From 068f1f7dbf6178fae5089ae8add2facbe415c73b Mon Sep 17 00:00:00 2001 From: "gluh@mysql.com/eagle.(none)" <> Date: Sat, 9 Jun 2007 17:46:09 +0500 Subject: [PATCH 1/6] Bug#28149 overflow in some "SHOW STATUS"-variables changed bytes_received, bytes_sent status variables to longlong --- sql/mysqld.cc | 4 ++-- sql/sql_class.h | 4 ++-- sql/sql_show.cc | 2 ++ sql/structs.h | 3 ++- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 5dfb191c142..ca6bcff3b45 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -6190,8 +6190,8 @@ struct show_var_st status_vars[]= { {"Aborted_connects", (char*) &aborted_connects, SHOW_LONG}, {"Binlog_cache_disk_use", (char*) &binlog_cache_disk_use, SHOW_LONG}, {"Binlog_cache_use", (char*) &binlog_cache_use, SHOW_LONG}, - {"Bytes_received", (char*) offsetof(STATUS_VAR, bytes_received), SHOW_LONG_STATUS}, - {"Bytes_sent", (char*) offsetof(STATUS_VAR, bytes_sent), SHOW_LONG_STATUS}, + {"Bytes_received", (char*) offsetof(STATUS_VAR, bytes_received), SHOW_LONGLONG_STATUS}, + {"Bytes_sent", (char*) offsetof(STATUS_VAR, bytes_sent), SHOW_LONGLONG_STATUS}, {"Com_admin_commands", (char*) offsetof(STATUS_VAR, com_other), SHOW_LONG_STATUS}, {"Com_alter_db", (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_ALTER_DB]), SHOW_LONG_STATUS}, {"Com_alter_table", (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_ALTER_TABLE]), SHOW_LONG_STATUS}, diff --git a/sql/sql_class.h b/sql/sql_class.h index 2ff5448f3e4..50c45d461e0 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -606,8 +606,8 @@ struct system_variables typedef struct system_status_var { - ulong bytes_received; - ulong bytes_sent; + ulonglong bytes_received; + ulonglong bytes_sent; ulong com_other; ulong com_stat[(uint) SQLCOM_END]; ulong created_tmp_disk_tables; diff --git a/sql/sql_show.cc b/sql/sql_show.cc index a0db458be78..902b298e423 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -1463,6 +1463,8 @@ static bool show_status_array(THD *thd, const char *wild, case SHOW_LONG_CONST: end= int10_to_str(*(long*) value, buff, 10); break; + case SHOW_LONGLONG_STATUS: + value= ((char *) status_var + (ulonglong) value); case SHOW_LONGLONG: end= longlong10_to_str(*(longlong*) value, buff, 10); break; diff --git a/sql/structs.h b/sql/structs.h index de4cc25db9f..28bdd8c1519 100644 --- a/sql/structs.h +++ b/sql/structs.h @@ -190,7 +190,8 @@ enum SHOW_TYPE SHOW_NET_COMPRESSION, SHOW_RPL_STATUS, SHOW_SLAVE_RUNNING, SHOW_SLAVE_RETRIED_TRANS, SHOW_KEY_CACHE_LONG, SHOW_KEY_CACHE_CONST_LONG, SHOW_KEY_CACHE_LONGLONG, - SHOW_LONG_STATUS, SHOW_LONG_CONST_STATUS, SHOW_SLAVE_SKIP_ERRORS + SHOW_LONG_STATUS, SHOW_LONG_CONST_STATUS, SHOW_SLAVE_SKIP_ERRORS, + SHOW_LONGLONG_STATUS }; enum SHOW_COMP_OPTION { SHOW_OPTION_YES, SHOW_OPTION_NO, SHOW_OPTION_DISABLED}; From c25c178112daba614bac8ca3f09abc95418b7999 Mon Sep 17 00:00:00 2001 From: "gluh@mysql.com/eagle.(none)" <> Date: Sat, 9 Jun 2007 18:18:34 +0500 Subject: [PATCH 2/6] compiler warning fix --- sql/item_strfunc.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index f9a0f715985..33e9b8de823 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -3334,7 +3334,7 @@ String *Item_func_uuid::val_str(String *str) *--s=_dig_vec_lower[mac[i] >> 4]; } randominit(&uuid_rand, tmp + (ulong) server_start_time, - tmp + thd->status_var.bytes_sent); + tmp + (ulong) thd->status_var.bytes_sent); set_clock_seq_str(); } From 4cdbe25a6b3f3f47b245a15ed7ce4d584c8ef9b1 Mon Sep 17 00:00:00 2001 From: "evgen@moonbone.local" <> Date: Tue, 12 Jun 2007 01:41:23 +0400 Subject: [PATCH 3/6] Bug#28904: INSERT .. ON DUPLICATE was silently updating rows when it shouldn't. When the INSERT .. ON DUPLICATE KEY UPDATE has to update a matched row but the new data is the same as in the record then it returns as if no rows were inserted or updated. Nevertheless the row is silently updated. This leads to a situation when zero updated rows are reported in the case when data has actually been changed. Now the write_record function updates a row only if new data differs from that in the record. --- mysql-test/r/insert_update.result | 14 ++++++++++++++ mysql-test/t/insert_update.test | 16 ++++++++++++++++ sql/sql_insert.cc | 28 ++++++++++++++-------------- 3 files changed, 44 insertions(+), 14 deletions(-) diff --git a/mysql-test/r/insert_update.result b/mysql-test/r/insert_update.result index b3bca7517f3..20cde86101e 100644 --- a/mysql-test/r/insert_update.result +++ b/mysql-test/r/insert_update.result @@ -393,3 +393,17 @@ id c1 cnt 1 0 3 2 2 1 DROP TABLE t1; +create table t1(f1 int primary key, +f2 timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP); +insert into t1(f1) values(1); +select @stamp1:=f2 from t1; +@stamp1:=f2 +# +insert into t1(f1) values(1) on duplicate key update f1=1; +select @stamp2:=f2 from t1; +@stamp2:=f2 +# +select if( @stamp1 = @stamp2, "correct", "wrong"); +if( @stamp1 = @stamp2, "correct", "wrong") +correct +drop table t1; diff --git a/mysql-test/t/insert_update.test b/mysql-test/t/insert_update.test index 725fbdb25d7..67108744ec6 100644 --- a/mysql-test/t/insert_update.test +++ b/mysql-test/t/insert_update.test @@ -290,3 +290,19 @@ INSERT IGNORE INTO t1 (id,c1) SELECT * FROM t2 SELECT * FROM t1; DROP TABLE t1; + +# +# Bug#28904: INSERT .. ON DUPLICATE was silently updating rows when it +# shouldn't. +# +create table t1(f1 int primary key, + f2 timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP); +insert into t1(f1) values(1); +--replace_column 1 # +select @stamp1:=f2 from t1; +--sleep 2 +insert into t1(f1) values(1) on duplicate key update f1=1; +--replace_column 1 # +select @stamp2:=f2 from t1; +select if( @stamp1 = @stamp2, "correct", "wrong"); +drop table t1; diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc index f3ed3ebab24..228fc8860ae 100644 --- a/sql/sql_insert.cc +++ b/sql/sql_insert.cc @@ -1404,23 +1404,18 @@ int write_record(THD *thd, TABLE *table,COPY_INFO *info) goto before_trg_err; table->file->restore_auto_increment(); - if ((error=table->file->update_row(table->record[1],table->record[0]))) - { - if ((error == HA_ERR_FOUND_DUPP_KEY) && info->ignore) - { - goto ok_or_after_trg_err; - } - goto err; - } - - if (table->next_number_field) - table->file->adjust_next_insert_id_after_explicit_value( - table->next_number_field->val_int()); - info->touched++; - if ((table->file->table_flags() & HA_PARTIAL_COLUMN_READ) || compare_record(table, thd->query_id)) { + if ((error=table->file->update_row(table->record[1],table->record[0]))) + { + if ((error == HA_ERR_FOUND_DUPP_KEY) && info->ignore) + { + goto ok_or_after_trg_err; + } + goto err; + } + info->updated++; trg_error= (table->triggers && table->triggers->process_triggers(thd, TRG_EVENT_UPDATE, @@ -1429,6 +1424,11 @@ int write_record(THD *thd, TABLE *table,COPY_INFO *info) info->copied++; } + if (table->next_number_field) + table->file->adjust_next_insert_id_after_explicit_value( + table->next_number_field->val_int()); + info->touched++; + goto ok_or_after_trg_err; } else /* DUP_REPLACE */ From b9876c6e9c45114f02138b9a30f796a9b5562956 Mon Sep 17 00:00:00 2001 From: "gkodinov/kgeorge@magare.gmz" <> Date: Tue, 12 Jun 2007 11:02:34 +0300 Subject: [PATCH 4/6] Bug #28934: server crash when receiving malformed com_execute packets Sometimes a parameter slot may not get a value because of the protocol data being plain wrong. Such cases should be detected and handled by returning an error. Fixed by checking data stream constraints where possible (like maximum length) and reacting to the case where a value cannot be constructed. --- sql/sql_prepare.cc | 10 +++++ tests/mysql_client_test.c | 83 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc index 42655608196..1453a377600 100644 --- a/sql/sql_prepare.cc +++ b/sql/sql_prepare.cc @@ -562,6 +562,8 @@ void set_param_date(Item_param *param, uchar **pos, ulong len) static void set_param_str(Item_param *param, uchar **pos, ulong len) { ulong length= get_param_length(pos, len); + if (length > len) + length= len; param->set_str((const char *)*pos, length); *pos+= length; } @@ -731,6 +733,8 @@ static bool insert_params_withlog(Prepared_statement *stmt, uchar *null_array, if (read_pos >= data_end) DBUG_RETURN(1); param->set_param_func(param, &read_pos, data_end - read_pos); + if (param->state == Item_param::NO_VALUE) + DBUG_RETURN(1); } } res= param->query_val_str(&str); @@ -767,6 +771,8 @@ static bool insert_params(Prepared_statement *stmt, uchar *null_array, if (read_pos >= data_end) DBUG_RETURN(1); param->set_param_func(param, &read_pos, data_end - read_pos); + if (param->state == Item_param::NO_VALUE) + DBUG_RETURN(1); } } if (param->convert_str_value(stmt->thd)) @@ -849,6 +855,8 @@ static bool emb_insert_params(Prepared_statement *stmt, String *expanded_query) client_param->length ? *client_param->length : client_param->buffer_length); + if (param->state == Item_param::NO_VALUE) + DBUG_RETURN(1); } } if (param->convert_str_value(thd)) @@ -890,6 +898,8 @@ static bool emb_insert_params_withlog(Prepared_statement *stmt, String *query) client_param->length ? *client_param->length : client_param->buffer_length); + if (param->state == Item_param::NO_VALUE) + DBUG_RETURN(1); } } res= param->query_val_str(&str); diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 54d29dbd683..7fc45b89b82 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -15686,6 +15686,88 @@ end: } +/* + Bug#28934: server crash when receiving malformed com_execute packets +*/ + +static void test_bug28934() +{ + MYSQL *l_mysql; + my_bool error= 0; + my_ulonglong res; + MYSQL_BIND bind[5]; + MYSQL_STMT *stmt; + int cnt; + + if (!(l_mysql= mysql_init(NULL))) + { + myerror("mysql_init() failed"); + DIE_UNLESS(1); + } + if (!(mysql_real_connect(l_mysql, opt_host, opt_user, + opt_password, current_db, opt_port, + opt_unix_socket, CLIENT_FOUND_ROWS))) + { + myerror("connection failed"); + error= 1; + goto end; + } + l_mysql->reconnect= 1; + if (mysql_query(l_mysql, "drop table if exists t1")) + { + myerror(NULL); + error= 1; + goto end; + } + if (mysql_query(l_mysql, "create table t1(id int)")) + { + myerror(NULL); + error= 1; + goto end; + } + if (mysql_query(l_mysql, "insert into t1 values(1),(2),(3),(4),(5)")) + { + myerror(NULL); + error= 1; + goto end; + } + if (!(stmt= mysql_simple_prepare(l_mysql, + "select * from t1 where id in(?,?,?,?,?)"))) + { + myerror(NULL); + error= 1; + goto end; + } + + memset (&bind, 0, sizeof (bind)); + for (cnt= 0; cnt < 5; cnt++) + { + bind[cnt].buffer_type= MYSQL_TYPE_LONG; + bind[cnt].buffer= (char*)&cnt; + bind[cnt].buffer_length= 0; + } + if(mysql_stmt_bind_param(stmt, bind)) + { + myerror(NULL); + error= 1; + goto end; + } + stmt->param_count=2; + error= mysql_stmt_execute(stmt); + DIE_UNLESS (error != 0); + myerror(NULL); + error= 0; + if (mysql_query(l_mysql, "drop table t1")) + { + myerror(NULL); + error= 1; + } +end: + mysql_close(l_mysql); + DIE_UNLESS(error == 0); +} + + /* Read and parse arguments and MySQL options from my.cnf */ @@ -15968,6 +16050,7 @@ static struct my_tests_st my_tests[]= { { "test_bug24179", test_bug24179 }, { "test_bug27876", test_bug27876 }, { "test_bug28505", test_bug28505 }, + { "test_bug28934", test_bug28934 }, { 0, 0 } }; From 5ea9964b9fb397e3c38ab5fc69db3ff103f9aa9e Mon Sep 17 00:00:00 2001 From: "gkodinov/kgeorge@magare.gmz" <> Date: Tue, 12 Jun 2007 14:35:36 +0300 Subject: [PATCH 5/6] Bug #28992: trigger fails in pushbuild - fixed wrong test case for bug 20903 - closed the dangling connections in trigger.test - GET_LOCK() and RELEASE_LOCK() now produce more detailed log - fixed an omission in GET_LOCK() : assign the thread_id when acquiring the lock. --- mysql-test/r/trigger.result | 15 ++++++++------ mysql-test/t/trigger.test | 21 ++++++++++++++----- sql/item_func.cc | 41 +++++++++++++++++++++++++------------ 3 files changed, 53 insertions(+), 24 deletions(-) diff --git a/mysql-test/r/trigger.result b/mysql-test/r/trigger.result index fd9b15ab8ed..5405a632aa4 100644 --- a/mysql-test/r/trigger.result +++ b/mysql-test/r/trigger.result @@ -1454,19 +1454,22 @@ CREATE TABLE t2 (id INTEGER); INSERT INTO t2 VALUES (1),(2); CREATE TRIGGER t1_test AFTER INSERT ON t1 FOR EACH ROW INSERT INTO t2 VALUES (new.id); -SELECT GET_LOCK('B26162',20); -GET_LOCK('B26162',20) +SELECT GET_LOCK('B26162',120); +GET_LOCK('B26162',120) 1 -SELECT 'rl_acquirer', GET_LOCK('B26162',5), id FROM t2 WHERE id = 1; +SELECT 'rl_acquirer', GET_LOCK('B26162',120), id FROM t2 WHERE id = 1; SET SESSION LOW_PRIORITY_UPDATES=1; SET GLOBAL LOW_PRIORITY_UPDATES=1; INSERT INTO t1 VALUES (5); SELECT 'rl_contender', id FROM t2 WHERE id > 1; SELECT RELEASE_LOCK('B26162'); RELEASE_LOCK('B26162') -0 -rl_acquirer GET_LOCK('B26162',5) id -rl_acquirer 0 1 +1 +rl_acquirer GET_LOCK('B26162',120) id +rl_acquirer 1 1 +SELECT RELEASE_LOCK('B26162'); +RELEASE_LOCK('B26162') +1 rl_contender id rl_contender 2 DROP TRIGGER t1_test; diff --git a/mysql-test/t/trigger.test b/mysql-test/t/trigger.test index 363df94eeb3..7158d02956e 100644 --- a/mysql-test/t/trigger.test +++ b/mysql-test/t/trigger.test @@ -1763,6 +1763,9 @@ select * from t1; select * from t3; drop table t1, t2, t3; +disconnect addconroot1; +disconnect addconroot2; +disconnect addconwithoutdb; # # Bug #26162: Trigger DML ignores low_priority_updates setting # @@ -1776,19 +1779,23 @@ INSERT INTO t2 VALUES (1),(2); CREATE TRIGGER t1_test AFTER INSERT ON t1 FOR EACH ROW INSERT INTO t2 VALUES (new.id); +CONNECT (rl_holder, localhost, root,,); CONNECT (rl_acquirer, localhost, root,,); CONNECT (wl_acquirer, localhost, root,,); CONNECT (rl_contender, localhost, root,,); -SELECT GET_LOCK('B26162',20); +CONNECTION rl_holder; +SELECT GET_LOCK('B26162',120); CONNECTION rl_acquirer; --send -SELECT 'rl_acquirer', GET_LOCK('B26162',5), id FROM t2 WHERE id = 1; +SELECT 'rl_acquirer', GET_LOCK('B26162',120), id FROM t2 WHERE id = 1; CONNECTION wl_acquirer; SET SESSION LOW_PRIORITY_UPDATES=1; SET GLOBAL LOW_PRIORITY_UPDATES=1; +#need to wait for rl_acquirer to lock on the B26162 lock +sleep 2; --send INSERT INTO t1 VALUES (5); @@ -1798,13 +1805,16 @@ CONNECTION rl_contender; --send SELECT 'rl_contender', id FROM t2 WHERE id > 1; -CONNECTION default; +CONNECTION rl_holder; +#need to wait for wl_acquirer and rl_contender to lock on t2 +sleep 2; SELECT RELEASE_LOCK('B26162'); -CONNECTION wl_acquirer; ---reap CONNECTION rl_acquirer; --reap +SELECT RELEASE_LOCK('B26162'); +CONNECTION wl_acquirer; +--reap CONNECTION rl_contender; --reap @@ -1812,6 +1822,7 @@ CONNECTION default; DISCONNECT rl_acquirer; DISCONNECT wl_acquirer; DISCONNECT rl_contender; +DISCONNECT rl_holder; DROP TRIGGER t1_test; DROP TABLE t1,t2; diff --git a/sql/item_func.cc b/sql/item_func.cc index 580d19fbd4e..cc8830c6d6f 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -3449,6 +3449,7 @@ longlong Item_func_get_lock::val_int() THD *thd=current_thd; User_level_lock *ull; int error; + DBUG_ENTER("Item_func_get_lock::val_int"); /* In slave thread no need to get locks, everything is serialized. Anyway @@ -3458,7 +3459,7 @@ longlong Item_func_get_lock::val_int() it's not guaranteed to be same as on master. */ if (thd->slave_thread) - return 1; + DBUG_RETURN(1); pthread_mutex_lock(&LOCK_user_locks); @@ -3466,8 +3467,10 @@ longlong Item_func_get_lock::val_int() { pthread_mutex_unlock(&LOCK_user_locks); null_value=1; - return 0; + DBUG_RETURN(0); } + DBUG_PRINT("info", ("lock %.*s, thd=%ld", res->length(), res->ptr(), + (long) thd->real_id)); null_value=0; if (thd->ull) @@ -3486,14 +3489,17 @@ longlong Item_func_get_lock::val_int() delete ull; pthread_mutex_unlock(&LOCK_user_locks); null_value=1; // Probably out of memory - return 0; + DBUG_RETURN(0); } ull->thread=thd->real_id; + ull->thread_id=thd->thread_id; thd->ull=ull; pthread_mutex_unlock(&LOCK_user_locks); - return 1; // Got new lock + DBUG_PRINT("info", ("made new lock")); + DBUG_RETURN(1); // Got new lock } ull->count++; + DBUG_PRINT("info", ("ull->count=%d", ull->count)); /* Structure is now initialized. Try to get the lock. @@ -3507,9 +3513,13 @@ longlong Item_func_get_lock::val_int() error= 0; while (ull->locked && !thd->killed) { + DBUG_PRINT("info", ("waiting on lock")); error= pthread_cond_timedwait(&ull->cond,&LOCK_user_locks,&abstime); if (error == ETIMEDOUT || error == ETIME) + { + DBUG_PRINT("info", ("lock wait timeout")); break; + } error= 0; } @@ -3533,6 +3543,7 @@ longlong Item_func_get_lock::val_int() ull->thread_id= thd->thread_id; thd->ull=ull; error=0; + DBUG_PRINT("info", ("got the lock")); } pthread_mutex_unlock(&LOCK_user_locks); @@ -3542,7 +3553,7 @@ longlong Item_func_get_lock::val_int() thd->mysys_var->current_cond= 0; pthread_mutex_unlock(&thd->mysys_var->mutex); - return !error ? 1 : 0; + DBUG_RETURN(!error ? 1 : 0); } @@ -3560,11 +3571,14 @@ longlong Item_func_release_lock::val_int() String *res=args[0]->val_str(&value); User_level_lock *ull; longlong result; + THD *thd=current_thd; + DBUG_ENTER("Item_func_release_lock::val_int"); if (!res || !res->length()) { null_value=1; - return 0; + DBUG_RETURN(0); } + DBUG_PRINT("info", ("lock %.*s", res->length(), res->ptr())); null_value=0; result=0; @@ -3577,19 +3591,20 @@ longlong Item_func_release_lock::val_int() } else { -#ifdef EMBEDDED_LIBRARY - if (ull->locked && pthread_equal(current_thd->real_id,ull->thread)) -#else - if (ull->locked && pthread_equal(pthread_self(),ull->thread)) -#endif + DBUG_PRINT("info", ("ull->locked=%d ull->thread=%ld thd=%ld", + (int) ull->locked, + (long)ull->thread, + (long)thd->real_id)); + if (ull->locked && pthread_equal(thd->real_id,ull->thread)) { + DBUG_PRINT("info", ("release lock")); result=1; // Release is ok item_user_lock_release(ull); - current_thd->ull=0; + thd->ull=0; } } pthread_mutex_unlock(&LOCK_user_locks); - return result; + DBUG_RETURN(result); } From 2a6ac40e11addd29a010f21c1203ddd091454e5c Mon Sep 17 00:00:00 2001 From: "gkodinov/kgeorge@magare.gmz" <> Date: Tue, 12 Jun 2007 14:45:30 +0300 Subject: [PATCH 6/6] removed compilation warning --- tests/mysql_client_test.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 7fc45b89b82..ed1f2d58278 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -15694,7 +15694,6 @@ static void test_bug28934() { MYSQL *l_mysql; my_bool error= 0; - my_ulonglong res; MYSQL_BIND bind[5]; MYSQL_STMT *stmt; int cnt;