Marko Mäkelä authored
      IBUF, FREE SPACE MANAGEMENT
      
      ibuf_merge_or_delete_for_page(): Declare the user index page latched
      for UNIV_SYNC_DEBUG after opening the change buffer cursor. This
      should avoid the bogus latching order violation.
      
      ibuf_delete_rec(): Add assertions to the callers, checking that the
      mini-transaction was committed when the function returned TRUE. This
      is a non-functional change, just clarifying the code.
      
      rb#2136 approved by Kevin Lewis
    • Merge mysql-5.1 to mysql-5.5. · b5f4385e
      Marko Mäkelä authored
    • Bug#16463505 PESSIMISTIC PAGE_ZIP_AVAILABLE() MAY CAUSE INFINITE PAGE SPLIT · daa28126
      Marko Mäkelä authored
      For a fresh insert, page_zip_available() was counting some fields twice.
      In the worst case, the compressed page size grows by PAGE_ZIP_DIR_SLOT_SIZE
      plus the size of the record that is being inserted. The size of the record
      already includes the fields that will be stored in the uncompressed portion
      of the compressed page.
      
      page_zip_get_trailer_len(): Remove the output parameter entry_size,
      because no caller is interested in it.
      
      page_zip_max_ins_size(), page_zip_available(): Assume that the page grows
      by PAGE_ZIP_DIR_SLOT_SIZE and the record size (which includes the fields
      that would be stored in the uncompressed portion of the page).
      
      rb#2169 approved by Sunny Bains
    • No commit message · 893a97e4
      unknown authored
  10. 11 Mar, 2013 2 commits
    • Bug#11766815 INVALID SYSTEM CHECK TIME_T_UNSIGNED · 8b50ce72
      Tor Didriksen authored
      The check for unsigned time_t failed, on all platforms, due to missing #include.
      
      from CMakeFiles/CMakeError.log
      with this patch: error: size of array array is negative
      without this patch: error: time_t undeclared (first use in this function)
    • No commit message · e4b15e92
      unknown authored
  11. 08 Mar, 2013 1 commit
  12. 07 Mar, 2013 1 commit
    • BUG#16069598 - SERVER CRASH BY NULL POINTER DEREFERENCING IN · b6b3d6e2
      Aditya A authored
                     MEM_HEAP_CREATE_BLOCK() 
      
      PROBLEM
      -------
      
      If we start mysqld with the option --innodb_log_buffer_size=50GB,
      then the mem_area_alloc() function fails to allocate memory and returns
      NULL. In the debug version we assert at this point, but there is no check in
      the release version and we get a segmentation fault.
      
      FIX
      ---
      Added a log message saying that we are unable to allocate memory.
      After this message we assert.
      
      [Approved by Kevin http://rb.no.oracle.com/rb/r/2065 ]
  13. 05 Mar, 2013 1 commit
  14. 01 Mar, 2013 1 commit
  15. 07 Mar, 2013 1 commit
    • Bug#16169063: SECURITY CONCERN BECAUSE OF INSUFFICIENT LOGGING · b29fb8c4
      Ashish Agarwal authored
      PROBLEM: If multiple statements are sent by a single
               request then only the last statement was
               getting logged. An attacker can bypass the
               audit log just by sending two consecutive
               statements in one request.
      
      SOLUTION: Each statement from a single request is
                logged.
  16. 06 Mar, 2013 2 commits
    • Bug #16133801 UNEXPLAINABLE INNODB UNIQUE INDEX LOCKS ON DELETE + · 775dbed9
      Annamalai Gurusami authored
      INSERT WITH SAME VALUES
      
      Problem:
      
      When a transaction is in READ COMMITTED isolation level, gap locks are still
      taken in the secondary index, when row is inserted.  This happens when the
      secondary index is scanned for duplicate.  
      
      The function row_ins_scan_sec_index_for_duplicate() always calls the 
      function row_ins_set_shared_rec_lock() with LOCK_ORDINARY irrespective of
      the transaction isolation level.
      
      Solution:
      
      The function row_ins_scan_sec_index_for_duplicate() calls the 
      function row_ins_set_shared_rec_lock() with LOCK_ORDINARY or 
      LOCK_REC_NOT_GAP based on the transaction isolation level.
      
      rb://2035 approved by Krunal and Marko
      
    • NULL Merge for release 5.1.69 · 09f18a7d
      unknown authored
  17. 05 Mar, 2013 1 commit