From a394519ef96008079049b8a1a3136600b5073ddc Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Tue, 3 Aug 2010 14:52:20 +0300 Subject: [PATCH 01/23] addendum to the fix for bug #54476: fixed a failing test case. --- mysql-test/t/func_gconcat.test | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test index 693fa7d1c89..54c7291bb5e 100644 --- a/mysql-test/t/func_gconcat.test +++ b/mysql-test/t/func_gconcat.test @@ -734,6 +734,9 @@ EXECUTE stmt; DEALLOCATE PREPARE stmt; DROP TABLE t1; +--echo End of 5.1 tests + + # # Bug#36785: Wrong error message when group_concat() exceeds max length # From 9a05541bf1034fc131dc51585cebf1a2e141289a Mon Sep 17 00:00:00 2001 From: "karen.langford@oracle.com" <> Date: Tue, 3 Aug 2010 18:57:39 +0200 Subject: [PATCH 02/23] Raise version number after cloning 5.1.50 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index efd291f953c..3ec62b836f1 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.50], [], [mysql]) +AC_INIT([MySQL Server], [5.1.51], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM From d8f8b1cb0b0ca08c8ffbf95cb21fc508b95b5a84 Mon Sep 17 00:00:00 2001 From: Alexander Nozdrin Date: Wed, 4 Aug 2010 12:52:38 +0400 Subject: [PATCH 03/23] Fix default.conf. --- .bzr-mysql/default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bzr-mysql/default.conf b/.bzr-mysql/default.conf index 41a3d479084..1b6d7676984 100644 --- a/.bzr-mysql/default.conf +++ b/.bzr-mysql/default.conf 
@@ -1,4 +1,4 @@ [MYSQL] post_commit_to = "dbg_mysql_security@sun.com" post_push_to = "dbg_mysql_security@sun.com" -tree_name = "mysql-trunk-security" +tree_name = "mysql-5.5-security" From 6fce5c4c771dba0845429cf967df80d49482c37c Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Wed, 4 Aug 2010 03:11:33 -0700 Subject: [PATCH 04/23] Fix Bug #54582 stack overflow when opening many tables linked with foreign keys at once rb://391 approved by Heikki Z --- storage/innobase/dict/dict0load.c | 81 ++++++++++++++++++++-- storage/innobase/handler/ha_innodb.cc | 10 +++ storage/innobase/include/db0err.h | 3 + storage/innobase/include/dict0load.h | 2 + storage/innobase/include/dict0mem.h | 21 ++++++ storage/innobase/include/que0que.h | 3 + storage/innobase/row/row0mysql.c | 21 +++++- storage/innodb_plugin/ChangeLog | 8 +++ storage/innodb_plugin/dict/dict0load.c | 81 ++++++++++++++++++++-- storage/innodb_plugin/handler/ha_innodb.cc | 13 ++++ storage/innodb_plugin/include/db0err.h | 3 + storage/innodb_plugin/include/dict0load.h | 2 + storage/innodb_plugin/include/dict0mem.h | 21 ++++++ storage/innodb_plugin/include/que0que.h | 3 + storage/innodb_plugin/row/row0merge.c | 2 +- storage/innodb_plugin/row/row0mysql.c | 21 +++++- 16 files changed, 276 insertions(+), 19 deletions(-) diff --git a/storage/innobase/dict/dict0load.c b/storage/innobase/dict/dict0load.c index d5e7600f4d0..625956600c0 100644 --- a/storage/innobase/dict/dict0load.c +++ b/storage/innobase/dict/dict0load.c 
@@ -864,16 +864,27 @@ err_exit: err = dict_load_indexes(table, heap); + /* Initialize table foreign_child value. Its value could be + changed when dict_load_foreigns() is called below */ + table->fk_max_recusive_level = 0; + /* If the force recovery flag is set, we open the table irrespective of the error condition, since the user may want to dump data from the clustered index. However we load the foreign key information only if all indexes were loaded. */ if (err == DB_SUCCESS) { - err = dict_load_foreigns(table->name, TRUE); + err = dict_load_foreigns(table->name, TRUE, TRUE); + + if (err != DB_SUCCESS) { + dict_table_remove_from_cache(table); + table = NULL; + } } else if (!srv_force_recovery) { dict_table_remove_from_cache(table); table = NULL; } + + table->fk_max_recusive_level = 0; #if 0 if (err != DB_SUCCESS && table != NULL) { @@ -1095,8 +1106,12 @@ dict_load_foreign( /* out: DB_SUCCESS or error code */ const char* id, /* in: foreign constraint id as a null-terminated string */ - ibool check_charsets) + ibool check_charsets, /* in: TRUE=check charset compatibility */ + ibool check_recursive) + /* in: Whether to record the foreign table + parent count to avoid unlimited recursive + load of chained foreign tables */ { dict_foreign_t* foreign; dict_table_t* sys_foreign; @@ -1110,6 +1125,8 @@ dict_load_foreign( ulint len; ulint n_fields_and_type; mtr_t mtr; + dict_table_t* for_table; + dict_table_t* ref_table; ut_ad(mutex_own(&(dict_sys->mutex))); 
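Review bot: The added `table->fk_max_recusive_level = 0;` after the if/else chain in the -864,16 +864,27 hunk dereferences `table` unconditionally, yet both branches just above it can have set `table = NULL` after `dict_table_remove_from_cache(table)`. A failed index load or a failed `dict_load_foreigns()` therefore ends in a NULL-pointer write inside the server instead of a clean error return. Guard the reset: `if (table) { table->fk_max_recusive_level = 0; }`. The identical lines appear in the storage/innodb_plugin/dict/dict0load.c hunk (-1009,16 +1009,27) and need the same guard. The enclosing function starts and ends outside the hunk.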
@@ -1194,11 +1211,54 @@ dict_load_foreign( dict_load_foreign_cols(id, foreign); - /* If the foreign table is not yet in the dictionary cache, we - have to load it so that we are able to make type comparisons - in the next function call. */ + ref_table = dict_table_check_if_in_cache_low( + foreign->referenced_table_name); - dict_table_get_low(foreign->foreign_table_name); + /* We could possibly wind up in a deep recursive calls if + we call dict_table_get_low() again here if there + is a chain of tables concatenated together with + foreign constraints. In such case, each table is + both a parent and child of the other tables, and + act as a "link" in such table chains. + To avoid such scenario, we would need to check the + number of ancesters the current table has. If that + exceeds DICT_FK_MAX_CHAIN_LEN, we will stop loading + the child table. + Foreign constraints are loaded in a Breath First fashion, + that is, the index on FOR_NAME is scanned first, and then + index on REF_NAME. So foreign constrains in which + current table is a child (foreign table) are loaded first, + and then those constraints where current table is a + parent (referenced) table. + Thus we could check the parent (ref_table) table's + reference count (fk_max_recusive_level) to know how deep the + recursive call is. If the parent table (ref_table) is already + loaded, and its fk_max_recusive_level is larger than + DICT_FK_MAX_CHAIN_LEN, we will stop the recursive loading + by skipping loading the child table. It will not affect foreign + constraint check for DMLs since child table will be loaded + at that time for the constraint check. */ + if (!ref_table + || ref_table->fk_max_recusive_level < DICT_FK_MAX_RECURSIVE_LOAD) { + + /* If the foreign table is not yet in the dictionary cache, we + have to load it so that we are able to make type comparisons + in the next function call. 
*/ + + for_table = dict_table_get_low(foreign->foreign_table_name); + + if (for_table && ref_table && check_recursive) { + /* This is to record the longest chain of ancesters + this table has, if the parent has more ancesters + than this table has, record it after add 1 (for this + parent */ + if (ref_table->fk_max_recusive_level + >= for_table->fk_max_recusive_level) { + for_table->fk_max_recusive_level = + ref_table->fk_max_recusive_level + 1; + } + } + } /* Note that there may already be a foreign constraint object in the dictionary cache for this constraint: then the following @@ -1223,6 +1283,8 @@ dict_load_foreigns( /*===============*/ /* out: DB_SUCCESS or error code */ const char* table_name, /* in: table name */ + ibool check_recursive,/* in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets) /* in: TRUE=check charset compatibility */ { @@ -1324,7 +1386,7 @@ loop: /* Load the foreign constraint definition to the dictionary cache */ - err = dict_load_foreign(id, check_charsets); + err = dict_load_foreign(id, check_charsets, check_recursive); if (err != DB_SUCCESS) { btr_pcur_close(&pcur); @@ -1352,6 +1414,11 @@ load_next_index: mtr_start(&mtr); + /* Switch to scan index on REF_NAME, fk_max_recusive_level + already been updated when scanning FOR_NAME index, no need to + update again */ + check_recursive = FALSE; + goto start_load; } diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index d10fcb8d31e..930785d7dcd 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc 
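Review bot: The long comment above the new `if (!ref_table || ...)` test in the -1194,11 +1211,54 hunk names `DICT_FK_MAX_CHAIN_LEN` twice, but the code compares against `DICT_FK_MAX_RECURSIVE_LOAD` and no macro called `DICT_FK_MAX_CHAIN_LEN` is defined anywhere in this patch. The comment also says loading stops when the parent's level is "larger than" the limit, while the test is `<`, so loading already stops once the level equals it. Suggested wording for the two places: `If that reaches DICT_FK_MAX_RECURSIVE_LOAD, we will stop loading the child table.`; "Breath First" should read "breadth-first" and "ancesters" should read "ancestors". The same comment is repeated in the innodb_plugin copy of dict0load.c. dict_load_foreign() continues outside the hunk.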
@@ -763,6 +763,16 @@ convert_error_code_to_mysql( my_error(ER_QUERY_INTERRUPTED, MYF(0)); return(-1); + } else if (error == DB_FOREIGN_EXCEED_MAX_CASCADE) { + push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN, + HA_ERR_ROW_IS_REFERENCED, + "InnoDB: Cannot delete/update " + "rows with cascading foreign key " + "constraints that exceed max " + "depth of %d. Please " + "drop extra constraints and try " + "again", DICT_FK_MAX_RECURSIVE_LOAD); + return(-1); } else { return(-1); // Unknown error } diff --git a/storage/innobase/include/db0err.h b/storage/innobase/include/db0err.h index 2be6005622d..af3e78fe833 100644 --- a/storage/innobase/include/db0err.h +++ b/storage/innobase/include/db0err.h @@ -73,6 +73,9 @@ Created 5/24/1996 Heikki Tuuri a later version of the engine. */ #define DB_INTERRUPTED 49 /* the query has been interrupted with "KILL QUERY N;" */ +#define DB_FOREIGN_EXCEED_MAX_CASCADE 50/* Foreign key constraint related + cascading delete/update exceeds + maximum allowed depth */ /* The following are partial failure codes */ #define DB_FAIL 1000 diff --git a/storage/innobase/include/dict0load.h b/storage/innobase/include/dict0load.h index 7e19c2eb3c0..eb6083e06f9 100644 --- a/storage/innobase/include/dict0load.h +++ b/storage/innobase/include/dict0load.h @@ -82,6 +82,8 @@ dict_load_foreigns( /*===============*/ /* out: DB_SUCCESS or error code */ const char* table_name, /* in: table name */ + ibool check_recursive,/* in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets);/* in: TRUE=check charsets compatibility */ /************************************************************************ diff --git a/storage/innobase/include/dict0mem.h b/storage/innobase/include/dict0mem.h index ac28fdb1bae..2f2a7441478 100644 --- a/storage/innobase/include/dict0mem.h +++ b/storage/innobase/include/dict0mem.h 
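Review bot: The warning pushed for `DB_FOREIGN_EXCEED_MAX_CASCADE` reports the wrong limit. That error is returned from row_update_cascade_for_mysql() when `thr->fk_cascade_depth > FK_MAX_CASCADE_DEL` (defined as 300 in dict0mem.h), but the format argument here is `DICT_FK_MAX_RECURSIVE_LOAD` (250), which bounds dictionary loading, not cascades. Pass `FK_MAX_CASCADE_DEL` so the message states the depth that was actually enforced. The same argument is used in the `fprintf` added under handle_new_error in row0mysql.c and in both innodb_plugin copies.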
@@ -283,6 +283,21 @@ a foreign key constraint is enforced, therefore RESTRICT just means no flag */ #define DICT_FOREIGN_ON_DELETE_NO_ACTION 16 #define DICT_FOREIGN_ON_UPDATE_NO_ACTION 32 +/** Tables could be chained together with Foreign key constraint. When +first load the parent table, we would load all of its descedents. +This could result in rescursive calls and out of stack error eventually. +DICT_FK_MAX_RECURSIVE_LOAD defines the maximum number of recursive loads, +when exceeded, the child table will not be loaded. It will be loaded when +the foreign constraint check needs to be run. */ +#define DICT_FK_MAX_RECURSIVE_LOAD 250 + +/** Similarly, when tables are chained together with foreign key constraints +with on cascading delete/update clause, delete from parent table could +result in recursive cascading calls. This defines the maximum number of +such cascading deletes/updates allowed. When exceeded, the delete from +parent table will fail, and user has to drop excessive foreign constraint +before proceeds. */ +#define FK_MAX_CASCADE_DEL 300 /* Data structure for a database table */ struct dict_table_struct{ @@ -339,6 +354,12 @@ struct dict_table_struct{ NOT allowed until this count gets to zero; MySQL does NOT itself check the number of open handles at drop */ + unsigned fk_max_recusive_level:8; + /*!< maximum recursive level we support when + loading tables chained together with FK + constraints. If exceeds this level, we will + stop loading child table into memory along with + its parent table */ ulint n_foreign_key_checks_running; /* count of how many foreign key check operations are currently being performed diff --git a/storage/innobase/include/que0que.h b/storage/innobase/include/que0que.h index 8fbf5330c89..71f4cfdfb8f 100644 --- a/storage/innobase/include/que0que.h +++ b/storage/innobase/include/que0que.h 
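Review bot: `unsigned fk_max_recusive_level:8;` in the dict_table_struct hunk can hold at most 255, and the only thing keeping it in range is that `DICT_FK_MAX_RECURSIVE_LOAD` happens to be 250; nothing in the header ties the two together. If the macro is ever raised above 255, the stored level wraps and the `<` test in dict_load_foreign() can no longer trip, which silently removes the recursion bound this patch introduces. Add a comment on the field such as `/* 8 bits wide: DICT_FK_MAX_RECURSIVE_LOAD must stay <= 255 */`, or a compile-time check if the tree has a macro for one. The field comment also describes a supported maximum, while the code stores the chain depth recorded for this table. The identifier is misspelled ("recusive") and is cheaper to rename now than after more call sites exist.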
@@ -367,6 +367,9 @@ struct que_thr_struct{ thus far */ ulint lock_state; /* lock state of thread (table or row) */ + ulint fk_cascade_depth; /*!< maximum cascading call depth + supported for foreign key constraint + related delete/updates */ }; #define QUE_THR_MAGIC_N 8476583 diff --git a/storage/innobase/row/row0mysql.c b/storage/innobase/row/row0mysql.c index 4a834c4efc2..3b76ffa76f1 100644 --- a/storage/innobase/row/row0mysql.c +++ b/storage/innobase/row/row0mysql.c @@ -555,6 +555,12 @@ handle_new_error: "forcing-recovery.html" " for help.\n", stderr); + } else if (err == DB_FOREIGN_EXCEED_MAX_CASCADE) { + fprintf(stderr, "InnoDB: Cannot delete/update rows with" + " cascading foreign key constraints that exceed max" + " depth of %lu\n" + "Please drop excessive foreign constraints" + " and try again\n", (ulong) DICT_FK_MAX_RECURSIVE_LOAD); } else { fprintf(stderr, "InnoDB: unknown error code %lu\n", (ulong) err); @@ -1406,11 +1412,15 @@ row_update_for_mysql( run_again: thr->run_node = node; thr->prev_node = node; + thr->fk_cascade_depth = 0; row_upd_step(thr); err = trx->error_state; + /* Reset fk_cascade_depth back to 0 */ + thr->fk_cascade_depth = 0; + if (err != DB_SUCCESS) { que_thr_stop_for_mysql(thr); @@ -1597,6 +1607,12 @@ row_update_cascade_for_mysql( trx_t* trx; trx = thr_get_trx(thr); + + thr->fk_cascade_depth++; + + if (thr->fk_cascade_depth > FK_MAX_CASCADE_DEL) { + return (DB_FOREIGN_EXCEED_MAX_CASCADE); + } run_again: thr->run_node = node; thr->prev_node = node; @@ -2129,7 +2145,7 @@ row_table_add_foreign_constraints( if (err == DB_SUCCESS) { /* Check that also referencing constraints are ok */ - err = dict_load_foreigns(name, TRUE); + err = dict_load_foreigns(name, FALSE, TRUE); } if (err != DB_SUCCESS) { 
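Review bot: The comment on `fk_cascade_depth` in que_thr_struct calls it the maximum supported depth, but the row0mysql.c hunks of this patch use it as a running counter that is incremented on each cascade call and compared with `FK_MAX_CASCADE_DEL`. Suggested wording: `/*!< number of cascading foreign key delete/update calls made so far for the current row operation */`. The innodb_plugin copy of que0que.h carries the same comment.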
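Review bot: `thr->fk_cascade_depth++` in the row_update_cascade_for_mysql() hunk (-1597,6 +1607,12) has no matching decrement or reset in the lines shown; the only resets are in row_update_for_mysql(), once per parent row. As written the counter appears to count every cascaded child row rather than nesting depth, so a parent row with more than `FK_MAX_CASCADE_DEL` children in a flat ON DELETE CASCADE relationship would be rejected with `DB_FOREIGN_EXCEED_MAX_CASCADE`. If nesting depth is what is meant, undo the increment once this function's own `row_upd_step(thr)` call has returned, for example `thr->fk_cascade_depth--;` on each exit path. The function body continues outside the hunk, so confirm no such reset already exists further down. The innodb_plugin copy of row0mysql.c has the same lines.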
@@ -3878,7 +3894,8 @@ end: an ALTER, not in a RENAME. */ err = dict_load_foreigns( - new_name, old_is_tmp ? trx->check_foreigns : TRUE); + new_name, FALSE, + old_is_tmp ? trx->check_foreigns : TRUE); if (err != DB_SUCCESS) { ut_print_timestamp(stderr); diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index 3e802360d23..56729852a62 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,11 @@ +2010-08-03 The InnoDB Team + + * dict/dict0load.c, handler/ha_innodb.cc, include/db0err.h, + include/dict0load.h, include/dict0mem.h, include/que0que.h, + row/row0merge.c, row/row0mysql.c: + Fix Bug#54582 stack overflow when opening many tables linked + with foreign keys at once + 2010-07-27 The InnoDB Team * include/mem0pool.h, mem/mem0mem.c, mem/mem0pool.c, srv/srv0start.c: diff --git a/storage/innodb_plugin/dict/dict0load.c b/storage/innodb_plugin/dict/dict0load.c index 3c495d21786..3acc267308f 100644 --- a/storage/innodb_plugin/dict/dict0load.c +++ b/storage/innodb_plugin/dict/dict0load.c @@ -1009,16 +1009,27 @@ err_exit: err = dict_load_indexes(table, heap); + /* Initialize table foreign_child value. Its value could be + changed when dict_load_foreigns() is called below */ + table->fk_max_recusive_level = 0; + /* If the force recovery flag is set, we open the table irrespective of the error condition, since the user may want to dump data from the clustered index. However we load the foreign key information only if all indexes were loaded. */ if (err == DB_SUCCESS) { - err = dict_load_foreigns(table->name, TRUE); + err = dict_load_foreigns(table->name, TRUE, TRUE); + + if (err != DB_SUCCESS) { + dict_table_remove_from_cache(table); + table = NULL; + } } else if (!srv_force_recovery) { dict_table_remove_from_cache(table); table = NULL; } + + table->fk_max_recusive_level = 0; #if 0 if (err != DB_SUCCESS && table != NULL) { 
@@ -1241,8 +1252,12 @@ dict_load_foreign( /*==============*/ const char* id, /*!< in: foreign constraint id as a null-terminated string */ - ibool check_charsets) + ibool check_charsets, /*!< in: TRUE=check charset compatibility */ + ibool check_recursive) + /*!< in: Whether to record the foreign table + parent count to avoid unlimited recursive + load of chained foreign tables */ { dict_foreign_t* foreign; dict_table_t* sys_foreign; @@ -1256,6 +1271,8 @@ dict_load_foreign( ulint len; ulint n_fields_and_type; mtr_t mtr; + dict_table_t* for_table; + dict_table_t* ref_table; ut_ad(mutex_own(&(dict_sys->mutex))); 
@@ -1340,11 +1357,54 @@ dict_load_foreign( dict_load_foreign_cols(id, foreign); - /* If the foreign table is not yet in the dictionary cache, we - have to load it so that we are able to make type comparisons - in the next function call. */ + ref_table = dict_table_check_if_in_cache_low( + foreign->referenced_table_name); - dict_table_get_low(foreign->foreign_table_name); + /* We could possibly wind up in a deep recursive calls if + we call dict_table_get_low() again here if there + is a chain of tables concatenated together with + foreign constraints. In such case, each table is + both a parent and child of the other tables, and + act as a "link" in such table chains. + To avoid such scenario, we would need to check the + number of ancesters the current table has. If that + exceeds DICT_FK_MAX_CHAIN_LEN, we will stop loading + the child table. + Foreign constraints are loaded in a Breath First fashion, + that is, the index on FOR_NAME is scanned first, and then + index on REF_NAME. So foreign constrains in which + current table is a child (foreign table) are loaded first, + and then those constraints where current table is a + parent (referenced) table. + Thus we could check the parent (ref_table) table's + reference count (fk_max_recusive_level) to know how deep the + recursive call is. If the parent table (ref_table) is already + loaded, and its fk_max_recusive_level is larger than + DICT_FK_MAX_CHAIN_LEN, we will stop the recursive loading + by skipping loading the child table. It will not affect foreign + constraint check for DMLs since child table will be loaded + at that time for the constraint check. */ + if (!ref_table + || ref_table->fk_max_recusive_level < DICT_FK_MAX_RECURSIVE_LOAD) { + + /* If the foreign table is not yet in the dictionary cache, we + have to load it so that we are able to make type comparisons + in the next function call. 
*/ + + for_table = dict_table_get_low(foreign->foreign_table_name); + + if (for_table && ref_table && check_recursive) { + /* This is to record the longest chain of ancesters + this table has, if the parent has more ancesters + than this table has, record it after add 1 (for this + parent */ + if (ref_table->fk_max_recusive_level + >= for_table->fk_max_recusive_level) { + for_table->fk_max_recusive_level = + ref_table->fk_max_recusive_level + 1; + } + } + } /* Note that there may already be a foreign constraint object in the dictionary cache for this constraint: then the following @@ -1369,6 +1429,8 @@ ulint dict_load_foreigns( /*===============*/ const char* table_name, /*!< in: table name */ + ibool check_recursive,/*!< in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets) /*!< in: TRUE=check charset compatibility */ { @@ -1470,7 +1532,7 @@ loop: /* Load the foreign constraint definition to the dictionary cache */ - err = dict_load_foreign(id, check_charsets); + err = dict_load_foreign(id, check_charsets, check_recursive); if (err != DB_SUCCESS) { btr_pcur_close(&pcur); @@ -1498,6 +1560,11 @@ load_next_index: mtr_start(&mtr); + /* Switch to scan index on REF_NAME, fk_max_recusive_level + already been updated when scanning FOR_NAME index, no need to + update again */ + check_recursive = FALSE; + goto start_load; } diff --git a/storage/innodb_plugin/handler/ha_innodb.cc b/storage/innodb_plugin/handler/ha_innodb.cc index e0a62ed3ac5..1cba1de1590 100644 --- a/storage/innodb_plugin/handler/ha_innodb.cc +++ b/storage/innodb_plugin/handler/ha_innodb.cc 
@@ -767,6 +767,19 @@ convert_error_code_to_mysql( case DB_INTERRUPTED: my_error(ER_QUERY_INTERRUPTED, MYF(0)); /* fall through */ + + case DB_FOREIGN_EXCEED_MAX_CASCADE: + push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN, + HA_ERR_ROW_IS_REFERENCED, + "InnoDB: Cannot delete/update " + "rows with cascading foreign key " + "constraints that exceed max " + "depth of %d. Please " + "drop extra constraints and try " + "again", DICT_FK_MAX_RECURSIVE_LOAD); + + /* fall through */ + case DB_ERROR: default: return(-1); /* unspecified error */ diff --git a/storage/innodb_plugin/include/db0err.h b/storage/innodb_plugin/include/db0err.h index c841c2b4afe..c7fa6d2a444 100644 --- a/storage/innodb_plugin/include/db0err.h +++ b/storage/innodb_plugin/include/db0err.h @@ -94,6 +94,9 @@ enum db_err { DB_PRIMARY_KEY_IS_NULL, /* a column in the PRIMARY KEY was found to be NULL */ + DB_FOREIGN_EXCEED_MAX_CASCADE, /* Foreign key constraint related + cascading delete/update exceeds + maximum allowed depth */ /* The following are partial failure codes */ DB_FAIL = 1000, diff --git a/storage/innodb_plugin/include/dict0load.h b/storage/innodb_plugin/include/dict0load.h index 60b8c1fb632..f41882019d5 100644 --- a/storage/innodb_plugin/include/dict0load.h +++ b/storage/innodb_plugin/include/dict0load.h @@ -97,6 +97,8 @@ ulint dict_load_foreigns( /*===============*/ const char* table_name, /*!< in: table name */ + ibool check_recursive,/*!< in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets);/*!< in: TRUE=check charsets compatibility */ /********************************************************************//** diff --git a/storage/innodb_plugin/include/dict0mem.h b/storage/innodb_plugin/include/dict0mem.h index 2fce1e00927..19782c2e76a 100644 --- a/storage/innodb_plugin/include/dict0mem.h +++ b/storage/innodb_plugin/include/dict0mem.h 
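Review bot: The new `case DB_FOREIGN_EXCEED_MAX_CASCADE:` sits directly below `case DB_INTERRUPTED:`, whose body ends in `/* fall through */`, so an interrupted query now also runs `push_warning_printf` and gets the "cascading foreign key constraints" warning attached to the session. Move the new case above `case DB_INTERRUPTED:` so that only the cascade error reaches the warning, and keep its own `/* fall through */` to `DB_ERROR`. The switch starts and ends outside the hunk.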
@@ -112,6 +112,21 @@ ROW_FORMAT=REDUNDANT. */ in table->flags. */ /* @} */ +/** Tables could be chained together with Foreign key constraint. When +first load the parent table, we would load all of its descedents. +This could result in rescursive calls and out of stack error eventually. +DICT_FK_MAX_RECURSIVE_LOAD defines the maximum number of recursive loads, +when exceeded, the child table will not be loaded. It will be loaded when +the foreign constraint check needs to be run. */ +#define DICT_FK_MAX_RECURSIVE_LOAD 250 + +/** Similarly, when tables are chained together with foreign key constraints +with on cascading delete/update clause, delete from parent table could +result in recursive cascading calls. This defines the maximum number of +such cascading deletes/updates allowed. When exceeded, the delete from +parent table will fail, and user has to drop excessive foreign constraint +before proceeds. */ +#define FK_MAX_CASCADE_DEL 300 /**********************************************************************//** Creates a table memory object. @@ -434,6 +449,12 @@ struct dict_table_struct{ NOT allowed until this count gets to zero; MySQL does NOT itself check the number of open handles at drop */ + unsigned fk_max_recusive_level:8; + /*!< maximum recursive level we support when + loading tables chained together with FK + constraints. If exceeds this level, we will + stop loading child table into memory along with + its parent table */ ulint n_foreign_key_checks_running; /*!< count of how many foreign key check operations are currently being performed diff --git a/storage/innodb_plugin/include/que0que.h b/storage/innodb_plugin/include/que0que.h index 39f8d07af89..84b83208416 100644 --- a/storage/innodb_plugin/include/que0que.h +++ b/storage/innodb_plugin/include/que0que.h 
@@ -381,6 +381,9 @@ struct que_thr_struct{ thus far */ ulint lock_state; /*!< lock state of thread (table or row) */ + ulint fk_cascade_depth; /*!< maximum cascading call depth + supported for foreign key constraint + related delete/updates */ }; #define QUE_THR_MAGIC_N 8476583 diff --git a/storage/innodb_plugin/row/row0merge.c b/storage/innodb_plugin/row/row0merge.c index 56a68b58225..05d77ad7f19 100644 --- a/storage/innodb_plugin/row/row0merge.c +++ b/storage/innodb_plugin/row/row0merge.c @@ -2395,7 +2395,7 @@ row_merge_rename_tables( goto err_exit; } - err = dict_load_foreigns(old_name, TRUE); + err = dict_load_foreigns(old_name, FALSE, TRUE); if (err != DB_SUCCESS) { err_exit: diff --git a/storage/innodb_plugin/row/row0mysql.c b/storage/innodb_plugin/row/row0mysql.c index feeb7fc80b7..a582de3e583 100644 --- a/storage/innodb_plugin/row/row0mysql.c +++ b/storage/innodb_plugin/row/row0mysql.c @@ -576,6 +576,13 @@ handle_new_error: "InnoDB: " REFMAN "forcing-recovery.html" " for help.\n", stderr); break; + case DB_FOREIGN_EXCEED_MAX_CASCADE: + fprintf(stderr, "InnoDB: Cannot delete/update rows with" + " cascading foreign key constraints that exceed max" + " depth of %lu\n" + "Please drop excessive foreign constraints" + " and try again\n", (ulong) DICT_FK_MAX_RECURSIVE_LOAD); + break; default: fprintf(stderr, "InnoDB: unknown error code %lu\n", (ulong) err); @@ -1381,11 +1388,15 @@ row_update_for_mysql( run_again: thr->run_node = node; thr->prev_node = node; + thr->fk_cascade_depth = 0; row_upd_step(thr); err = trx->error_state; + /* Reset fk_cascade_depth back to 0 */ + thr->fk_cascade_depth = 0; + if (err != DB_SUCCESS) { que_thr_stop_for_mysql(thr); @@ -1576,6 +1587,12 @@ row_update_cascade_for_mysql( trx_t* trx; trx = thr_get_trx(thr); + + thr->fk_cascade_depth++; + + if (thr->fk_cascade_depth > FK_MAX_CASCADE_DEL) { + return (DB_FOREIGN_EXCEED_MAX_CASCADE); + } run_again: thr->run_node = node; thr->prev_node = node; 
@@ -2056,7 +2073,7 @@ row_table_add_foreign_constraints( name, reject_fks); if (err == DB_SUCCESS) { /* Check that also referencing constraints are ok */ - err = dict_load_foreigns(name, TRUE); + err = dict_load_foreigns(name, FALSE, TRUE); } if (err != DB_SUCCESS) { @@ -3915,7 +3932,7 @@ end: an ALTER, not in a RENAME. */ err = dict_load_foreigns( - new_name, !old_is_tmp || trx->check_foreigns); + new_name, FALSE, !old_is_tmp || trx->check_foreigns); if (err != DB_SUCCESS) { ut_print_timestamp(stderr); From f4e68824c83c3e3d38597df393a33e1fb0a9d2a4 Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Wed, 4 Aug 2010 03:37:44 -0700 Subject: [PATCH 05/23] Fix bug #54678, InnoDB, TRUNCATE, ALTER, I_S SELECT, crash or deadlock rb://399 approved by Sunny Bains --- storage/innodb_plugin/ChangeLog | 5 +++ storage/innodb_plugin/include/dict0dict.h | 16 +++++++++ storage/innodb_plugin/include/dict0dict.ic | 42 ++++++++++++++++++++++ storage/innodb_plugin/row/row0mysql.c | 14 ++++++++ 4 files changed, 77 insertions(+) diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index 56729852a62..ce625a93871 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,8 @@ +2010-08-03 The InnoDB Team + + * include/dict0dict.h, include/dict0dict.ic, row/row0mysql.c: + Fix bug #54678, InnoDB, TRUNCATE, ALTER, I_S SELECT, crash or deadlock + 2010-08-03 The InnoDB Team * dict/dict0load.c, handler/ha_innodb.cc, include/db0err.h, diff --git a/storage/innodb_plugin/include/dict0dict.h b/storage/innodb_plugin/include/dict0dict.h index 3a1bee4cd89..5ffa59538c8 100644 --- a/storage/innodb_plugin/include/dict0dict.h +++ b/storage/innodb_plugin/include/dict0dict.h 
@@ -680,6 +680,22 @@ ulint dict_table_zip_size( /*================*/ const dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table); /*!< in: table */ /********************************************************************//** Checks if a column is in the ordering columns of the clustered index of a table. Column prefixes are treated like whole columns. diff --git a/storage/innodb_plugin/include/dict0dict.ic b/storage/innodb_plugin/include/dict0dict.ic index 46e78df8272..1704e9c2d71 100644 --- a/storage/innodb_plugin/include/dict0dict.ic +++ b/storage/innodb_plugin/include/dict0dict.ic 
@@ -452,6 +452,48 @@ dict_table_zip_size( return(dict_table_flags_to_zip_size(table->flags)); } +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + /* Loop through each index of the table and lock them */ + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_lock(dict_index_get_lock(index)); + } +} + +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_unlock(dict_index_get_lock(index)); + } +} /********************************************************************//** Gets the number of fields in the internal representation of an index, including fields added by the dictionary system. diff --git a/storage/innodb_plugin/row/row0mysql.c b/storage/innodb_plugin/row/row0mysql.c index a582de3e583..9d7cb976caf 100644 --- a/storage/innodb_plugin/row/row0mysql.c +++ b/storage/innodb_plugin/row/row0mysql.c 
@@ -2766,6 +2766,15 @@ row_truncate_table_for_mysql( trx->table_id = table->id; + /* Lock all index trees for this table, as we will + truncate the table/index and possibly change their metadata. + All DML/DDL are blocked by table level lock, with + a few exceptions such as queries into information schema + about the table, MySQL could try to access index stats + for this kind of query, we need to use index locks to + sync up */ + dict_table_x_lock_indexes(table); + if (table->space && !table->dir_path_of_temp_table) { /* Discard and create the single-table tablespace. */ ulint space = table->space; @@ -2782,6 +2791,7 @@ row_truncate_table_for_mysql( || fil_create_new_single_table_tablespace( space, table->name, FALSE, flags, FIL_IBD_FILE_INITIAL_SIZE) != DB_SUCCESS) { + dict_table_x_unlock_indexes(table); ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: TRUNCATE TABLE %s failed to" @@ -2885,6 +2895,10 @@ next_rec: mem_heap_free(heap); + /* Done with index truncation, release index tree locks, + subsequent work relates to table level metadata change */ + dict_table_x_unlock_indexes(table); + dict_hdr_get_new_id(&new_id, NULL, NULL); info = pars_info_create(); From e19a494287037b24b272b0a88cb48baf80a1df09 Mon Sep 17 00:00:00 2001 
From: Sunny Bains Date: Thu, 5 Aug 2010 19:18:17 +1000 Subject: [PATCH 06/23] Fix bug# 55543 - InnoDB Plugin: Signal 6: Assertion failure in file fil/fil0fil.c line 4306 The bug is due to a double delete of a BLOB, once via: rollback -> btr_cur_pessimistic_delete() and the second time via purge. The bug is in row_upd_clust_rec_by_insert(). There we relinquish ownership of the non-updated BLOB columns in btr_cur_mark_extern_inherited_fields() before building the row entry that will be inserted and whose contents will be logged in the UNDO log. However, we don't set the BLOB column later to INHERITED so that a possible rollback will not free the original row's non-updated BLOB entries. This is because the condition that checks for that is in : if (node->upd_ext) {}. node->upd_ext is non-NULL only if a BLOB column was updated and that column is part of some key ordering (see row_upd_replace()). This results in the non-update BLOB columns being deleted during a rollback and subsequently by purge again. rb://413 --- storage/innodb_plugin/btr/btr0cur.c | 12 +++++++++--- storage/innodb_plugin/include/btr0cur.h | 5 +++-- storage/innodb_plugin/row/row0upd.c | 12 +++++++----- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/storage/innodb_plugin/btr/btr0cur.c b/storage/innodb_plugin/btr/btr0cur.c index 7fa7d42320a..8db12a0bbb8 100644 --- a/storage/innodb_plugin/btr/btr0cur.c +++ b/storage/innodb_plugin/btr/btr0cur.c @@ -3484,9 +3484,10 @@ btr_cur_set_ownership_of_extern_field( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed 
@@ -3500,13 +3501,14 @@ btr_cur_mark_extern_inherited_fields( ulint n; ulint j; ulint i; + ibool change_ownership = FALSE; ut_ad(rec_offs_validate(rec, NULL, offsets)); ut_ad(!rec_offs_comp(offsets) || !rec_get_node_ptr_flag(rec)); if (!rec_offs_any_extern(offsets)) { - return; + return(FALSE); } n = rec_offs_n_fields(offsets); @@ -3529,10 +3531,14 @@ btr_cur_mark_extern_inherited_fields( btr_cur_set_ownership_of_extern_field( page_zip, rec, index, offsets, i, FALSE, mtr); + + change_ownership = TRUE; updated: ; } } + + return(change_ownership); } /*******************************************************************//** diff --git a/storage/innodb_plugin/include/btr0cur.h b/storage/innodb_plugin/include/btr0cur.h index 7dc2eb63cf5..e151fdcb563 100644 --- a/storage/innodb_plugin/include/btr0cur.h +++ b/storage/innodb_plugin/include/btr0cur.h @@ -468,9 +468,10 @@ btr_estimate_number_of_different_key_vals( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed diff --git a/storage/innodb_plugin/row/row0upd.c b/storage/innodb_plugin/row/row0upd.c index 397b117c067..04c3139fcc7 100644 --- a/storage/innodb_plugin/row/row0upd.c +++ b/storage/innodb_plugin/row/row0upd.c @@ -1598,6 +1598,7 @@ row_upd_clust_rec_by_insert( dict_table_t* table; dtuple_t* entry; ulint err; + ibool change_ownership = FALSE; ut_ad(node); ut_ad(dict_index_is_clust(index)); 
@@ -1630,9 +1631,9 @@ row_upd_clust_rec_by_insert( index = dict_table_get_first_index(table); offsets = rec_get_offsets(rec, index, offsets_, ULINT_UNDEFINED, &heap); - btr_cur_mark_extern_inherited_fields( - btr_cur_get_page_zip(btr_cur), - rec, index, offsets, node->update, mtr); + change_ownership = btr_cur_mark_extern_inherited_fields( + btr_cur_get_page_zip(btr_cur), rec, index, offsets, + node->update, mtr); if (check_ref) { /* NOTE that the following call loses the position of pcur ! */ @@ -1661,10 +1662,11 @@ row_upd_clust_rec_by_insert( row_upd_index_entry_sys_field(entry, index, DATA_TRX_ID, trx->id); - if (node->upd_ext) { + if (change_ownership) { /* If we return from a lock wait, for example, we may have extern fields marked as not-owned in entry (marked in the - if-branch above). We must unmark them. */ + if-branch above). We must unmark them, take the ownership + back. */ btr_cur_unmark_dtuple_extern_fields(entry); From 6c0f9301ea434cce4fe2df0ad36c26694375b997 Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Thu, 5 Aug 2010 19:24:34 +1000 Subject: [PATCH 07/23] Fix Bug #55277 - Failing assertion: auto_inc > 0 Handle overflow when reading value from SELECT MAX(C) FROM T; Call ha_innobase::info() after initializing the autoinc value in ha_innobase::open(). Fix for both the builtin and plugin. rb://402 --- .../suite/innodb/r/innodb-autoinc.result | 13 ++++++++++++ mysql-test/suite/innodb/t/innodb-autoinc.test | 12 +++++++++++ storage/innobase/handler/ha_innodb.cc | 21 ++++++++++++------- storage/innodb_plugin/handler/ha_innodb.cc | 21 ++++++++++++------- 4 files changed, 53 insertions(+), 14 deletions(-) diff --git a/mysql-test/suite/innodb/r/innodb-autoinc.result b/mysql-test/suite/innodb/r/innodb-autoinc.result index a36b3a1a865..350c7ebd541 100644 --- a/mysql-test/suite/innodb/r/innodb-autoinc.result +++ b/mysql-test/suite/innodb/r/innodb-autoinc.result 
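Review bot: `change_ownership` is a local that starts as FALSE on every call (declared in the `@@ -1598` hunk) and is set only by the `btr_cur_mark_extern_inherited_fields()` call, so a re-entry that skips that call would also skip `btr_cur_unmark_dtuple_extern_fields(entry)` in the `if (change_ownership)` block. The comment inside that block names exactly this case ("If we return from a lock wait ... marked in the if-branch above"), which suggests the marking sits in a branch a retry does not take; the branch condition is outside the hunk, so this is inferred. If that is right, the flag has to survive the retry, or at minimum the old trigger should be kept next to the new one: `if (change_ownership || node->upd_ext) {`. The storage/innobase/row/row0upd.c copy later in the series has the same shape.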
@@ -1244,3 +1244,16 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`c1`) ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 DROP TABLE t1; +DROP TABLE IF EXISTS t1; +Warnings: +Note 1051 Unknown table 't1' +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB AUTO_INCREMENT=18446744073709551615 DEFAULT CHARSET=latin1 +DROP TABLE t1; diff --git a/mysql-test/suite/innodb/t/innodb-autoinc.test b/mysql-test/suite/innodb/t/innodb-autoinc.test index ef0359b78b0..10602499222 100644 --- a/mysql-test/suite/innodb/t/innodb-autoinc.test +++ b/mysql-test/suite/innodb/t/innodb-autoinc.test @@ -662,3 +662,15 @@ INSERT INTO t1 VALUES (1), (2), (-685113344), (NULL); SELECT * FROM t1; SHOW CREATE TABLE t1; DROP TABLE t1; + +## +# 55277: Failing assertion: auto_inc > 0 +# +DROP TABLE IF EXISTS t1; +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +# Restart the server +-- source include/restart_mysqld.inc +SHOW CREATE TABLE t1; +DROP TABLE t1; diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index 930785d7dcd..300d9743234 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc 
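Review bot: The added `DROP TABLE IF EXISTS t1;` in innodb-autoinc.test directly follows a `DROP TABLE t1;`, so it can only ever produce the `Note 1051 Unknown table 't1'` warning that is now recorded in innodb-autoinc.result. Either drop the statement, or wrap it as `--disable_warnings`, `DROP TABLE IF EXISTS t1;`, `--enable_warnings` so the expected output does not depend on leftover state. The same lines are added again later in the series for suite/innodb_plugin and in the merge of this fix.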
@@ -2720,12 +2720,19 @@ ha_innobase::innobase_initialize_autoinc() err = row_search_max_autoinc(index, col_name, &read_auto_inc); switch (err) { - case DB_SUCCESS: - /* At the this stage we do not know the increment - or the offset, so use a default increment of 1. */ - auto_inc = read_auto_inc + 1; - break; + case DB_SUCCESS: { + ulonglong col_max_value; + col_max_value = innobase_get_int_col_max_value(field); + + /* At the this stage we do not know the increment + nor the offset, so use a default increment of 1. */ + + auto_inc = innobase_next_autoinc( + read_auto_inc, 1, 1, col_max_value); + + break; + } case DB_RECORD_NOT_FOUND: ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: MySQL and InnoDB data " @@ -2951,8 +2958,6 @@ retry: /* Init table lock structure */ thr_lock_data_init(&share->lock,&lock,(void*) 0); - info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); - /* Only if the table has an AUTOINC column. */ if (prebuilt->table != NULL && table->found_next_number_field != NULL) { dict_table_autoinc_lock(prebuilt->table); @@ -2969,6 +2974,8 @@ retry: dict_table_autoinc_unlock(prebuilt->table); } + info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); + DBUG_RETURN(0); } diff --git a/storage/innodb_plugin/handler/ha_innodb.cc b/storage/innodb_plugin/handler/ha_innodb.cc index 1cba1de1590..69ca4a5051e 100644 --- a/storage/innodb_plugin/handler/ha_innodb.cc +++ b/storage/innodb_plugin/handler/ha_innodb.cc 
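Review bot: The comment in the new `case DB_SUCCESS:` block still reads "At the this stage" and does not say why `read_auto_inc + 1` was replaced, which is the point of the change. Something like `/* read_auto_inc may already be the column maximum; let innobase_next_autoinc() bound the result by col_max_value instead of letting the addition overflow. */` would record it; the bounding behaviour is taken from the commit message ("Handle overflow"), since innobase_next_autoinc() itself is not in the hunk. `col_max_value` could also be initialised at its declaration. The identical hunk is applied to storage/innodb_plugin/handler/ha_innodb.cc and again in the later merge.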
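Review bot: The relocated `info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST);` call now depends on running after the AUTOINC block, but nothing at the new call site says so, and a later tidy-up could move it back above the block. A one-line comment such as `/* Must follow the AUTOINC initialisation above (Bug #55277). */` would pin the ordering. ha_innobase::open() starts and continues outside these hunks, and the same move is made in the innodb_plugin copy.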
@@ -3361,12 +3361,19 @@ ha_innobase::innobase_initialize_autoinc() err = row_search_max_autoinc(index, col_name, &read_auto_inc); switch (err) { - case DB_SUCCESS: - /* At the this stage we do not know the increment - or the offset, so use a default increment of 1. */ - auto_inc = read_auto_inc + 1; - break; + case DB_SUCCESS: { + ulonglong col_max_value; + col_max_value = innobase_get_int_col_max_value(field); + + /* At the this stage we do not know the increment + nor the offset, so use a default increment of 1. */ + + auto_inc = innobase_next_autoinc( + read_auto_inc, 1, 1, col_max_value); + + break; + } case DB_RECORD_NOT_FOUND: ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: MySQL and InnoDB data " @@ -3661,8 +3668,6 @@ retry: dict_table_get_format(prebuilt->table)); } - info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); - /* Only if the table has an AUTOINC column. */ if (prebuilt->table != NULL && table->found_next_number_field != NULL) { dict_table_autoinc_lock(prebuilt->table); @@ -3679,6 +3684,8 @@ retry: dict_table_autoinc_unlock(prebuilt->table); } + info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); + DBUG_RETURN(0); } From ed736379f5ba4e681088a139cefaebb50600a44a Mon Sep 17 00:00:00 2001 
From: Gleb Shchepa Date: Fri, 6 Aug 2010 23:29:37 +0400 Subject: [PATCH 08/23] Bug #55424: convert_tz crashes when fed invalid data The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. --- mysql-test/r/timezone2.result | 12 ++++++++++++ mysql-test/t/timezone2.test | 9 +++++++++ sql/sql_string.h | 2 +- sql/tztime.cc | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/mysql-test/r/timezone2.result b/mysql-test/r/timezone2.result index 2948bb8ecec..e2e337628ce 100644 --- a/mysql-test/r/timezone2.result +++ b/mysql-test/r/timezone2.result @@ -296,4 +296,16 @@ CONVERT_TZ(NOW(), 'UTC', 'Europe/Moscow') IS NULL UPDATE t1 SET t = CONVERT_TZ(t, 'UTC', 'Europe/Moscow'); UNLOCK TABLES; DROP TABLE t1; +# +# Bug #55424: convert_tz crashes when fed invalid data +# +CREATE TABLE t1 (a SET('x') NOT NULL); +INSERT INTO t1 VALUES (''); +SELECT CONVERT_TZ(1, a, 1) FROM t1; +CONVERT_TZ(1, a, 1) +NULL +SELECT CONVERT_TZ(1, 1, a) FROM t1; +CONVERT_TZ(1, 1, a) +NULL +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/timezone2.test b/mysql-test/t/timezone2.test index 15ddceb8d68..c4445da107c 100644 --- a/mysql-test/t/timezone2.test +++ b/mysql-test/t/timezone2.test 
@@ -273,5 +273,14 @@ UNLOCK TABLES; DROP TABLE t1; +--echo # +--echo # Bug #55424: convert_tz crashes when fed invalid data +--echo # + +CREATE TABLE t1 (a SET('x') NOT NULL); +INSERT INTO t1 VALUES (''); +SELECT CONVERT_TZ(1, a, 1) FROM t1; +SELECT CONVERT_TZ(1, 1, a) FROM t1; +DROP TABLE t1; --echo End of 5.1 tests diff --git a/sql/sql_string.h b/sql/sql_string.h index d62908e5d66..bb7d69aeccc 100644 --- a/sql/sql_string.h +++ b/sql/sql_string.h @@ -97,7 +97,7 @@ public: inline uint32 alloced_length() const { return Alloced_length;} inline char& operator [] (uint32 i) const { return Ptr[i]; } inline void length(uint32 len) { str_length=len ; } - inline bool is_empty() { return (str_length == 0); } + inline bool is_empty() const { return (str_length == 0); } inline void mark_as_const() { Alloced_length= 0;} inline const char *ptr() const { return Ptr; } inline char *c_ptr() diff --git a/sql/tztime.cc b/sql/tztime.cc index c7a4ad049ec..7ebb8eb392a 100644 --- a/sql/tztime.cc +++ b/sql/tztime.cc @@ -2259,7 +2259,7 @@ my_tz_find(THD *thd, const String *name) DBUG_PRINT("enter", ("time zone name='%s'", name ? ((String *)name)->c_ptr_safe() : "NULL")); - if (!name) + if (!name || name->is_empty()) DBUG_RETURN(0); VOID(pthread_mutex_lock(&tz_LOCK)); From a557509653a9909bf5bc27734a2d538254c9b1bc Mon Sep 17 00:00:00 2001 
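Review bot: The new `name->is_empty()` guard in my_tz_find() carries no comment, and the reason for it lives only in the commit message: an empty String can have a NULL buffer, and a zero-length key makes the hash lookup compare using the stored record's length. I would add `/* An empty String may have a NULL buffer, which the tz_names hash search must never see (Bug #55424). */` above the check. The `DBUG_PRINT` just before it still calls `c_ptr_safe()` on the same String ahead of the guard in debug builds, so that path deserves a look as well. my_tz_find() continues outside the hunk, and since the hazard described belongs to the hash search itself, other lookups keyed by a caller-supplied String may merit the same check.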
From: Georgi Kodinov Date: Fri, 13 Aug 2010 14:18:46 +0300 Subject: [PATCH 09/23] Bug #55615 and bug #55564 An user assignment variable expression that's evaluated in a logical expression context (Item::val_bool()) can be pre-calculated in a temporary table for GROUP BY. However when the expression value is used after the temp table creation it was re-evaluated instead of being read from the temp table due to a missing val_bool_result() method. Fixed by implementing the method. --- mysql-test/r/user_var.result | 17 +++++++++++++++++ mysql-test/t/user_var.test | 18 ++++++++++++++++++ sql/item_func.cc | 8 ++++++++ sql/item_func.h | 1 + 4 files changed, 44 insertions(+) diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index be10bd9954b..56266a46e20 100644 --- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -430,4 +430,21 @@ CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10 INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +# BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) +1 +1 +# BUG#55564 : should not crash +SELECT IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +FROM t1 GROUP BY a LIMIT 1; +IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test index b6b58e7bd46..4f27866de23 100644 --- a/mysql-test/t/user_var.test +++ b/mysql-test/t/user_var.test 
@@ -328,4 +328,22 @@ INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +# +# Bug #55615: debug assertion after using variable in assignment and +# referred to +# Bug #55564: crash with user variables, assignments, joins... +# + +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +--echo # BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +--echo # BUG#55564 : should not crash +SELECT IF( + @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), + count(*), 1) +FROM t1 GROUP BY a LIMIT 1; + +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index 1b13297c951..eecdc801512 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -4263,6 +4263,14 @@ longlong Item_func_set_user_var::val_int_result() return entry->val_int(&null_value); } +bool Item_func_set_user_var::val_bool_result() +{ + DBUG_ASSERT(fixed == 1); + check(TRUE); + update(); // Store expression + return entry->val_int(&null_value) != 0; +} + String *Item_func_set_user_var::str_result(String *str) { DBUG_ASSERT(fixed == 1); diff --git a/sql/item_func.h b/sql/item_func.h index 71168c64e4b..256348eee08 100644 --- a/sql/item_func.h +++ b/sql/item_func.h @@ -1353,6 +1353,7 @@ public: my_decimal *val_decimal(my_decimal *); double val_result(); longlong val_int_result(); + bool val_bool_result(); String *str_result(String *str); my_decimal *val_decimal_result(my_decimal *); bool is_null_result(); From 2ecc81cb308fd978dfa3719d3b88825ee5c7f76e Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 13 Aug 2010 14:20:49 +0300 Subject: [PATCH 10/23] merge --- mysql-test/r/user_var.result | 17 +++++++++++++++++ mysql-test/t/user_var.test | 18 ++++++++++++++++++ sql/item_func.cc | 8 ++++++++ sql/item_func.h | 1 + 4 files changed, 44 insertions(+) diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index 29c05a60166..a680e837cae 100644 
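Review bot: The new `Item_func_set_user_var::val_bool_result()` derives truth from `entry->val_int(&null_value) != 0`, so its result depends on how val_int() converts non-integer values. If that conversion truncates (the definition of `entry->val_int` is not in this hunk), an assignment such as `@v:=0.5` would be false here while being true where it is evaluated as a real; this is worth confirming and, if so, covering with a fractional value in user_var.test. The method also lacks a comment tying it to its purpose, e.g. `/* Boolean counterpart of val_int_result(); see Bug #55615 and Bug #55564. */`. The same hunk is applied again by the merge commit that follows.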
--- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -428,6 +428,23 @@ CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10 INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +# BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) +1 +1 +# BUG#55564 : should not crash +SELECT IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +FROM t1 GROUP BY a LIMIT 1; +IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +1 +DROP TABLE t1; End of 5.1 tests DROP TABLE IF EXISTS t1; CREATE TABLE t1(f1 INT AUTO_INCREMENT, PRIMARY KEY(f1)); diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test index fc4bc61f526..06508c43766 100644 --- a/mysql-test/t/user_var.test +++ b/mysql-test/t/user_var.test @@ -326,6 +326,24 @@ INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +# +# Bug #55615: debug assertion after using variable in assignment and +# referred to +# Bug #55564: crash with user variables, assignments, joins... +# + +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +--echo # BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +--echo # BUG#55564 : should not crash +SELECT IF( + @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), + count(*), 1) +FROM t1 GROUP BY a LIMIT 1; + +DROP TABLE t1; + --echo End of 5.1 tests # diff --git a/sql/item_func.cc b/sql/item_func.cc index 7812460bd2b..22dc0b173c4 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc 
@@ -4621,6 +4621,14 @@ longlong Item_func_set_user_var::val_int_result() return entry->val_int(&null_value); } +bool Item_func_set_user_var::val_bool_result() +{ + DBUG_ASSERT(fixed == 1); + check(TRUE); + update(); // Store expression + return entry->val_int(&null_value) != 0; +} + String *Item_func_set_user_var::str_result(String *str) { DBUG_ASSERT(fixed == 1); diff --git a/sql/item_func.h b/sql/item_func.h index 834ecd60e21..15730516c71 100644 --- a/sql/item_func.h +++ b/sql/item_func.h @@ -1416,6 +1416,7 @@ public: my_decimal *val_decimal(my_decimal *); double val_result(); longlong val_int_result(); + bool val_bool_result(); String *str_result(String *str); my_decimal *val_decimal_result(my_decimal *); bool is_null_result(); From bfca4bb9bf14efd4d8862d1edd8da8d8f155da15 Mon Sep 17 00:00:00 2001 
From: Vasil Dimov Date: Fri, 13 Aug 2010 15:52:11 +0300 Subject: [PATCH 11/23] Manually merge a changeset from mysql-5.1-security: ------------------------------------------------------------ revno: 3475 revision-id: jimmy.yang@oracle.com-20100804103744-vbpeghipkz6pyc9z parent: jimmy.yang@oracle.com-20100804101133-c38qqbm0fkwn9jhc committer: Jimmy Yang branch nick: mysql-5.1-security timestamp: Wed 2010-08-04 03:37:44 -0700 message: Fix bug #54678, InnoDB, TRUNCATE, ALTER, I_S SELECT, crash or deadlock rb://399 approved by Sunny Bains modified: storage/innodb_plugin/ChangeLog 2425@16c675df-0fcb-4bc9-8058-dcc011a37293:branches%2Fzip%2FChangeLog storage/innodb_plugin/include/dict0dict.h 2@16c675df-0fcb-4bc9-8058-dcc011a37293:trunk%2Finclude%2Fdict0dict.h storage/innodb_plugin/include/dict0dict.ic 2@16c675df-0fcb-4bc9-8058-dcc011a37293:trunk%2Finclude%2Fdict0dict.ic storage/innodb_plugin/row/row0mysql.c 2@16c675df-0fcb-4bc9-8058-dcc011a37293:trunk%2Frow%2Frow0mysql.c --- storage/innobase/include/dict0dict.h | 16 ++++++++++ storage/innobase/include/dict0dict.ic | 42 +++++++++++++++++++++++++++ storage/innobase/row/row0mysql.c | 14 +++++++++ 3 files changed, 72 insertions(+) diff --git a/storage/innobase/include/dict0dict.h b/storage/innobase/include/dict0dict.h index 971173a65a5..029cf408141 100644 --- a/storage/innobase/include/dict0dict.h +++ b/storage/innobase/include/dict0dict.h 
@@ -707,6 +707,22 @@ ulint dict_table_zip_size( /*================*/ const dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table); /*!< in: table */ /********************************************************************//** Checks if a column is in the ordering columns of the clustered index of a table. Column prefixes are treated like whole columns. diff --git a/storage/innobase/include/dict0dict.ic b/storage/innobase/include/dict0dict.ic index 09f967aa74a..42f124dedfc 100644 --- a/storage/innobase/include/dict0dict.ic +++ b/storage/innobase/include/dict0dict.ic 
@@ -490,6 +490,48 @@ dict_table_zip_size( return(dict_table_flags_to_zip_size(table->flags)); } +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + /* Loop through each index of the table and lock them */ + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_lock(dict_index_get_lock(index)); + } +} + +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_unlock(dict_index_get_lock(index)); + } +} /********************************************************************//** Gets the number of fields in the internal representation of an index, including fields added by the dictionary system. diff --git a/storage/innobase/row/row0mysql.c b/storage/innobase/row/row0mysql.c index 1262ac71e98..fc71f52096f 100644 --- a/storage/innobase/row/row0mysql.c +++ b/storage/innobase/row/row0mysql.c 
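Review bot: Both new helpers assert `mutex_own(&(dict_sys->mutex))`, so `dict_table_x_lock_indexes()` blocks on each index `rw_lock_x_lock()` while the dictionary mutex is held, and the header comments state neither that precondition nor the resulting lock order. A thread that holds one of these index locks and then waits for `dict_sys->mutex` would deadlock against this loop; whether such a path exists cannot be judged from the diff. I would add to both header comments: `The caller must hold dict_sys->mutex; lock order is dict_sys->mutex first, then the index locks in index-list order.` The declarations in dict0dict.h should carry the same sentence, since `ut_ad` checks the precondition in debug builds only.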
@@ -2808,6 +2808,15 @@ row_truncate_table_for_mysql( trx->table_id = table->id; + /* Lock all index trees for this table, as we will + truncate the table/index and possibly change their metadata. + All DML/DDL are blocked by table level lock, with + a few exceptions such as queries into information schema + about the table, MySQL could try to access index stats + for this kind of query, we need to use index locks to + sync up */ + dict_table_x_lock_indexes(table); + if (table->space && !table->dir_path_of_temp_table) { /* Discard and create the single-table tablespace. */ ulint space = table->space; @@ -2824,6 +2833,7 @@ row_truncate_table_for_mysql( || fil_create_new_single_table_tablespace( space, table->name, FALSE, flags, FIL_IBD_FILE_INITIAL_SIZE) != DB_SUCCESS) { + dict_table_x_unlock_indexes(table); ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: TRUNCATE TABLE %s failed to" @@ -2927,6 +2937,10 @@ next_rec: mem_heap_free(heap); + /* Done with index truncation, release index tree locks, + subsequent work relates to table level metadata change */ + dict_table_x_unlock_indexes(table); + dict_hdr_get_new_id(&new_id, NULL, NULL); info = pars_info_create(); From 62aa8943b8b0603fe4a01a4248f5fa89a133cf9f Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Mon, 16 Aug 2010 10:12:22 +1000 Subject: [PATCH 12/23] Add test to the plugin branch from fix for bug# 55277. --- .../suite/innodb_plugin/r/innodb-autoinc.result | 13 +++++++++++++ .../suite/innodb_plugin/t/innodb-autoinc.test | 12 ++++++++++++ 2 files changed, 25 insertions(+) diff --git a/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result b/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result index a36b3a1a865..350c7ebd541 100644 --- a/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result +++ b/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result 
@@ -1244,3 +1244,16 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`c1`) ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 DROP TABLE t1; +DROP TABLE IF EXISTS t1; +Warnings: +Note 1051 Unknown table 't1' +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB AUTO_INCREMENT=18446744073709551615 DEFAULT CHARSET=latin1 +DROP TABLE t1; diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test b/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test index 49394a019d0..3d67fe5738d 100644 --- a/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test @@ -667,6 +667,18 @@ SELECT * FROM t1; SHOW CREATE TABLE t1; DROP TABLE t1; +## +# 55277: Failing assertion: auto_inc > 0 +# +DROP TABLE IF EXISTS t1; +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +# Restart the server +-- source include/restart_mysqld.inc +SHOW CREATE TABLE t1; +DROP TABLE t1; + # # restore environment to the state it was before this test execution # From 787f0c54cb5b33fe8263afcbb7c812805d525a8d Mon Sep 17 00:00:00 2001 
From: Sunny Bains Date: Mon, 16 Aug 2010 11:59:43 +1000 Subject: [PATCH 13/23] Fix Bug #55277 - Failing assertion: auto_inc > 0 Handle overflow when reading value from SELECT MAX(C) FROM T; Call ha_innobase::info() after initializing the autoinc value in ha_innobase::open(). Fix for both the builtin and plugin. rb://402 Merge from mysql-5.1-security. --- .../suite/innodb/r/innodb-autoinc.result | 13 ++++++++++++ mysql-test/suite/innodb/t/innodb-autoinc.test | 12 ++++++++++- storage/innobase/handler/ha_innodb.cc | 21 ++++++++++++------- 3 files changed, 38 insertions(+), 8 deletions(-) diff --git a/mysql-test/suite/innodb/r/innodb-autoinc.result b/mysql-test/suite/innodb/r/innodb-autoinc.result index a36b3a1a865..350c7ebd541 100644 --- a/mysql-test/suite/innodb/r/innodb-autoinc.result +++ b/mysql-test/suite/innodb/r/innodb-autoinc.result @@ -1244,3 +1244,16 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`c1`) ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 DROP TABLE t1; +DROP TABLE IF EXISTS t1; +Warnings: +Note 1051 Unknown table 't1' +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB AUTO_INCREMENT=18446744073709551615 DEFAULT CHARSET=latin1 +DROP TABLE t1; diff --git a/mysql-test/suite/innodb/t/innodb-autoinc.test b/mysql-test/suite/innodb/t/innodb-autoinc.test index a8e853baef7..da0783bdc7c 100644 --- a/mysql-test/suite/innodb/t/innodb-autoinc.test +++ b/mysql-test/suite/innodb/t/innodb-autoinc.test 
@@ -665,7 +665,17 @@ SELECT * FROM t1; SHOW CREATE TABLE t1; DROP TABLE t1; - +## +# 55277: Failing assertion: auto_inc > 0 +# +DROP TABLE IF EXISTS t1; +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +# Restart the server +-- source include/restart_mysqld.inc +SHOW CREATE TABLE t1; +DROP TABLE t1; # # restore environment to the state it was before this test execution # diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index ab9df9a0272..e1b9f9e224f 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -3528,12 +3528,19 @@ ha_innobase::innobase_initialize_autoinc() err = row_search_max_autoinc(index, col_name, &read_auto_inc); switch (err) { - case DB_SUCCESS: - /* At the this stage we do not know the increment - or the offset, so use a default increment of 1. */ - auto_inc = read_auto_inc + 1; - break; + case DB_SUCCESS: { + ulonglong col_max_value; + col_max_value = innobase_get_int_col_max_value(field); + + /* At the this stage we do not know the increment + nor the offset, so use a default increment of 1. */ + + auto_inc = innobase_next_autoinc( + read_auto_inc, 1, 1, col_max_value); + + break; + } case DB_RECORD_NOT_FOUND: ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: MySQL and InnoDB data " @@ -3828,8 +3835,6 @@ retry: dict_table_get_format(prebuilt->table)); } - info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); - /* Only if the table has an AUTOINC column. */ if (prebuilt->table != NULL && table->found_next_number_field != NULL) { dict_table_autoinc_lock(prebuilt->table); @@ -3846,6 +3851,8 @@ retry: dict_table_autoinc_unlock(prebuilt->table); } + info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); + DBUG_RETURN(0); } From 97aa1215796d6a0ed66267e229ef42e6b3d6d452 Mon Sep 17 00:00:00 2001 
From: Sunny Bains Date: Mon, 16 Aug 2010 12:05:49 +1000 Subject: [PATCH 14/23] Merge from -c3476 mysql-5.1-security. ------------------------------------------------------------ revno: 3476 committer: Sunny Bains branch nick: 5.1-security timestamp: Thu 2010-08-05 19:18:17 +1000 message: Fix bug# 55543 - InnoDB Plugin: Signal 6: Assertion failure in file fil/fil0fil.c line 4306 The bug is due to a double delete of a BLOB, once via: rollback -> btr_cur_pessimistic_delete() and the second time via purge. The bug is in row_upd_clust_rec_by_insert(). There we relinquish ownership of the non-updated BLOB columns in btr_cur_mark_extern_inherited_fields() before building the row entry that will be inserted and whose contents will be logged in the UNDO log. However, we don't set the BLOB column later to INHERITED so that a possible rollback will not free the original row's non-updated BLOB entries. This is because the condition that checks for that is in : if (node->upd_ext) {}. node->upd_ext is non-NULL only if a BLOB column was updated and that column is part of some key ordering (see row_upd_replace()). This results in the non-update BLOB columns being deleted during a rollback and subsequently by purge again. rb://413 --- storage/innobase/btr/btr0cur.c | 12 +++++++++--- storage/innobase/include/btr0cur.h | 5 +++-- storage/innobase/row/row0upd.c | 9 ++++++--- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/storage/innobase/btr/btr0cur.c b/storage/innobase/btr/btr0cur.c index 537d5f51184..4a8ba1ade96 100644 --- a/storage/innobase/btr/btr0cur.c +++ b/storage/innobase/btr/btr0cur.c 
@@ -3603,9 +3603,10 @@ btr_cur_set_ownership_of_extern_field( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed @@ -3619,13 +3620,14 @@ btr_cur_mark_extern_inherited_fields( ulint n; ulint j; ulint i; + ibool change_ownership = FALSE; ut_ad(rec_offs_validate(rec, NULL, offsets)); ut_ad(!rec_offs_comp(offsets) || !rec_get_node_ptr_flag(rec)); if (!rec_offs_any_extern(offsets)) { - return; + return(FALSE); } n = rec_offs_n_fields(offsets); @@ -3648,10 +3650,14 @@ btr_cur_mark_extern_inherited_fields( btr_cur_set_ownership_of_extern_field( page_zip, rec, index, offsets, i, FALSE, mtr); + + change_ownership = TRUE; updated: ; } } + + return(change_ownership); } /*******************************************************************//** diff --git a/storage/innobase/include/btr0cur.h b/storage/innobase/include/btr0cur.h index 757477838ee..e38cb51a987 100644 --- a/storage/innobase/include/btr0cur.h +++ b/storage/innobase/include/btr0cur.h @@ -456,9 +456,10 @@ btr_estimate_number_of_different_key_vals( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed 
diff --git a/storage/innobase/row/row0upd.c b/storage/innobase/row/row0upd.c index 588ee352ba0..a1004c0d2cf 100644 --- a/storage/innobase/row/row0upd.c +++ b/storage/innobase/row/row0upd.c @@ -1626,6 +1626,7 @@ row_upd_clust_rec_by_insert( dict_table_t* table; dtuple_t* entry; ulint err; + ibool change_ownership = FALSE; ut_ad(node); ut_ad(dict_index_is_clust(index)); @@ -1658,10 +1659,11 @@ row_upd_clust_rec_by_insert( index = dict_table_get_first_index(table); offsets = rec_get_offsets(rec, index, offsets_, ULINT_UNDEFINED, &heap); - btr_cur_mark_extern_inherited_fields( + change_ownership = btr_cur_mark_extern_inherited_fields( btr_cur_get_page_zip(btr_cur), rec, index, offsets, node->update, mtr); if (referenced) { + /* NOTE that the following call loses the position of pcur ! */ @@ -1694,10 +1696,11 @@ row_upd_clust_rec_by_insert( row_upd_index_entry_sys_field(entry, index, DATA_TRX_ID, trx->id); - if (node->upd_ext) { + if (change_ownership) { /* If we return from a lock wait, for example, we may have extern fields marked as not-owned in entry (marked in the - if-branch above). We must unmark them. */ + if-branch above). We must unmark them, take the ownership + back. */ btr_cur_unmark_dtuple_extern_fields(entry); From 3b36a677ba839448a25b4e4f90a1bf1caf99bb76 Mon Sep 17 00:00:00 2001 
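Review bot: The comment under the new `if (change_ownership)` guard in `row_upd_clust_rec_by_insert()` still describes only the lock-wait case and does not record why `node->upd_ext` was the wrong condition, which is the whole point of the fix. Going by the commit message, I would add `/* Test the ownership transfer itself, not node->upd_ext: upd_ext is non-NULL only when an updated BLOB column is part of a key ordering, so it misses non-updated BLOBs, which rollback and then purge would both free. */`. `change_ownership` appears to be assigned only inside a branch whose start is outside the hunk, so the `FALSE` initialiser is what keeps the guard correct on the other path and deserves a short note at the declaration. Callers of `btr_cur_mark_extern_inherited_fields()` other than this one are not visible here; any that ignore the new return value should be checked for the same pattern.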
From: Georgi Kodinov Date: Fri, 20 Aug 2010 11:52:16 +0300 Subject: [PATCH 15/23] Bug #55826: create table .. select crashes with when KILL_BAD_DATA is returned Two problems discovered with the LEAST()/GREATEST() functions: 1. The check for a null value should happen even after the second call to val_str() in the args. This is important because two subsequent calls to the same Item::val_str() may yield different results. Fixed by checking for NULL value before dereferencing the string result. 2. While looping over the arguments and evaluating them the loop should stop if there was an error evaluating so far or the statement was killed. Fixed by checking for error and bailing out. --- mysql-test/suite/innodb/r/innodb_mysql.result | 13 +++++++++++++ mysql-test/suite/innodb/t/innodb_mysql.test | 15 +++++++++++++++ sql/item_func.cc | 16 +++++++++++++++- 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/mysql-test/suite/innodb/r/innodb_mysql.result b/mysql-test/suite/innodb/r/innodb_mysql.result index 8765f58b120..cb0e2a35e34 100644 --- a/mysql-test/suite/innodb/r/innodb_mysql.result +++ b/mysql-test/suite/innodb/r/innodb_mysql.result @@ -2507,4 +2507,17 @@ LOCK TABLES t1 READ; ALTER TABLE t1 COMMENT 'test'; UNLOCK TABLES; DROP TABLE t1; +# +# Bug#55826: create table .. select crashes with when KILL_BAD_DATA +# is returned +# +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +CREATE TABLE t2 +SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +ERROR 22007: Incorrect datetime value: '' for column 'NOW()' at row 1 +DROP TABLE t1,t2; +ERROR 42S02: Unknown table 't2' +SET SQL_MODE=DEFAULT; End of 5.1 tests diff --git a/mysql-test/suite/innodb/t/innodb_mysql.test b/mysql-test/suite/innodb/t/innodb_mysql.test index 80f14d32eb8..c8acc6813e8 100644 --- a/mysql-test/suite/innodb/t/innodb_mysql.test +++ b/mysql-test/suite/innodb/t/innodb_mysql.test 
@@ -751,4 +751,19 @@ UNLOCK TABLES; DROP TABLE t1; +--echo # +--echo # Bug#55826: create table .. select crashes with when KILL_BAD_DATA +--echo # is returned +--echo # + +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +--error ER_TRUNCATED_WRONG_VALUE +CREATE TABLE t2 + SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +DROP TABLE t1,t2; +SET SQL_MODE=DEFAULT; + + --echo End of 5.1 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index eecdc801512..f022a218889 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2263,7 +2263,7 @@ void Item_func_min_max::fix_length_and_dec() stored to the value pointer, if latter is provided. RETURN - 0 If one of arguments is NULL + 0 If one of arguments is NULL or there was a execution error # index of the least/greatest argument */ @@ -2277,6 +2277,14 @@ uint Item_func_min_max::cmp_datetimes(ulonglong *value) Item **arg= args + i; bool is_null; longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null); + + /* Check if we need to stop (because of error or KILL) and stop the loop */ + if (thd->is_error()) + { + null_value= 1; + return 0; + } + if ((null_value= args[i]->null_value)) return 0; if (i == 0 || (res < min_max ? cmp_sign : -cmp_sign) > 0) @@ -2305,6 +2313,12 @@ String *Item_func_min_max::val_str(String *str) if (null_value) return 0; str_res= args[min_max_idx]->val_str(str); + if (args[min_max_idx]->null_value) + { + // check if the call to val_str() above returns a NULL value + null_value= 1; + return NULL; + } str_res->set_charset(collation.collation); return str_res; } From 0e74ac50285b15fae7fda70a809c9b42027e88c2 Mon Sep 17 00:00:00 2001 
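Review bot: In `Item_func_min_max::val_str()` the new guard tests `args[min_max_idx]->null_value` but not the pointer that is dereferenced on the following line, so the safety of `str_res->set_charset(...)` depends on every `val_str()` implementation setting `null_value` whenever it returns NULL. Checking both costs nothing: `if (!str_res || args[min_max_idx]->null_value)`. In `cmp_datetimes()` the early exit on `thd->is_error()` returns 0, the same value used for a NULL argument, and relies on `null_value= 1` to tell callers not to use index 0; the callers other than `val_str()` are outside these hunks, so it should be confirmed that each of them tests `null_value` before using the result. Both function bodies begin outside the hunks.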
From: Alexey Kopytov Date: Tue, 24 Aug 2010 14:35:48 +0400 Subject: [PATCH 16/23] Bug #55568: user variable assignments crash server when used within query The server could crash after materializing a derived table which requires a temporary table for grouping. When destroying the temporary table used to execute a query for a derived table, JOIN::destroy() did not clean up Item_fields pointing to fields in the temporary table. This led to dereferencing a dangling pointer when printing out the items tree later in the outer SELECT. The solution is an addendum to the patch for bug37362: in addition to cleaning up items in tmp_all_fields3, do the same for items in tmp_all_fields1, since now we have an example where this is necessary. --- mysql-test/r/join.result | 51 ++++++++++++++++++++++++++++++++++++++++ mysql-test/t/join.test | 46 ++++++++++++++++++++++++++++++++++++ sql/field.cc | 2 +- sql/sql_select.cc | 22 +++++++++++------ sql/sql_select.h | 1 + 5 files changed, 114 insertions(+), 8 deletions(-) diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index c60c6bfb3c8..c3c292b2106 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result 
@@ -1184,4 +1184,55 @@ NULL NULL 1 DROP TABLE t1, t2, mm1; +# +# Bug #55568: user variable assignments crash server when used within +# query +# +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (0), (1); +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +DROP TABLE t1; +# +# Bug #54468: crash after item's print() function when ordering/grouping +# by subquery +# +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, +(SELECT 1 FROM +(SELECT t1.b FROM t1,t1 t2 +ORDER BY t1.a, t1.a LIMIT 1) AS d) +); +1 +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 43b373c9703..6969be6fdc4 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -851,4 +851,50 @@ ENGINE=MERGE UNION=(t1,t2); SELECT t1.a FROM mm1,t1; DROP TABLE t1, t2, mm1; +--echo # +--echo # Bug #55568: user variable assignments crash server when used within +--echo # query +--echo # + +CREATE TABLE t1 (a INT); + +INSERT INTO t1 VALUES (0), (1); + +let $i=2; +while ($i) +{ + SELECT MULTIPOINT( + 1, + ( + SELECT MULTIPOINT( + MULTIPOINT( + 1, + (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) + ) + ) FROM t1 + ) + ) != COUNT(*) q FROM t1 GROUP BY a; + dec $i; +} + +DROP TABLE t1; + +--echo # +--echo # Bug #54468: crash after item's print() function when ordering/grouping +--echo # by subquery +--echo # + +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); + +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, + (SELECT 1 FROM + (SELECT t1.b FROM t1,t1 t2 + ORDER BY t1.a, t1.a LIMIT 1) AS d) + ); + +DROP TABLE t1; + --echo End of 5.1 tests 
diff --git a/sql/field.cc b/sql/field.cc index c887a5f1c9b..619e6a780da 100644 --- a/sql/field.cc +++ b/sql/field.cc @@ -1535,7 +1535,7 @@ void Field::make_field(Send_field *field) } else field->org_table_name= field->db_name= ""; - if (orig_table) + if (orig_table && orig_table->alias) { field->table_name= orig_table->alias; field->org_col_name= field_name; diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 2fc287bbe66..fc137f5fd90 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -2378,13 +2378,8 @@ JOIN::destroy() cleanup(1); /* Cleanup items referencing temporary table columns */ - if (!tmp_all_fields3.is_empty()) - { - List_iterator_fast it(tmp_all_fields3); - Item *item; - while ((item= it++)) - item->cleanup(); - } + cleanup_item_list(tmp_all_fields1); + cleanup_item_list(tmp_all_fields3); if (exec_tmp_table1) free_tmp_table(thd, exec_tmp_table1); if (exec_tmp_table2) @@ -2395,6 +2390,19 @@ JOIN::destroy() DBUG_RETURN(error); } + +void JOIN::cleanup_item_list(List &items) const +{ + if (!items.is_empty()) + { + List_iterator_fast it(items); + Item *item; + while ((item= it++)) + item->cleanup(); + } +} + + /** An entry point to single-unit select (a select without UNION). diff --git a/sql/sql_select.h b/sql/sql_select.h index b39827ef61b..007dc91957c 100644 --- a/sql/sql_select.h +++ b/sql/sql_select.h @@ -577,6 +577,7 @@ private: */ bool implicit_grouping; bool make_simple_join(JOIN *join, TABLE *tmp_table); + void cleanup_item_list(List &items) const; }; From 73d767644abf69bd1ac118d58e7f29dcca5c0aac Mon Sep 17 00:00:00 2001 
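Review bot: `JOIN::destroy()` now calls `cleanup_item_list()` for `tmp_all_fields1` and `tmp_all_fields3` but not for `tmp_all_fields2`, although `exec_tmp_table2` is freed a few lines further down in the same hunk. If items in that list can also point at columns of a temporary table, the dangling-pointer case from the commit message stays open for it; either add `cleanup_item_list(tmp_all_fields2);` or a comment stating why that list never needs it. The `is_empty()` test inside `cleanup_item_list()` looks redundant, since the `while ((item= it++))` loop presumably does nothing on an empty list. In `Field::make_field()` the added `orig_table->alias` test sends a table without an alias to the else branch, which lies outside the hunk, so what `table_name` becomes in that case cannot be checked from here.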
From: Jimmy Yang Date: Tue, 24 Aug 2010 20:42:33 -0700 Subject: [PATCH 17/23] This is to resolve a hang situation in 5.1 builtin raised by bug #49251 (deadlock/crash with concurrent truncate table and index statistics calculation) by backporting a solution from #54678 fixed for 5.1 plugin and 5.5. --- storage/innobase/include/dict0dict.h | 16 ++++++++++ storage/innobase/include/dict0dict.ic | 42 +++++++++++++++++++++++++++ storage/innobase/row/row0mysql.c | 13 +++++++++ 3 files changed, 71 insertions(+) diff --git a/storage/innobase/include/dict0dict.h b/storage/innobase/include/dict0dict.h index e76f23d0767..369d354c520 100644 --- a/storage/innobase/include/dict0dict.h +++ b/storage/innobase/include/dict0dict.h @@ -588,6 +588,22 @@ dict_table_is_comp_noninline( /* out: TRUE if table uses the compact page format */ const dict_table_t* table); /* in: table */ +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table); /* in: table */ +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table); /* in: table */ /************************************************************************ Checks if a column is in the ordering columns of the clustered index of a table. Column prefixes are treated like whole columns. */ diff --git a/storage/innobase/include/dict0dict.ic b/storage/innobase/include/dict0dict.ic index 7d38cbcd1fa..5cdbdbeb03d 100644 --- a/storage/innobase/include/dict0dict.ic +++ b/storage/innobase/include/dict0dict.ic 
@@ -298,6 +298,48 @@ dict_table_is_comp( return(UNIV_LIKELY(table->flags & DICT_TF_COMPACT)); } +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table) /* in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + /* Loop through each index of the table and lock them */ + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_lock(dict_index_get_lock(index)); + } +} + +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table) /* in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_unlock(dict_index_get_lock(index)); + } +} /************************************************************************ Gets the number of fields in the internal representation of an index, including fields added by the dictionary system. */ diff --git a/storage/innobase/row/row0mysql.c b/storage/innobase/row/row0mysql.c index 3b76ffa76f1..aae4703737b 100644 --- a/storage/innobase/row/row0mysql.c +++ b/storage/innobase/row/row0mysql.c 
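Review bot: `dict_table_x_lock_indexes()` and `dict_table_x_unlock_indexes()` both require the caller to hold `dict_sys->mutex`, but the only place that says so is `ut_ad(mutex_own(&(dict_sys->mutex)))`, a debug-build assertion, and neither header comment mentions it. I would add `The caller must hold dict_sys->mutex.` to both comments here and to the matching declarations in `dict0dict.h`. The unlock comment should also say that it must be paired with an earlier `dict_table_x_lock_indexes()` on the same table while the index list is unchanged, because it walks the list again and unlocks whatever it finds there.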
@@ -2830,6 +2830,15 @@ row_truncate_table_for_mysql( trx->table_id = table->id; + /* Lock all index trees for this table, as we will + truncate the table/index and possibly change their metadata. + All DML/DDL are blocked by table level lock, with + a few exceptions such as queries into information schema + about the table, MySQL could try to access index stats + for this kind of query, we need to use index locks to + sync up */ + dict_table_x_lock_indexes(table); + /* scan SYS_INDEXES for all indexes of the table */ heap = mem_heap_create(800); @@ -2902,6 +2911,10 @@ next_rec: mem_heap_free(heap); + /* Done with index truncation, release index tree locks, + subsequent work relates to table level metadata change */ + dict_table_x_unlock_indexes(table); + new_id = dict_hdr_get_new_id(DICT_HDR_TABLE_ID); info = pars_info_create(); From 6c6a3e8f44a160b6b1a9eac95a08d36d22666679 Mon Sep 17 00:00:00 2001 From: Alexey Kopytov Date: Thu, 26 Aug 2010 14:13:02 +0400 Subject: [PATCH 18/23] Bug #53544: Server hangs during JOIN query in stored procedure called twice in a row Queries with nested joins could cause an infinite loop in the server when used from SP/PS. When flattening nested joins, simplify_joins() tracks if the name resolution list needs to be updated by setting fix_name_res to TRUE if the current loop iteration has done any transformations to the join table list. The problem was that the flag was not reset before the next loop iteration leading to unnecessary "fixing" of the name resolution list which in turn could lead to a loop (i.e. circularly-linked part) in that list. This was causing problems on subsequent execution when used together with stored procedures or prepared statements. Fixed by making sure fix_name_res is reset on every loop iteration. --- mysql-test/r/join.result | 20 ++++++++++++++++++++ mysql-test/t/join.test | 20 ++++++++++++++++++++ sql/sql_select.cc | 2 +- 3 files changed, 41 insertions(+), 1 deletion(-) 
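Review bot: The `dict_table_x_lock_indexes(table)` and `dict_table_x_unlock_indexes(table)` calls added to `row_truncate_table_for_mysql()` are separated by the SYS_INDEXES scan, most of which lies between the two hunks, so it cannot be confirmed from here that every path taken after the lock reaches the unlock. Any exit or `goto` in that stretch that bypasses it would leave every index tree of the table X-locked. I would extend the lock comment with `Every path from here must reach dict_table_x_unlock_indexes() below.` and check the skipped region for early exits before merging. The comment text itself would read better split into sentences: the part starting "MySQL could try to access index stats" is the actual reason for the lock and is easy to miss.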
diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index c3c292b2106..9a8b441b363 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result @@ -1235,4 +1235,24 @@ ORDER BY t1.a, t1.a LIMIT 1) AS d) 1 1 DROP TABLE t1; +# +# Bug #53544: Server hangs during JOIN query in stored procedure called +# twice in a row +# +CREATE TABLE t1(c INT); +INSERT INTO t1 VALUES (1), (2); +PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN + t1 t2 ON t1.c=t2.c RIGHT JOIN + t1 t3 ON t1.c=t3.c + GROUP BY f1;"; +EXECUTE stmt; +f1 +1 +2 +EXECUTE stmt; +f1 +1 +2 +DEALLOCATE PREPARE stmt; +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 6969be6fdc4..73a1ae5eb82 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -897,4 +897,24 @@ GREATEST(t1.a, DROP TABLE t1; +--echo # +--echo # Bug #53544: Server hangs during JOIN query in stored procedure called +--echo # twice in a row +--echo # + +CREATE TABLE t1(c INT); + +INSERT INTO t1 VALUES (1), (2); + +PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN + t1 t2 ON t1.c=t2.c RIGHT JOIN + t1 t3 ON t1.c=t3.c + GROUP BY f1;"; + +EXECUTE stmt; +EXECUTE stmt; + +DEALLOCATE PREPARE stmt; +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index a77c270f709..ed5123817bf 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -8885,10 +8885,10 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top) /* Flatten nested joins that can be flattened. */ TABLE_LIST *right_neighbor= NULL; - bool fix_name_res= FALSE; li.rewind(); while ((table= li++)) { + bool fix_name_res= FALSE; nested_join= table->nested_join; if (nested_join && !table->on_expr) { From 5caea4a995130cd7c82574acc591ff7c46d9d978 Mon Sep 17 00:00:00 2001 
From: Kristofer Pettersson Date: Tue, 7 Sep 2010 11:37:46 +0200 Subject: [PATCH 19/23] Bug#55531 crash with conversions of geometry types / strings Conversion from a floating point number to a string caused a crash. During rare circumstances a String object could crash when it was requested to allocate new memory. A crash could occur in Field_double::val_str() because of a pointer referencing memory inside a String object which was of unknown size. And finally, the geometric collection should not accept arguments which are non geometric. --- mysql-test/r/gis.result | 60 ++++------------------------------------- mysql-test/t/gis.test | 42 ++++++++++++++++++----------- sql/field.cc | 2 +- sql/item_geofunc.h | 13 +++++++++ 4 files changed, 46 insertions(+), 71 deletions(-) diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result index 3e28227d542..565563237d1 100644 --- a/mysql-test/r/gis.result +++ b/mysql-test/r/gis.result 
@@ -707,10 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL, area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL, y(b) IS NULL from t1; -geometryfromtext(b) IS NULL geometryfromwkb(b) IS NULL astext(b) IS NULL aswkb(b) IS NULL geometrytype(b) IS NULL centroid(b) IS NULL envelope(b) IS NULL startpoint(b) IS NULL endpoint(b) IS NULL exteriorring(b) IS NULL pointn(b, 1) IS NULL geometryn(b, 1) IS NULL interiorringn(b, 1) IS NULL multipoint(b) IS NULL isempty(b) IS NULL issimple(b) IS NULL isclosed(b) IS NULL dimension(b) IS NULL numgeometries(b) IS NULL numinteriorrings(b) IS NULL numpoints(b) IS NULL area(b) IS NULL glength(b) IS NULL srid(b) IS NULL x(b) IS NULL y(b) IS NULL -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 +ERROR 22007: Illegal non geometric '' value found during parsing select within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL, equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL, @@ -725,10 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS multilinestring(b) IS NULL, multipolygon(b) IS NULL, geometrycollection(b) IS NULL from t1; -point(b, b) IS NULL linestring(b) IS NULL polygon(b) IS NULL multipoint(b) IS NULL multilinestring(b) IS NULL multipolygon(b) IS NULL geometrycollection(b) IS NULL -0 1 1 1 1 1 1 -1 1 1 1 1 1 1 -0 1 1 1 1 1 1 +ERROR 22007: Illegal non geometric '' value found during parsing drop table t1; CREATE TABLE t1(a POINT) ENGINE=MyISAM; INSERT INTO t1 VALUES (NULL); 
@@ -1010,51 +1004,7 @@ f5 datetime YES NULL drop view v1; drop table t1; SELECT MultiPoint(12345,''); -MultiPoint(12345,'') -NULL -SELECT MultiPoint(123451,''); -MultiPoint(123451,'') -NULL -SELECT MultiPoint(1234512,''); -MultiPoint(1234512,'') -NULL -SELECT MultiPoint(12345123,''); -MultiPoint(12345123,'') -NULL -SELECT MultiLineString(12345,''); -MultiLineString(12345,'') -NULL -SELECT MultiLineString(123451,''); -MultiLineString(123451,'') -NULL -SELECT MultiLineString(1234512,''); -MultiLineString(1234512,'') -NULL -SELECT MultiLineString(12345123,''); -MultiLineString(12345123,'') -NULL -SELECT LineString(12345,''); -LineString(12345,'') -NULL -SELECT LineString(123451,''); -LineString(123451,'') -NULL -SELECT LineString(1234512,''); -LineString(1234512,'') -NULL -SELECT LineString(12345123,''); -LineString(12345123,'') -NULL -SELECT Polygon(12345,''); -Polygon(12345,'') -NULL -SELECT Polygon(123451,''); -Polygon(123451,'') -NULL -SELECT Polygon(1234512,''); -Polygon(1234512,'') -NULL -SELECT Polygon(12345123,''); -Polygon(12345123,'') -NULL +ERROR 22007: Illegal non geometric '12345' value found during parsing +SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); +ERROR 22007: Illegal non geometric '' value found during parsing End of 5.1 tests diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test index bc0695aaa93..5a367188163 100644 --- a/mysql-test/t/gis.test +++ b/mysql-test/t/gis.test @@ -401,6 +401,7 @@ create table t1 (a int, b blob); insert into t1 values (1, ''), (2, NULL), (3, '1'); select * from t1; +--error ER_ILLEGAL_VALUE_FOR_TYPE select geometryfromtext(b) IS NULL, geometryfromwkb(b) IS NULL, astext(b) IS NULL, aswkb(b) IS NULL, geometrytype(b) IS NULL, centroid(b) IS NULL, 
@@ -419,6 +420,7 @@ select intersects(b, b) IS NULL, crosses(b, b) IS NULL from t1; +--error ER_ILLEGAL_VALUE_FOR_TYPE select point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS NULL, multilinestring(b) IS NULL, multipolygon(b) IS NULL, @@ -702,24 +704,34 @@ drop table t1; # Bug#44684: valgrind reports invalid reads in # Item_func_spatial_collection::val_str # +--error ER_ILLEGAL_VALUE_FOR_TYPE SELECT MultiPoint(12345,''); -SELECT MultiPoint(123451,''); -SELECT MultiPoint(1234512,''); -SELECT MultiPoint(12345123,''); +#SELECT MultiPoint(123451,''); +#SELECT MultiPoint(1234512,''); +#SELECT MultiPoint(12345123,''); -SELECT MultiLineString(12345,''); -SELECT MultiLineString(123451,''); -SELECT MultiLineString(1234512,''); -SELECT MultiLineString(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT MultiLineString(12345,''); +#SELECT MultiLineString(123451,''); +#SELECT MultiLineString(1234512,''); +#SELECT MultiLineString(12345123,''); -SELECT LineString(12345,''); -SELECT LineString(123451,''); -SELECT LineString(1234512,''); -SELECT LineString(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT LineString(12345,''); +#SELECT LineString(123451,''); +#SELECT LineString(1234512,''); +#SELECT LineString(12345123,''); -SELECT Polygon(12345,''); -SELECT Polygon(123451,''); -SELECT Polygon(1234512,''); -SELECT Polygon(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT Polygon(12345,''); +#SELECT Polygon(123451,''); +#SELECT Polygon(1234512,''); +#SELECT Polygon(12345123,''); + +# +# Bug55531 crash with conversions of geometry types / strings +# +--error ER_ILLEGAL_VALUE_FOR_TYPE +SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); --echo End of 5.1 tests diff --git a/sql/field.cc b/sql/field.cc index 619e6a780da..724f8e0af73 100644 --- a/sql/field.cc +++ b/sql/field.cc 
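Review bot: In the Bug#44684 block, three of the added `--error ER_ILLEGAL_VALUE_FOR_TYPE` directives are followed only by commented-out statements, and fifteen of the sixteen original constructor calls no longer run. That block was the regression test for invalid reads in `Item_func_spatial_collection::val_str`, so `MultiLineString`, `LineString` and `Polygon` lose their coverage entirely. I would keep one live statement per constructor under its `--error` line, for example `SELECT MultiLineString(12345,'');`, and delete the remaining lines instead of commenting them out. The `--error` lines that have no statement after them should be removed either way, since the next live statement is what they end up applying to.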
@@ -4561,7 +4561,7 @@ String *Field_double::val_str(String *val_buffer, #endif doubleget(nr,ptr); - uint to_length=max(field_length, DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE); + uint to_length= DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE; val_buffer->alloc(to_length); char *to=(char*) val_buffer->ptr(); diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h index edbe104e307..070c2cd26fc 100644 --- a/sql/item_geofunc.h +++ b/sql/item_geofunc.h @@ -175,6 +175,19 @@ public: item_type=it; } String *val_str(String *); + void fix_length_and_dec() + { + for( unsigned int i=0; ifixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) + { + String str; + args[i]->val_str(&str); + my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr()); + } + } + } + const char *func_name() const { return "multipoint"; } }; From dc285eb7cd1e22fe8f6feac065b03602a6d804c3 Mon Sep 17 00:00:00 2001 From: Kristofer Pettersson Date: Tue, 7 Sep 2010 15:43:00 +0200 Subject: [PATCH 20/23] Post fix following fix for bug55531: Disabling testcase for bug 55568 because {1} isn't a valid geometry for a geometry collection. --- mysql-test/r/join.result | 35 -------------------------- mysql-test/t/join.test | 54 +++++++++++++++++++++------------------- 2 files changed, 29 insertions(+), 60 deletions(-) diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index 9a8b441b363..96504df4b1e 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result 
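Review bot: The result of `val_buffer->alloc(to_length)` in `Field_double::val_str()` is still ignored, and the next line takes `val_buffer->ptr()` as the write target. The commit message names allocation inside `String` as one of the crash sources, so the failure case should be handled at this call, e.g. `if (val_buffer->alloc(to_length)) { my_error(ER_OUT_OF_RESOURCES, MYF(0)); return val_buffer; }`. Since the buffer is no longer sized by `field_length`, the formatting code below the hunk needs to bound every write by `to_length`; that code is outside the hunk, so this is a request to confirm rather than a finding.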
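Review bot: The new `fix_length_and_dec()` in `item_geofunc.h` calls `my_error()` inside the argument loop and then keeps iterating, so a call with several non-geometry arguments formats and reports each of them again after the statement has already failed. A `break;` directly after the `my_error(...)` call would stop at the first offending argument. The same loop shape is kept by the rewrite in PATCH 22/23, so the remark applies there as well. A one-line comment above the loop saying that only already-fixed arguments are checked, and why, would also help, because the `fixed` test is not self-explanatory.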
@@ -1185,41 +1185,6 @@ NULL 1 DROP TABLE t1, t2, mm1; # -# Bug #55568: user variable assignments crash server when used within -# query -# -CREATE TABLE t1 (a INT); -INSERT INTO t1 VALUES (0), (1); -SELECT MULTIPOINT( -1, -( -SELECT MULTIPOINT( -MULTIPOINT( -1, -(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) -) -) FROM t1 -) -) != COUNT(*) q FROM t1 GROUP BY a; -q -NULL -NULL -SELECT MULTIPOINT( -1, -( -SELECT MULTIPOINT( -MULTIPOINT( -1, -(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) -) -) FROM t1 -) -) != COUNT(*) q FROM t1 GROUP BY a; -q -NULL -NULL -DROP TABLE t1; -# # Bug #54468: crash after item's print() function when ordering/grouping # by subquery # diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 73a1ae5eb82..05d630edfb2 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test 
@@ -851,33 +851,37 @@ ENGINE=MERGE UNION=(t1,t2); SELECT t1.a FROM mm1,t1; DROP TABLE t1, t2, mm1; ---echo # ---echo # Bug #55568: user variable assignments crash server when used within ---echo # query ---echo # +#--echo # +#--echo # Bug #55568: user variable assignments crash server when used within +#--echo # query +#--echo # +# +# +# This test case is invalidated because of fix of bug 55531 +# The reason is that {1} is not a valid geometric collection. +# +#CREATE TABLE t1 (a INT); -CREATE TABLE t1 (a INT); +#INSERT INTO t1 VALUES (0), (1); -INSERT INTO t1 VALUES (0), (1); - -let $i=2; -while ($i) -{ - SELECT MULTIPOINT( - 1, - ( - SELECT MULTIPOINT( - MULTIPOINT( - 1, - (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) - ) - ) FROM t1 - ) - ) != COUNT(*) q FROM t1 GROUP BY a; - dec $i; -} - -DROP TABLE t1; +#let $i=2; +#while ($i) +#{ +# SELECT MULTIPOINT( +# 1, +# ( +# SELECT MULTIPOINT( +# MULTIPOINT( +# 1, +# (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +# ) +# ) FROM t1 +# ) +# ) != COUNT(*) q FROM t1 GROUP BY a; +# dec $i; +#} +# +#DROP TABLE t1; --echo # --echo # Bug #54468: crash after item's print() function when ordering/grouping From f7da62d2ad5e585af2adb3cae78885114cc64393 Mon Sep 17 00:00:00 2001 From: Sergey Vojtovich Date: Wed, 8 Sep 2010 00:16:10 +0400 Subject: [PATCH 21/23] main.gis-rtree, main.type_float and main.type_newdecimal were marked as experimental due to BUG38965. --- mysql-test/collections/default.experimental | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mysql-test/collections/default.experimental b/mysql-test/collections/default.experimental index 8da83d8ae97..91dada3ee05 100644 --- a/mysql-test/collections/default.experimental +++ b/mysql-test/collections/default.experimental 
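Review bot: The Bug #55568 test is commented out rather than adapted, which removes this file's regression coverage for the dangling `Item_field` problem that PATCH 16/23 fixed in `JOIN::destroy()`. Going by that commit's description, the trigger was the derived table that needs a temporary table for grouping (`SELECT 1 FROM t1 GROUP BY a,a`), not the `MULTIPOINT` wrapper that is now rejected. I would keep the test live, either by wrapping the same subquery in an expression that is still accepted or by putting `--error ER_ILLEGAL_VALUE_FOR_TYPE` in front of the statement if it still reaches the cleanup path, and regenerate `join.result` to match. If the case really has to go, delete the lines; a block of `#`-prefixed statements will not be noticed when the underlying code changes again.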
@@ -45,3 +45,6 @@ parts.partition_syntax_ndb # joro : NDB tests marked as experiment parts.partition_value_ndb # joro : NDB tests marked as experimental as agreed with bochklin main.mysqlhotcopy_myisam # horst: due to bug#54129 main.mysqlhotcopy_archive # horst: due to bug#54129 +main.gis-rtree # svoj: due to BUG#38965 +main.type_float # svoj: due to BUG#38965 +main.type_newdecimal # svoj: due to BUG#38965 From 9080f681b4b543797e9f592aefc09977b9770b75 Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Thu, 9 Sep 2010 13:40:17 +0400 Subject: [PATCH 22/23] Fix for bug#56679: gis.test: valgrind error Item_func_spatial_collection::fix_length_and_dec() changed to use argument's print() method to print the ER_ILLEGAL_VALUE_FOR_TYPE error. --- mysql-test/r/gis.result | 6 +++--- sql/item_geofunc.h | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result index 02c8afc2d77..3b18ee61336 100644 --- a/mysql-test/r/gis.result +++ b/mysql-test/r/gis.result @@ -707,7 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL, area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL, y(b) IS NULL from t1; -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric '`test`.`t1`.`b`' value found during parsing select within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL, equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL, @@ -722,7 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS multilinestring(b) IS NULL, multipolygon(b) IS NULL, geometrycollection(b) IS NULL from t1; -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric '`test`.`t1`.`b`' value found during parsing drop table t1; CREATE TABLE t1(a POINT) ENGINE=MyISAM; INSERT INTO t1 VALUES (NULL); 
@@ -1006,7 +1006,7 @@ drop table t1; SELECT MultiPoint(12345,''); ERROR 22007: Illegal non geometric '12345' value found during parsing SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric ''00000'' value found during parsing # # BUG#51875: crash when loading data into geometry function polyfromwkb # diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h index 070c2cd26fc..b3ecbc39933 100644 --- a/sql/item_geofunc.h +++ b/sql/item_geofunc.h @@ -177,13 +177,15 @@ public: String *val_str(String *); void fix_length_and_dec() { - for( unsigned int i=0; ifixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) + if (args[i]->fixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) { String str; - args[i]->val_str(&str); - my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr()); + args[i]->print(&str, QT_ORDINARY); + str.append('\0'); + my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "non geometric", + str.ptr()); } } } From 821ac1e93389323088f63866b829096985227ff8 Mon Sep 17 00:00:00 2001 From: Alfranio Correia Date: Fri, 10 Sep 2010 11:49:57 +0100 Subject: [PATCH 23/23] BUG#55675 rpl.rpl_log_pos fails sporadically with error binlog truncated in the middle Disabled the test case. --- mysql-test/suite/rpl/t/disabled.def | 1 + 1 file changed, 1 insertion(+) diff --git a/mysql-test/suite/rpl/t/disabled.def b/mysql-test/suite/rpl/t/disabled.def index ef77c54e067..5b150288935 100644 --- a/mysql-test/suite/rpl/t/disabled.def +++ b/mysql-test/suite/rpl/t/disabled.def @@ -11,3 +11,4 @@ ############################################################################## rpl_row_create_table : Bug#51574 Feb 27 2010 andrei failed different way than earlier with bug#45576 +rpl_log_pos : BUG#55675 Sep 10 2010 27 2010 alfranio rpl.rpl_log_pos fails sporadically with error binlog truncated in the middle
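Review bot: In the rewritten `fix_length_and_dec()` the NUL terminator is added by hand with `str.append('\0')`, its result is not checked, and `str.ptr()` is then passed to `my_error()` as a C string. `String` already provides this in one call, so passing `str.c_ptr_safe()` to `my_error()` would replace both lines and keep the termination step from being lost in a later edit. The message now carries the printed form of the argument, as the updated result file shows for the column reference and for the `'00000'` literal, so a short comment that the text is the item's printed expression and not its evaluated value would prevent confusion when reading error logs.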