- 01 Aug, 2010 1 commit
-
-
Gleb Shchepa authored
Bug #54461: crash with longblob and union or update with subquery

Queries may crash if 1) the GREATEST or the LEAST function has a mixed list of numeric and LONGBLOB arguments and 2) the result of such a function goes through an intermediate temporary table.

An Item that references a LONGBLOB field has max_length of UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL result for a mixed list of numeric and string arguments (that contradicts the current documentation; this contradiction was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a maximum of argument max_length values (i.e. UINT_MAX32). That max_length value of UINT_MAX32 was used as a length for the intermediate temporary table Field_double to hold the GREATEST/LEAST function result.

The Field_double::val_str() method call on that field allocates a String value. Since an allocation of String reserves an additional byte for a zero-termination, the size of the String buffer was set to (UINT_MAX32 + 1), which caused an integer overflow: actually, an empty buffer of size 0 was allocated. An initialization of the "first" byte of that zero-size buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators.
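The size wraparound described in the commit message above, as an added C example that is not code from the MySQL tree: `struct strbuf` and all function names are hypothetical stand-ins, and only the value of UINT_MAX32 is taken from the message. It shows the unchecked "+ 1" next to a checked reservation; the commit itself fixed the problem earlier, by computing a bounded max_length in Item_func_min_max::fix_length_and_dec().

```c
#include <stdint.h>
#include <stdlib.h>

#define UINT_MAX32 0xFFFFFFFFu  /* LONGBLOB max_length, as stated in the commit message */

/* Hypothetical stand-in for a string buffer; not MySQL's String class. */
struct strbuf { char *ptr; uint32_t alloced; };

/* Flawed size computation: one extra byte for the terminator, done in
 * 32-bit arithmetic. For max_length == UINT_MAX32 the sum wraps to 0. */
uint32_t size_with_terminator_unchecked(uint32_t max_length)
{
    return max_length + 1u;
}

/* Checked variant: refuses lengths whose "+ 1" does not fit in 32 bits.
 * Returns 0 and stores the size in *out on success, -1 on overflow. */
int size_with_terminator(uint32_t max_length, uint32_t *out)
{
    if (max_length > UINT_MAX32 - 1u)
        return -1;
    *out = max_length + 1u;
    return 0;
}

/* Reserve max_length + 1 bytes and write the terminator only after the
 * size has been validated, so ptr[0] always lies inside the allocation. */
int strbuf_reserve(struct strbuf *s, uint32_t max_length)
{
    uint32_t n;
    char *p;

    if (size_with_terminator(max_length, &n) != 0)
        return -1;              /* would have been a 0-byte buffer */
    p = malloc(n);
    if (p == NULL)
        return -1;
    p[0] = '\0';
    s->ptr = p;
    s->alloced = n;
    return 0;
}

int main(void)
{
    struct strbuf s = { NULL, 0 };
    return strbuf_reserve(&s, UINT_MAX32) == -1 ? 0 : 1;
}
```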
-
- 23 Jul, 2010 1 commit
-
-
Alexey Kopytov authored
prepared statements

Using GROUP_CONCAT() together with the WITH ROLLUP modifier could crash the server. The reason was a combination of several facts:

1. The Item_func_group_concat class stores pointers to ORDER objects representing the columns in the ORDER BY clause of GROUP_CONCAT().
2. find_order_in_list() called from Item_func_group_concat::setup() modifies the ORDER objects so that their 'item' member points to the arguments list allocated in the Item_func_group_concat constructor.
3. In some cases (e.g. in JOIN::rollup_make_fields) a copy of the original Item_func_group_concat object could be created by using the Item_func_group_concat::Item_func_group_concat(THD *thd, Item_func_group_concat *item) copy constructor. The latter essentially creates a shallow copy of the source object. Memory for the arguments array is allocated on thd->mem_root, but the pointers for arguments and ORDER are copied verbatim.

What happens in the test case is that when executing the query for the first time, after a copy of the original Item_func_group_concat object has been created by JOIN::rollup_make_fields(), find_order_in_list() is called for this new object. It then resolves ORDER BY by modifying the ORDER objects so that they point to elements of the arguments array which is local to the cloned object. When thd->mem_root is freed upon completing the execution, pointers in the ORDER objects become invalid. Those ORDER objects, however, are also shared with the original Item_func_group_concat object which is preserved between executions of a prepared statement. So the first call to find_order_in_list() for the original object on the second execution tries to dereference an invalid pointer.

The solution is to create copies of the ORDER objects when copying Item_func_group_concat to not leave any stale pointers in other instances with different lifecycles.
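The shared-ORDER lifetime problem described in the commit message above, as an added C model that is not code from the MySQL tree: `struct order`, `struct gc_item` and every function here are simplified, hypothetical stand-ins, and a `malloc`'ed clone plays the role of memory on thd->mem_root. The check runs before the clone is freed and never dereferences the stale pointer.

```c
#include <stdlib.h>

/* Simplified ORDER BY element: 'item' points at a slot in some args array. */
struct order { int **item; };

/* Simplified stand-in for Item_func_group_concat (two arguments, one ORDER). */
struct gc_item { int *args[2]; struct order *order; };

/* Models find_order_in_list(): rebinds ORDER to the caller's own args. */
void setup(struct gc_item *it) { it->order->item = &it->args[0]; }

/* Shallow copy: the clone shares the source's ORDER object. */
struct gc_item *clone_shallow(const struct gc_item *src)
{
    struct gc_item *c = malloc(sizeof *c);
    if (c) *c = *src;
    return c;
}

/* Copy with its own ORDER object, the approach the commit describes. */
struct gc_item *clone_deep(const struct gc_item *src)
{
    struct gc_item *c = clone_shallow(src);
    if (!c) return NULL;
    c->order = malloc(sizeof *c->order);
    if (!c->order) { free(c); return NULL; }
    *c->order = *src->order;
    return c;
}

/* Returns 1 if the long-lived original's ORDER ends up pointing into the
 * per-execution clone (about to be freed), 0 if not, -1 on allocation failure. */
int original_order_points_into_clone(int deep)
{
    struct order ord = { NULL };
    struct gc_item orig = { { NULL, NULL }, &ord };
    struct gc_item *c = deep ? clone_deep(&orig) : clone_shallow(&orig);
    int hit;

    if (!c) return -1;
    setup(c);                                 /* first execution resolves ORDER BY */
    hit = (orig.order->item == &c->args[0]);  /* compared only, never dereferenced */
    if (deep) free(c->order);
    free(c);                                  /* end of execution: memory released */
    return hit;
}

int main(void) { return original_order_points_into_clone(1); }
```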
-
- 21 Jul, 2010 10 commits
-
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
-
Georgi Kodinov authored
SHOW DATABASES LIKE ... was not converting to lowercase on comparison as the documentation suggests. Fixed it to behave similarly to SHOW TABLES LIKE ... and updated the lowercase_table2 test case, which was failing on MacOSX.
-
Alexey Kopytov authored
-
Joerg Bruehe authored
-
- 20 Jul, 2010 3 commits
-
-
Davi Arnaut authored
Fix warnings flagged by the new warning option -Wunused-but-set-variable that was added to GCC 4.6 and that is enabled by -Wunused and -Wall. The option causes a warning whenever a local variable is assigned to but is later unused. It also warns about meaningless pointer dereferences.
-
Davi Arnaut authored
due to GCC preprocessor change

The problem is that newer GCC versions treat missing headers as fatal errors. The solution is to use a guard macro to prevent the inclusion of system headers when checking the ABI with the C Preprocessor.

Reference:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15638
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44836
-
Davi Arnaut authored
table with active trx

Essentially, the problem is that InnoDB does an implicit commit when a cursor (table handler) is unlocked/closed, creating a dissonance between the transaction state within the server layer and the storage engine layer. Theoretically, a statement transaction can encompass several table instances in a similar manner to a multiple statement transaction, hence it does not make sense to limit a statement transaction to the lifetime of the table instances (cursors) used within it.

Since this particular instance of the problem is only triggerable on 5.1 and is masked on 5.5 due to 2PC being skipped (assertion is in the prepare phase of a 2PC), the solution (which is less risky) is to explicitly end the transaction before the cached table is unlocked on rename table.

The patch is to be null merged into trunk.
-
- 19 Jul, 2010 4 commits
-
-
Davi Arnaut authored
-
Georgi Kodinov authored
-
MySQL Build Team authored
-
Jon Olav Hauglid authored
This assert checks that the server does not try to send OK to the client if there has been some error during processing. This is done to make sure that the error is in fact sent to the client.

The problem was that view errors during processing of WHERE conditions in UPDATE statements were not detected by the update code. It therefore tried to send OK to the client, triggering the assert. The bug was only noticeable in debug builds.

This patch fixes the problem by making sure that the update code checks for errors during condition processing and acts accordingly.
-
- 16 Jul, 2010 3 commits
-
-
Davi Arnaut authored
Bug#47139: Test "merge" crashes in "embedded" run

Backport patch for Bug#47139
-
Georgi Kodinov authored
-
Ramil Kalimullin authored
of the "embedded" server

Problem: mysqltest_embedded failed to load ha_innodb_plugin library on some platforms (due to some unresolved references).

Fix: on FreeBSD use the -export-dynamic flag when building mysqltest_embedded. That allows its global symbols to be used to resolve references in the dynamically loaded plugin library.
-
- 15 Jul, 2010 1 commit
-
-
Alexey Kopytov authored
Calculating the estimated number of records for a range scan may take a significant time, and it was impossible for a user to interrupt that process by killing the connection or the query. Fixed by checking the thread's 'killed' status in check_quick_keys() and interrupting the calculation process if it is set to a non-zero value.
-
- 12 Jul, 2010 1 commit
-
-
Alexey Kopytov authored
compiler problem

GCC-style inline assembly is not supported by the Sun Studio compilers prior to version 12. Added a check for the Sun Studio version to avoid using _FPU_GETCW() / _FPU_SETCW() when inline assembly is unsupported. This can lead to some differences in floating point calculations on Solaris 8/x86 which, however, is not worth bothering with Sun-style assembly .il templates.
-
- 09 Jul, 2010 10 commits
-
-
Mattias Jonsson authored
-
Mattias Jonsson authored
-
Davi Arnaut authored
of autoconf and is not strictly needed for now.
-
karen.langford@oracle.com authored
-
Georgi Kodinov authored
-
Davi Arnaut authored
Although the C standard mandates that sprintf return the number of bytes written, some very ancient systems (i.e. SunOS 4) returned a pointer to the buffer instead. Since these systems are not supported anymore and are hopefully long dead by now, simply remove the portability wrapper that dealt with this discrepancy. The autoconf check was causing trouble with GCC.
-
Davi Arnaut authored
Introduce a MySQL maintainer/developer mode that enables a set of warning options for the C/C++ compiler. This mode is intended to help improve the overall quality of the code. The warning options are:

C_WARNINGS="-Wall -Wextra -Wunused -Wwrite-strings -Werror"
CXX_WARNINGS="$C_WARNINGS -Wno-unused-parameter"

Since -Wall is essentially a moving target, autoconf checks are not run with warning options enabled, in particular -Werror. This decision might be revisited in the future. The patch also fixes a mistake in the makefiles, where automake CXXFLAGS would be set to CFLAGS.
-
Mattias Jonsson authored
In bug-28430 HA_PRIMARY_KEY_REQUIRED_FOR_POSITION was disabled in the partitioning engine in the first patch. That bug was later fixed a second time, but that flag was not removed. No need to disable this flag, as it leads to a bad choice in row replication.
-
Sergey Glukhov authored
The problem there is that the HAVING condition evaluates const parts of the condition even though the condition has references to aggregate functions. Table t1 became a const table after make_join_statistics and table1.pk = 1, HAVING is transformed into MAX(1) < 7 and taken away from HAVING. The fix is to skip evaluation of HAVING const parts if the HAVING condition has references to aggregate functions.
-
Jimmy Yang authored
rb://396, approved by Sunny Bains.
-
- 08 Jul, 2010 3 commits
-
-
Mattias Jonsson authored
The handler function for reading one row from a specific index was not optimized in the partitioning handler since it used the default implementation. No test case since it is performance only, verified by hand.
-
karen.langford@sun.com authored
-
- 07 Jul, 2010 3 commits
-
-
sunanda authored
was not complete. Bootstrap failed to pick up necessary files needed by test and hence all tests failed.
-
Vasil Dimov authored
(without the unrelated whitespace changes):

------------------------------------------------------------------------
r7009 | jyang | 2010-04-29 20:44:56 +0300 (Thu, 29 Apr 2010) | 6 lines

branches/5.0: Port fix for bug #49238 (Creating/Dropping a temporary table while at 1023 transactions will cause assert) from 5.1 to branches/5.1. Separate action for return value DB_TOO_MANY_CONCURRENT_TRXS from that of DB_MUST_GET_MORE_FILE_SPACE in row_drop_table_for_mysql().
------------------------------------------------------------------------
-
Jon Olav Hauglid authored
This crash occurred after ALTER TABLE was used on a temporary transactional table locked by LOCK TABLES. Any later attempts to execute LOCK/UNLOCK TABLES caused the server to crash.

The reason for the crash was that the list of locked tables would end up having a pointer to a freed table instance. This happened because ALTER TABLE deleted the table without also removing the table reference from the locked tables list.

This patch fixes the problem by making sure ALTER TABLE also removes the table from the locked tables list.

Test case added to innodb_mysql.test.
-