Commit graph

71825 commits

Author SHA1 Message Date
Marko Mäkelä
cb253b8687 MDEV-22387: Static_binary_string::q_append() invokes memcpy on NULL
Invoking memcpy() on a NULL pointer is undefined behaviour
(even if the length is 0) and gives the compiler permission to
assume that the pointer is nonnull. Recent versions of GCC
(starting with version 8) are more aggressively optimizing away
checks for NULL pointers. This undefined behaviour would cause
a SIGSEGV in the test main.func_encrypt on an optimized debug build
on GCC 10.2.0.
2020-10-30 13:07:42 +02:00
Varun Gupta
5a0c34e4c2 MDEV-24033: SIGSEGV in __memcmp_avx2_movbe from queue_insert | SIGSEGV in __memcmp_avx2_movbe from native_compare
The issue here was the system variable max_sort_length was being applied
to decimals and it was truncating the value for decimals to the number
of bytes set by max_sort_length.
This was leading to a buffer overflow as the values were written
to the buffer without truncation and then we moved the offset to
the number of bytes(set by max_sort_length), that are needed for comparison.

The fix is to not apply max_sort_length for fixed size types like INT,
DECIMALS and only apply max_sort_length for CHAR, VARCHARS, TEXT and
BLOBS.
2020-10-30 12:22:01 +02:00
Marko Mäkelä
898521e2dd Merge 10.4 into 10.5 2020-10-30 11:15:30 +02:00
Oleksandr Byelkin
a90b15837c MDEV-19838: fix of error messages 2020-10-29 22:20:21 +01:00
Monty
14798d3cd1 MDEV-23159 Assertion `table_share->tmp_table != NO_TMP_TABLE || m_lock_type != 2'...
The problem was that opt_sum_query() was, as part of MIN/MAX optimization,
doing read operations on constant tables that where already closed

Fixed by ensuring we don't try to read from tables that are closed.
2020-10-29 16:22:30 +02:00
Oleksandr Byelkin
2e5450af05 Merge branch '10.1' into 10.2 2020-10-29 15:16:53 +01:00
Vicențiu Ciorbaru
a041b94032 Move vers_type_timestamp within the CC file
It's a virtual method and it can't be inlined anyway. This allows type
plugins (mysql_json in particular) to use Type_handler_blob and / or
subclass it, without needing to explicitly expose the
vers_type_timestamp object.
2020-10-29 15:01:33 +02:00
Vicențiu Ciorbaru
76fabe816f Expose utf8mb4_bin charset for plugins
Cleanup other linker errors
2020-10-29 15:01:33 +02:00
Marko Mäkelä
7b2bb67113 Merge 10.3 into 10.4 2020-10-29 13:38:38 +02:00
Aleksey Midenkov
27b762e23d MDEV-22805 SIGSEGV in check_fields on UPDATE
Additional case for PS protocol: UPDATE is converted to multi-update
in mysql_multi_update_prepare().
2020-10-29 13:47:50 +03:00
Sergei Golubchik
d6302c9a47 MDEV-23702 calculating(auto rounding) issue
Implement a different fix for
"MDEV-19232: Floating point precision / value comparison problem"

Instead of truncating decimal values after every division,
truncate them for comparison purposes.

This reverts commit 62d73df6b2 but keeps the test.
2020-10-29 09:27:56 +01:00
Lawrin Novitsky
4b854d4795 MDEV-19838 Wrong direxec param data caused crash
In case of direct execution(stmtid=-1, mariadb_stmt_execute_direct in C
API) application is in control of how many parameters client sends to
the server. In case this number is not equal to actual query parameters
number, the server may start to interprete packet data incorrectly, e.g.
starting from the size of null bitmap. And that could cause it to crash
at some point. The commit introduces some additional COM_STMT_EXECUTE
packet sanity checks:
- checking that "types sent" byte is set, and the value is equal to 1.
  if it's not direct execution, then that value is 0 or 1.
- checking that parameter type value is a valid type, and parameter
  flags value is 0 or only "unsigned" bit is set
- added more checks that read does not go beyond the end of the packet
2020-10-29 08:04:32 +01:00
Marko Mäkelä
1e778a3b56 MDEV-21201 fixup: GCC 10.2.0 -Wparentheses
An assertion inadvertently contained an assignment and an implicit
comparison to zero. The intention was to test equality.
2020-10-29 08:02:33 +02:00
Vladislav Vaintroub
e451145aa9 MDEV-24040 Named pipe permission issue
Tighten access control - deny FILE_CREATE_PIPE_INSTANCE permission to
everyone except current user (the one that runs mysqld)
2020-10-28 14:24:10 +01:00
Vladislav Vaintroub
cb04c1bc64 MDEV-24040 - fix appveyor build
Old SDK is missing #define SECURITY_MAX_SID_STRING_CHARACTERS
2020-10-28 13:37:49 +01:00
Jan Lindström
d5c9f84dfc MDEV-22707 : galera got stuck after flush tables
Remove unnecessary condition and add necessary include
for non debug Galera library.
2020-10-28 14:00:37 +02:00
Oleksandr Byelkin
65e26bc1ba Merge branch '10.1' into 10.2 2020-10-28 10:56:38 +01:00
Vicențiu Ciorbaru
f6549e9544 MDEV-18323 Convert MySQL JSON type to MariaDB TEXT in mysql_upgrade
This patch solves two key problems.
1. There is a type number clash between MySQL and MariaDB. The number
   245, used for MariaDB Virtual Fields is the same as MySQL's JSON.
   This leads to corrupt FRM errors if unhandled. The code properly
   checks frm table version number and if it matches 5.7+ (until 10.0+)
   it will assume it is dealing with a MySQL table with the JSON
   datatype.
2. MySQL JSON datatype uses a proprietary format to pack JSON data. The
   patch introduces a datatype plugin which parses the format and convers
   it to its string representation.

The intended conversion path is to only use the JSON datatype within
ALTER TABLE <table> FORCE, to force a table recreate. This happens
during mysql_upgrade or via a direct ALTER TABLE <table> FORCE.
2020-10-28 11:38:14 +02:00
Vicențiu Ciorbaru
85c686e2d1 cleanup: Static_binary_string need not take non-const double parameter
Convert the parameter to const as the function won't modify the pointer
value.
2020-10-28 11:38:14 +02:00
Marko Mäkelä
a8de8f261d Merge 10.2 into 10.3 2020-10-28 10:01:50 +02:00
Teemu Ollakka
ec0e9d6f76 MDEV-22681 EXECUTE IMMEDIATE crashes server if wsrep is on.
A wsrep transaction was started for EXECUTE IMMEDIATE, which
caused assertion failure when the executed statement was
CREATE TABLE which should be executed in TOI mode.

As a fix, don't start wsrep transaction for EXECUTE IMMEDIATE
to let the wsrep state logic to be handled from inside stored
procedure codepath.

Reviewed-by: Jan Lindström <jan.lindstrom@mariadb.com>
2020-10-28 09:51:35 +02:00
Varun Gupta
db56f9b852 MDEV-24015: SQL Error (1038): Out of sort memory when enough memory for the sort buffer is provided
For a correlated subquery filesort is executed multiple times.
During each execution, sortlength() computed total sort key length in
Sort_keys::sort_length, without resetting it first.

Eventually Sort_keys::sort_length got larger than @@sort_buffer_size, which
caused filesort() to be aborted with error.

Fixed by making sortlength() to compute lengths only during the first
invocation. Subsequent invocations return pre-computed values.
2020-10-28 10:53:22 +05:30
Vladislav Vaintroub
3829b408d6 MDEV-24040 Named pipe permission issue
Tighten access control - deny FILE_CREATE_PIPE_INSTANCE permission to
everyone except current user (the one that runs mysqld)
2020-10-27 22:39:21 +01:00
Alexey Botchkov
8761571a71 MDEV-22524 SIGABRT in safe_mutex_unlock with
session_track_system_variables and max_relay_log_size.

lock LOCK_global_system_variables around the get_one_variable() call
in the Session_sysvars_tracker::store_variable().
2020-10-27 16:44:11 +04:00
Dmitry Shulga
97b10b7fdc MDEV-22805: SIGSEGV in check_fields on UPDATE
For debug build of MariaDB server running of the following test case
will hit the assert `thd->lex->sql_command == SQLCOM_UPDATE' in the function
check_fields() on attempt to execute the UPDATE statement.

  CREATE TABLE t1 (a INT);
  UPDATE t1 FOR PORTION OF APPTIME FROM (SELECT 1 FROM t1) TO 2 SET a = 1;

Stack trace to the fired assert statement
  DBUG_ASSERT(thd->lex->sql_command == SQLCOM_UPDATE)
listed below:
  mysql_execute_command() ->
    mysql_multi_update_prepare() -->
      Multiupdate_prelocking_strategy::handle_end() -->
        check_fiels()

It's worth to note that this stack trace looks like a multi update
statement is being executed. The fired assert is checked inside the
function check_fields() in case table->has_period() returns the value
true that in turns happens when temporal period specified in the UPDATE
statement. Condition specified in the DEBUG_ASSERT statement returns
the false value since the data member thd->lex->sql_command have the
value SQLCOM_UPDATE_MULTI. So, the main question is why a program control
flow go to the path prescribed for handling MULTI update statement
despite of the fact that the ordinary UPDATE statement being executed.

The answer is a way that SQL grammar rules written.

When the statement
  UPDATE t1 FOR PORTION OF APPTIME FROM (SELECT 1 FROM t1) TO 2 SET a = 1;
being parsed an action for the rule 'table_primary_ident' (part of this action
is listed below to simplify description) is  invoked to handle the table
name 't1' specified in the clause 'SELECT 1 FROM t1'.

table_primary_ident:
  table_ident opt_use_partition opt_for_system_time_clause
  opt_table_alias_clause opt_key_definition
  {
    SELECT_LEX *sel= Select;
    sel->table_join_options= 0;
    if (!($$= Select->add_table_to_list(thd, $1, $4,

This action calls the method st_select_lex::add_table_to_list()
to add the table name 't1' to the list of tables being used by the statement.

Later, an action for the following grammar rule
update_table_list:
  table_ident opt_use_partition for_portion_of_time_clause
  opt_table_alias_clause opt_key_definition
  {
    SELECT_LEX *sel= Select;
    sel->table_join_options= 0;
    if (!($$= Select->add_table_to_list(thd, $1, $4,

is invoked to handle the clause 't1 FOR PORTION OF APPTIME FROM ... TO 2'.
This action also calls the method st_select_lex::add_table_to_list()
to add the table name 't1' to the list of tables being used by the statement.

In result the table name 't1' contained twice in this list.

Presence of duplicate names for the table 't1' in a list of table used by
a statement leads to the fact that the function unique_table() called
from the function mysql_update() returns the value true that forces
implementation of the function mysql_update() to return the value 2 as
a signal to fall through the case boundary of the switch statement placed
in the function mysql_execute_statement() and start handling of the case
for sql_command SQLCOM_UPDATE_MULTI. The compound statement block for the
case SQLCOM_UPDATE_MULTI invokes the function mysql_multi_update_prepare()
that executes the statement
  set thd->lex->sql_command= SQLCOM_UPDATE_MULTI;
and after that calls the method
  Multiupdate_prelocking_strategy::handle_end(). Finally, this method
invokes the check_field() function and assert is fired.

The above analysis shows that update for a table that simultaneously specified
both as a destination table of UPDATE statement and as a table taking part in
subquery is actually treated by MariaDB server as multi-update statement.
Taking into account that multi-update statement for temporal period
table is not supported yet by MariaDB, correct way to fix the bug is to return
the error ER_NOT_SUPPORTED_YET for this case.
2020-10-27 18:55:22 +07:00
mkaruza
6a614d6934 MDEV-22707: galera got stuck after flush tables
Deadlock is possible between applier thread and local committing thread with active FLUSH TABLE.
Applier thread should skip table share checks and locks when opening table.

Reviewed-by: Jan Lindström <jan.lindstrom@mariadb.com>
2020-10-27 11:28:45 +02:00
Karthik Kamath
1269fd420d BUG#31650096: MYSQL SERVER HEAP-USE-AFTER-FREE IN TRANS_SAVEPOINT
ANALYSIS:
=========
During Bootstrap, while executing the statements from sql
file passed to the init-file server option, transaction
mem_root was being freed for every statement. This creates
an issue with multi statement transactions especially when a
statement in the transaction has to access the memory used
by the previous statement in the transaction.

FIX:
====
Transaction mem_root is freed whenever a transaction is
committed or rolled-back. Hence explicitly freeing it is not
necessary in the bootstrap implementation.

Change-Id: I40f71d49781bf7ad32d474bb176bd6060c9377dc
2020-10-27 09:24:15 +01:00
Sergei Golubchik
0c3723e1d5 Bug#31304432 "INSUFFICIENT PRIVILEGE CHECK BY LOCK TABLES"
`LOCK TABLES view_name` should require
* invoker to have SELECT and LOCK TABLES privileges on the view
* either invoker or definer (only if sql security definer) to
  have SELECT and LOCK TABLES privileges on the used tables/views.
2020-10-27 09:24:15 +01:00
Sergei Golubchik
320a73f6a2 cleanup: PRIV_LOCK_TABLES (10.5 style) 2020-10-27 09:24:14 +01:00
Anel Husakovic
4e987b1c6b MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
Reviewed-by: serg@mariadb.com
2020-10-24 16:32:07 +02:00
Sergei Golubchik
73a2ae9f89 MDEV-23764 Slave crashes in ha_storage_engine_is_enabled upon rename of view
view_pseudo_hton cannot be dereferenced
2020-10-24 11:15:51 +02:00
Sergei Golubchik
3cd4d8ddba parser optimization
first try to resolve the function name as a native function,
and only then look within pluggable data types
2020-10-24 11:15:51 +02:00
Alexey Botchkov
9df99151da MDEV-23437 Item_func_json_objectagg::print is not implemented.
Fix the Item_func_json_objectagg::fix_fields to save the orig_args.
2020-10-24 00:16:56 +04:00
Varun Gupta
b94e8e4b25 MDEV-23867: insert... select crash in compute_window_func
There are 2 issues here:

Issue : memory allocation.
An IO_CACHE that uses encryption uses a larger buffer (it needs space for the encrypted data,
decrypted data, IO_CACHE_CRYPT struct to describe encryption parameters etc).

Issue : IO_CACHE::seek_not_done
When IO_CACHE objects are cloned, they still share the file descriptor.
This means, operation on one IO_CACHE may change the file read position
which will confuse other IO_CACHEs using it.

The fix of these issues would be:
Allocate the buffer to also include the extra size needed for encryption.
Perform seek again after one IO_CACHE reads the file.
2020-10-23 22:36:47 +05:30
Sergei Golubchik
05a878c139 precedence bugfixing
fix printing precedence for BETWEEN, LIKE/ESCAPE, REGEXP, IN
don't use precedence for printing CASE/WHEN/THEN/ELSE/END

fix parsing precedence of BETWEEN, LIKE/ESCAPE, REGEXP, IN
support predicate arguments for IN, BETWEEN, SOUNDS LIKE, LIKE/ESCAPE,
REGEXP

use %nonassoc for unary operators

fix parsing of IS TRUE/FALSE/UNKNOWN/NULL

remove parser_precedence test as superseded by the precedence test
2020-10-23 15:53:41 +02:00
Sergei Golubchik
7f974e5ad3 cleanup: remove redundant BANG_PRECEDENCE
prefix unary operators don't need to have different precedence,
the syntax unambiguously specifies in what order they apply
2020-10-23 15:53:41 +02:00
Sergei Golubchik
8c83e6eadf cleanup: remove redundant ADDINTERVAL_PRECEDENCE
expression between INTERVAL and the unit doesns not need any
precedence rules, there's no ambiguity there
2020-10-23 15:53:41 +02:00
Sergei Golubchik
2cd5df8c83 MDEV-23656 view: removal of parentheses results in wrong result
Item_ref should have the precedence of the item it's referencing
2020-10-23 15:53:41 +02:00
Sergei Golubchik
15f03c2041 MDEV-23492 performance_schema_digests_size changing from default to 5000 when enabling performance_schema
max allowed value limit should be larger than any auto-sized value
2020-10-23 15:53:41 +02:00
Sergei Golubchik
e64084d5a3 MDEV-21201 No records produced in information_schema query, depending on projection
Reimplement MDEV-14275 Improving memory utilization for information schema

Postpone temp table instantiation until after setup_fields().

Replace all unused (not marked in read_set) columns in an I_S table
with CHAR(0). This can drastically reduce the footprint of a MEMORY
table (a TABLE_CATALOG alone is 1538 bytes per row).

This does not change the engine. If the table was decided to be Aria
(because of, say, blobs) then after optimization it'll stay Aria
even if all blobs were removed.

Note 1: when transforming table structure, share->blob_fields is
preserved, otherwise Aria might switch from DYNAMIC to STATIC row format
and expect a special field for a deleted mark, which create_tmp_tabe
didn't provide.

Note 2: optimizer was doing handler::info() (to know the number of rows)
before the temp table is populated. That didn't make much sense. Now
it's done before the table is even instantiated. Preserve the old
behavior and report 0 rows.

This reverts e2664ee836 and a8458a2345
2020-10-23 13:37:26 +02:00
Sergei Golubchik
6cefe7d31e cleanup: use predefined CMAKE_DL_LIBS
instead of, say, MY_SEARCH_LIBS(dlopen dl LIBDL)
2020-10-23 13:37:26 +02:00
Sergei Golubchik
641f81baf4 cleanup: use my_multi_malloc(), etc 2020-10-23 13:37:26 +02:00
Alexey Botchkov
94b493571a MDEV-20744 SET GLOBAL replicate_do_db = DEFAULT causes crash.
DEFAULT for the replicate_do_db is the "" as our documentation states.
2020-10-23 12:20:17 +04:00
Aleksey Midenkov
0d581562d8 Fix memory leak on Alter_drop allocation
Fixes 7f613ebdb6 (MDEV-7284 INDEX: CREATE OR REPLACE).
2020-10-22 22:00:45 +03:00
Marko Mäkelä
1657b7a583 Merge 10.4 to 10.5 2020-10-22 17:08:49 +03:00
Alexey Botchkov
21ea14db8c MDEV-20593 SIGSEGV in report_json_error_ex (on optimized builds).
When first argument to the JSON_MERGE_PATCH was NULL and second - the
invalid JSON line, the error code was garbage. So it should be set to 0
initially.
2020-10-22 15:51:14 +04:00
Marko Mäkelä
46957a6a77 Merge 10.3 into 10.4 2020-10-22 13:27:18 +03:00
Marko Mäkelä
e3d692aa09 Merge 10.2 into 10.3 2020-10-22 08:26:28 +03:00
Rinat Ibragimov
709ba7dcae MDEV-20945: BACKUP UNLOCK + FTWRL assertion failure
MDEV-20945: BACKUP UNLOCK + FTWRL assertion failure | SIGSEGV in I_P_List
from MDL_context::release_lock on INSERT w/ BACKUP LOCK (on optimized
builds) | Assertion `ticket->m_duration == MDL_EXPLICIT' failed

BACKUP LOCK behavior is modified so it won't be used wrong:
- BACKUP LOCK should commit any active transactions.
- BACKUP LOCK should not be allowed in stored procedures.
- When BACKUP LOCK is active, don't allow any DDL's for that connection.
- FTWRL is forbidden on the same connection while BACKUP LOCK is active.

Reviewed-by: monty@mariadb.com
2020-10-22 00:18:33 +03:00
Kentoku SHIBA
e6f95b23f4 MDEV-20100 MariaDB 13.3.9 Crash "[ERROR] mysqld got signal 11 ;"
Some functions on ha_partition call functions on all partitions, but handler->reset() is only called that pruned by m_partitions_to_reset. So Spider didn't clear pointer on unpruned partitions, if the unpruned partitions are used by next query, Spider reference the pointer that is already freed.
2020-10-22 05:29:03 +09:00