IS DROPPED
ANALYSIS:
=========
It is advised not to tamper with the system tables.
When primary key is dropped from a system table, certain
operations on the table which tries to access the table key
information may lead to server exit.
FIX:
====
An appropriate error is now reported in such a case.
ROOT
DESCRIPTION
===========
If the .pid file is created at a world-writable location,
it can be compromised by replacing the server's pid with
another running server's (or some other non-mysql process)
PID causing abnormal behaviour.
ANALYSIS
========
In such a case, user should be warned that .pid file is
being created at a world-writable location.
FIX
===
A new function is_file_or_dir_world_writable() is defined
and it is called in create_pid_file() before .pid file
creation. If the location is world-writable, a relevant
warning is thrown.
NOTE
====
1. PID file is always created with permission bit 0664, so
for outside world its read-only.
2. Ignoring the case when permission is denied to get the
dir stats since the .pid file creation would fail anyway in
such a case.
Issue:
------
VALUES doesn't have a type() function and is considered a
Item_field.
Solution for 5.7:
-----------------
Add a new type() function for Item_values_insert.
On 8.0 and trunk it was fixed by Mithun's Bug#19601973.
Solution for 5.6:
-----------------
Additionally Bug#17458914 is backported.
This will address the problem of using VALUES() in
INSERT ... ON DUPLICATE KEY UPDATE. Create a field object
only if it is in the UPDATE clause, else return a NULL
item.
This will also address the problems mentioned in
Bug#14789787 and Bug#16756402.
Solution for 5.5:
-----------------
As mentioned above Bug#17458914 is backported.
Additionally Bug#14786324 is also backported.
When VALUES() is detected outside its meaningful place,
it should be treated as NULL and is thus replaced with a
Field_null object, with the same name as the original
field.
Fields with type NULL are generally not handled well inside
the server (e.g Innodb will not accept them and it is
impossible to create them in regular tables). So create a
new const NULL item instead.
UNEXPECTED ERROR
ANALYSIS:
=========
Creating many indexes with large amount of index
information causes a server exit.
FIX:
====
A appropriate error is reported when the cumulative index
information length exceeds the 2 byte range (i.e 65535).
AND PARAM IN ORDER BY
Issue:
------
This issue can occur when the ORDER BY list refers to a
column that contains a parameter in the select list.
Solution:
---------
In JOIN::update_depend_map and get_sort_by_table, the
ORDER BY list's used_tables isn't checked for parameters.
This can result in incorrect behavior.
This is a partial backport of Roy's
Building with ninja shows the problem:
cmake .. -G Ninja
ninja
ninja: error: dependency cycle: sql/GenServerSource -> sql/CMakeFiles/GenServerSource -> sql/sql_builtin.cc -> cmake_order_depends_target_sq
sql/GenServerSource
Bug#16877045 5.6-CLUSTER-7.3 WIN32 SQL_YACC.CC BUILD PROBLEM
- Somewhat circular dependency caused by the configured files sql_builtin.cc being included as
part of the files to generate in sql/
- Move sql_builtin.cc out of GEN_SOURCES variable.
- Create new variable CONF_SOURCES to be used for configured files.
COL), NAME_CONST('NAME', NULL))
Backport of Bug#19143243 fix.
NAME_CONST item can return NULL_ITEM type in case of incorrect arguments.
NULL_ITEM has special processing in Item_func_in function.
In Item_func_in::fix_length_and_dec an array of possible comparators is
created. Since NAME_CONST function has NULL_ITEM type, corresponding
array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE.
ITEM_CACHE can not return proper type(NULL_ITEM) in Item_func_in::val_int(),
so the NULL_ITEM is attempted compared with an empty comparator.
The fix is to disable the caching of Item_name_const item.
Analysis
========
CREATE TABLE of InnoDB table with a partition name
which exceeds the path limit can cause the server
to exit.
During the preparation of the partition name,
there was no check to identify whether the complete
path name for partition exceeds the max supported
path length, causing the server to exit during
subsequent processing.
Fix
===
During the preparation of partition name, check and report
an error if the partition path name exceeds the maximum path
name limit.
This is a 5.5 patch.
Problem & Analysis: Slave's Receiver thread, Applier thread and worker
threads are created with LOCAL-INFILE option enabled. As the document
says https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html,
there are some issues if a thread enables local infile.
This flag should be enabled with care. But for the above mentioned
internal threads, server is enabling it at the time of creation.
Fix: Further analysis on the code shows that none of threads really
need this flag to be enabled at any time as Slave never executes
"LOAD DATA LOCAL INFILE" after reading it from Relay log.
Applier thread removes "LOCAL" before start executing the query.
GROUP BY
Issue 1:
--------
This problem occurs in the following conditions:
1) A UNION is present in the subquery of select list and
handles multiple columns.
2) Query has a GROUP BY.
A temporary table is created to handle the UNION.
Item_field objects are based on the expressions of the
result of the UNION (ie. the fake_select_lex). While
checking validity of the columns in the GROUP BY list, the
columns of the temporary table are checked in
Item_ident::local_column. But the Item_field objects
created for the temporary table don't have information like
the Name_resolution_context that they belong to or whether
they are dependent on an outer query. Since these members
are null, incorrect behavior is caused.
This can happen when such Item objects are cached to apply
the IN-to-EXISTS transform for Item_row.
Solution to Issue 1:
--------------------
Context information of the first select in the UNION will
be assigned to the new Item_field objects.
Issue 2:
--------
This problem occurs in the following conditions:
1) A UNION is present in the subquery of select list.
2) A column in the UNION's first SELECT refers to a table
in the outer-query making it a dependent union.
3) GROUP BY column refers to the outer-referencing column.
While resolving the select list with an outer-reference, an
Item_outer_ref object is created to handle the
outer-query's GROUP BY list. The Item_outer_ref object
replaces the Item_field object in the item tree.
Item_outer_ref::fix_fields will be called only while fixing
the inner references of the outer query.
Before resolving the outer-query, an Item_type_holder
object needs to be created to handle the UNION. But as
explained above, the Item_outer_ref object has not been
fixed yet. Having a fixed Item object is a pre-condition
for creating an Item_type_holder.
Solution to Issue 2:
--------------------
Use the reference (real_item()) of an Item_outer_ref object
instead of the object itself while creating an
Item_type_holder.
XML
DESCRIPTION
===========
LOAD XML INFILE performance becomes painfully slow if the
tags' value has any space(s) in between them. They're
usually kept intentionally for indentation purpose.
ANALYSIS
========
The extra spaces are calling clear_level() many a times
which is having overhead of clearing taglist etc. This can
be avoided altogether by skipping all such spaces.
FIX
===
Trim all the starting whitespaces from the value before
passing it to read_value()
PRIVILEGE.
Backport from mysql-5.7 to mysql-5.5 and mysql-5.6.
BUG#13969578: TEMPORARY TABLE IN A DATABASE ON A READ-ONLY
INSTANCE CAN BE OVERWRITTEN
Analysis:
========
Creation or modification of a persistent table by a non-super user
is NOT ALLOWED in read_only mode. Only TEMPORARY tables are allowed
to be created or modified in read_only mode. But the creation of
a persistent table was being allowed when a temporary table of
the same name existed.
The routine which denies updating a non-temporary table in a
read_only mode does not handle the case of creation of a regular
table when a temporary table of the same exists.
Fix:
===
Handled the condition where an attempt is made to create a persistent
table having the same name as that of the temporary table. Hence
the creation of a persistent table by a non-super user when a
temporary table of the same exists is denied under read_only mode.
THREE BYTES ON X86
Analysis:
=========
The macro uint3korr reads 4 bytes of data instead of 3 on
on x86 machines.
Multiple definitions were created for this macro for
optimization in WIN32. The idea was to optimize reading of
3 byte ints by reading an ordinary int and masking away the
unused byte. However this is an undefined behavior. It will
be an issue unless users are aware of allocating an extra
byte for using this macro.
Fix:
====
Removing the definition which reads 4 bytes of data. The
only definition of this macro would now read just 3 bytes
of data thus prohibiting the usage of an extra byte.
Note:
=====
This is a backport of Patches #5 and #6 for Bug#17922198.
Description:
============
If you have a relay log index file that has ended up with
some relay log files that do not exists, then RESET SLAVE
ALL is not enough to get back to a clean state.
Analysis:
=========
In the bug scenario slave server is in stopped state and
some of the relay logs got deleted but the relay log index
file is not updated.
During slave server restart replication initialization fails
as some of the required relay logs are missing. User
executes RESET SLAVE/RESET SLAVE ALL command to start a
clean slave. As per the documentation RESET SLAVE command
clears the master info and relay log info repositories,
deletes all the relay log files, and starts a new relay log
file. But in a scenario where the slave server's
Relay_log_info object is not initialized slave will not
purge the existing relay logs. Hence the index file still
remains in a bad state. Users will not be able to start
the slave unless these files are cleared.
Fix:
===
RESET SLAVE/RESET SLAVE ALL commands should do the cleanup
even in a scenario where Relay_log_info object
initialization failed.
Backported a flag named 'error_on_rli_init_info' which is
required to identify slave's Relay_log_info object
initialization failure. This flag exists in MySQL-5.6
onwards as part of BUG#14021292 fix.
During RESET SLAVE/RESET SLAVE ALL execution this flag
indicates the Relay_log_info initialization failure.
In such a case open the relay log index/relay log files
and do the required clean up.
Problem: CREATE TABLE using a fully qualified name with INDEX DIR/DATA DIR
option reports an error when the current database is not SET.
check_access() was incorrectly called with NULL as the database
argument in a situation where the database name was not needed for
the particular privilege being checked. This will cause the current
database to be used, or an error to be reported if there is no current
database.
Fix: Call check_access() with any_db as the database argument in this situation.
This is backport of WL#7195 to MySQL-5.5. In 5.5, we
offload connection authentication from the acceptor
thread to tp worker threads.
Connection authentication happens in the acceptor thread that
accepts the connection for thread pool plugin. Connection authentication
involves exchanging packets with client and disk I/O
which is time consuming. This can cause other client
connections to starve and wait in the queue possibly increasing the
connect latency and decreasing throughput. In the worst case, some
connections could be dropped. n addition, SSL handshakes are quite
expensive and can stall connections in the accept queue.
This patch offloads connection authentication when thread pool
plugin is used for client connection. Each thread group
shall have a queue of connection_context objects, which represents
new connections that need to be processed by thread group threads.
The connection context is composed of THD object & list pointers
for intrusive queue implementation. Whenever a new connection
arrives, connection context object is created and added to the
queue. A new connect handler thread is created or woken up to handle
the authentication task. The worker thread loop is modified to
process connection events on connect handler threads in addition to
checking for query processing events. The initial number of connect
handler threads is one per thread group and it is restricted to
a maximum of 4 threads per thread group.
Issue:
------
While using the LOAD statement to insert data into an
updateable view, the check to verify whether a column
is actually updatable is missing.
Solution for 5.5 and 5.6:
-------------------------
For a view whose column-list in specified in the LOAD
command, this check is not performed. This fix adds the
check.
This is a partial backport of Bug#21097485.
Solution for 5.7 and trunk:
---------------------------
For a view whose column-list is specified in the LOAD
command, this check is already performed. This fix adds the
same check when no column-list is specified.
The XML parser position stack for each level is with a fixed depth.
So a bounds check was done to ensure that this depth is not exceeded.
But it was off by one (i.e. the size of the array was a valid index).
Fixed by decreasing the allowable depth by one to match the maximum
number of elements in the position stack.
ANALYSIS:
=========
'CREATE TABLE' query with a large value for 'CONNECTION'
string reports an incorrect error.
The length of connection string is stored in .frm in two
bytes (max value= 65535). When the string length exceeds
the max value, the length is truncated to fit the two
bytes limit. Further processing leads to reading only a
part of the string as the length stored is incorrect. The
remaining part of the string is treated as engine type and
hence results in an error.
FIX:
====
We are now restricting the connection string length to 1024.
An appropriate error is reported if the length crosses this
limit.
NOTE:
=====
The 'PASSWORD' table option is documented as unused and
processed within a dead code. Hence it will not cause
similar issue with large strings.
LOAD DATA AT MASTER.
Revert "BUG#23080148 - BACKPORT BUG 14653594 AND BUG 20683959 TO"
This reverts commit 1d31f5b3090d129382b50b95512f2f79305715a1.
The commit causes replication incompatibility between minor revisions
and based on discussion with Srinivasarao, the patch is reverted.
700101
ANALYSIS:
=========
To set the time 'start_time' of query in THD, current time
is obtained by calling 'gettimeofday()'. On Solaris
platform, due to some system level issues, time obtained is
invalid i.e. its either greater than 2038 (max signed value
to hold microseconds since 1970) or 1970 (0 microseconds
since 1970). In these cases, validation checks infer that
the 'start_time' is invalid and mysql server initiates the
shutdown process. But the reason for shutdown is not logged.
FIX:
====
We are now logging appropriate message when shutdown is
triggered in the above mentioned scenarios. Now, even if
the initial validation checks infer that the 'start_time'
is invalid, server shutdown is not initiated immediately.
Before initiating the server shutdown, the process of
setting 'start_time' and validating it is reiterated (for
max 5 times). If correct time is obtained in these 5
iterations then server continues to run.
RESTRICTED IN ALL GA RELEASES
Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.
ISSUE: Heap corruption occurs and hence mysql server
terminates abnormally in String variable destructor
when ZEROFILL is used for a column.
Though the abnormal termination is observed in the
String destructor, heap corruption occurs at earlier
stage when function Field_num::prepend_zeros() is called.
This function, prepends zeros to the actual data and
works on entire field length. Since the allocated memory
could be less than the field length, heap corruption occurs.
Later, when String destructor tries to free heap, the server
terminates abnormally since the heap is corrupt.
SOLUTION: In Field_num::prepend_zeros() function, if allocated memory
is less than the field length, re-allocate memory enough to
hold field length size data.
SUBSELECT_UNION_ENGINE::NO_ROWS
This patch is specific for mysql-5.5
ISSUE: When max_join_size is used and union query
results in evaluation of tuples greater than
max_join_size, the join object is not created,
and is set to NULL.
However, this join object is further dereferenced
by union logic to determine if query resulted in
any number of rows being returned.
Since, the object is NULL, it results in
program terminating abnormally.
SOLUTION: Added check to verify if join object is created.
If join object is created, it will be used to
determine if query resulted in any number of rows.
Else, when join object is not created, we return
'false' indicating that there were no rows for the
query.
IS USED IN CREATE TABLE
The problem was that using a very long subpartition name could
lead to the server exiting abnormally.
This patch fixes the problem by reporting ER_TOO_LONG_IDENT
if a name with more than 64 characters are used as partition
and subpartition name.
[This is the 5.5/5.6 version of the bugfix].
The problem was that it was possible to write log files ending
in .ini/.cnf that later could be parsed as an options file.
This made it possible for users to specify startup options
without the permissions to do so.
This patch fixes the problem by disallowing general query log
and slow query log to be written to files ending in .ini and .cnf.
Problem:
When build_equal_items_for_cond gets called for a big query
recursively, the specified thread_stack_size exceeds. But
optimizer does not handle this condition. As a result, server
exits.
Solution:
Check if we exceed specified stack size and if yes exit
gracefully by throwing an error.
ISSUE: Queries with mediumint as column when operated with
long long type of data results in buffer overflow in
store_long function.
The merging rule specified for (MYSQL_TYPE_LONGLONG
MYSQL_TYPE_INT24) is MYSQL_TYPE_LONG. Due to this store_long
function was getting called which resulted in buffer overflow.
SOLUTION:
The correct merging rule for (MYSQL_TYPE_LONGLONG,
MYSQL_TYPE_INT24) should be MYSQL_TYPE_LONGLONG.
So, instead of function store_long, function store_longlong
is called which correctly handles the type MYSQL_TYPE_LONGLONG.
External Bug #23645238 is a duplicate of this issue.
DERIVED TABLE IN JOIN
ISSUE:
------
This problem occurs under the following conditions:
1) A parameter is used in the select-list of a derived table.
2) The derived table is part of a JOIN.
SOLUTION:
---------
When a derived table is materialized, a temporary table is
created. This temporary table creates a field each for the
items in the select-list of the derived table. This set of
fields is later used to setup the join.
Currently no field is created in the temporary table if a
parameter is used in the select-list.
Create a field for the parameter. By default Item_param's
result type in a prepared statement is set to
STRING_RESULT. This can change during the execute phase
depending on the user variable. But since the execute phase
creates its own temporary table, it will be handled
separately.
This is a backport of the fix for BUG#22392374.
Problem:
In debug builds, there is a chance that an out-of-bounds
read is performed when tables are locked in
LTM_PRELOCKED_UNDER_LOCK_TABLES mode. It can happen because
the debug code uses enum values as index for an array of
mode descriptions, but it only takes into consideration 3
out of 4 of the enum values.
Fix:
This patch fixes it by implementing a getter for the enum which
returns a string representation of the enum,
effectively removing the out-of-bounds read.
Moreover, it also fixes the lock mode descriptions that
would be print out in debug builds.
Commit#ebd24626ca38e7fa1e3da2acdcf88540be70fabe obsoleted the THREAD and
THREAD_SAFE_CLIENT preprocessor symbols. This is not removed in the
sql/net_serv.cc thereby the code that retries on EINTR became dead code.
Remove the THREAD_SAFE_CLIENT preprocessor directive form sql/net_serv.cc.
Also check errno for EINTR only if there is an error in preceding read call.
GET_SERVER_FROM_TABLE_TO_CACHE
Description:- Server received SIG11 in the function,
"get_server_from_table_to_cache()".
Analysis:- Defining a server with a blank name is not
handled properly.
Fix:- Modified "get_server_from_table_to_cache()" to
take care of blank server name.
FROM I_S
Issue:
------
There is a difference in the field type created when the
following DDLs are used:
1) CREATE TABLE t0 AS SELECT NULL;
2) CREATE TABLE t0 AS SELECT GREATEST(NULL,NULL);
The first statement creates field of type Field_string and
the second one creates a field of type Field_null.
This creates a problem when the query mentioned in this bug
is used. Since the null_ptr is calculated differently for
Field_null.
Solution:
---------
When there is a function returning null in the select list
as mentioned above, the field should be of type
Field_string.
This was fixed in 5.6+ as part of Bug#14021323. This is a
backport to mysql-5.5.
An incorrect comment in innodb_bug54044.test has been
corrected in all versions.
ASSERTION `0' FAILED ON SELECT AREA
Problem:
Optimizer tries to get the points to calculate area without
checking the return value of uint4korr for 0 "points". As a
result server exits.
Solution:
Check the return value from uint4korr().
MYSQL-5.5
The bug asks for a backport of bug#1463594 and bug#20682959. This
is required because of the fact that if replication is enabled, master
transaction can commit whereas slave can't commit due to not exact
'enviroment'. This manifestation is seen in bug#22024200.
NAME_CONST QUERY
ISSUE:
------
Using NAME_CONST with a non-constant negated expression as
value can result in incorrect behavior.
SOLUTION:
---------
The problem can be avoided by checking whether the argument
is a constant value.
The fix is a backport of Bug#12735545.
THAT ACTUALLY EXISTS
ANALYSIS:
=========
Stored functions updating a view where the view table has a
trigger defined that updates another table, fails reporting
an error that the table doesn't exist.
If there is a trigger defined on a table, a variable
'trg_event_map' will be set to a non-zero value after the
parsed tree creation. This indicates what triggers we need to
pre-load for the TABLE_LIST when opening an associated table.
During the prelocking phase, the variable 'trg_event_map'
will not be set for the view table. This value will be set
after the processing of triggers defined on the table. During
the processing of sub-statements, 'locked_tables_mode' will be
set to 'LTM_PRELOCKED' which denotes that further locking
of tables/functions cannot be done. This results in the other
table not being locked and thus further processing results in
an error getting reported.
FIX:
====
During the prelocking of view, the value of 'trg_event_map'
of the view is copied to 'trg_event_map' of the next table
in the TABLE_LIST. This results in the locking of tables
associated with the trigger as well.
Revert following bug fix:
Bug#20685029: SLAVE IO THREAD SHOULD STOP WHEN DISK IS
FULL
Bug#21753696: MAKE SHOW SLAVE STATUS NON BLOCKING IF IO
THREAD WAITS FOR DISK SPACE
This fix results in a deadlock between slave IO thread
and SQL thread.
INSERTS/UPDATES ON TEMPORARY TABLES
Bug#14294223: CHANGES NOT ALLOWED TO TEMPORARY TABLES ON
READ-ONLY SERVERS
Problem:
========
Running 5.5.14 in read only we can create temporary tables
but can not insert or update records in the table. When we
try we get Error 1290 : The MySQL server is running with the
--read-only option so it cannot execute this statement.
Analysis:
=========
This bug is very specific to binlog being enabled and
binlog-format being stmt/mixed. Standalone server without
binlog enabled or with row based binlog-mode works fine.
How standalone server and row based replication work:
=====================================================
Standalone server and row based replication mark the
transactions as read_write only when they are modifying
non temporary tables as part of their current transaction.
Because of this when code enters commit phase it checks
if a transaction is read_write or not. If the transaction
is read_write and global read only mode is enabled those
transaction will fail with 'server is read only mode'
error.
In the case of statement based mode at the time of writing
to binary log a binlog handler is created and it is always
marked as read_write. In case of temporary tables even
though the engine did not mark the transaction as read_write
but the new transaction that is started by binlog handler is
considered as read_write.
Hence in this case when code enters commit phase it finds
one handler which has a read_write transaction even when
we are modifying temporary table. This causes the server
to throw an error when global read-only mode is enabled.
Fix:
====
At the time of commit in "ha_commit_trans" if a read_write
transaction is found, we should check if this transaction is
coming from a handler other than binlog_handler. This will
ensure that there is a genuine read_write transaction being
sent by the engine apart from binlog_handler and only then
it should be blocked.
INCORRECT ERROR.
Analysis
========
INSERT with DUPLICATE KEY UPDATE and REPLACE on a table
where foreign key constraint is defined fails with an
incorrect 'duplicate entry' error rather than foreign
key constraint violation error.
As part of the bug fix for BUG#22037930, a new flag
'HA_CHECK_FK_ERROR' was added while checking for non fatal
errors to manage FK errors based on the 'IGNORE' flag. For
INSERT with DUPLICATE KEY UPDATE and REPLACE queries, the
foreign key constraint violation error was marked as non-fatal,
even though IGNORE was not set. Hence it continued with the
duplicate key processing resulting in an incorrect error.
Fix:
===
Foreign key violation errors are treated as non fatal only when
the IGNORE is not set in the above mentioned queries. Hence reports
the appropriate foreign key violation error.
