The problem was that the x86 assembly based atomic CAS
(compare and swap) implementation could copy the wrong
value to the ebx register, where the cmpxchg8b expects
to see part of the "comparand" value. Since the original
value in the ebx register is saved in the stack (that is,
the push instruction causes the stack pointer to change),
a wrong offset could be used if the compiler decides to
put the source of the comparand value in the stack.
The solution is to copy the comparand value directly from
memory. Since the comparand value is 64-bits wide, it is
copied in two steps over to the ebx and ecx registers.
include/atomic/x86-gcc.h:
For reference, an excerpt from a faulty binary follows.
It is a disassembly of my_atomic-t, compiled at -O3 with
ICC 11.0. Most of the code deals with preparations for
a atomic cmpxchg8b operation. This instruction compares
the value in edx:eax with the destination operand. If the
values are equal, the value in ecx:ebx is stored in the
destination, otherwise the value in the destination operand
is copied into edx:eax.
In this case, my_atomic_add64 is implemented as a compare
and exchange. The addition is done over temporary storage
and loaded into the destination if the original term value
is still valid.
volatile int64 a64;
int64 b=0x1000200030004000LL;
a64=0;
mov 0xfffffda8(%ebx),%eax
xor %ebp,%ebp
mov %ebp,(%eax)
mov %ebp,0x4(%eax)
my_atomic_add64(&a64, b);
mov 0xfffffda8(%ebx),%ebp # Load address of a64
mov 0x0(%ebp),%edx # Copy value
mov 0x4(%ebp),%ecx
mov %edx,0xc(%esp) # Assign to tmp var in the stack
mov %ecx,0x10(%esp)
add $0x30004000,%edx # Sum values
adc $0x10002000,%ecx
mov %edx,0x8(%esp) # Save part of result for later
mov 0x0(%ebp),%esi # Copy value of a64 again
mov 0x4(%ebp),%edi
mov 0xc(%esp),%eax # Load the value of a64 used
mov 0x10(%esp),%edx # for comparison
mov %esi,(%esp)
mov %edi,0x4(%esp)
push %ebx # Push %ebx into stack. Changes esp.
mov 0x8(%esp),%ebx # Wrong restore of the result.
lock cmpxchg8b 0x0(%ebp)
sete %cl
pop %ebx
CHECKSUM TABLE for performance schema tables could cause uninitialized
memory reads.
The root cause is a design flaw in the implementation of
mysql_checksum_table(), which do not honor null fields.
However, fixing this bug in CHECKSUM TABLE is risky, as it can cause the
checksum value to change.
This fix implements a work around, to systematically reset fields values
even for null fields, so that the field memory representation is always
initialized with a known value.
Before this fix, the test output for perfschema.server_init would
vary between executions, because some of the objects tested were
not guaranteed to exist in all configurations / code paths.
This fix removes these weak tests.
Also, comments referring to abandonned code have been cleaned up.
tree for embedded server
Test case for bug #56251 "Deadlock with INSERT
DELAYED and MERGE tables" can't be run against
embedded server. Embedded server converts all
DELAYED INSERTs into ordinary INSERTs and this
test can't work properly if such conversion
happens.
Moved this test from merge.test to delayed.test
which is skipped if test suite is run with
--embedded-server option.
Subselect executes twice, at JOIN::optimize stage
and at JOIN::execute stage. At optimize stage
Innodb prebuilt struct which is used for the
retrieval of column values is initialized in.
ha_innobase::index_read(), prebuilt->sql_stat_start is true.
After QUICK_ROR_INTERSECT_SELECT finished his job it
restores read_set/write_set bitmaps with initial values
and deactivates one of the handlers used by
QUICK_ROR_INTERSECT_SELECT in JOIN::cleanup
(it's the case when we reuse original handler as one of
handlers required by QUICK_ROR_INTERSECT_SELECT object).
On second subselect execution inactive handler is activated
in QUICK_RANGE_SELECT::reset, file->ha_index_init().
In ha_index_init Innodb prebuilt struct is reinitialized
with inappropriate read_set/write_set bitmaps. Further
reinitialization in ha_innobase::index_read() does not
happen as prebuilt->sql_stat_start is false.
It leads to partial retrieval of required field values
and we get a mix of field values from different records
in the record buffer.
The fix is to reset
read_set/write_set bitmaps as these values
are required for proper intialization of
internal InnoDB struct which is used for
the retrieval of column values
(see build_template(), ha_innodb.cc)
mysql-test/include/index_merge_ror_cpk.inc:
test case
mysql-test/r/index_merge_innodb.result:
test case
mysql-test/r/index_merge_myisam.result:
test case
sql/opt_range.cc:
if ROR merge scan is used we need to reset
read_set/write_set bitmaps as these values
are required for proper intialization of
internal InnoDB struct which is used for
the retrieval of column values
(see build_template(), ha_innodb.cc)
adding new indexes
A fast alter table requires that the existing (old) table
and indices are unchanged (i.e only new indices can be
added). To verify this, the layout and flags of the old
table/indices are compared for equality with the new.
The PACK_KEYS option is a no-op in InnoDB, but the flag
exists, and is used in the table compare. We need to
check this (table) option flag before deciding whether an
index should be packed or not. If the table has
explicitly set PACK_KEYS to 0, the created indices should
not be marked as packed/packable.
compression protocol.
The loss of connection was caused by a malformed packet
sent by the server in case when query cache was in use.
When storing data in the query cache, the query cache
memory allocation algorithm had a tendency to reduce
the amount of memory block necessary to store a result
set, up to finally storing the entire result set in a single
block. With a significant result set, this memory block
could turn out to be quite large - 30, 40 MB and on.
When such a result set was sent to the client, the entire
memory block was compressed and written to network as a
single network packet. However, the length of the
network packet is limited by 0xFFFFFF (16MB), since
the packet format only allows 3 bytes for packet length.
As a result, a malformed, overly large packet
with truncated length would be sent to the client
and break the client/server protocol.
The solution is, when sending result sets from the query
cache, to ensure that the data is chopped into
network packets of size <= 16MB, so that there
is no corruption of packet length. This solution,
however, has a shortcoming: since the result set
is still stored in the query cache as a single block,
at the time of sending, we've lost boundaries of individual
logical packets (one logical packet = one row of the result
set) and thus can end up sending a truncated logical
packet in a compressed network packet.
As a result, on the client we may require more memory than
max_allowed_packet to keep, both, the truncated
last logical packet, and the compressed next packet.
This never (or in practice never) happens without compression,
since without compression it's very unlikely that
a) a truncated logical packet would remain on the client
when it's time to read the next packet
b) a subsequent logical packet that is being read would be
so large that size-of-new-packet + size-of-old-packet-tail >
max_allowed_packet.
To remedy this issue, we send data in 1MB sized packets,
that's below the current client default of 16MB for
max_allowed_packet, but large enough to ensure there is no
unnecessary overhead from too many syscalls per result set.
sql/net_serv.cc:
net_realloc() modified: consider already used memory
when compare packet buffer length
sql/sql_cache.cc:
modified Query_cache::send_result_to_client: send result to client
in chunks limited by 1 megabyte.
The problem was that RENAME TABLE caused an assert if the system variable
lower_case_table_names was 2 (default on Mac OS X) and the old table name
was given in upper case. This caused lowercase_table2.test to fail.
The assert checks that an exclusive metadata lock is held by the connection
trying to do RENAME TABLE - specificially during updates of table triggers.
The assert was triggered since the check is case sensitive and the lock
was held on the normalized (lower case) version of the table name.
This patch fixes the problem by making sure a normalized version of the
table name is used for the metadata lock check, while using a non-normalized
version of the table name for the rename of trigger files. The same is done
for ALTER TABLE ... RENAME.
Regression testing for the bug itself is already covered by
lowercase_table2.test. Additional coverage added to lowercase_fs_off.test.
Before this fix, the server could crash inside a memcpy when reading data
from the EVENTS_WAITS_CURRENT / HISTORY / HISTORY_LONG tables.
The root cause is that the length used in a memcpy could be corrupted,
when another thread writes data in the wait record being read.
Reading unsafe data is ok, per design choice, and the code does sanitize
the data in general, but did not sanitize the length given to memcpy.
The fix is to also sanitize the schema name / object name / file name
length when extracting the data to produce a row.
Fix compiler warning:
trx/trx0undo.c: In function 'trx_undo_truncate_end':
trx/trx0undo.c:1069:14: error: variable 'rseg' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0undo.c: In function 'trx_undo_set_state_at_prepare':
trx/trx0undo.c:1871:16: error: variable 'page_hdr' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0trx.c: In function 'trx_prepare_off_kernel':
trx/trx0trx.c:1808:11: error: variable 'update_hdr_page' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0sys.c: In function 'trx_sys_create_doublewrite_buf':
trx/trx0sys.c:244:15: error: variable 'new_block' set but not used [-Werror=unused-but-set-variable]
Fix compiler warnings:
trx/trx0roll.c: In function 'trx_undo_arr_remove_info':
trx/trx0roll.c:744:9: error: variable 'n' set but not used [-Werror=unused-but-set-variable]
trx/trx0roll.c:743:9: error: variable 'n_used' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0purge.c: In function 'trx_purge_rec_release':
trx/trx0purge.c:1071:18: error: variable 'arr' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0purge.c: In function 'trx_purge_rseg_get_next_history_log':
trx/trx0purge.c:660:15: error: variable 'seg_hdr' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0purge.c: In function 'trx_purge_add_update_undo_to_history':
trx/trx0purge.c:307:15: error: variable 'seg_header' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
trx/trx0purge.c: In function 'trx_purge_add_update_undo_to_history':
trx/trx0purge.c:309:16: error: variable 'page_header' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
row/row0vers.c: In function 'row_vers_impl_x_locked_off_kernel':
row/row0vers.c:74:9: error: variable 'err' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
row/row0umod.c: In function 'row_undo_mod_clust_low':
row/row0umod.c:117:9: error: variable 'success' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
row/row0purge.c: In function 'row_purge_step':
row/row0purge.c:687:9: error: variable 'err' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
que/que0que.c: In function 'que_run_threads_low':
que/que0que.c:1287:9: error: variable 'cumul_resource' set but not used [-Werror=unused-but-set-variable]
Fix compiler warnings:
os/os0file.c: In function 'os_file_create':
os/os0file.c:1371:14: error: variable 'purpose_str' set but not used [-Werror=unused-but-set-variable]
os/os0file.c:1370:14: error: variable 'type_str' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
log/log0recv.c: In function 'recv_synchronize_groups':
log/log0recv.c:562:14: error: variable 'limit_lsn' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
log/log0recv.c: In function 'recv_recovery_from_checkpoint_start_func':
log/log0recv.c:2894:14: error: variable 'archived_lsn' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
handler/i_s.cc: In function 'int trx_i_s_common_fill_table(THD*, TABLE_LIST*, COND*)':
handler/i_s.cc:931:8: error: variable 'ret' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
handler/ha_innodb.cc: In function 'void innobase_drop_database(handlerton*, char*)':
handler/ha_innodb.cc:7010:6: error: variable 'error' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
handler/ha_innodb.cc: In function 'bool innodb_show_status(handlerton*, THD*, bool (*)(THD*, const char*, uint, const char*, uint, const char*, uint))':
handler/ha_innodb.cc:8851:7: error: variable 'result' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
eval/eval0eval.c: In function 'eval_notfound':
eval/eval0eval.c:388:14: error: variable 'arg2' set but not used [-Werror=unused-but-set-variable]
Fix compiler warning:
dict/dict0dict.c: In function 'dict_index_print_low':
dict/dict0dict.c:4444:14: error: variable 'type_string' set but not used [-Werror=unused-but-set-variable]
