Commit graph

90 commits

Author SHA1 Message Date
Sreeharsha Ramanavarapu
115f08284d Bug #23279858: MYSQLD GOT SIGNAL 11 ON SIMPLE SELECT
NAME_CONST QUERY

ISSUE:
------
Using NAME_CONST with a non-constant negated expression as
value can result in incorrect behavior.

SOLUTION:
---------
The problem can be avoided by checking whether the argument
is a constant value.

The fix is a backport of Bug#12735545.
2016-05-24 07:44:21 +05:30
Georgi Kodinov
c6b904abf8 merge mysql-5.5->mysql-5.5-bugteam 2010-12-16 18:44:17 +02:00
Georgi Kodinov
96d45ed2f6 merge 2010-11-26 16:32:51 +02:00
Ramil Kalimullin
cc5263b223 Manual merge from mysql-5.5-bugteam. 2010-11-22 14:47:28 +03:00
Magne Mahre
64c059b0a8 Bug#58199 name_const in the having clause crashes
NAME_CONST(..) was used wrongly in a HAVING clause, and
should have caused a user error.  Instead, it caused a
segmentation fault.
      
During parsing, the value parameter to NAME_CONST was
specified to be an uninitialized Item_ref object (it
would be resolved later).   During the semantic analysis,
the object is tested, and since it was not initialied,
the server seg.faulted.
      
The fix is to check if the object is initialized
before testing it.  The same pattern has already been
applied to most other methods in the Item_ref class.
      
Bug was introduced by the optimization done as part of
Bug#33546.
2010-11-18 14:02:24 +01:00
Ramil Kalimullin
a9ac3cde49 Merge. 2010-10-13 08:51:37 +04:00
Ramil Kalimullin
9ef7eac2c0 Fix for bug#57283: inet_ntoa() crashes
Problem: some call of INET_NTOA() function may lead 
to a crash due to missing its character set initialization.

Fix: explicitly set the character set.
2010-10-12 23:28:03 +04:00
Georgi Kodinov
bd62942ec1 merge 2010-08-20 16:10:49 +03:00
Georgi Kodinov
a54c3dd5c0 merge 2010-08-20 14:22:46 +03:00
Georgi Kodinov
05e88a5bbf merge 2010-08-02 11:17:47 +03:00
Gleb Shchepa
38165ce4a3 Bug #54461: crash with longblob and union or update with subquery
Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.


******
Bug #54461: crash with longblob and union or update with subquery

Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.
2010-08-01 22:12:36 +04:00
Alexey Kopytov
5a274915ec Bug #52165: Assertion failed: file .\dtoa.c, line 465
The failing assertion was written with the assumption that a NULL
string can never be passed to my_strtod(). However, an empty string
may be passed under some circumstances by passing str == NULL and
*end == NULL.

Fixed the assertion to take the above case into account.
2010-04-07 13:59:02 +04:00
Alexey Kopytov
aef97cadfa Bug #8433: Overflow must be an error
All numeric operators and functions on integer, floating point 
and DECIMAL values now throw an 'out of range' error rather 
than returning an incorrect value or NULL,  when the result is 
out of supported range for the corresponding data type. 
 
Some test cases in the test suite had to be updated 
accordingly either because the test case itself relied on a 
value returned in case of a numeric overflow, or because a 
numeric overflow was the root cause of the corresponding bugs. 
The latter tests are no longer relevant, since the expressions 
used to trigger the corresponding bugs are not valid anymore. 
However, such test cases have been adjusted and kept "for the 
record".
2010-03-18 13:38:29 +03:00
Leonard Zhou
dccca9532f Merge 5.0 to 5.1 2009-03-27 10:18:06 +08:00
Leonard Zhou
8c5bba7235 BUG#35515 Aliases of variables in binary log are ignored with NAME_CONST.
When add an aliase name after NAME_CONST, the aliase name will be overwrite.
      
NAME_CONST will re-set the field's name only if there isn't an aliase in the
function fix-fields().
If there is an aliase, NAME_CONST doesn't re-set the field's name and keeps the old
name.
2009-03-26 15:38:17 +08:00
Ramil Kalimullin
909d29ee05 Fix for bug#42014: Crash, name_const with collate
Problem: some queries using NAME_CONST(.. COLLATE ...)
lead to server crash due to failed type cast.

Fix: return the underlying item's type in case of
NAME_CONST(.. COLLATE ...) to avoid wrong casting.
2009-02-05 11:43:39 +04:00
Ramil Kalimullin
fd5084f61d Auto-merge 2009-02-05 11:45:30 +04:00
Tatiana A. Nurnberg
94607a836f Bug#35848: UUID() returns UUIDs with the wrong time
offset for time part in UUIDs was 1/1000 of what it
should be. In other words, offset was off.

Also handle the case where we count into the future
when several UUIDs are generated in one "tick", and
then the next call is late enough for us to unwind
some but not all of those borrowed ticks.

Lastly, handle the case where we keep borrowing and
borrowing until the tick-counter overflows by also
changing into a new "numberspace" by creating a new
random suffix.
2008-07-10 05:24:46 +02:00
Tatiana A. Nurnberg
2d41201c8a Bug#35848: UUID() returns UUIDs with the wrong time
offset for time part in UUIDs was 1/1000 of what it
should be. In other words, offset was off.

Also handle the case where we count into the future
when several UUIDs are generated in one "tick", and
then the next call is late enough for us to unwind
some but not all of those borrowed ticks.

Lastly, handle the case where we keep borrowing and
borrowing until the tick-counter overflows by also
changing into a new "numberspace" by creating a new
random suffix.
2008-07-10 03:58:30 +02:00
Matthias Leich mleich@mysql.com
6fec7fc19a Upmerge of fix for
Bug 36788 Multiple funcs_1 'trig' tests are failing on vanilla builds
2008-06-03 12:21:48 +02:00
Matthias Leich mleich@mysql.com
be574a3a57 Bug#36788 Multiple funcs_1 'trig' tests are failing on vanilla builds
Fix for this bug and additional improvements/fixes
In detail:
- Remove unicode attribute from several columns
  (unicode properties were nowhere needed/tested)
  of the table tb3
  -> The runnability of these tests depends no more on
     the availibility of some optional collations.
- Use a table tb3 with the same layout for all
  engines to be tested and unify the engine name
  within the protocols.
  -> <engine>_trig_<abc>.result have the same content
- Do not load data into tb3 if these rows have no
  impact on result sets
- Add tests for NDB (they exist already in 5.1)
- "--replace_result" at various places because
  NDB variants of tests failed with "random" row
  order in results
  This fixes a till now unknown weakness within the
  funcs_1 NDB tests existing in 5.1 and 6.0
- Fix the expected result of ndb_trig_1011ext
  which suffered from Bug 32656
  + disable this test
- funcs_1 could be executed with the mysql-test-run.pl
  option "--reorder", which saves some runtime by
  optimizing server restarts.
  Runtimes on tmpfs (one attempt only):
  with    reorder 132 seconds
  without reorder 183 seconds
- Adjust two "check" statements within func_misc.test
  which were incorrect (We had one run with result set
  difference though the server worked good.)
- minor fixes in comments
2008-06-02 21:57:11 +02:00
Matthias Leich mleich@mysql.com
7b62ee3ec9 Bug#36345 Test 'func_misc' fails on RHAS3 x86_64
Upmerge of fix for this bug and a second similar problem
found during experimenting.

This replaces the first fix (already pushed to 5.1
and merged to 6.0) which
- failed in runs with the embedded server
- cannot be ported back to 5.0
2008-05-29 22:16:22 +02:00
Matthias Leich mleich@mysql.com
361dcb1a90 Bug#36345 Test 'func_misc' fails on RHAS3 x86_64
Fix for this bug and a second similar problem
found during experimenting.

This replaces the first fix (already pushed to 5.1
and merged to 6.0) which
- failed in runs with the embedded server
- cannot be ported back to 5.0
2008-05-29 18:38:10 +02:00
First_name Last_name mleich@mysql.com
72b623eef0 Fix for
Bug#36345 Test 'func_misc' fails on RHAS3 x86_64
and a second similar problem within this test found
during experimenting.
2008-05-23 17:23:55 +02:00
istruewing@stella.local
eabe082d6f Manual merge 2008-03-14 12:02:11 +01:00
istruewing@stella.local
d0b86d23d7 Merge stella.local:/home2/mydev/mysql-5.0-amain
into  stella.local:/home2/mydev/mysql-5.0-axmrg
2008-03-14 09:48:57 +01:00
tnurnberg@white.intern.koehntopp.de
fd2bae9981 Merge mysql.com:/misc/mysql/34749/50-34749
into  mysql.com:/misc/mysql/34749/51-34749
2008-03-10 07:07:56 +01:00
tnurnberg@mysql.com/white.intern.koehntopp.de
c6b4d7a7c4 Bug#34749: Server crash when using NAME_CONST() with an aggregate function
NAME_CONST('whatever', -1) * MAX(whatever) bombed since -1 was
not seen as constant, but as FUNCTION_UNARY_MINUS(constant)
while we are at the same time pretending it was a basic const
item. This confused the aggregate handlers in exciting ways.
We now make NAME_CONST() behave more consistently.
2008-02-28 14:23:22 +01:00
svoj@june.mysql.com
33ad5a480f Merge mysql.com:/home/svoj/devel/mysql/BUG34289/mysql-5.0-engines
into  mysql.com:/home/svoj/devel/mysql/BUG34289/mysql-5.1-engines
2008-02-20 21:22:21 +04:00
svoj@mysql.com/june.mysql.com
921e1cc4bb BUG#34289 - Incorrect NAME_CONST substitution in stored procedures
breaks replication

NAME_CONST() didn't replicate constant character set and collation
correctly.

With this fix NAME_CONST() inherits collation from the value argument.
2008-02-19 18:16:17 +04:00
gluh@eagle.(none)
d504588e79 Merge mysql.com:/home/gluh/MySQL/Merge/5.0-opt
into  mysql.com:/home/gluh/MySQL/Merge/5.1-opt
2007-12-13 16:10:57 +04:00
gluh@eagle.(none)
4f5868114a Merge mysql.com:/home/gluh/MySQL/Merge/5.1
into  mysql.com:/home/gluh/MySQL/Merge/5.1-opt
2007-12-13 15:56:04 +04:00
gluh@mysql.com/eagle.(none)
9df070ed7c after merge fix 2007-12-13 15:47:23 +04:00
gluh@eagle.(none)
e039595029 Merge mysql.com:/home/gluh/MySQL/Merge/5.0
into  mysql.com:/home/gluh/MySQL/Merge/5.0-opt
2007-12-13 14:52:49 +04:00
istruewing@stella.local
34b317c883 Merge stella.local:/home2/mydev/mysql-5.0-axmrg
into  stella.local:/home2/mydev/mysql-5.1-axmrg
2007-12-11 21:38:50 +01:00
istruewing@stella.local
03d99c5956 Merge stella.local:/home2/mydev/mysql-5.1-amain
into  stella.local:/home2/mydev/mysql-5.1-axmrg
2007-12-11 21:37:33 +01:00
istruewing@stella.local
ba2d58ae5e Merge stella.local:/home2/mydev/mysql-5.0-amain
into  stella.local:/home2/mydev/mysql-5.0-axmrg
2007-12-11 17:09:43 +01:00
igor@olga.mysql.com
c04d3727dc Fixed bug #27545.
Both arguments of the function NAME_CONST must be constant expressions.
This constraint is checked in the Item_name_const::fix_fields method. 
Yet if the argument of the function was not a constant expression no
error message was reported. As a result the client hanged waiting for a
response.
Now the function Item_name_const::fix_fields reports an error message
when any of the additional context conditions imposed on the function
NAME_CONST is not satisfied.
2007-12-07 23:36:58 -08:00
tsmith@ramayana.hindu.god
8fc0bfb6b6 Merge ramayana.hindu.god:/home/tsmith/m/bk/51
into  ramayana.hindu.god:/home/tsmith/m/bk/maint/51-merge
2007-12-05 12:33:36 -07:00
tsmith@ramayana.hindu.god
10cab933b2 Merge tsmith@bk-internal.mysql.com:/home/bk/mysql-5.0
into  ramayana.hindu.god:/home/tsmith/m/bk/maint/50
2007-12-04 20:58:21 -07:00
holyfoot/hf@mysql.com/hfmain.(none)
1446f74d8f Bug #30430 crash:./mtr --embedded-server --ps-protocol cache_innodb func_misc...
PS-protocol data is stored in different format - the MYSQL_RECORDS->data
contains the link to the record content, not to array of the links to
the field's contents. So we have to handle it separately for
embedded-server query cache.
2007-11-30 22:17:11 +04:00
ramil/ram@ramil.myoffice.izhnet.ru
6164613f18 Merge mysql.com:/home/ram/work/b32559/b32559.5.0
into  mysql.com:/home/ram/work/b32559/b32559.5.1
2007-11-29 10:23:30 +04:00
ramil/ram@mysql.com/ramil.myoffice.izhnet.ru
ac034767c0 Fix for bug #32559: connection hangs on query with name_const
Problem: passing a non-constant name to the NAME_CONST function results in a crash.

Fix: check the NAME_CONST name argument; return fake item type if we got
non-constant argument(s).
2007-11-27 09:36:43 +04:00
ramil/ram@ramil.myoffice.izhnet.ru
c7528dff69 Merge mysql.com:/home/ram/work/b31349/b31349.5.0
into  mysql.com:/home/ram/work/b31349/b31349.5.1
2007-10-23 13:55:06 +05:00
ramil/ram@mysql.com/ramil.myoffice.izhnet.ru
b4f558419f Fix for bug #31349: ERROR 1062 (23000): Duplicate entry '' for key 'group_key'
Problem: lying to the optimizer that a function (Item_func_inet_ntoa)
cannot return NULL values leads to unexpected results (in the case group
keys creation/comparison is broken). 

Fix: Item_func_inet_ntoa::maybe_null should be set properly.
2007-10-19 14:54:05 +05:00
mhansson/martin@linux-st28.site
600d2ba0b1 Merge linux-st28.site:/home/martin/mysql/src/bug30832-again/my50-bug30832-again
into  linux-st28.site:/home/martin/mysql/src/bug30832-again/my51-bug30832-again
2007-10-09 11:37:46 +02:00
mhansson/martin@linux-st28.site
d29146f9f4 Bug#30832:Assertion + crash with select name_const('test',now());
Completion of previous patch. Negative number were denied
as the second argument to NAME_CONST.
2007-10-09 11:36:05 +02:00
mhansson/martin@linux-st28.site
967c782fa7 Merge linux-st28.site:/home/martin/mysql/src/bug30832/my50-bug30832
into  linux-st28.site:/home/martin/mysql/src/bug30832/my51-bug30832
2007-10-01 09:11:45 +02:00
mhansson/martin@linux-st28.site
397da9d9b7 Bug #30832: Assertion + crash with select name_const('test', now());
The NAME_CONST function is required to work correctly with constants only.
When executed with functions that return types other than those returned by
Item::field_type (string, int, decimal, or real), the result gets cast to
one of those types. This cannot happen for constants.
Fixed by only allowing constants as arguments to NAME_CONST.
2007-09-28 18:05:23 +02:00
tsmith@ramayana.hindu.god
2c44def1ee Bug #30389: connection_id() always return 0 in embedded server
Initialize thd->variables.pseudo_thread_id when a new embedded
thd is created.
2007-08-27 14:31:27 -06:00