1
0
mirror of https://github.com/MariaDB/server.git synced 2025-10-25 18:38:00 +03:00
Commit Graph

1364 Commits

Author SHA1 Message Date
Sergey Glukhov
cd36a6a5d5 Fixed following problems:
--Bug#52157 various crashes and assertions with multi-table update, stored function
--Bug#54475 improper error handling causes cascading crashing failures in innodb/ndb
--Bug#57703 create view cause Assertion failed: 0, file .\item_subselect.cc, line 846
--Bug#57352 valgrind warnings when creating view
--Recently discovered problem when a nested materialized derived table is used
  before being populated and it leads to incorrect result

We have several modes when we should disable subquery evaluation.
The reasons for disabling are different. It could be
uselessness of the evaluation as in case of 'CREATE VIEW'
or 'PREPARE stmt', or we should disable subquery evaluation
if tables are not locked yet as it happens in bug#54475, or
too early evaluation of subqueries can lead to wrong result
as it happened in Bug#19077.
Main problem is that if subquery items are treated as const
they are evaluated in ::fix_fields(), ::fix_length_and_dec()
of the parental items as a lot of these methods have
Item::val_...() calls inside.
We have to make subqueries non-const to prevent unnecessary
subquery evaluation. At the moment we have different methods
for this. Here is a list of these modes:

1. PREPARE stmt;
We use UNCACHEABLE_PREPARE flag.
It is set during parsing in sql_parse.cc, mysql_new_select() for
each SELECT_LEX object and cleared at the end of PREPARE in
sql_prepare.cc, init_stmt_after_parse(). If this flag is set
subquery becomes non-const and evaluation does not happen.

2. CREATE|ALTER VIEW, SHOW CREATE VIEW, I_S tables which
   process FRM files
We use LEX::view_prepare_mode field. We set it before
view preparation and check this flag in
::fix_fields(), ::fix_length_and_dec().
Some bugs are fixed using this approach,
some are not(Bug#57352, Bug#57703). The problem here is
that we have a lot of ::fix_fields(), ::fix_length_and_dec()
where we use Item::val_...() calls for const items.

3. Derived tables with subquery = wrong result(Bug19077)
The reason of this bug is too early subquery evaluation.
It was fixed by adding Item::with_subselect field
The check of this field in appropriate places prevents
const item evaluation if the item have subquery.
The fix for Bug19077 fixes only the problem with
convert_constant_item() function and does not cover
other places(::fix_fields(), ::fix_length_and_dec() again)
where subqueries could be evaluated.

Example:
CREATE TABLE t1 (i INT, j BIGINT);
INSERT INTO t1 VALUES (1, 2), (2, 2), (3, 2);
SELECT * FROM (SELECT MIN(i) FROM t1
WHERE j = SUBSTRING('12', (SELECT * FROM (SELECT MIN(j) FROM t1) t2))) t3;
DROP TABLE t1;

4. Derived tables with subquery where subquery
   is evaluated before table locking(Bug#54475, Bug#52157)

Suggested solution is following:

-Introduce new field LEX::context_analysis_only with the following
 possible flags:
 #define CONTEXT_ANALYSIS_ONLY_PREPARE 1
 #define CONTEXT_ANALYSIS_ONLY_VIEW    2
 #define CONTEXT_ANALYSIS_ONLY_DERIVED 4
-Set/clean these flags when we perform
 context analysis operation
-Item_subselect::const_item() returns
 result depending on LEX::context_analysis_only.
 If context_analysis_only is set then we return
 FALSE that means that subquery is non-const.
 As all subquery types are wrapped by Item_subselect
 it allow as to make subquery non-const when
 it's necessary.
2010-12-14 12:33:03 +03:00
Sergey Glukhov
a2aa73d92a 5.1-bugteam->5.5-bugteam merge 2010-12-14 13:46:00 +03:00
Gleb Shchepa
92f09cd1d3 automerge 5.1-security --> 5.5-security (bug 57187) 2010-12-08 17:36:52 +03:00
Gleb Shchepa
a44b544498 Bug #57187: more user variable fun with multiple
assignments and comparison in query

A query that compares assignments of the same
user variable caused Valgrind warnings: access
to freed memory region.

In case of a DECIMAL argument the assignment
operator (:=) may return a pointer to a stored
value instead of its copy when evaluated.
The next assignment to the same variable may:
 a) overwrite the stored value with a new one
    and return the same pointer or even
 b) reallocate stored value.

Thus, if we evaluate an assignment and keep
the result pointer and then evaluate another
assignment to the same variable, then the
kept result pointer of the first assignment
will point to unexpectedly changed data or
it may be a dead pointer.

That may cause wrong data or crash.

The user_var_entry::val_decimal method has
been modified to copy user variable data.
2010-12-06 23:38:31 +03:00
Georgi Kodinov
96d45ed2f6 merge 2010-11-26 16:32:51 +02:00
Georgi Kodinov
c5987223db merge 2010-11-26 14:51:48 +02:00
Tatiana A. Nurnberg
eda8b1feeb merge 2010-11-24 08:50:04 +00:00
Ramil Kalimullin
1b897ad1d8 Auto-merge with mysql-5.5-bugteam. 2010-11-23 16:44:26 +03:00
Ramil Kalimullin
743fd50d62 Auto-merge with mysql-5.1-bugteam. 2010-11-23 16:08:10 +03:00
Guilhem Bichot
b5586c67ec Fix for Bug#56138 "valgrind errors about overlapping memory when double-assigning same variable",
and related small fixes.
2010-11-22 09:57:59 +01:00
Guilhem Bichot
b3232453a1 merge of 5.1-bugteam 2010-11-22 10:13:46 +01:00
Ramil Kalimullin
aab0c52976 Manual-merge from 5.5-bugfixing. 2010-11-18 15:01:50 +03:00
Ramil Kalimullin
7a4708cfd7 Auto-merge from mysql-5.1-bugteam. 2010-11-18 13:40:57 +03:00
Tatiana A. Nurnberg
58f5b9c0cc Bug#43233: Some server variables are clipped during "update," not "check" stage
Bug#55794: ulonglong options of mysqld show wrong values.

Port the few remaining system variables to the correct mechanism --
range-check in check-stage (and throw error or warning at that point
as needed and depending on STRICTness), update in update stage.
Fix some signedness errors when retrieving sysvar values for display.
2010-11-11 11:35:48 +00:00
Dmitry Shulga
64b897b0ce Auto-merge from 5.1-bugteam for bug#57386. 2010-11-10 11:58:50 +06:00
Dmitry Shulga
5b3e668af8 Fixed Bug#57386 - main.execution_constants segfault on MIPS64EL. 2010-11-10 11:49:37 +06:00
Georgi Kodinov
97a06e4d9a merge 2010-10-29 15:25:18 +03:00
Mikael Ronstrom
1c0d998a12 Added more wait states for THD wait service 2010-10-27 20:29:09 +02:00
Sergey Glukhov
5bf148fccd Bug#57477 SIGFPE when dividing a huge number a negative number
The problem is dividing by const value when
the result is out of supported range.
The fix:
-return LONGLONG_MIN if the result is out of supported range for DIV operator.
-return 0 if divisor is -1 for MOD operator.
2010-10-27 18:12:10 +04:00
Sergey Glukhov
c77992cd5f 5.1-security->5.5-security merge 2010-10-18 15:06:15 +04:00
Sergey Glukhov
9a8f22fa2d Bug#54484 explain + prepared statement: crash and Got error -1 from storage engine
Subquery executes twice, at top level JOIN::optimize and ::execute stages.
At first execution create_sort_index() function is called and
FT_SELECT object is created and destroyed. HANDLER::ft_handler is cleaned up
in the object destructor and at second execution FT_SELECT::get_next() method
returns error.
The fix is to reinit HANDLER::ft_handler field before re-execution of subquery.
2010-10-18 14:47:26 +04:00
Davi Arnaut
7d64c36486 Bug#56096: STOP SLAVE hangs if executed in parallel with user sleep
The root of the problem is that to interrupt a slave SQL thread
wait, the STOP SLAVE implementation uses thd->awake(THD::NOT_KILLED).
This appears as a spurious wakeup (e.g. from a sleep on a
condition variable) to the code that the slave SQL thread is
executing at the time of the STOP. If the code is not written
to be spurious-wakeup safe, unexpected behavior can occur. For
the reported case, this problem led to an infinite loop around
the interruptible_wait() function in item_func.cc (SLEEP()
function implementation).  The loop was not being properly
restarted and, consequently, would not come to an end. Since the
SLEEP function sleeps on a timed event in order to be killable
and to perform periodic checks until the requested time has
elapsed, the spurious wake up was causing the requested sleep
time to be reset every two seconds.

The solution is to calculate the requested absolute time only
once and to ensure that the thread only sleeps until this
time is elapsed. In case of a spurious wake up, the sleep is
restarted using the previously calculated absolute time. This
restores the behavior present in previous releases. If a slave
thread is executing a SLEEP function, a STOP SLAVE statement
will wait until the time requested in the sleep function
has elapsed.
2010-10-13 22:54:07 -03:00
Georgi Kodinov
539291cde9 merged mysql-5.1 into mysql-5.1-bugteam 2010-10-05 11:11:56 +03:00
Georgi Kodinov
b2437d07e6 merge 2010-09-30 14:06:50 +03:00
Georgi Kodinov
684c3e9e3d merge from 5.5-merge 2010-09-02 16:57:59 +03:00
Alexander Nozdrin
593c6db299 Auto-merge from mysql-5.5-merge. 2010-08-25 14:22:34 +04:00
Georgi Kodinov
bd62942ec1 merge 2010-08-20 16:10:49 +03:00
Georgi Kodinov
a54c3dd5c0 merge 2010-08-20 14:22:46 +03:00
Georgi Kodinov
352f2ada7b merge 2010-08-20 13:23:47 +03:00
Georgi Kodinov
3b36a677ba Bug #55826: create table .. select crashes with when
KILL_BAD_DATA is returned

Two problems discovered with the LEAST()/GREATEST() 
functions:
1. The check for a null value should happen even 
after the second call to val_str() in the args. This is
important because two subsequent calls to the same
Item::val_str() may yield different results.
Fixed by checking for NULL value before dereferencing
the string result.

2. While looping over the arguments and evaluating them 
the loop should stop if there was an error evaluating so far
or the statement was killed. Fixed by checking for error
and bailing out.
2010-08-20 11:52:16 +03:00
Alexander Barkov
6e9298bddc Bug#54916 GROUP_CONCAT + IFNULL truncates output
Problem: a few functions did not calculate their max_length correctly.
This is an after-fix for WL#2649 Number-to-string conversions".

Fix: changing the buggy functions to calculate max_length
using fix_char_length() introduced in WL#2649,
instead of setting max_length directly

  mysql-test/include/ctype_numconv.inc
     Adding new tests

  mysql-test/r/ctype_binary.result
     Adding new tests

  mysql-test/r/ctype_cp1251.result
     Adding new tests

  mysql-test/r/ctype_latin1.result
     Adding new tests

  mysql-test/r/ctype_ucs.result
     Adding new tests

  mysql-test/r/ctype_utf8.result
     Adding new tests

  mysql-test/t/ctype_utf8.test
    Including ctype_numconv

  sql/item.h
    - Introducing new method fix_char_length_ulonglong(),
    for the cases when length is potentially greater
    than UINT_MAX32. This method removes a few
    instances of duplicate code, e.g. in item_strfunc.cc.
    - Setting collation in Item_copy properly. This change
    fixes wrong metadata on client side in some cases, when
    "binary" instead of the real character set was reported.

  sql/item_cmpfunc.cc
    - Using fix_char_length() and max_char_length() methods,
    instead of direct access to max_length, to calculate
    item length properly.
    - Moving count_only_length() in COALESCE after
    agg_arg_charsets_for_string_result(). The old
    order was incorrect and led to wrong length
    calucation in case of multi-byte character sets.
    
  sql/item_func.cc
    Fixing that count_only_length() didn't work
    properly for multi-byte character sets.
    Using fix_char_length() and max_char_length()
    instead of direct access to max_length.

  sql/item_strfunc.cc
    - Using fix_char_length(), fix_char_length_ulonglong(),
    max_char_length() instead of direct access to max_length.
    - Removing wierd condition: "if (collation.collation->mbmaxlen > 0)",
    which is never FALSE.
2010-08-19 15:55:35 +04:00
Georgi Kodinov
a22056e846 Bug #53296: LONG BLOB value types are not recognized
Fixed the length of system variables to be 2^24 - 1 
as it is documented for MEDIUMBLOB instead of 
2^24.
2010-08-16 16:43:21 +03:00
Georgi Kodinov
2ecc81cb30 merge 2010-08-13 14:20:49 +03:00
Georgi Kodinov
a557509653 Bug #55615 and bug #55564
An user assignment variable expression that's 
evaluated in a logical expression context 
(Item::val_bool()) can be pre-calculated in a 
temporary table for GROUP BY.
However when the expression value is used after the
temp table creation it was re-evaluated instead of
being read from the temp table due to a missing 
val_bool_result() method.
Fixed by implementing the method.
2010-08-13 14:18:46 +03:00
Georgi Kodinov
05e88a5bbf merge 2010-08-02 11:17:47 +03:00
Gleb Shchepa
38165ce4a3 Bug #54461: crash with longblob and union or update with subquery
Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.


******
Bug #54461: crash with longblob and union or update with subquery

Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.
2010-08-01 22:12:36 +04:00
Davi Arnaut
649390ac81 Merge of mysql-trunk-bugfixing into mysql-trunk-merge. 2010-07-15 10:47:50 -03:00
Georgi Kodinov
a1414d519f merge 2010-07-14 15:05:20 +03:00
Georgi Kodinov
b4766fc36a Bug #51876: crash/memory underrun when loading data with ucs2
and reverse() function
      
3 problems fixed : 
1. The reported problem : caused by incorrect parsing of 
the file as ucs data resulting in wrong length of the parsed
string. Fixed by truncating the invalid trailing bytes 
(non-complete multibyte characters) when reading from the file
2. LOAD DATA when reading from a proper UCS2 file wasn't 
recognizing the new line characters. Fixed by first looking 
if a byte is a new line (or any other special) character before
reading it as a part of a multibyte character.
3. When using user variables to hold the column data in LOAD
DATA the character set of the user variable was set incorrectly
to the database charset. Fixed by setting it to the charset
specified by LOAD DATA (if any).
2010-07-14 14:54:51 +03:00
Davi Arnaut
a10ae35328 Bug#34043: Server loops excessively in _checkchunk() when safemalloc is enabled
Essentially, the problem is that safemalloc is excruciatingly
slow as it checks all allocated blocks for overrun at each
memory management primitive, yielding a almost exponential
slowdown for the memory management functions (malloc, realloc,
free). The overrun check basically consists of verifying some
bytes of a block for certain magic keys, which catches some
simple forms of overrun. Another minor problem is violation
of aliasing rules and that its own internal list of blocks
is prone to corruption.

Another issue with safemalloc is rather the maintenance cost
as the tool has a significant impact on the server code.
Given the magnitude of memory debuggers available nowadays,
especially those that are provided with the platform malloc
implementation, maintenance of a in-house and largely obsolete
memory debugger becomes a burden that is not worth the effort
due to its slowness and lack of support for detecting more
common forms of heap corruption.

Since there are third-party tools that can provide the same
functionality at a lower or comparable performance cost, the
solution is to simply remove safemalloc. Third-party tools
can provide the same functionality at a lower or comparable
performance cost. 

The removal of safemalloc also allows a simplification of the
malloc wrappers, removing quite a bit of kludge: redefinition
of my_malloc, my_free and the removal of the unused second
argument of my_free. Since free() always check whether the
supplied pointer is null, redudant checks are also removed.

Also, this patch adds unit testing for my_malloc and moves
my_realloc implementation into the same file as the other
memory allocation primitives.
2010-07-08 18:20:08 -03:00
Alexander Nozdrin
514b9b25d2 Backport of revid:ingo.struewing@sun.com-20091223200354-r2uzbdkj2v6yv111
Bug#47633 - assert in ha_myisammrg::info during OPTIMIZE
 
   The server crashed on an attempt to optimize a MERGE table with
   non-existent child table.
 
   mysql_admin_table() relied on the table to be successfully open
   if a table object had been allocated.
 
   Changed code to check return value of the open function before
   calling a handler:: function on it.
2010-06-25 19:32:59 +04:00
Alexander Nozdrin
7752ccec48 Patch for Bug#21818 (Return value of ROW_COUNT() is incorrect
for ALTER TABLE, LOAD DATA).

ROW_COUNT is now assigned according to the following rules:

  - In my_ok():
    - for DML statements: to the number of affected rows;
    - for DDL statements: to 0.

  - In my_eof(): to -1 to indicate that there was a result set.

    We derive this semantics from the JDBC specification, where int
    java.sql.Statement.getUpdateCount() is defined to (sic) "return the
    current result as an update count; if the result is a ResultSet
    object or there are no more results, -1 is returned".

  - In my_error(): to -1 to be compatible with the MySQL C API and
    MySQL ODBC driver.

  - For SIGNAL statements: to 0 per WL#2110 specification. Zero is used
    since that's the "default" value of ROW_COUNT in the diagnostics area.
2010-05-14 09:28:51 +04:00
Mats Kindahl
0768deeb27 WL#5030: Splitting mysql_priv.h
Adding my_global.h first in all files using
NO_EMBEDDED_ACCESS_CHECKS.

Correcting a merge problem resulting from a changed definition
of check_some_access compared to the original patches.
2010-04-07 13:58:40 +02:00
Mats Kindahl
e409d6f69c WL#5030: Split and remove mysql_priv.h
This patch:

- Moves all definitions from the mysql_priv.h file into
  header files for the component where the variable is
  defined
- Creates header files if the component lacks one
- Eliminates all include directives from mysql_priv.h
- Eliminates all circular include cycles
- Rename time.cc to sql_time.cc
- Rename mysql_priv.h to sql_priv.h
2010-03-31 16:05:33 +02:00
Alexey Kopytov
f10885675c Manual merge of mysql-trunk into mysql-trunk-merge.
Conflicts:

Text conflict in client/mysqlbinlog.cc
Text conflict in mysql-test/Makefile.am
Text conflict in mysql-test/collections/default.daily
Text conflict in mysql-test/r/mysqlbinlog_row_innodb.result
Text conflict in mysql-test/suite/rpl/r/rpl_typeconv_innodb.result
Text conflict in mysql-test/suite/rpl/t/rpl_get_master_version_and_clock.test
Text conflict in mysql-test/suite/rpl/t/rpl_row_create_table.test
Text conflict in mysql-test/suite/rpl/t/rpl_slave_skip.test
Text conflict in mysql-test/suite/rpl/t/rpl_typeconv_innodb.test
Text conflict in mysys/charset.c
Text conflict in sql/field.cc
Text conflict in sql/field.h
Text conflict in sql/item.h
Text conflict in sql/item_func.cc
Text conflict in sql/log.cc
Text conflict in sql/log_event.cc
Text conflict in sql/log_event_old.cc
Text conflict in sql/mysqld.cc
Text conflict in sql/rpl_utility.cc
Text conflict in sql/rpl_utility.h
Text conflict in sql/set_var.cc
Text conflict in sql/share/Makefile.am
Text conflict in sql/sql_delete.cc
Text conflict in sql/sql_plugin.cc
Text conflict in sql/sql_select.cc
Text conflict in sql/sql_table.cc
Text conflict in storage/example/ha_example.h
Text conflict in storage/federated/ha_federated.cc
Text conflict in storage/myisammrg/ha_myisammrg.cc
Text conflict in storage/myisammrg/myrg_open.c
2010-03-24 18:03:44 +03:00
Alexey Kopytov
7ac059ba8f Manual merge of mysql-5.1-bugteam into mysql-trunk-merge.
Conflicts:

Text conflict in mysql-test/suite/rpl/t/rpl_get_master_version_and_clock.test
Text conflict in sql/item_func.cc
2010-03-22 16:28:51 +03:00
Andrei Elkin
30df18909c Bug #51648 DBUG_SYNC_POINT is not defined on all platforms and mtr cant pre-check that
DBUG_SYNC_POINT has at least one strong limitation that it's not defined
on all platforms. It has issues cooperating with @@debug.
All in all its functionality is superseded by DEBUG_SYNC facility and
there is no reason to maintain the old less flexible one.

Fixed with adding debug_sync_set_action() function as a facility to set up
a sync-action in the server sources code and re-writing existing simulations
(found 3) to use it.
Couple of tests have been reworked as well.

The patch offers a pattern for setting sync-points in replication threads
where the standard DEBUG_SYNC does not suffice to reach goals.
2010-03-19 11:06:40 +02:00
Alexey Kopytov
53afccc829 Manual merge. 2010-03-19 11:29:12 +03:00
Alexey Kopytov
aef97cadfa Bug #8433: Overflow must be an error
All numeric operators and functions on integer, floating point 
and DECIMAL values now throw an 'out of range' error rather 
than returning an incorrect value or NULL,  when the result is 
out of supported range for the corresponding data type. 
 
Some test cases in the test suite had to be updated 
accordingly either because the test case itself relied on a 
value returned in case of a numeric overflow, or because a 
numeric overflow was the root cause of the corresponding bugs. 
The latter tests are no longer relevant, since the expressions 
used to trigger the corresponding bugs are not valid anymore. 
However, such test cases have been adjusted and kept "for the 
record".
2010-03-18 13:38:29 +03:00
Luis Soares
229da7c0dd BUG#51426: overflow for auto_increment column causes slave to stop
In BUG#49562 we fixed the case where numeric user var events
would not serialize the flag stating whether the value was signed
or unsigned (unsigned_flag). This fixed the case that the slave
would get an overflow while treating the unsigned values as
signed.
      
In this bug, we find that the unsigned_flag can sometimes change
between the moment that the user value is recorded for binlogging
purposes and the actual binlogging time. Since we take the
unsigned_flag from the runtime variable data, at binlogging time,
and the variable value is comes from the copy taken earlier in
the execution, there may be inconsistency in the
User_var_log_event between the variable value and its
unsigned_flag.
      
We fix this by also copying the unsigned_flag of the
user_var_entry when its value is copied, for binlogging
purposes. Later, at binlogging time, we use the copied
unsigned_flag and not the one in the runtime user_var_entry
instance.
2010-03-17 00:06:13 +00:00