1. 24 Jul, 2013 1 commit
    • Guilhem Bichot's avatar
      Fix for Bug#16614004 CRASH AFTER READING FREED MEMORY AFTER DOING DDL IN STORED ROUTINE · 992a6630
      Guilhem Bichot authored
      Inside a loop in a stored procedure, we create a partitioned
      table. The CREATE statement is thus treated as a prepared statement:
      it is prepared once, and then executed by each iteration. Thus its Lex
      is reused many times. This Lex contains a part_info member, which
      describes how the partitions should be laid out, including the
      partitioning function. Each execution of the CREATE does this, in
      open_table_from_share ():
      
          tmp= mysql_unpack_partition(thd, share->partition_info_str,
                                      share->partition_info_str_len,
                                      outparam, is_create_table,
                                      share->default_part_db_type,
                                      &work_part_info_used);
       ...
            tmp= fix_partition_func(thd, outparam, is_create_table);
      The first line calls init_lex_with_single_table() which creates
      a TABLE_LIST, necessary for the "field fixing" which will be
      done by the second line; this is how it is created:
        if ((!(table_ident= new Table_ident(thd,
                                            table->s->db,
                                            table->s->table_name, TRUE))) ||
            (!(table_list= select_lex->add_table_to_list(thd,
                                                         table_ident,
                                                         NULL,
                                                         0))))
          return TRUE;
      it is allocated in the execution memory root.
      Then the partitioning function ("id", stored in Lex -> part_info)
      is fixed, which calls Item_ident:: fix_fields (), which resolves
      "id" to the table_list above, and stores in the item's
      cached_table a pointer to this table_list. 
      The table is created, later it is dropped by another statement,
      then we execute again the prepared CREATE. This reuses the Lex,
      thus also its part_info, thus also the item representing the
      partitioning function (part_info is cloned but it's a shallow
      cloning); CREATE wants to fix the item again (which is
      normal, every execution fixes items again), fix_fields ()
      sees that the cached_table pointer is set and picks up the
      pointed table_list. But this last object does not exist
      anymore (it was allocated in the execution memory root of
      the previous execution, so it has been freed), so we access
      invalid memory.
      The solution: when creating the table_list, mark that it
      cannot be cached.
      992a6630
  2. 18 Jul, 2013 2 commits
    • Nisha Gopalakrishnan's avatar
      BUG#15844882: MYSQLDUMP FROM 5.5 FAILS WITH AN ERROR WHEN TRYING · 09db23ae
      Nisha Gopalakrishnan authored
                    TO DUMP DATA FROM MYSQL-5.6 
      
      Merge from mysql-5.1 to mysql-5.5.
      09db23ae
    • Nisha Gopalakrishnan's avatar
      BUG#15844882: MYSQLDUMP FROM 5.5 FAILS WITH AN ERROR WHEN TRYING · 30a37ca9
      Nisha Gopalakrishnan authored
                    TO DUMP DATA FROM MYSQL-5.6
      
      Analysis
      --------
      Dumping mysql-5.6 data using mysql-5.1/mysql-5.5 'myqldump'
      utility fails with a syntax error.
      
      Server system variable 'sql_quote_show_create' which quotes the
      identifiers is set in the mysqldump utility. The mysldump utility
      of mysql-5.1/mysql-5.5 uses deprecated syntax 'SET OPTION' to set
      the 'sql_quote_show_create' option. The support for the syntax is
      removed in mysql-5.6. Hence syntax error is reported while taking
      the dump.
      
      Fix:
      ---
      Changed the 'mysqldump' code to use the syntax
      'SET SQL_QUOTE_SHOW_CREATE' to set the 'sql_quote_show_create'
      option. That syntax is supported on mysql-5.1, mysql-5.5 and
      mysql-5.6.
      
      NOTE: I have not added an mtr test case since it is difficult
      to simulate the condition. Also the syntax may not be further
      simplified in the future.
      30a37ca9
  3. 17 Jul, 2013 2 commits
  4. 10 Jul, 2013 2 commits
  5. 09 Jul, 2013 2 commits
  6. 08 Jul, 2013 1 commit
  7. 05 Jul, 2013 1 commit
    • Aditya A's avatar
      Bug#17033706 SINCE 5.5.32 & 5.6.12, INNODB CANT START WITH OWN · eee10f38
      Aditya A authored
                   MULTI-FILE TABLESPACE
      
      ANALYSIS
      --------
      
      When a tablespace has multiple data files, InnoDB fails to 
      open the tablespace.  This is because for each ibd file, 
      the first page is checked.But the first page of all ibd file
      need not be the first page of the tablespace.  Only the first
      page of the tablespace contains the tablespace header. When 
      we check the first page of an ibd file that is not the first
      page of the tablespace, then the "tablespace flags" is not
      really available.This was wrongly used to check if a page is
      corrupt or not.
      
      FIX
      ---
      Use the tablespace flags only if the page number is 0 
      in a tablespace.  
      
      [Approved by Inaam rb#2836 ]
      eee10f38
  8. 04 Jul, 2013 1 commit
    • Venkata Sidagam's avatar
      Bug #16567381 DATETIME FIELD COMPARISONS DO NOT WORK PROPERLY · ae59c577
      Venkata Sidagam authored
                      WITH UTF8_UNICODE_CI COLLATION
      Problem Description:
      When comparing datetime values with strings, the utf8_unicode_ci collation 
      prevents correct comparisons. Consider the below set of queries, it is not 
      showing any results on a table which has tuples that satisfies the query. 
      But for collation utf8_general_ci it shows one tuple.
      set names utf8 collate utf8_unicode_ci;;
      select * from lang where dt='1979-12-09';
      
      Analysis:
      The comparison function is not chosen in case of collation utf8_unicode_ci.
      In agg_item_set_converter() because the collation state is having 
      "MY_CS_NONASCII" for collation type "utf8_unicode_ci". The conversion 
      of the collation is happening for the date field. And because of that 
      it is unable to pickup proper compare function(i.e CMP_DATE_WITH_STR).
      
      Actually the bug is accidentally introduced by the WL#3759 in 5.5. 
      And in 5.6 it is been fixed by the WL#3664.
      
      Fix:
      I have backported the changes from the file strings/ctype-uca.c which 
      are related to "utf8" introduced by the WL#3664.
      This change helps in choosing the correct comparison function for all 
      the collations of utf8 charset.
      ae59c577
  9. 01 Jul, 2013 3 commits
  10. 28 Jun, 2013 2 commits
  11. 27 Jun, 2013 2 commits
  12. 26 Jun, 2013 3 commits
  13. 25 Jun, 2013 1 commit
  14. 24 Jun, 2013 3 commits
    • unknown's avatar
      No commit message · 87015f4c
      unknown authored
      No commit message
      87015f4c
    • Sujatha Sivakumar's avatar
      Bug#16753869:INCORRECT TRUNCATION OF LONG SET EXPRESSION IN · ce29ca8b
      Sujatha Sivakumar authored
      LOAD DATA CAN CAUSE SQL INJECTION
      
      Problem:
      =======
      A long SET expression in LOAD DATA is incorrectly truncated
      when written to the binary log.
      
      Analysis:
      ========
      LOAD DATA statements are reconstructed once again before
      they are written to the binary log. When SET clauses are
      specified as part of LOAD DATA statement, these SET clause
      user command strings need to be stored as it is inorder to
      reconstruct the original user command.  At present these
      strings are stored as part of SET clause item tree's
      top most Item node's name itself which is incorrect. As an
      Item::name can be of MAX_ALIAS_NAME (256) size. Hence the
      name will get truncated to "255".
      
      Because of this the rewritten LOAD DATA statement will be
      terminated incorrectly.  When this statment is read back by
      the mysqlbinlog tool it reads a starting single quote and
      continuos to read till it finds an ending quote. Hence any
      statement written post ending quote will be considered as
      a new statement.
      
      Fix:
      ===
      As name field has length restriction the string value
      should not be stored in Item::name.  A new String list is
      maintained to store the SET expression values and this list
      is read during reconstrution.
      
      sql/sql_lex.cc:
        Clear the load data set string list during each query 
        execution.
      sql/sql_lex.h:
        Added a new String list to store the load data operation's
        SET clause user command strings.
      sql/sql_load.cc:
        Read the SET clause user command strings from load data
        set string list.
      sql/sql_yacc.yy:
        Store the SET caluse user command string as part of load
        data set string list.
      ce29ca8b
    • unknown's avatar
      No commit message · 99c7d1f1
      unknown authored
      No commit message
      99c7d1f1
  15. 21 Jun, 2013 1 commit
    • Tor Didriksen's avatar
      Bug#16945503 ADDRESSSANITIZER BUG IN SYS_VARS · 98ed58ca
      Tor Didriksen authored
      Sys_var_keycache inherits from some variant of Sys_var_integer
      
      Instances of Sys_var_keycache are initialized using the KEYCACHE_VAR macro,
      which takes an offset within st_key_cache.
      However, the Sys_var_integer CTOR treats the offset as if it was within
      global_system_variables (hidden within some layers of macros and fuction
      pointers)
      
      The result is that we write arbitrary data to arbitrary locations in memory.
      This all happens during static initialization of global objects,
      i.e. before we have even entered the main() function.
      
      
      Bug#12325449 TYPO IN CMAKE/DTRACE.CMAKE
      Fix typo in dtrace.cmake
      98ed58ca
  16. 19 Jun, 2013 2 commits
  17. 18 Jun, 2013 4 commits
  18. 17 Jun, 2013 1 commit
  19. 14 Jun, 2013 6 commits