file .\filesort.cc, line 149 (part II)
Problem: the server didn't disregard sort order
for some zero length tuples.
Fix: skip sort order in such a case
(zero length NOT NULL string functions).
strict aliasing violations.
Post-merge fix: include my_compiler.h before my_attribute.h
as the latter will undef __attribute__ if the compiler is not
GCC. Based on the compiler version, in my_compiler.h we know
for sure whether the aligned attribute is supported. Furthermore,
undefining the attribute might cause bugs if some system header
uses it.
strict aliasing violations.
Another rather noisy violation of strict aliasing rules
is the spatial code which makes use of stack-based memory
(of type Geometry_buffer) to provide placement for Geometry
objects. Although a placement new is allowed to dynamically
change the type of an object, the object returned by the
placement new was being ignored and the original stack-based
object was being cast to the new type, thus violating strict
aliasing rules.
The solution is to reorganize the code so that the object
returned by the placement new is used instead of casting the
original object. Also, to ensure that the stack-based object
is properly aligned with respect to the objects it provides
placement for, a set of compiler-dependent macros and types
are introduced so that the alignment of objects can be inquired
and specified.
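The two halves of that fix, shown as an added example rather than the server's own spatial code: a stand-in Geometry hierarchy, a stack buffer whose alignment is declared for every type it may hold, and the construction pattern that keeps the pointer placement new returns. The Geometry, Point and Polygon classes are invented for the illustration, and C++11 alignas stands in for the compiler-dependent alignment macros the commit introduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>

// Added example, not the server's spatial code: a stand-in for the Geometry
// class hierarchy that Geometry_buffer provides stack placement for.
struct Geometry {
  virtual ~Geometry() {}
  virtual int dimension() const = 0;
};

struct Point : Geometry {
  double x, y;
  Point(double x_, double y_) : x(x_), y(y_) {}
  int dimension() const override { return 0; }
};

struct Polygon : Geometry {
  int rings;
  explicit Polygon(int r) : rings(r) {}
  int dimension() const override { return 2; }
};

// Raw storage sized and aligned for every type that may be placed into it.
// The commit introduced compiler-dependent macros for this; C++11 alignas
// (an assumption of this example) expresses the same requirement portably.
struct Geometry_buffer {
  static const std::size_t size =
      sizeof(Point) > sizeof(Polygon) ? sizeof(Point) : sizeof(Polygon);
  alignas(Point) alignas(Polygon) unsigned char data[size];
};

// True when the buffer's alignment satisfies all types it is used for.
bool buffer_alignment_ok() {
  Geometry_buffer buf;
  return alignof(Geometry_buffer) >= alignof(Point) &&
         alignof(Geometry_buffer) >= alignof(Polygon) &&
         reinterpret_cast<std::uintptr_t>(buf.data) % alignof(Geometry_buffer) == 0;
}

// The pattern the commit removed: the pointer placement new returns is
// discarded and the raw unsigned char[] buffer is cast instead. That cast
// is the strict-aliasing violation the commit message describes.
Geometry *construct_point_old_way(Geometry_buffer *buf, double x, double y) {
  new (buf->data) Point(x, y);
  return reinterpret_cast<Geometry *>(buf->data);
}

// The fixed pattern: the object placement new returns is the one used.
Geometry *construct_point(Geometry_buffer *buf, double x, double y) {
  return new (buf->data) Point(x, y);
}

Geometry *construct_polygon(Geometry_buffer *buf, int rings) {
  return new (buf->data) Polygon(rings);
}

// Use a placed object and destroy it explicitly; the buffer itself lives on
// the stack, so no delete is involved.
int dimension_of_point(double x, double y) {
  Geometry_buffer buf;
  Geometry *g = construct_point(&buf, x, y);
  int d = g->dimension();
  g->~Geometry();
  return d;
}

int dimension_of_polygon(int rings) {
  Geometry_buffer buf;
  Geometry *g = construct_polygon(&buf, rings);
  int d = g->dimension();
  g->~Geometry();
  return d;
}

int main() {
  std::printf("aligned=%d point=%d polygon=%d\n", buffer_alignment_ok(),
              dimension_of_point(1.0, 2.0), dimension_of_polygon(3));
  return 0;
}
```

The alignment check matters because a Geometry_buffer declared as a plain char array carries no alignment guarantee beyond 1, while the objects placed into it contain a vtable pointer and doubles; declaring the buffer with the strictest alignment of all candidate types is what makes the placement well-defined.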
Backport fixes from ndb: Rework the constructors of some static
objects to not call dbug functions since the constructors will
be called before main, and consequently, before the dbug library
is initialized.
and reverse() function
3 problems fixed :
1. The reported problem : caused by incorrect parsing of
the file as ucs data resulting in wrong length of the parsed
string. Fixed by truncating the invalid trailing bytes
(non-complete multibyte characters) when reading from the file
2. LOAD DATA when reading from a proper UCS2 file wasn't
recognizing the new line characters. Fixed by first looking
if a byte is a new line (or any other special) character before
reading it as a part of a multibyte character.
3. When using user variables to hold the column data in LOAD
DATA the character set of the user variable was set incorrectly
to the database charset. Fixed by setting it to the charset
specified by LOAD DATA (if any).
bytes_received/bytes_sent are ulonglong so they cannot be handled by the
ulong handling code in add_to_status/add_diff_to_status().
Fixed by adding code to handle these two variables in
add_to_status()/add_diff_to_status() and making sure they are not subject
to the ulong handling code.
> ------------------------------------------------------------
> revno: 3392.1.1
> revision-id: gshchepa@mysql.com-20100521184732-0jvpzinv0uwyvr2d
> parent: sven.sandberg@sun.com-20100520153801-yyhujm1qqa4eyfn0
> committer: Gleb Shchepa <gshchepa@mysql.com>
> branch nick: 53804-5.1
> timestamp: Fri 2010-05-21 22:47:32 +0400
> message:
> Bug #53804: serious flaws in the alter database .. upgrade
> data directory name command
>
> The check_db_name function has been modified to validate tails of
> #mysql50#-prefixed database names for compliance with MySQL 5.0
> database name encoding rules (the check_table_name function call
> has been reused).
> ------------------------------------------------------------
> revno: 3386
> revision-id: sergey.glukhov@sun.com-20100518082821-yajhvbv1ghmlpu1n
> parent: aelkin@mysql.com-20100516170332-x8priwrdjwolc065
> committer: Sergey Glukhov <Sergey.Glukhov@sun.com>
> branch nick: mysql-5.1-bugteam
> timestamp: Tue 2010-05-18 13:28:21 +0500
> message:
> Bug#48729 SELECT ... FROM INFORMATION_SCHEMA.ROUTINES causes memory to grow
> Analysis showed that in case of accessing I_S table
> ROUTINES we perform unnecessary allocations
> with get_field() function for every processed row that
> in their turn causes significant memory growth.
> the fix is to avoid use of get_field().
> ------------------------------------------------------------
> revno: 3367 [merge]
> revision-id: joro@sun.com-20100504140328-srxf3c088j2twnq6
> parent: kristofer.pettersson@sun.com-20100503172109-f9hracq5pqsaomb1
> parent: joro@sun.com-20100503151651-nakknn8amrapmdp7
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B53371-5.1-bugteam
> timestamp: Tue 2010-05-04 17:03:28 +0300
> message:
> Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
>
> This is the 5.1 merge and extension of the fix.
> The server was happily accepting paths in table name in all places a table
> name is accepted (e.g. a SELECT). This allowed all users that have some
> privilege over some database to read all tables in all databases in all
> mysql server instances that the server file system has access to.
> Fixed by :
> 1. making sure no path elements are allowed in quoted table name when
> constructing the path (note that the path symbols are still valid in table names
> when they're properly escaped by the server).
> 2. checking the #mysql50# prefixed names the same way they're checked for
> path elements in mysql-5.0.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.
> ------------------------------------------------------------
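An added example of the two rules stated in the Bug #53371 entry above (and the matching #mysql50# database-name check from Bug #53804): a quoted identifier is escaped by the server before it becomes a path component, so path symbols in it are harmless, whereas a #mysql50#-prefixed name is used on disk verbatim and must be validated like a 5.0 name. This is illustrative code, not MySQL's check_db_name(), check_table_name() or build_table_filename(); the rejected character set and the 64-byte limit are assumptions, and the @XXXX escaping is a simplified ASCII-only version of the 5.1 file-name encoding.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Added example; not MySQL's own identifier checks or path construction.
static const char MYSQL50_PREFIX[] = "#mysql50#";
static const std::size_t MYSQL50_PREFIX_LEN = sizeof(MYSQL50_PREFIX) - 1;
static const std::size_t RAW_NAME_MAX = 64;  // assumption: identifier limit

static bool has_mysql50_prefix(const std::string &name) {
  return name.compare(0, MYSQL50_PREFIX_LEN, MYSQL50_PREFIX) == 0;
}

// Rule for a raw (5.0-style, on-disk) name: it becomes one path component
// verbatim, so nothing the file system treats as a path element may appear
// in it. The exact character set here is an assumption of this example.
static bool raw_name_is_safe(const std::string &raw) {
  if (raw.empty() || raw.size() > RAW_NAME_MAX) return false;
  if (raw == "." || raw == "..") return false;
  for (char c : raw)
    if (c == '/' || c == '\\' || c == '~' || c == '\0') return false;
  return true;
}

// Simplified 5.1-style escaping of an identifier into a file-name-safe form:
// every byte outside [A-Za-z0-9_] becomes '@' plus four hex digits, so a
// '/' or '.' in a quoted SQL name can never act as a path element.
static std::string encode_for_filename(const std::string &ident) {
  std::string out;
  for (unsigned char c : ident) {
    if (std::isalnum(c) || c == '_') {
      out += static_cast<char>(c);
      continue;
    }
    char buf[6];
    std::snprintf(buf, sizeof buf, "@%04x", c);
    out += buf;
  }
  return out;
}

// Map an SQL identifier (database or table) to the single path component
// used on disk, or "" if it is unsafe. #mysql50#-prefixed names are taken
// verbatim after validation of the tail; everything else is escaped.
static std::string to_path_component(const std::string &ident) {
  if (has_mysql50_prefix(ident)) {
    std::string raw = ident.substr(MYSQL50_PREFIX_LEN);
    return raw_name_is_safe(raw) ? raw : "";
  }
  return encode_for_filename(ident);
}

// Relative path of a table's .frm file under the data directory, or "" when
// either identifier would let the path escape its directory.
std::string table_frm_path(const std::string &db, const std::string &table) {
  std::string d = to_path_component(db);
  std::string t = to_path_component(table);
  if (d.empty() || t.empty()) return "";
  return d + "/" + t + ".frm";
}

int main() {
  // Constructed inputs: a quoted name with path symbols (escaped, harmless)
  // and the same bytes behind the #mysql50# prefix (rejected).
  std::printf("%s\n", table_frm_path("test", "../mysql/user").c_str());
  std::printf("[%s]\n", table_frm_path("test", "#mysql50#../mysql/user").c_str());
  std::printf("[%s]\n", table_frm_path("#mysql50#../etc", "passwd").c_str());
  return 0;
}
```

The point of the split is that the #mysql50# prefix tells the server "this is already the on-disk name, do not encode it", which is exactly why its tail needs the same path-element validation 5.0 applied, for databases as well as tables.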
> revno: 3351.41.1
> revision-id: alexey.kopytov@sun.com-20100430111048-jdls6ofn4kkmpt09
> parent: sergey.glukhov@sun.com-20100329134249-03wyhzp5k92dzhcb
> committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
> branch nick: my51-bug48419
> timestamp: Fri 2010-04-30 15:10:48 +0400
> message:
> Bug #48419: another explain crash..
>
> WHERE predicates containing references to empty tables in a
> subquery were handled incorrectly by the optimizer when
> executing EXPLAIN. As a result, the optimizer could try to
> evaluate such predicates rather than just stop with
> "Impossible WHERE noticed after reading const tables" as
> it would do in a non-subquery case. This led to valgrind
> errors and crashes.
>
> Fixed the code checking the above condition so that subqueries
> are not excluded and hence are handled in the same way as top
> level SELECTs.
> ------------------------------------------------------------
> revno: 1810.3987.14
> revision-id: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> parent: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: 50974-5.0
> timestamp: Thu 2010-04-29 10:28:16 -0300
> message:
> Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
>
> The server could be tricked to read packets indefinitely if it
> received a packet larger than the maximum size of one packet.
> This problem is aggravated by the fact that it can be triggered
> before authentication.
>
> The solution is to not skip big packets for non-authenticated
> sessions. If a big packet is sent before a session is
> authenticated, an error is returned and the connection is closed.
> ------------------------------------------------------------
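A model of the policy in the Bug#50974 entry above, added here as an example and not the server's net_read_packet(): one packet is consumed from a byte stream framed as a 3-byte little-endian payload length plus a sequence id; an oversized packet is discarded (skipped) only when the session is authenticated, and is reported for error-and-close otherwise, so an unauthenticated client can no longer keep the server reading. The status names, the Session struct and the 16-byte limit used in the scenario are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not the server's net_serv.cc code.
enum PacketStatus {
  PACKET_OK,         // one packet delivered in `out`
  PACKET_NEED_MORE,  // wait for more bytes from the socket
  PACKET_SKIPPED,    // authenticated session: oversized packet discarded
  PACKET_CLOSE       // unauthenticated session: report error and close
};

struct Session {
  bool authenticated;
  std::size_t max_allowed_packet;
};

struct Packet {
  uint8_t seq;
  std::vector<uint8_t> payload;
};

// Consume one packet from `in` starting at `pos`. For an authenticated
// session an oversized packet is skipped (its bytes are consumed so the
// stream stays in sync); before authentication the function returns at
// once without consuming anything, and the caller must close.
PacketStatus read_packet(const Session &s, const std::vector<uint8_t> &in,
                         std::size_t &pos, Packet &out) {
  if (in.size() - pos < 4) return PACKET_NEED_MORE;
  std::size_t len = static_cast<std::size_t>(in[pos]) |
                    (static_cast<std::size_t>(in[pos + 1]) << 8) |
                    (static_cast<std::size_t>(in[pos + 2]) << 16);
  std::size_t available = in.size() - pos - 4;
  if (len > s.max_allowed_packet) {
    if (!s.authenticated) return PACKET_CLOSE;  // the fix: no skipping here
    if (available < len) return PACKET_NEED_MORE;
    pos += 4 + len;
    return PACKET_SKIPPED;
  }
  if (available < len) return PACKET_NEED_MORE;
  out.seq = in[pos + 3];
  out.payload.assign(in.begin() + pos + 4, in.begin() + pos + 4 + len);
  pos += 4 + len;
  return PACKET_OK;
}

// Build one framed packet (used to construct traffic for the scenario).
std::vector<uint8_t> frame(uint8_t seq, std::size_t payload_len, uint8_t fill) {
  std::vector<uint8_t> f;
  f.push_back(static_cast<uint8_t>(payload_len & 0xff));
  f.push_back(static_cast<uint8_t>((payload_len >> 8) & 0xff));
  f.push_back(static_cast<uint8_t>((payload_len >> 16) & 0xff));
  f.push_back(seq);
  f.insert(f.end(), payload_len, fill);
  return f;
}

// Scenario: a 32-byte packet (over a 16-byte limit) followed by a normal
// 5-byte one. Returns the first read's status; `second` and `second_len`
// report what a follow-up read sees when the session survives.
PacketStatus big_then_small(bool authenticated, PacketStatus &second,
                            std::size_t &second_len) {
  Session s = { authenticated, 16 };
  std::vector<uint8_t> stream = frame(0, 32, 'A');
  std::vector<uint8_t> next = frame(1, 5, 'B');
  stream.insert(stream.end(), next.begin(), next.end());
  std::size_t pos = 0;
  Packet p;
  PacketStatus first = read_packet(s, stream, pos, p);
  second = PACKET_CLOSE;
  second_len = 0;
  if (first == PACKET_CLOSE) return first;  // connection is gone
  second = read_packet(s, stream, pos, p);
  second_len = p.payload.size();
  return first;
}

int main() {
  PacketStatus second;
  std::size_t n;
  std::printf("unauth: %d\n", big_then_small(false, second, n));
  std::printf("auth:   %d then %d (%zu bytes)\n", big_then_small(true, second, n), second, n);
  return 0;
}
```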
> revno: 3363 [merge]
> revision-id: davi.arnaut@sun.com-20100429231819-i3anwzrdasjmezvt
> parent: davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs
> parent: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: mysql-5.1-bugteam
> timestamp: Thu 2010-04-29 20:18:19 -0300
> message:
> Manual merge.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.
> ------------------------------------------------------------
> revno: 1810.3987.13
> revision-id: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> parent: alexey.kopytov@sun.com-20100426200600-op06qy98llzpzgl1
> committer: Ramil Kalimullin <ramil@mysql.com>
> branch nick: b53237-5.0-bugteam
> timestamp: Thu 2010-04-29 08:42:32 +0400
> message:
> Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
>
> Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
> SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
> checked for sanity. By sending long data for the table a buffer is overflown, which can
> be used deliberately to include code that harms".
>
> Fix: check incoming data length.
The patch did not apply cleanly:
- Line numbers are completely off, roughly it is 2030 -> 1313
- What is called "pend" in the patch, is "arg_end" in the source.
> ------------------------------------------------------------
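The "check incoming data length" fix from the bug #53237 entry above, as an added illustration rather than the server's dispatch_command() code. COM_FIELD_LIST carries a NUL-terminated table name followed by a column wildcard; the check rejects a name that is not terminated inside the packet or is longer than the identifier limit before the name is copied into a fixed-size stack buffer. NAME_LEN is assumed to be 64 here, and the FieldListArgs type, bounded_strlen() and parses() helpers are inventions of this example; arg_end is named after the variable the merge note mentions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Added example, not the server's COM_FIELD_LIST handling.
static const std::size_t NAME_LEN = 64;  // assumption: identifier byte limit

struct FieldListArgs {
  std::string table;
  std::string wild;
};

// Bounded length of the leading C string: unlike strlen()/strend() on an
// unterminated name, this never reads past the packet.
static std::size_t bounded_strlen(const char *p, std::size_t n) {
  std::size_t i = 0;
  while (i < n && p[i] != '\0') ++i;
  return i;
}

// Returns false without touching `args` when the name is unterminated inside
// the packet (arg_length >= packet_length) or longer than NAME_LEN. Only
// after that check is the name copied into the fixed-size stack buffer that
// an over-long name would otherwise overflow.
bool parse_field_list(const char *packet, std::size_t packet_length,
                      FieldListArgs &args) {
  std::size_t arg_length = bounded_strlen(packet, packet_length);
  if (arg_length >= packet_length || arg_length > NAME_LEN) return false;
  char table_name[NAME_LEN + 1];
  std::memcpy(table_name, packet, arg_length);
  table_name[arg_length] = '\0';
  args.table = table_name;
  const char *arg_end = packet + arg_length;  // points at the terminating NUL
  args.wild.assign(arg_end + 1, packet_length - arg_length - 1);
  return true;
}

// Helper for constructed inputs (not captured traffic): parse `raw` and
// hand back the fields when parsing succeeds.
bool parses(const std::string &raw, std::string *table = 0, std::string *wild = 0) {
  FieldListArgs a;
  bool ok = parse_field_list(raw.data(), raw.size(), a);
  if (ok && table) *table = a.table;
  if (ok && wild) *wild = a.wild;
  return ok;
}

int main() {
  std::string t, w;
  std::printf("normal: %d (%s / %s)\n", parses(std::string("t1\0%", 4), &t, &w),
              t.c_str(), w.c_str());
  std::printf("unterminated: %d\n", parses("abc"));
  std::printf("too long: %d\n",
              parses(std::string(NAME_LEN + 1, 'a') + std::string("\0", 1)));
  return 0;
}
```

Both halves of the condition matter: arg_length > NAME_LEN is the buffer bound, while arg_length >= packet_length catches a name with no terminator inside the packet, where the old strlen()-based length would have been computed from whatever followed the packet in memory.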
> revno: 3351.14.47
> revision-id: marko.makela@oracle.com-20100421095033-0acvzxb8um8cms0a
> parent: marko.makela@oracle.com-20100421094032-ir4glqk46qvg2ywn
> committer: Marko Mäkelä <marko.makela@oracle.com>
> branch nick: 5.1-innodb
> timestamp: Wed 2010-04-21 12:50:33 +0300
> message:
> dtuple_convert_big_rec(): Store locally any fields whose maximum length
> is less than 256 bytes. (Bug #52745)
> Add related comments and debug assertions to the "offsets"
> functions in rem0rec.c.
> Approved by Sunny Bains
> ------------------------------------------------------------
> revno: 3351.14.50
> revision-id: marko.makela@oracle.com-20100421185359-8qaxoa2yyrpzwdd7
> parent: marko.makela@oracle.com-20100421102723-0i80uezbyu0ekj5d
> committer: Marko Mäkelä <marko.makela@oracle.com>
> branch nick: 5.1-innodb
> timestamp: Wed 2010-04-21 21:53:59 +0300
> message:
> btr_page_split_and_insert(): Avoid an infinite loop. (Bug #52964)
>
> btr_page_tuple_smaller(): New function, refactored from
> btr_page_split_and_insert().
>
> btr_page_get_split_rec(): Renamed from btr_page_get_sure_split_rec().
> Note that a NULL return may mean that the tuple is to be inserted into
> either the lower or upper page, to be determined by btr_page_tuple_smaller().
>
> btr_page_split_and_insert(): When btr_page_get_split_rec() returns NULL,
> invoke btr_page_tuple_smaller() to determine which half-page the tuple
> belongs to.
>
> Reviewed by Sunny Bains
> ------------------------------------------------------------
> revno: 3362
> revision-id: davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs
> parent: ramil@mysql.com-20100429045409-r7r5lcyiruis15v7
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: 50755-5.1
> timestamp: Thu 2010-04-01 10:15:22 -0300
> message:
> Bug#50755: Crash if stored routine def contains version comments
>
> The problem was that a syntactically invalid trigger could cause
> the server to crash when trying to list triggers. The crash would
> happen due to a mishap in the backup/restore procedure that should
> protect parser items which are not associated with the trigger. The
> backup/restore is used to isolate the parse tree (and context) of
> a statement from the load (and parsing) of a trigger. In this case,
> an error during the parsing of a trigger could cause the improper
> backup/restore sequence.
>
> The solution is to properly restore the original statement context
> before the parser is exited due to syntax errors in the trigger body.
Incorrect handling of NULL arguments could lead to a crash on
the IN or CASE operations when either NULL arguments were
passed explicitly as arguments (IN) or implicitly generated by
the WITH ROLLUP modifier (both IN and CASE).
Item_func_case::find_item() assumed all necessary comparators
to be instantiated in fix_length_and_dec(). However, in the
presence of WITH ROLLUP modifier, arguments could be
substituted with an Item_null leading to an "unexpected"
STRING_RESULT comparator being invoked.
In addition to the problem identical to the above,
Item_func_in::val_int() could crash even with explicitly passed
NULL arguments due to an optimization in fix_length_and_dec()
leading to NULL arguments being ignored during comparators
creation.
when renaming tables
Allocate the table name using ut_malloc() instead of table->heap because
the latter cannot be freed.
Adjust dict_sys->size calculations all over the code.
Change dict_table_t::name from const char* to char* because we need to
ut_malloc()/ut_free() it.
Reviewed by: Inaam, Marko, Heikki (rb://384)
Approved by: Heikki (rb://384)
ha_innobase::index_read(), ha_innobase::records_in_range(): Check that
the index is usable before invoking row_sel_convert_mysql_key_to_innobase().
This fix is based on a suggestion by Yasufumi Kinoshita.
In the process of record search it is not taken into account
that the initial quick->file->ref value could be inapplicable
to the range interval. After the proper row is found this value is
stored into the record buffer and later the record is
filtered out at the condition evaluation stage.
The fix is to store a reference to the found row in the handler ref field.
dict_check_tablespaces_and_store_max_id(): Initialize max_space_id
and fil_system->max_assigned_id from DICT_HDR_MAX_SPACE_ID.
fil_space_create(): Suppress the warning unless !recv_recovery_on
(do not complain while applying the redo log).
Problem: a flaw (dereferencing a NULL pointer) in the LIKE optimization
code may lead to a server crash in some rare cases.
Fix: check the pointer before its dereferencing.
mysql_client_binlog_statement
Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.
Fix: never read from unassigned memory.
line exceeds the limit
The number and/or names of our files for the main test suite
(contents of "mysql-test/t/") now exceeds the command line
length limit on AIX.
Solve the problem by using separate "cp" commands for the
various file name extensions.