1. 10 Oct, 2011 1 commit
  2. 07 Oct, 2011 1 commit
      BUG#12589870 CRASHES WITH MULTIQUERY PACKET + USE<DB> + QUERY CACHE · f36e854a
      Magne Mahre authored
       
      A buffer large enough to hold the query _plus_ some additional
      data is allocated before parsing is started.   The additional data 
      is used by the query cache, and consists of the name of the current 
      database and a set of flags.
       
      When a packet containing multiple SQL statements is sent to the
      server and one of the statements changes the current database
      (a "USE <db>" statement), and the name of the new current database 
      is longer than the previous one, there is not enough space in the
      buffer for the new name, and we write past the buffer boundary.
      
      The fix adds an extra field to store the number of bytes
      allocated to the database name in the buffer.  If the current
      database name changes, and the new name is longer than the
      previous one, we refuse to cache the query.
      f36e854a
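      As an added illustration of the bookkeeping the fix above describes
      (example code, not MySQL's own): a hypothetical packet buffer holding
      the query text, then the current database name, then a flags trailer,
      with a field recording how many bytes were reserved for the database
      name when the buffer was allocated. A later USE whose name needs more
      bytes than were reserved is refused (the statement bypasses the cache)
      instead of being copied past the end of the buffer. The layout, the
      two-byte flags trailer and the names qc_packet, qc_switch_db and
      qc_overrun_bytes are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout modelled on the commit message, not MySQL's own:
 * [query text][NUL][db name, db_len_alloc bytes][flags, QC_FLAGS_LEN bytes] */
enum { QC_FLAGS_LEN = 2 };

typedef struct {
    char   *buf;
    size_t  buf_size;
    size_t  query_len;     /* query text, excluding the NUL */
    size_t  db_len_alloc;  /* bytes reserved for the db name at allocation
                              time (the extra field the fix adds) */
    size_t  db_len_used;   /* bytes of the db name currently stored */
} qc_packet;

qc_packet *qc_packet_new(const char *query, const char *db)
{
    qc_packet *p = calloc(1, sizeof *p);
    if (!p)
        return NULL;
    p->query_len    = strlen(query);
    p->db_len_alloc = strlen(db);
    p->db_len_used  = p->db_len_alloc;
    p->buf_size     = p->query_len + 1 + p->db_len_alloc + QC_FLAGS_LEN;
    p->buf = calloc(1, p->buf_size);
    if (!p->buf) {
        free(p);
        return NULL;
    }
    memcpy(p->buf, query, p->query_len + 1);
    memcpy(p->buf + p->query_len + 1, db, p->db_len_alloc);
    return p;
}

void qc_packet_free(qc_packet *p)
{
    if (p) {
        free(p->buf);
        free(p);
    }
}

/* Bytes an unchecked copy of new_db into the trailer would write past the
 * reserved area (0 when it fits). This is the overrun the unfixed code
 * performed; here it is only computed, never executed. */
size_t qc_overrun_bytes(const qc_packet *p, const char *new_db)
{
    size_t n = strlen(new_db);
    return n > p->db_len_alloc ? n - p->db_len_alloc : 0;
}

/* Handle "USE <new_db>" inside a multi-statement packet.
 * Returns 1 if the name fits and the statement may still be cached,
 * 0 if it does not fit: nothing is written and the caller must skip
 * the query cache for this statement. */
int qc_switch_db(qc_packet *p, const char *new_db)
{
    size_t n = strlen(new_db);
    if (n > p->db_len_alloc)
        return 0;
    char *dst = p->buf + p->query_len + 1;
    memcpy(dst, new_db, n);
    memset(dst + n, 0, p->db_len_alloc - n);  /* clear tail of the old name */
    p->db_len_used = n;
    return 1;
}

int main(void)
{
    qc_packet *p = qc_packet_new("SELECT 1", "test");
    if (!p)
        return 1;
    const char *dbs[] = { "a_much_longer_database_name", "abc", "test" };
    for (size_t i = 0; i < sizeof dbs / sizeof dbs[0]; i++) {
        size_t over = qc_overrun_bytes(p, dbs[i]);
        int ok = qc_switch_db(p, dbs[i]);
        printf("USE %-28s -> %s (unchecked copy would overrun by %zu bytes)\n",
               dbs[i], ok ? "cacheable" : "skip cache", over);
    }
    qc_packet_free(p);
    return 0;
}
```

      The reserved length is fixed when the buffer is allocated, so the
      check has to compare against that recorded value rather than against
      the length of whatever name was stored last; a shorter name followed
      by a longer one would otherwise pass.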
  3. 06 Oct, 2011 2 commits
  4. 29 Sep, 2011 2 commits
      manual merge · 7944320f
      Tatjana Azundris Nuernberg authored
      7944320f
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows /... · 8932ae21
      Tatjana Azundris Nuernberg authored
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows / underlying table's name
      
      1 - If a user had SHOW VIEW and SELECT privileges on a view and
      this view was referencing another view, EXPLAIN SELECT on the outer
      view (that the user had privileges on) could reveal the structure
      of the underlying "inner" view as well as the number of rows in
      the underlying tables, even if the user had privileges on none of
      these referenced objects.
      
      This happened because we used DEFINER's UID ("SUID") not just for
      the view given in EXPLAIN, but also when checking privileges on
      the underlying views (where we should use the UID of the EXPLAIN's
      INVOKER instead).
      
      We no longer run the EXPLAIN SUID (with DEFINER's privileges).
      This prevents a possible exploit and makes permissions more
      orthogonal.
      
      2 - EXPLAIN SELECT would reveal a view's structure even if the user
      did not have SHOW VIEW privileges for that view, as long as they
      had SELECT privilege on the underlying tables.
      
      Instead of requiring both SHOW VIEW privilege on a view and SELECT
      privilege on all underlying tables, we were checking for presence
      of either of them.
      
      We now explicitly require SHOW VIEW and SELECT privileges on
      the view we run EXPLAIN SELECT on, as well as all its
      underlying views. We also require SELECT on all relevant
      tables. 
      
      
      mysql-test/r/view_grant.result:
        add extensive tests to illustrate desired behavior and
        prevent regressions (as always).
      mysql-test/t/view_grant.test:
        add extensive tests to illustrate desired behavior and
        prevent regressions (as always).
      sql/sql_view.cc:
        We no longer run the EXPLAIN SUID (with DEFINER's privileges).
        To achieve this, we use a temporary, SUID-less TABLE_LIST for
        the views while checking privileges.
      8932ae21
  5. 22 Sep, 2011 1 commit
      Fix for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY. · 1922d65f
      Alexander Nozdrin authored
      The main problem was that lex_start() was not called before processing
      COM_REFRESH.
      
      Another problem discovered was that failures to flush the error log were not properly
      handled, which resulted in a server crash.
      
      The user-visible effects of these problems were:
        - if COM_REFRESH command was sent after SQL-queries of some sort,
          the server would crash.
        - if COM_REFRESH was requested with REFRESH_LOG only, and the error log
          failed to flush, the server would crash. The error log fails to flush
          when it points to unavailable file (for example, due to restricted
          permissions).
      
      The fixes are:
        - call lex_start() in the beginning of COM_REFRESH;
        - handle failures to flush the error log properly, i.e. raise ER_UNKNOWN_ERROR.
      
      sql/sql_parse.cc:
        Fix for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY.
      tests/mysql_client_test.c:
        A test case for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES
        ARE RUN CONCURRENTLY.
      1922d65f
  6. 15 Sep, 2011 1 commit
  7. 23 Aug, 2011 1 commit
  8. 17 Aug, 2011 2 commits
  9. 11 Aug, 2011 1 commit
  10. 10 Aug, 2011 3 commits
  11. 09 Aug, 2011 1 commit
  12. 08 Aug, 2011 1 commit
  13. 02 Aug, 2011 1 commit
      Bug#11766594 59736: SELECT DISTINCT.. INCORRECT RESULT WITH DETERMINISTIC FUNCTION IN WHERE C · 3468b55a
      Sergey Glukhov authored
      There is an optimization of DISTINCT in JOIN::optimize()
      which depends on THD::used_tables value. Each SELECT statement
      inside SP resets used_tables value(see mysql_select()) and it
      leads to wrong result. The fix is to replace THD::used_tables
      with LEX::used_tables.
      
      
      mysql-test/r/sp.result:
        test case
      mysql-test/t/sp.test:
        test case
      sql/sql_base.cc:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_class.cc:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_class.h:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_insert.cc:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_lex.cc:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_lex.h:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_prepare.cc:
        THD::used_tables is replaced with LEX::used_tables
      sql/sql_select.cc:
        THD::used_tables is replaced with LEX::used_tables
      3468b55a
  14. 27 Jul, 2011 2 commits
  15. 22 Jul, 2011 2 commits
      Manual merge from mysql-5.0. · 3a786df2
      Alexander Nozdrin authored
      3a786df2
      Fix for Bug#12696072: FIX OUTDATED COPYRIGHT NOTICES IN RUNTIME RELATED CLIENT · cb523995
      Alexander Nozdrin authored
      TOOLS
      
      Backport a fix for Bug 57094 from 5.5.
      The following revision was backported:
      
      # revision-id: alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
      # parent: bar@mysql.com-20101006121559-am1e05ykeicwnx48
      # committer: Alexander Nozdrin <alexander.nozdrin@oracle.com>
      # branch nick: mysql-5.5-bugteam-bug57094
      # timestamp: Wed 2010-10-06 19:06:13 +0400
      # message:
      #   Fix for Bug 57094 (Copyright notice incorrect?).
      #   
      #   The fix is to:
      #     - introduce ORACLE_WELCOME_COPYRIGHT_NOTICE define to have a single place
      #       to specify copyright notice;
      #     - replace custom copyright notices with ORACLE_WELCOME_COPYRIGHT_NOTICE
      #       in programs.
      cb523995
  16. 19 Jul, 2011 1 commit
  17. 18 Jul, 2011 3 commits
  18. 15 Jul, 2011 5 commits
      merge from 5.1 main · 575d1652
      Bjorn Munch authored
      575d1652
      Backport a fix for Bug#59060 (Valgrind warning in Protocol_text::store()). · 56931dd0
      Alexander Nozdrin authored
      Original changeset:
      revision-id: alexander.nozdrin@oracle.com-20101221122349-6h8ammcro70a4pac
      parent: sven.sandberg@oracle.com-20101221121948-hnivuulyohzch1v4
      committer: Alexander Nozdrin <alexander.nozdrin@oracle.com>
      branch nick: mysql-trunk-bugfixing
      timestamp: Tue 2010-12-21 15:23:49 +0300
      message:
        A patch for Bug#59060 (Valgrind warning in Protocol_text::store()).
        
        We should not assume to have zero-terminated strings.
      56931dd0
      merge 5.0-security => 5.1-security · 93915d0d
      Tor Didriksen authored
      93915d0d
      Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL · cfcd49b4
      Tor Didriksen authored
      The buffer was simply too small.
      In 5.5 and trunk, the size is 311 + 31,
      in 5.1 and below, the size is 331
      
      
      client/sql_string.cc:
        Increase buffer size in String::set(double, ...)
      include/m_string.h:
        Increase FLOATING_POINT_BUFFER
      mysql-test/r/type_float.result:
        New test cases.
      mysql-test/t/type_float.test:
        New test cases.
      sql/sql_string.cc:
        Increase buffer size in String::set(double, ...)
      sql/unireg.h:
        Move definition of FLOATING_POINT_BUFFER
      cfcd49b4
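      An added check for the sizing problem in Bug#12406055 above (example
      code, not MySQL's own): a double printed in fixed notation needs at
      most a sign, 309 integer digits (DBL_MAX has 309), the point and the
      requested number of decimals. Asking snprintf for the required length
      before writing, and treating a return value of size or more as
      truncation, turns a silent overflow of a fixed 'buff' into a reported
      failure. The "%.*f" conversion and the helper names are assumptions;
      the commit does not say which conversion String::set(double, ...) uses.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Length snprintf needs for v in fixed notation with prec digits after the
 * point, excluding the NUL. A NULL buffer of size 0 only measures.
 * Assumption: "%.*f"; the commit does not name the conversion. */
int double_text_len(double v, int prec)
{
    return snprintf(NULL, 0, "%.*f", prec, v);
}

/* Static worst case for fixed notation on IEEE doubles:
 * sign + 309 integer digits (DBL_MAX) + '.' + prec decimals. */
int double_text_len_bound(int prec)
{
    return 1 + 309 + 1 + prec;
}

/* Format v into buf. Returns 1 on success, 0 if buf is too small; on 0 the
 * buffer holds a truncated, NUL-terminated string and nothing is written
 * past buf[size - 1], unlike sprintf into a fixed-size array. */
int fmt_double_checked(char *buf, size_t size, double v, int prec)
{
    int n = snprintf(buf, size, "%.*f", prec, v);
    return n >= 0 && (size_t)n < size;
}

int main(void)
{
    char small[311], large[400];
    int need = double_text_len(-DBL_MAX, 17);
    printf("-DBL_MAX with 17 decimals needs %d bytes (static bound %d)\n",
           need, double_text_len_bound(17));
    printf("311-byte buffer: %s\n",
           fmt_double_checked(small, sizeof small, -DBL_MAX, 17) ? "ok" : "too small");
    printf("400-byte buffer: %s\n",
           fmt_double_checked(large, sizeof large, -DBL_MAX, 17) ? "ok" : "too small");
    return 0;
}
```

      The static bound is the number to size a stack buffer from; the
      snprintf return value is the check to keep at the call site, since the
      bound is easy to get wrong when the format string later changes.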
      DBUG_PRINT in solaris does not work well with NULL parameters. · 72857dc8
      Luis Soares authored
      HA_ERR was returning 0 (null string) when no error happened
      (error=0). Since HA_ERR is used in DBUG_PRINT regardless of whether
      there was an error or not, the server could crash in solaris debug
      builds.
      
      We fix this by:
      
        - deploying an assertion that ensures that the function 
          is not called when no error has happened;
        - making sure that HA_ERR is only called when an error 
          happened;
        - making HA_ERR return "No Error", instead of 0, for 
          non-debug builds if it is called when no error happened.
      
      This will make HA_ERR return values to work with DBUG_PRINT on
      solaris debug builds.
      72857dc8
  19. 14 Jul, 2011 1 commit
      BUG#11753004: 44360: REPLICATION FAILED · bf7d414b
      Luis Soares authored
                        
      The server crashes if it processes table map events that are
      corrupted, especially if they map different tables to the same
      identifier. This could happen, for instance, due to BUG 56226.
                        
      We fix this by checking whether the table map has already been
      mapped before actually applying the event. If it has been mapped
      with different settings an error is raised and the slave SQL
      thread stops. If it has been mapped with same settings the event
      is skipped. If the table is set to be ignored by the filtering
      rules, there is no change in behavior: the event is skipped and
      ids are not checked.
      
      
      mysql-test/suite/rpl/t/rpl_row_corruption.test:
        Added a simple test case that checks both cases:
        - multiple table maps with the same identifier
        - multiple table maps with the same identifier, but only one
          is processed (the others are filtered out)
      bf7d414b
  20. 12 Jul, 2011 2 commits
      BUG#12695969 · 624ed50e
      Luis Soares authored
      Manually merged from mysql-5.0 into mysql-5.1.
      
      conflicts
      =========
      
      include/Makefile.am
      624ed50e
      BUG#12695969 · b9dd956a
      Luis Soares authored
      Follow-up patch that adds the newly added header file to
      Makefile.am noinst_HEADERS.
      b9dd956a
  21. 11 Jul, 2011 3 commits
      BUG#12695969 · e018925a
      Luis Soares authored
      Manually merged mysql-5.0 into mysql-5.1.
      
      conflicts
      =========
      client/mysqlibinlog.cc
      e018925a
      BUG#12695969: FIX OUTDATED COPYRIGHT NOTICES IN REPLICATION · 686182b2
      Luis Soares authored
      CLIENT TOOLS
            
      The fix is to backport part of revision:
              
        - alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
            
      from mysql-5.5. In detail, we add the oracle welcome notice
      header file proposed in the original patch and include/use it
      in client/mysqlbinlog.cc, replacing the existing and obsolete
      notice.
      686182b2
      Bug#11765255 - 58201: VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS · 08ecbd5a
      Tor Didriksen authored
      We must allocate a larger ref_pointer_array. We failed to account for extra
      items allocated here:
      #0  find_order_in_list 
        uint el= all_fields.elements;
        all_fields.push_front(order_item); /* Add new field to field list. */
        ref_pointer_array[el]= order_item;
        order->item= ref_pointer_array + el;
      #1  setup_order
      #2  setup_without_group
      #3  JOIN::prepare
      
      
      mysql-test/r/order_by.result:
        New test case.
      mysql-test/r/union.result:
        New test case.
      mysql-test/t/order_by.test:
        New test case.
      mysql-test/t/union.test:
        New test case.
      sql/sql_lex.cc:
        find_order_in_list() may need some extra space, so multiply og_num by two.
      sql/sql_union.cc:
        For UNION, the 'n_sum_items' are accumulated in the "global_parameters" select_lex.
        This number must be propagated to setup_ref_array()
        
        When preparing a 'fake_select_lex' we need to use global_parameters->order_list
        rather than fake_select_lex->order_list (see comments inside st_select_lex_unit::cleanup)
      08ecbd5a
  22. 07 Jul, 2011 3 commits
      Bug#12637786 was fixed with rb:692 by marko. But that fix has a remaining · 6cc0f6a2
      unknown authored
      bug.  It added this assert:
          ut_ad(ind_field->prefix_len);
      before a section of code that assumes there is a prefix_len.  
      
      The patch replaced code that explicitly avoided this with a check for
      prefix_len.  It turns out that the purge thread can get to that assert
      without a prefix_len because it does not use a row_ext_t* .
      When UNIV_DEBUG is not defined, the effect of this is that the purge thread
      sets the dfield->len to zero and then cannot find the entry in the index to
      purge.  So secondary index entries remain unpurged.
      
      This patch does not do the assert.  Instead, it uses
          'if (ind_field->prefix_len) {...}'
      around the section of code that assumes a prefix_len.  This is the way the
      patch I provided to Marko did it.
      
      The test case is simply modified to do a sleep(10) in order to give the
      purge thread a chance to run. Without the code change to row0row.c, this
      modified testcase will assert if InnoDB was compiled with UNIV_DEBUG.
      I tried to sleep(5), but it did not always assert.
      6cc0f6a2
      Fix bug#45415: "rpm upgrade recreates test database" · c6669b46
      Joerg Bruehe authored
      Let the creation of the "test" database happen only during a new
      installation, not in an RPM upgrade.
      c6669b46