1. 14 Dec, 2010 10 commits
    • Gleb Shchepa's avatar
    • Gleb Shchepa's avatar
      backport of bug #54476 fix from 5.1-bugteam to 5.0-bugteam. · 01521a0a
      Gleb Shchepa authored
      Original revid: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l
      
       > Bug #54476: crash when group_concat and 'with rollup' in
       >                      prepared statements
       >
       > Using GROUP_CONCAT() together with the WITH ROLLUP modifier
       > could crash the server.
       >
       > The reason was a combination of several facts:
       >
       > 1. The Item_func_group_concat class stores pointers to ORDER
       > objects representing the columns in the ORDER BY clause of
       > GROUP_CONCAT().
       >
       > 2. find_order_in_list() called from
       > Item_func_group_concat::setup() modifies the ORDER objects so
       > that their 'item' member points to the arguments list
       > allocated in the Item_func_group_concat constructor.
       >
       > 3. In some cases (e.g. in JOIN::rollup_make_fields) a copy of
       > the original Item_func_group_concat object could be created by
       > using the Item_func_group_concat::Item_func_group_concat(THD
       > *thd, Item_func_group_concat *item) copy constructor. The
       > latter essentially creates a shallow copy of the source
       > object. Memory for the arguments array is allocated on
       > thd->mem_root, but the pointers for arguments and ORDER are
       > copied verbatim.
       >
       > What happens in the test case is that when executing the query
       > for the first time, after a copy of the original
       > Item_func_group_concat object has been created by
       > JOIN::rollup_make_fields(), find_order_in_list() is called for
       > this new object. It then resolves ORDER BY by modifying the
       > ORDER objects so that they point to elements of the arguments
       > array which is local to the cloned object. When thd->mem_root
       > is freed upon completing the execution, pointers in the ORDER
       > objects become invalid. Those ORDER objects, however, are also
       > shared with the original Item_func_group_concat object which is
       > preserved between executions of a prepared statement. So the
       > first call to find_order_in_list() for the original object on
       > the second execution tries to dereference an invalid pointer.
       >
       > The solution is to create copies of the ORDER objects when
       > copying Item_func_group_concat to not leave any stale pointers
       > in other instances with different lifecycles.
      01521a0a
    • Luis Soares's avatar
      BUG#46697 · e4ad12dc
      Luis Soares authored
      Autmoerging into latest mysql-5.1-bugteam.
      e4ad12dc
    • Luis Soares's avatar
      BUG 46697 · 1d0eae6f
      Luis Soares authored
      Addressing review comments.
      1d0eae6f
    • Luis Soares's avatar
      089327bf
    • Sergey Glukhov's avatar
      Bug#57818 string conversion function died · 622ae418
      Sergey Glukhov authored
      Bug#57913 large negative number to string conversion functions crash
      String object which is used as result container of the item
      has uninitialized 'str_charset' field. This object
      might be used later to preform some internal operations
      and str_charset field is involved in these operations.
      It leads to crash.
      The fix is to intialize str_charset in my_decimal2string() func.
      622ae418
    • Mattias Jonsson's avatar
      merge · 6e3314b0
      Mattias Jonsson authored
      6e3314b0
    • Mattias Jonsson's avatar
      merge · c070dc57
      Mattias Jonsson authored
      c070dc57
    • Mattias Jonsson's avatar
      Bug#45717: A few test cases are disabled due to closed Bug#30577 · cd27e25d
      Mattias Jonsson authored
      Backport from 5.5. OK from Anitha G. to push to 5.1.
      
      Removed floor(float_col) tests, enabled floor(decimal_col) tests
      cd27e25d
    • Sergey Glukhov's avatar
      Fixed following problems: · cd36a6a5
      Sergey Glukhov authored
      --Bug#52157 various crashes and assertions with multi-table update, stored function
      --Bug#54475 improper error handling causes cascading crashing failures in innodb/ndb
      --Bug#57703 create view cause Assertion failed: 0, file .\item_subselect.cc, line 846
      --Bug#57352 valgrind warnings when creating view
      --Recently discovered problem when a nested materialized derived table is used
        before being populated and it leads to incorrect result
      
      We have several modes when we should disable subquery evaluation.
      The reasons for disabling are different. It could be
      uselessness of the evaluation as in case of 'CREATE VIEW'
      or 'PREPARE stmt', or we should disable subquery evaluation
      if tables are not locked yet as it happens in bug#54475, or
      too early evaluation of subqueries can lead to wrong result
      as it happened in Bug#19077.
      Main problem is that if subquery items are treated as const
      they are evaluated in ::fix_fields(), ::fix_length_and_dec()
      of the parental items as a lot of these methods have
      Item::val_...() calls inside.
      We have to make subqueries non-const to prevent unnecessary
      subquery evaluation. At the moment we have different methods
      for this. Here is a list of these modes:
      
      1. PREPARE stmt;
      We use UNCACHEABLE_PREPARE flag.
      It is set during parsing in sql_parse.cc, mysql_new_select() for
      each SELECT_LEX object and cleared at the end of PREPARE in
      sql_prepare.cc, init_stmt_after_parse(). If this flag is set
      subquery becomes non-const and evaluation does not happen.
      
      2. CREATE|ALTER VIEW, SHOW CREATE VIEW, I_S tables which
         process FRM files
      We use LEX::view_prepare_mode field. We set it before
      view preparation and check this flag in
      ::fix_fields(), ::fix_length_and_dec().
      Some bugs are fixed using this approach,
      some are not(Bug#57352, Bug#57703). The problem here is
      that we have a lot of ::fix_fields(), ::fix_length_and_dec()
      where we use Item::val_...() calls for const items.
      
      3. Derived tables with subquery = wrong result(Bug19077)
      The reason of this bug is too early subquery evaluation.
      It was fixed by adding Item::with_subselect field
      The check of this field in appropriate places prevents
      const item evaluation if the item have subquery.
      The fix for Bug19077 fixes only the problem with
      convert_constant_item() function and does not cover
      other places(::fix_fields(), ::fix_length_and_dec() again)
      where subqueries could be evaluated.
      
      Example:
      CREATE TABLE t1 (i INT, j BIGINT);
      INSERT INTO t1 VALUES (1, 2), (2, 2), (3, 2);
      SELECT * FROM (SELECT MIN(i) FROM t1
      WHERE j = SUBSTRING('12', (SELECT * FROM (SELECT MIN(j) FROM t1) t2))) t3;
      DROP TABLE t1;
      
      4. Derived tables with subquery where subquery
         is evaluated before table locking(Bug#54475, Bug#52157)
      
      Suggested solution is following:
      
      -Introduce new field LEX::context_analysis_only with the following
       possible flags:
       #define CONTEXT_ANALYSIS_ONLY_PREPARE 1
       #define CONTEXT_ANALYSIS_ONLY_VIEW    2
       #define CONTEXT_ANALYSIS_ONLY_DERIVED 4
      -Set/clean these flags when we perform
       context analysis operation
      -Item_subselect::const_item() returns
       result depending on LEX::context_analysis_only.
       If context_analysis_only is set then we return
       FALSE that means that subquery is non-const.
       As all subquery types are wrapped by Item_subselect
       it allow as to make subquery non-const when
       it's necessary.
      cd36a6a5
  2. 13 Dec, 2010 3 commits
  3. 09 Dec, 2010 2 commits
  4. 07 Dec, 2010 1 commit
  5. 10 Dec, 2010 1 commit
    • Dmitry Shulga's avatar
      Fixed bug#54486 - assert in my_seek, concurrent · dfb62272
      Dmitry Shulga authored
      DROP/CREATE SCHEMA, CREATE TABLE, REPAIR.
      
      The cause of assert was concurrent execution of
      DROP DATABASE and REPAIR TABLE where first statement
      deleted table's file .TMD at the same time as
      REPAIR TABLE tried to read file details from the old file
      that was just removed.
      
      Additionally was fixed trouble when DROP TABLE try delete
      all files belong to table being dropped at the same time
      when REPAIR TABLE statement has just deleted .TMD file.
      
      No regression test added because this would require adding a
      sync point to mysys/my_redel.c. Since this bug is not present in
      5.5+, adding test coverage was considered unnecessary.
      The patch has been verified using RQG testing.
      dfb62272
  6. 09 Dec, 2010 4 commits
  7. 07 Dec, 2010 1 commit
    • Luis Soares's avatar
      BUG#58416 · a9d18aaf
      Luis Soares authored
      Automerging bzr bundle from bug report into latest 
      mysql-5.1-bugteam.
      a9d18aaf
  8. 03 Dec, 2010 1 commit
    • Luis Soares's avatar
      BUG#46697: Table name in error message is not populated · 8282ddc4
      Luis Soares authored
      When a query fails with a different error on the slave,
      the sql thread outputs a message (M) containing:
      
        1. the error message format for the master error code
        2. the master error code
        3. the error message for the slave's error code
        4. the slave error code
      
      Given that the slave has no information on the error message
      itself that the master outputs, it can only print its own
      version of the message format (but stripped from the 
      additional data if the message format requires). This may
      confuse users.
      
      To fix this we augment the slave's message (M) to explicitly
      state that the master's message is actually an error message 
      format, the one associated with the given master error code 
      and that the slave server knows about.
      8282ddc4
  9. 02 Dec, 2010 3 commits
  10. 01 Dec, 2010 4 commits
    • Mats Kindahl's avatar
      bfb43fb4
    • Mats Kindahl's avatar
      BUG#58246: INSTALL PLUGIN not secure & crashable · 91a4a8ab
      Mats Kindahl authored
      When installing plugins, there is a missing check
      for slash (/) in the path on Windows. Note that on
      Windows, both / and \ can be used to separate
      directories.
      
      This patch fixes the issue by:
      - Adding a FN_DIRSEP symbol for all platforms
        consisting of a string of legal directory
        separators.
      - Adding a charset-aware version of strcspn().
      - Adding a check_valid_path() function that uses
        my_strcspn() to check if any FN_DIRSEP character
        is in the supplied string.
      - Using the check_valid_path() function in
        sql_plugin.cc and sql_udf.cc (which means
        replacing the existing test there).
      91a4a8ab
    • Bjorn Munch's avatar
      Bug #58092 Test "rpl_cross_version" has "copy_file" failing · 9dca123d
      Bjorn Munch authored
      I am not fixing the test failure
      Adds printing of my_errno when commands fail, could hopefully help
      9dca123d
    • Nirbhay Choubey's avatar
      Additional fix for bug#54899 · c8310653
      Nirbhay Choubey authored
      Fixing the testcase to use the database name
      as connected_db instead of 'test' database.
      c8310653
  11. 30 Nov, 2010 3 commits
  12. 29 Nov, 2010 2 commits
  13. 27 Nov, 2010 1 commit
    • Luis Soares's avatar
      BUG#58416: binlog.binlog_row_failure_mixing_engines fails on · 13c9cf26
      Luis Soares authored
      win x86 debug_max
      
      The windows MTR run exhibited a different test execution 
      ordering (due to the fact that in these platforms MTR is invoked
      with --parallel > 1). This uncovered a bug in the aforementioned
      test case, which is triggered by the following conditions:
      
        1. server is not restarted between two different tests;
        2. the test before binlog.binlog_row_failure_mixing_engines
           issues flush logs;
        3. binlog.binlog_row_failure_mixing_engines uses binlog
           positions to limit the output of show_binlog_events;
        4. binlog.binlog_row_failure_mixing_engines does not state which
           binlog file to use, thence it uses a wrong binlog file with
           the correct position.
      
      There are two possible fixes: 1. make sure that the test start 
      from a clean slate - binlog wise; 2. in addition to the position, 
      also state the binary log file before sourcing 
      show_binlog_events.inc .
      
      We go for fix #1, ie, deploy a RESET MASTER before the test is 
      actually started.
      13c9cf26
  14. 26 Nov, 2010 1 commit
    • Davi Arnaut's avatar
      Bug#51817: incorrect assumption: thd->query at 0x2ab2a8360360 is an invalid pointer · 0008e064
      Davi Arnaut authored
      The problem is that the logic which checks if a pointer is
      valid relies on a poor heuristic based on the start and end
      addresses of the data segment and heap.
      
      Apart from miscalculating the heap bounds, this approach also
      suffers from the fact that memory can come from places other
      than the heap. See Bug#58528 for a more detailed explanation.
      
      On Linux, the solution is to access the process's memory
      through /proc/self/task/<tid>/mem, which allows for retrieving
      the contents of pages within the virtual address space of
      the calling process. If a address range is not mapped, a
      input/output error is returned.
      0008e064
  15. 30 Nov, 2010 3 commits
    • Luis Soares's avatar
      a8680a58
    • Christopher Powers's avatar
      Null-merge from mysql-5.0-bugteam · f8c68000
      Christopher Powers authored
      f8c68000
    • Luis Soares's avatar
      BUG#57288: binlog_tmp_table fails sporadically: "Failed to write · 23636330
      Luis Soares authored
      the DROP statement ..."
            
      Problem: When using temporary tables and closing a session, an
      implicit DROP TEMPORARY TABLE IF EXISTS is written to the binary
      log (while cleaning up the context of the session THD - see:
      sql_class.cc:THD::cleanup which calls close_temporary_tables).
           
      close_temporary_tables, first checks if the binary log is opened
      and then proceeds to creating the DROP statements. Then, such
      statements, are written to the binary log through
      MYSQL_BIN_LOG::write(Log_event *). Inside, there is another check
      if the binary log is opened and if not an error is returned. This
      is where the faulty behavior is triggered. Given that the test
      case replays a binary log, with temp tables statements, and right
      after it issues RESET MASTER, there is a chance that is_open will
      report false (when the mysql session is closed and the temporary
      tables are written).
            
      is_open may return false, because MYSQL_BIN_LOG::reset_logs is
      not setting the correct flag (LOG_CLOSE_TO_BE_OPENED), on the
      MYSQL_LOG_BIN::log_state (instead it sets just the
      LOG_CLOSE_INDEX flag, leaving the log_state to
      LOG_CLOSED). Thence, when writing the DROP statement as part of
      the THD::cleanup, the thread could get a return value of false
      for is_open - inside MYSQL_BIN_LOG::write, ultimately reporting
      that it can't write the event to the binary log.
            
      Fix: We fix this by adding the correct flag, missing in the
      second close.
      23636330