1
0
mirror of https://github.com/MariaDB/server.git synced 2025-08-26 01:44:06 +03:00
Commit Graph

18906 Commits

Author SHA1 Message Date
Georgi Kodinov
666d84c006 automerge 2011-01-07 15:30:42 +02:00
Jon Olav Hauglid
78df8c4fba Bug #50619 assert in handler::update_auto_increment
This assert could be triggered if -1 was inserted into
an auto increment column by a statement writing more than
one row.

Unless explicitly given, an interval of auto increment values
is generated when a statement first needs an auto increment
value. The triggered assert checks that the auto increment
counter is equal to or higher than the lower bound of this
interval.

Generally, the auto increment counter starts at 1 and is
incremented by 1 each time it is used. However, inserting an
explicit value into the auto increment column, sets the auto
increment counter to this value + 1 if this value is higher
than the current value of the auto increment counter.

This bug was triggered if the explicit value was -1. Since the
value was converted to unsigned before any comparisons were made,
it was found to be higher than the current vale of the auto
increment counter and the counter was set to -1 + 1. This value
was below the reserved interval and caused the assert to be
triggered the next time the statement tried to write a row.

With the patch for Bug#39828, this bug is no longer repeatable.
Now, -1 + 1 is detected as an "overflow" which causes the auto
increment counter to be set to ULONGLONG_MAX. This avoids hitting
the assert for the next insert and causes a new interval of
auto increment values to be generated. This resolves the issue.

This patch therefore only contains a regression test and no code
changes. Test case added to auto_increment.test.
2011-01-04 14:36:37 +01:00
dbb832c02e Bug #50914 mysqlbinlog not handling drop of current default database
mysqlbinlog only prints "use $database" statements to its output stream
when the active default database changes between events. This will cause
"No Database Selected" error when dropping and recreating that database.

To fix the problem, we clear print_event_info->db when printing an event
of CREATE/DROP/ALTER database statements, so that the Query_log_event
after such statements will be printed with the use 'db' anyway except
transaction keywords.
2010-12-29 11:52:57 +08:00
Sergey Glukhov
b69b46c775 Bug#57810 case/when/then : Assertion failed: length || !scale
ASSERT happens due to improper calculation of the max_length
in Item_func_div object, if dividend has max_length == 0 then
Item_func_div::max_length is set to 0 under some circumstances.
The fix:
If decimals == NOT_FIXED_DEC then set
Item_func_div::max_length to max possible
DOUBLE length value.
2010-12-24 14:05:04 +03:00
Georgi Kodinov
959cb0af9e merge 2010-12-23 12:49:08 +02:00
Sergey Glukhov
42bed4be56 test case fix 2010-12-21 15:30:07 +03:00
Sergey Glukhov
c4b2906939 Bug#58030 crash in Item_func_geometry_from_text::val_str
Item_sum_max/Item_sum_min incorrectly set null_value flag and
attempt to get result in parent functions leads to crash.
This happens due to double evaluation of the function argumet.
First evaluation happens in the comparator and second one
happens in Item_cache::cache_value().
The fix is to introduce new Item_cache object which
holds result of the argument and use this cached value
as an argument of the comparator.
2010-12-21 14:34:11 +03:00
Sven Sandberg
09c80e12c5 BUG#49978: Replication tests don't clean up replication state at the end
Major replication test framework cleanup. This does the following:
 - Ensure that all tests clean up the replication state when they
   finish, by making check-testcase check the output of SHOW SLAVE STATUS.
   This implies:
    - Slave must not be running after test finished. This is good
      because it removes the risk for sporadic errors in subsequent
      tests when a test forgets to sync correctly.
    - Slave SQL and IO errors must be cleared when test ends. This is
      good because we will notice if a test gets an unexpected error in
      the slave threads near the end.
    - We no longer have to clean up before a test starts.
 - Ensure that all tests that wait for an error in one of the slave
   threads waits for a specific error. It is no longer possible to
   source wait_for_slave_[sql|io]_to_stop.inc when there is an error
   in one of the slave threads. This is good because:
    - If a test expects an error but there is a bug that causes
      another error to happen, or if it stops the slave thread without
      an error, then we will notice.
    - When developing tests, wait_for_*_to_[start|stop].inc will fail
      immediately if there is an error in the relevant slave thread.
      Before this patch, we had to wait for the timeout.
 - Remove duplicated and repeated code for setting up unusual replication
   topologies. Now, there is a single file that is capable of setting
   up arbitrary topologies (include/rpl_init.inc, but
   include/master-slave.inc is still available for the most common
   topology). Tests can now end with include/rpl_end.inc, which will clean
   up correctly no matter what topology is used. The topology can be
   changed with include/rpl_change_topology.inc.
 - Improved debug information when tests fail. This includes:
    - debug info is printed on all servers configured by include/rpl_init.inc
    - User can set $rpl_debug=1, which makes auxiliary replication files
      print relevant debug info.
 - Improved documentation for all auxiliary replication files. Now they
   describe purpose, usage, parameters, and side effects.
 - Many small code cleanups:
    - Made have_innodb.inc output a sensible error message.
    - Moved contents of rpl000017-slave.sh into rpl000017.test
    - Added mysqltest variables that expose the current state of
      disable_warnings/enable_warnings and friends.
    - Too many to list here: see per-file comments for details.
2010-12-19 18:07:28 +01:00
Georgi Kodinov
c8853ae5e5 merge 2010-12-17 15:05:50 +02:00
Georgi Kodinov
7bdecb1d4a merge 2010-12-16 16:40:52 +02:00
Alexander Nozdrin
0e275f89f7 Auto-merge from mysql-5.0-security. 2010-12-15 19:08:21 +03:00
Alexander Nozdrin
39036ca618 Patch for Bug#57952 (privilege change is not taken into account by EXECUTE).
The user-visible problem was that changes to column-level privileges,
happened in between of PREPARE and EXECUTE of a prepared statement, were
neglected. I.e. a prepared statement could be executed with the
column-level privileges as of PREPARE-time. The problem existed for
column-level privileges only.

A similar problem existed for stored programs: the changes between
executions didn't have an effect.

Technically the thing is that table references are cached in
Prepared_statement::prepare() call. In subsequent
Prepared_statement::execute() calls those cached values are used.
There are two functions to get a field by name: find_field_in_table() and
find_field_in_table_ref(). On prepare-phase find_field_in_table_ref() is
called, on execute-phase -- find_field_in_table() because the table is
cached. find_field_in_table() does not check column-level privileges and
expects the caller to do that. The problem was that this check was
forgotten.

The fix is to check them there as it happens in find_field_in_table_ref().
2010-12-15 19:00:01 +03:00
Sergey Glukhov
622ae4184c Bug#57818 string conversion function died
Bug#57913 large negative number to string conversion functions crash
String object which is used as result container of the item
has uninitialized 'str_charset' field. This object
might be used later to preform some internal operations
and str_charset field is involved in these operations.
It leads to crash.
The fix is to intialize str_charset in my_decimal2string() func.
2010-12-14 19:08:25 +03:00
Sergey Glukhov
cd36a6a5d5 Fixed following problems:
--Bug#52157 various crashes and assertions with multi-table update, stored function
--Bug#54475 improper error handling causes cascading crashing failures in innodb/ndb
--Bug#57703 create view cause Assertion failed: 0, file .\item_subselect.cc, line 846
--Bug#57352 valgrind warnings when creating view
--Recently discovered problem when a nested materialized derived table is used
  before being populated and it leads to incorrect result

We have several modes when we should disable subquery evaluation.
The reasons for disabling are different. It could be
uselessness of the evaluation as in case of 'CREATE VIEW'
or 'PREPARE stmt', or we should disable subquery evaluation
if tables are not locked yet as it happens in bug#54475, or
too early evaluation of subqueries can lead to wrong result
as it happened in Bug#19077.
Main problem is that if subquery items are treated as const
they are evaluated in ::fix_fields(), ::fix_length_and_dec()
of the parental items as a lot of these methods have
Item::val_...() calls inside.
We have to make subqueries non-const to prevent unnecessary
subquery evaluation. At the moment we have different methods
for this. Here is a list of these modes:

1. PREPARE stmt;
We use UNCACHEABLE_PREPARE flag.
It is set during parsing in sql_parse.cc, mysql_new_select() for
each SELECT_LEX object and cleared at the end of PREPARE in
sql_prepare.cc, init_stmt_after_parse(). If this flag is set
subquery becomes non-const and evaluation does not happen.

2. CREATE|ALTER VIEW, SHOW CREATE VIEW, I_S tables which
   process FRM files
We use LEX::view_prepare_mode field. We set it before
view preparation and check this flag in
::fix_fields(), ::fix_length_and_dec().
Some bugs are fixed using this approach,
some are not(Bug#57352, Bug#57703). The problem here is
that we have a lot of ::fix_fields(), ::fix_length_and_dec()
where we use Item::val_...() calls for const items.

3. Derived tables with subquery = wrong result(Bug19077)
The reason of this bug is too early subquery evaluation.
It was fixed by adding Item::with_subselect field
The check of this field in appropriate places prevents
const item evaluation if the item have subquery.
The fix for Bug19077 fixes only the problem with
convert_constant_item() function and does not cover
other places(::fix_fields(), ::fix_length_and_dec() again)
where subqueries could be evaluated.

Example:
CREATE TABLE t1 (i INT, j BIGINT);
INSERT INTO t1 VALUES (1, 2), (2, 2), (3, 2);
SELECT * FROM (SELECT MIN(i) FROM t1
WHERE j = SUBSTRING('12', (SELECT * FROM (SELECT MIN(j) FROM t1) t2))) t3;
DROP TABLE t1;

4. Derived tables with subquery where subquery
   is evaluated before table locking(Bug#54475, Bug#52157)

Suggested solution is following:

-Introduce new field LEX::context_analysis_only with the following
 possible flags:
 #define CONTEXT_ANALYSIS_ONLY_PREPARE 1
 #define CONTEXT_ANALYSIS_ONLY_VIEW    2
 #define CONTEXT_ANALYSIS_ONLY_DERIVED 4
-Set/clean these flags when we perform
 context analysis operation
-Item_subselect::const_item() returns
 result depending on LEX::context_analysis_only.
 If context_analysis_only is set then we return
 FALSE that means that subquery is non-const.
 As all subquery types are wrapped by Item_subselect
 it allow as to make subquery non-const when
 it's necessary.
2010-12-14 12:33:03 +03:00
Sergey Glukhov
0e77c3295a Bug#39828 : Autoinc wraps around when offset and increment > 1
Auto increment value wraps when performing a bulk insert with
auto_increment_increment and auto_increment_offset greater than
one.
The fix:
If overflow happened then return MAX_ULONGLONG value as an
indication of overflow and check this before storing the
value into the field in update_auto_increment().
2010-12-13 14:48:12 +03:00
Sergey Glukhov
4096f35a39 Bug#58396 group_concat and explain extended are still crashy
Explain fails at fix_fields stage and some items are left unfixed,
particulary Item_group_concat. Item_group_concat::orig_args field
is uninitialized in this case and Item_group_concat::print call 
leads to crash.
The fix:
move the initialization of Item_group_concat::orig_args
into constructor.
2010-12-13 13:39:26 +03:00
Georgi Kodinov
7e8ddb6b03 Backport of the 5.1 fix for bug #55826 to 5.0 2010-12-08 16:05:26 +02:00
Bjorn Munch
7a404214e0 merge from 5.1-mtr 2010-12-09 20:32:47 +01:00
Gleb Shchepa
a44b544498 Bug #57187: more user variable fun with multiple
assignments and comparison in query

A query that compares assignments of the same
user variable caused Valgrind warnings: access
to freed memory region.

In case of a DECIMAL argument the assignment
operator (:=) may return a pointer to a stored
value instead of its copy when evaluated.
The next assignment to the same variable may:
 a) overwrite the stored value with a new one
    and return the same pointer or even
 b) reallocate stored value.

Thus, if we evaluate an assignment and keep
the result pointer and then evaluate another
assignment to the same variable, then the
kept result pointer of the first assignment
will point to unexpectedly changed data or
it may be a dead pointer.

That may cause wrong data or crash.

The user_var_entry::val_decimal method has
been modified to copy user variable data.
2010-12-06 23:38:31 +03:00
Georgi Kodinov
5df7f9bc26 Backport of bug #55564 to 5.0-security 2010-12-03 16:56:36 +02:00
Mats Kindahl
afb8f0f882 BUG#58246: INSTALL PLUGIN not secure & crashable
Fixing test case that fails on Windows because .dll is used.
2010-12-02 09:13:31 +01:00
Mats Kindahl
bfb43fb44f Merging patch for BUG#58246 with mysql-5.1-bugteam. 2010-12-01 20:33:31 +01:00
Mats Kindahl
91a4a8aba6 BUG#58246: INSTALL PLUGIN not secure & crashable
When installing plugins, there is a missing check
for slash (/) in the path on Windows. Note that on
Windows, both / and \ can be used to separate
directories.

This patch fixes the issue by:
- Adding a FN_DIRSEP symbol for all platforms
  consisting of a string of legal directory
  separators.
- Adding a charset-aware version of strcspn().
- Adding a check_valid_path() function that uses
  my_strcspn() to check if any FN_DIRSEP character
  is in the supplied string.
- Using the check_valid_path() function in
  sql_plugin.cc and sql_udf.cc (which means
  replacing the existing test there).
2010-12-01 13:54:50 +01:00
Bjorn Munch
9dca123d02 Bug #58092 Test "rpl_cross_version" has "copy_file" failing
I am not fixing the test failure
Adds printing of my_errno when commands fail, could hopefully help
2010-12-01 11:11:16 +01:00
Nirbhay Choubey
c8310653b4 Additional fix for bug#54899
Fixing the testcase to use the database name
as connected_db instead of 'test' database.
2010-12-01 12:25:31 +05:30
Georgi Kodinov
534ba9c98a merge 2010-11-26 17:27:41 +02:00
Alexander Barkov
bd3a5831f6 Bug#56639 Character Euro (0x88) not converted from cp1251 to utf8
Problem: MySQL cp1251 did not support 'U+20AC EURO SIGN'
which was assigned a few years ago to 0x88.

Fix: adding mapping: 0x88 <-> U+20AC 

  @ mysql-test/include/ctype_8bit.inc
  New shared file to test 8bit character sets.

  @ mysql-test/r/ctype_cp1251.result
  @ mysql-test/t/ctype_cp1251.test
  Adding tests

  @ sql/share/charsets/cp1251.xml
  Adding mapping

  @ strings/ctype-extra.c
  Regenerating ctype-extra.c using strings/conf_to_src
  according to new cp1251.xml
2010-11-26 16:58:54 +03:00
Nirbhay Choubey
8629024b23 Bug #54899 : --one-database option cannot handle DROP/CREATE DATABASE commands
After dropping and recreating the database specified along with --one-database
option at command line, mysql client keeps filtering the statements even after
the execution of a 'USE' command on the same database.

--one-database option enables the filtering of statements when the current
database is not the one specified at the command line. However, when the same
database is dropped and recreated the variable (current_db) that holds the
inital database name gets altered. This bug exploits the fact that current_db
initially gets set to null value (0) when a 'use db_name' follows the recreation
of same database db_name (speficied at the command line) and hence skip_updates
gets set to 1, which inturn triggers the further filtering of statements.

Fixed by making get_current_db() a no-op function when one_database is set,
and hence, under that condition current_db will not get altered.
Note, however the value of current_db can change when we execute 'connect'
command with a differnet database to reconnect to the server, in which case,
the behavior of --one-database will be formulated using this new database.
2010-11-26 19:27:59 +05:30
Georgi Kodinov
c5987223db merge 2010-11-26 14:51:48 +02:00
Tatiana A. Nurnberg
3a15cb6ce9 Assorted post-merge fixes, clean-up, integration, compat with 5.6.
43233/55794.
2010-11-25 03:11:05 +00:00
Gleb Shchepa
d85c305362 backport of bug #54461 from 5.1-security to 5.0-security
> revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780
 > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l
 > committer: Gleb Shchepa <gshchepa@mysql.com>
 > branch nick: mysql-5.1-security
 > timestamp: Sun 2010-08-01 22:12:36 +0400
 > Bug #54461: crash with longblob and union or update with subquery
 >
 > Queries may crash, if
 >   1) the GREATEST or the LEAST function has a mixed list of
 >      numeric and LONGBLOB arguments and
 >   2) the result of such a function goes through an intermediate
 >      temporary table.
 >
 > An Item that references a LONGBLOB field has max_length of
 > UINT_MAX32 == (2^32 - 1).
 >
 > The current implementation of GREATEST/LEAST returns REAL
 > result for a mixed list of numeric and string arguments (that
 > contradicts with the current documentation, this contradiction
 > was discussed and it was decided to update the documentation).
 >
 > The max_length of such a function call was calculated as a
 > maximum of argument max_length values (i.e. UINT_MAX32).
 >
 > That max_length value of UINT_MAX32 was used as a length for
 > the intermediate temporary table Field_double to hold
 > GREATEST/LEAST function result.
 >
 > The Field_double::val_str() method call on that field
 > allocates a String value.
 >
 > Since an allocation of String reserves an additional byte
 > for a zero-termination, the size of String buffer was
 > set to (UINT_MAX32 + 1), that caused an integer overflow:
 > actually, an empty buffer of size 0 was allocated.
 >
 > An initialization of the "first" byte of that zero-size
 > buffer with '\0' caused a crash.
 >
 > The Item_func_min_max::fix_length_and_dec() has been
 > modified to calculate max_length for the REAL result like
 > we do it for arithmetical operators.
2010-11-24 23:03:16 +03:00
Tatiana A. Nurnberg
9ab7421b10 merge 2010-11-24 10:02:46 +00:00
Tatiana A. Nurnberg
eda8b1feeb merge 2010-11-24 08:50:04 +00:00
Ramil Kalimullin
743fd50d62 Auto-merge with mysql-5.1-bugteam. 2010-11-23 16:08:10 +03:00
Gleb Shchepa
3586f7727f backport: Bug #55568 from 5.1-security to 5.0-security
> revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h
> parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53
> committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
> branch nick: 5.1-security
> timestamp: Tue 2010-08-24 14:35:48 +0400
> message:
>   Bug #55568: user variable assignments crash server when used
>               within query
>   
>   The server could crash after materializing a derived table
>   which requires a temporary table for grouping.
>   
>   When destroying the temporary table used to execute a query for
>   a derived table, JOIN::destroy() did not clean up Item_fields
>   pointing to fields in the temporary table. This led to
>   dereferencing a dangling pointer when printing out the items
>   tree later in the outer SELECT.
>   
>   The solution is an addendum to the patch for bug37362: in
>   addition to cleaning up items in tmp_all_fields3, do the same
>   for items in tmp_all_fields1, since now we have an example
>   where this is necessary.
2010-11-23 00:29:47 +03:00
Ramil Kalimullin
0628752fe9 Manual-merge from mysql-5.1-bugteam. 2010-11-22 12:21:10 +03:00
Guilhem Bichot
b5586c67ec Fix for Bug#56138 "valgrind errors about overlapping memory when double-assigning same variable",
and related small fixes.
2010-11-22 09:57:59 +01:00
Bjorn Munch
b295a25109 merge from 5.1-mtr 2010-11-19 10:29:08 +01:00
Alexander Barkov
d720c49188 Bug#57279 updatexml dies with: Assertion failed: str_arg[length] == 0
Problem: crash in Item_float constructor on DBUG_ASSERT due
to not null-terminated string parameter.

Fix: making Item_float::Item_float non-null-termintated parameter safe:
- Using temporary buffer when generating error

modified:
  @ mysql-test/r/xml.result
  @ mysql-test/t/xml.test
  @ sql/item.cc
2010-11-18 16:11:18 +03:00
Ramil Kalimullin
7a4708cfd7 Auto-merge from mysql-5.1-bugteam. 2010-11-18 13:40:57 +03:00
Sergey Glukhov
594a599247 Bug#58022 ... like ... escape export_set ( ... ) crashes when export_set returns warnings
ESCAPE argument might be empty string. It leads
to server crash under some circumstances.
The fix:
-added check if ESCAPE argument result is not empty string
2010-11-18 11:53:08 +03:00
Bjorn Munch
d718af063e Bug #58257 mysqltest: in if(), ! $var with space is always false
Evaluation would start with the space and thus ignore the $
Added while() to skip past white space
2010-11-17 16:05:52 +01:00
Mattias Jonsson
d25e3389f4 post-push fix, backported --replace_result patch
for --list_files in mysqltest.
2010-11-17 10:13:57 +01:00
Mattias Jonsson
67f640fd50 post-push fix for test to pass on windows 2010-11-15 23:27:37 +01:00
Mattias Jonsson
59849b2bc8 merge 2010-11-15 16:32:21 +01:00
Bjorn Munch
9142f7462b Bug #58087 mysqltest re-evaluates 'let' expressions infinitely
Results from query is sent for evaluation
Break recursion by asking for ` to be ignored
2010-11-15 14:23:02 +01:00
Bjorn Munch
2ab2426104 merge from 5.1 up to rev 3471 2010-11-14 12:23:51 +01:00
Alexander Barkov
0e1c167e16 Bug#58005 utf8 + get_format causes failed assertion: !str || str != Ptr'
Problem: When GET_FORMAT() is called two times from the upper
level function (e.g. LEAST in the bug report), on the second
call "res= args[0]->val_str(...)" and str point to the same
String object.

1. Fix: changing the order from
- get val_str into tmp_value then convert to str
to
- get val_str into str then convert to tmp_value

The new order is more correct: the purpose of "str" parameter
is exactly to call val_str() for arguments.
The purpose of String class members (like tmp_value) is to do further
actions on the result.
Doing it in the other way around give unexpected surprises.

2. Using str_value instead of str to do padding, for the same reason.
2010-11-12 13:12:15 +03:00
Tatiana A. Nurnberg
58f5b9c0cc Bug#43233: Some server variables are clipped during "update," not "check" stage
Bug#55794: ulonglong options of mysqld show wrong values.

Port the few remaining system variables to the correct mechanism --
range-check in check-stage (and throw error or warning at that point
as needed and depending on STRICTness), update in update stage.
Fix some signedness errors when retrieving sysvar values for display.
2010-11-11 11:35:48 +00:00
Alexander Barkov
771137b50e Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
Bug#57820 extractvalue crashes

Problem: ExtractValue and Replace crashed in some cases
due to invalid handling of empty and NULL arguments.

Per file comments:

  @mysql-test/r/ctype_ujis.result
  @mysql-test/r/xml.result
  @mysql-test/t/ctype_ujis.test
  @mysql-test/t/xml.test
  Adding tests

  @sql/item_strfunc.cc
  Make sure Item_func_replace::val_str safely handles empty strings.

  @sql/item_xmlfunc.cc
  set null_value if nodeset_func returned NULL,
  which is possible when the second argument is an
  unset user variable.
2010-11-11 13:25:23 +03:00