1. 01 Aug, 2010 1 commit
    • Gleb Shchepa's avatar
      Bug #54461: crash with longblob and union or update with subquery · 38165ce4
      Gleb Shchepa authored
      Queries may crash, if
        1) the GREATEST or the LEAST function has a mixed list of
           numeric and LONGBLOB arguments and
        2) the result of such a function goes through an intermediate
           temporary table.
      
      An Item that references a LONGBLOB field has max_length of
      UINT_MAX32 == (2^32 - 1).
      
      The current implementation of GREATEST/LEAST returns REAL
      result for a mixed list of numeric and string arguments (that
      contradicts with the current documentation, this contradiction
      was discussed and it was decided to update the documentation).
      
      The max_length of such a function call was calculated as a
      maximum of argument max_length values (i.e. UINT_MAX32).
      
      That max_length value of UINT_MAX32 was used as a length for
      the intermediate temporary table Field_double to hold
      GREATEST/LEAST function result.
      
      The Field_double::val_str() method call on that field
      allocates a String value.
      
      Since an allocation of String reserves an additional byte
      for a zero-termination, the size of String buffer was
      set to (UINT_MAX32 + 1), that caused an integer overflow:
      actually, an empty buffer of size 0 was allocated.
      
      An initialization of the "first" byte of that zero-size
      buffer with '\0' caused a crash.
      
      The Item_func_min_max::fix_length_and_dec() has been
      modified to calculate max_length for the REAL result like
      we do it for arithmetical operators.
      
      
      ******
      Bug #54461: crash with longblob and union or update with subquery
      
      Queries may crash, if
        1) the GREATEST or the LEAST function has a mixed list of
           numeric and LONGBLOB arguments and
        2) the result of such a function goes through an intermediate
           temporary table.
      
      An Item that references a LONGBLOB field has max_length of
      UINT_MAX32 == (2^32 - 1).
      
      The current implementation of GREATEST/LEAST returns REAL
      result for a mixed list of numeric and string arguments (that
      contradicts with the current documentation, this contradiction
      was discussed and it was decided to update the documentation).
      
      The max_length of such a function call was calculated as a
      maximum of argument max_length values (i.e. UINT_MAX32).
      
      That max_length value of UINT_MAX32 was used as a length for
      the intermediate temporary table Field_double to hold
      GREATEST/LEAST function result.
      
      The Field_double::val_str() method call on that field
      allocates a String value.
      
      Since an allocation of String reserves an additional byte
      for a zero-termination, the size of String buffer was
      set to (UINT_MAX32 + 1), that caused an integer overflow:
      actually, an empty buffer of size 0 was allocated.
      
      An initialization of the "first" byte of that zero-size
      buffer with '\0' caused a crash.
      
      The Item_func_min_max::fix_length_and_dec() has been
      modified to calculate max_length for the REAL result like
      we do it for arithmetical operators.
      38165ce4
  2. 23 Jul, 2010 1 commit
    • Alexey Kopytov's avatar
      Bug #54476: crash when group_concat and 'with rollup' in · bb3fbba1
      Alexey Kopytov authored
                           prepared statements
      
      Using GROUP_CONCAT() together with the WITH ROLLUP modifier
      could crash the server.
      
      The reason was a combination of several facts:
      
      1. The Item_func_group_concat class stores pointers to ORDER
      objects representing the columns in the ORDER BY clause of
      GROUP_CONCAT().
      
      2. find_order_in_list() called from
      Item_func_group_concat::setup() modifies the ORDER objects so
      that their 'item' member points to the arguments list
      allocated in the Item_func_group_concat constructor.
      
      3. In some cases (e.g. in JOIN::rollup_make_fields) a copy of
      the original Item_func_group_concat object could be created by
      using the Item_func_group_concat::Item_func_group_concat(THD
      *thd, Item_func_group_concat *item) copy constructor. The
      latter essentially creates a shallow copy of the source
      object. Memory for the arguments array is allocated on
      thd->mem_root, but the pointers for arguments and ORDER are
      copied verbatim.
      
      What happens in the test case is that when executing the query
      for the first time, after a copy of the original
      Item_func_group_concat object has been created by
      JOIN::rollup_make_fields(), find_order_in_list() is called for
      this new object. It then resolves ORDER BY by modifying the
      ORDER objects so that they point to elements of the arguments
      array which is local to the cloned object. When thd->mem_root
      is freed upon completing the execution, pointers in the ORDER
      objects become invalid. Those ORDER objects, however, are also
      shared with the original Item_func_group_concat object which is
      preserved between executions of a prepared statement. So the
      first call to find_order_in_list() for the original object on
      the second execution tries to dereference an invalid pointer.
      
      The solution is to create copies of the ORDER objects when
      copying Item_func_group_concat to not leave any stale pointers
      in other instances with different lifecycles.
      bb3fbba1
  3. 21 Jul, 2010 10 commits
  4. 20 Jul, 2010 3 commits
    • Davi Arnaut's avatar
      Bug#45288: pb2 returns a lot of compilation warnings on linux · c96b249f
      Davi Arnaut authored
      Fix warnings flagged by the new warning option -Wunused-but-set-variable
      that was added to GCC 4.6 and that is enabled by -Wunused and -Wall. The
      option causes a warning whenever a local variable is assigned to but is
      later unused. It also warns about meaningless pointer dereferences.
      c96b249f
    • Davi Arnaut's avatar
      Bug#52514: mysql 5.1 do_abi_check does not compile w/ gcc4.5 · d676c3ff
      Davi Arnaut authored
                 due to GCC preprocessor change
            
      The problem is that newer GCC versions treats missing headers
      as fatal errors. The solution is to use a guard macro to prevent
      the inclusion of system headers when checking the ABI with the
      C Preprocessor.
      
      Reference: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15638
                 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44836
      d676c3ff
    • Davi Arnaut's avatar
      Bug#54453: Failing assertion: trx->active_trans when renaming a · 17b9155f
      Davi Arnaut authored
                 table with active trx
      
      Essentially, the problem is that InnoDB does a implicit commit
      when a cursor (table handler) is unlocked/closed, creating
      a dissonance between the transaction state within the server
      layer and the storage engine layer. Theoretically, a statement
      transaction can encompass several table instances in a similar
      manner to a multiple statement transaction, hence it does not
      make sense to limit a statement transaction to the lifetime of
      the table instances (cursors) used within it.
      
      Since this particular instance of the problem is only triggerable
      on 5.1 and is masked on 5.5 due 2PC being skipped (assertion is in
      the prepare phase of a 2PC), the solution (which is less risky) is
      to explicitly end the transaction before the cached table is unlock
      on rename table.
      
      The patch is to be null merged into trunk.
      17b9155f
  5. 19 Jul, 2010 4 commits
  6. 16 Jul, 2010 3 commits
  7. 15 Jul, 2010 1 commit
    • Alexey Kopytov's avatar
      Backport of the fix for bug#25421 to 5.0. · a42108c2
      Alexey Kopytov authored
      Calculating the estimated number of records for a range scan
      may take a significant time, and it was impossible for a user
      to interrupt that process by killing the connection or the
      query.
      
      Fixed by checking the thread's 'killed' status in
      check_quick_keys() and interrupting the calculation process if
      it is set to a non-zero value.
      a42108c2
  8. 12 Jul, 2010 1 commit
    • Alexey Kopytov's avatar
      Bug#55061: Build failing on sol 8 x86 - assembler code vs · e59f4166
      Alexey Kopytov authored
                 compiler problem
      
      GCC-style inline assembly is not supported by the Sun Studio
      compilers prior to version 12.
      
      Added a check for the Sun Studio version to avoid using 
      _FPU_GETCW() / _FPU_SETCW() when inline assembly is
       unsupported. This can lead to some differences in floating
      point calculations on Solaris 8/x86 which, however, is not worth
      bothering with Sun-style assembly .il templates.
      e59f4166
  9. 09 Jul, 2010 10 commits
  10. 08 Jul, 2010 3 commits
  11. 07 Jul, 2010 3 commits
    • sunanda's avatar
      rko Mdkeld change, revision 3351.14.134 add innodb_plugin to mysql-test-run default suites · aff388cd
      sunanda authored
      was not complete. Bootstrap failed to pick up necessary files needed by test and hence
      all tests failed.
      aff388cd
    • Vasil Dimov's avatar
      Merge the fix for Bug#49238 from SVN · 7c6ba7b4
      Vasil Dimov authored
      (without the unrelated whitespace changes):
      
        ------------------------------------------------------------------------
        r7009 | jyang | 2010-04-29 20:44:56 +0300 (Thu, 29 Apr 2010) | 6 lines
        
        branches/5.0: Port fix for bug #49238 (Creating/Dropping a temporary
        table while at 1023 transactions will cause assert) from 5.1 to
        branches/5.1. Separate action for return value DB_TOO_MANY_CONCURRENT_TRXS
        from that of DB_MUST_GET_MORE_FILE_SPACE in row_drop_table_for_mysql().
        
        
        ------------------------------------------------------------------------
      7c6ba7b4
    • Jon Olav Hauglid's avatar
      Bug #54117 crash in thr_multi_unlock, temporary table · 60edcf94
      Jon Olav Hauglid authored
      This crash occured after ALTER TABLE was used on a temporary
      transactional table locked by LOCK TABLES. Any later attempts to
      execute LOCK/UNLOCK TABLES, caused the server to crash.
      
      The reason for the crash was the list of locked tables would
      end up having a pointer to a free'd table instance. This happened
      because ALTER TABLE deleted the table without also removing the
      table reference from the locked tables list.
      
      This patch fixes the problem by making sure ALTER TABLE also
      removes the table from the locked tables list.
      
      Test case added to innodb_mysql.test.
      60edcf94