Commit graph

19828 commits

Author SHA1 Message Date
Jon Olav Hauglid
c1b2d72900 Bug #57130 crash in Item_field::print during SHOW CREATE TABLE or VIEW
This crash could happen if SHOW CREATE VIEW indirectly failed to open a
view due to failures to open underlying tables (or functions). Several
such errors were hidden and converted to ER_VIEW_INVALID warnings to
prevent exposing details of underlying tables for which the user have
no privileges.

However, with the changes introduced by the patch for Bug#52044,
failing to open a view will cause opened tables, views and functions
to be closed. Since the errors causing these failures were converted
to warnings, SHOW CREATE VIEW would try to continue. This made it
possible to try to access memory that had been freed, causing a crash.

This patch fixes the problem by not closing opened tables, views and
functions in these cases. This allows SHOW CREATE VIEW to continue
and also prevents it from accessing freed memory.

Test case added to lock_sync.test.
2010-11-03 16:47:32 +01:00
Sergey Glukhov
af8871e2ee 5.1-sucurity->5.5-security merge 2010-11-01 10:01:32 +03:00
Sergey Glukhov
930cf09ec7 test case fix 2010-11-01 09:47:57 +03:00
Jon Olav Hauglid
75d59ff967 Bug #57659 Segfault in Query_cache::invalidate_data for TRUNCATE TABLE
This crash could happen if TRUNCATE TABLE indirectly failed to open a
merge table due to failures to open underlying tables. Even if opening
failed, the TRUNCATE TABLE code would try to invalidate the table in
the query cache. Since this table had been closed and memory released,
this could lead to a crash.

This bug was introduced by a combination of the changes introduced by
the patch for Bug#52044, where failing to open a table will cause opened
tables to be closed. And the changes in patch for Bug#49938, where
TRUNCATE TABLE uses the standard open tables function.

This patch fixes the problem by setting the TABLE pointer to NULL before 
invalidating the query cache.

Test case added to truncate_coverage.test.
2010-10-29 16:10:53 +02:00
Georgi Kodinov
7de8306c19 merge 2010-10-29 15:25:18 +03:00
Georgi Kodinov
fd46de026d merge to 5.1-security 2010-10-29 14:02:49 +03:00
Sergey Glukhov
982b18f53e 5.1-security->5.5-security merge 2010-10-29 12:31:28 +04:00
Sergey Glukhov
4a23ac20d9 Bug#57688 Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, field
Lines below which were added in the patch for Bug#56814 cause this crash:

+      if (table->table)
+        table->table->maybe_null= FALSE;

Consider following test case:
--
CREATE TABLE t1(f1 INT NOT NULL);
INSERT INTO t1 VALUES (16777214),(0);

SELECT COUNT(*) FROM t1 LEFT JOIN t1 t2
ON 1 WHERE t2.f1 > 1 GROUP BY t2.f1;

DROP TABLE t1;
--

We set TABLE::maybe_null to FALSE for t2 table
and in create_tmp_field() we create appropriate tmp table field
using create_tmp_field_from_item() function instead of
create_tmp_field_from_field. As a result we have
LONGLONG field. As we have GROUP BY clause we calculate
group buffer length, see calc_group_buffer().
Item from group list which is used for calculation
refer to the field from real tables and have LONG type.
So group buffer length become insufficient for storing of
LONGLONG value. It leads to overwriting of wrong memory
area in do_field_int() function which is called from
end_update().
After some investigation I found out that
create_tmp_field_from_item() is used only for OLAP
grouping and can not be used for common grouping
as it could be an incompatibility between tmp
table fields and group buffer length.
We can not remove create_tmp_field_from_item() call from
create_tmp_field as OLAP needs it and we can not use this
function for common grouping. So we should remove setting
TABLE::maybe_null to FALSE from simplify_joins().
In this case we'll get wrong behaviour of
list_contains_unique_index() back. To fix it we
could use Field::real_maybe_null() check instead of
Field::maybe_null() and add addition check of
TABLE_LIST::outer_join.


mysql-test/r/group_by.result:
  test case
mysql-test/r/join_outer.result:
  test case
mysql-test/t/group_by.test:
  test case
mysql-test/t/join_outer.test:
  test case
sql/sql_select.cc:
  --remove wrong code
  --use Field::real_maybe_null() check instead of
    Field::maybe_null() and add addition check of
    TABLE_LIST::outer_join
2010-10-29 12:23:06 +04:00
Sergey Glukhov
7799c32329 5.1-security->5.5-security 2010-10-29 11:59:36 +04:00
Sergey Glukhov
c04bf683fe Bug#57194 group_concat cause crash and/or invalid memory reads with type errors
The problem is caused by bug49487 fix and became visible
after after bug56679 fix.
Items are cleaned up and set to unfixed state after filling derived table.
So we can not rely on item::fixed state in Item_func_group_concat::print
and we can not use 'args' array as items there may be cleaned up.
The fix is always to use orig_args array of items as it
always should contain the correct data.


mysql-test/r/func_gconcat.result:
  test case
mysql-test/t/func_gconcat.test:
  test case
sql/item_sum.cc:
  The fix is always to use orig_args array of items.
2010-10-29 11:44:32 +04:00
Sergey Glukhov
b41e2289ad 5.1-secutity->5.5-security merge(test case only) 2010-10-27 18:20:25 +04:00
Sergey Glukhov
c7371c9e75 Bug#57477 SIGFPE when dividing a huge number a negative number
The problem is dividing by const value when
the result is out of supported range.
The fix:
-return LONGLONG_MIN if the result is out of supported range for DIV operator.
-return 0 if divisor is -1 for MOD operator.


mysql-test/r/func_math.result:
  test case
mysql-test/t/func_math.test:
  test case
sql/item_func.cc:
  -return LONGLONG_MIN if the result is out of supported range for DIV operator.
  -return 0 if divisor is -1 for MOD operator.
2010-10-27 18:12:10 +04:00
Vasil Dimov
4bf273c8f1 Merge mysql-5.1-bugteam -> mysql-5.1-innodb 2010-10-27 16:39:22 +03:00
Anitha Gopi
fcfda43ca3 Fixed bug numbers in disabled.def files 2010-10-27 09:54:04 +05:30
Georgi Kodinov
bda4655eb9 merge 2010-10-27 09:34:03 +02:00
Georgi Kodinov
50d18aa2d5 merge 2010-10-27 09:32:26 +02:00
Anitha Gopi
3cc4cdf160 Up merge revision 3547 from 5.1. Enable sp_sync test since Bug 48157 is fixed 2010-10-27 11:04:48 +05:30
Alexander Nozdrin
e86b6c0db4 Patch for Bug#55850 (Trigger warnings not cleared).
The problem was that the warnings risen by a trigger were not cleared upon
successful completion. The warnings should be cleared if the trigger completes
successfully.

The fix is to skip merging warnings into caller's Warning Info for triggers.
2010-10-26 15:48:08 +04:00
Bjorn Munch
32c86a488d merge from 5.5-mtr 2010-10-26 08:30:02 +02:00
Bjorn Munch
676e012e47 merge from 5.1-mtr 2010-10-25 15:48:41 +02:00
Horst.Hunger
06a263e2b3 Due to failing on Freebsd. 2010-10-25 12:24:26 +02:00
Jon Olav Hauglid
1ecc17737f Merge from mysql-5.5-runtime to mysql-5.5-bugteam
No conflicts
2010-10-22 14:13:03 +02:00
Horst.Hunger
d63cbdde8e Due to issues with merge. 2010-10-22 10:20:17 +02:00
Jon Olav Hauglid
a776e5f3d2 Merge from mysql-5.5-bugteam to mysql-5.5-runtime
No conflicts
2010-10-21 16:28:29 +02:00
Bjorn Munch
33e78dc233 merge from 5.5 2010-10-21 11:20:53 +02:00
Horst.Hunger
d6af9bef7a due to merge 2010-10-20 16:56:09 +02:00
Konstantin Osipov
08c5798839 Merge 5.5-bugteam -> 5.5-runtime. 2010-10-19 19:20:25 +04:00
Bjorn Munch
7cd0a0d7d0 upmerge 56654 2010-10-19 14:13:05 +02:00
Bjorn Munch
84c57a5e27 Bug #52828 Tests that use perl fail when perl is not in path
main.mysqltest skipped on Windows because a perl intentionally does exit(1)
Use exit(2), as exit(1) on Windows is indistinguishable from failing to
execute perl.
2010-10-19 13:56:30 +02:00
Bjorn Munch
8a67fc8c82 Test wait_timeout: do not fail by SQL syntax error, use die 2010-10-19 13:54:28 +02:00
Magne Mahre
95d91c0f57 Bug #46941 crash with lower_case_table_names=2 and foreign key
data dictionary confusion

On file systems with case insensitive file names, and
lower_case_table_names set to '2', the server could crash
due to a table definition cache inconsistency.  This is 
the default setting on MacOSX, but may also be set and
used on MS Windows.

The bug is caused by using two different strategies for
creating the hash key for the table definition cache, resulting
in failure to look up an entry which is present in the cache,
or failure to delete an existing entry.  One strategy was to
use the real table name (with case preserved), and the other
to use a normalized table name (i.e a lower case version).

This is manifested in two cases.  One is  during 'DROP DATABASE', 
where all known files are removed.  The removal from
the table definition cache is done via a generated list of
TABLE_LIST with keys (wrongly) created using the case preserved 
name.  The other is during CREATE TABLE, where the cache lookup
is also (wrongly) based on the case preserved name.
   
The fix was to use only the normalized table name when
creating hash keys.


sql/sql_db.cc:
  Normalize table name (i.e lower case it)
sql/sql_table.cc:
  table_name contains the normalized name
  alias contains the real table name
2010-10-19 12:27:09 +02:00
Jon Olav Hauglid
8f73bddc9a Merge from mysql-5.5-bugteam to mysql-5.5-runtime
No conflicts
2010-10-19 11:26:45 +02:00
Tor Didriksen
a6df37dbbf Bug #57203 Assertion `field_length <= 255' failed.
After the fix for
Bug #55077 Assertion failed: width > 0 && to != ((void *)0), file .\dtoa.c
we no longer try to allocate a string of length 'field_length'
so the asserts are relevant only for ZEROFILL columns.



mysql-test/r/select.result:
  Add test case for Bug#57203
mysql-test/t/select.test:
  Add test case for Bug#57203
sql/field.cc:
  Rewrite the DBUG_ASSERTS on field_length.
2010-10-19 08:45:18 +02:00
Magne Mahre
b61b785285 Merge from mysql-5.1-bugteam to mysql-5.5-bugteam
Only test case is merged, as the fix was already
present in 5.5 code
2010-10-19 12:29:21 +02:00
Dmitry Shulga
1e2f4f68bd Auto-merge from mysql-5.1-bugteam for bug#36742. 2010-10-18 22:38:12 +07:00
Dmitry Shulga
cdddc7bfd5 Follow up for bug#36742. Changed test case for bug#19828
because currently hostname stored in db in lowercase.
2010-10-18 21:03:53 +07:00
Sergey Glukhov
babfc2e101 5.1-security->5.5-security merge 2010-10-18 16:22:02 +04:00
Sergey Glukhov
d0ac4e2c5a Bug#56814 Explain + subselect + fulltext crashes server
create_sort_index() function overwrites original JOIN_TAB::type field.
At re-execution of subquery overwritten JOIN_TAB::type(JT_ALL) is
used instead of JT_FT. It misleads test_if_skip_sort_order() and
the function tries to find suitable key for the order that should
not be allowed for FULLTEXT(JT_FT) table.
The fix is to restore JOIN_TAB strucures for subselect on re-execution
for EXPLAIN.
Additional fix:
Update TABLE::maybe_null field which
affects list_contains_unique_index() behaviour as it
could have the value(maybe_null==TRUE) based on the
assumption that this join is outer
(see setup_table_map() func).


mysql-test/r/explain.result:
  test case
mysql-test/t/explain.test:
  test case
sql/item_subselect.cc:
  Make subquery uncacheable in case of EXPLAIN. It allows to keep
  original JOIN_TAB::type(see JOIN::save_join_tab) and restore it
  on re-execution.
sql/sql_select.cc:
  -restore JOIN_TAB strucures for subselect on re-execution for EXPLAIN
  -Update TABLE::maybe_null field as it could have
   the value(maybe_null==TRUE) based on the assumption
   that this join is outer(see setup_table_map() func).
   This change is not related to the crash problem but
   affects EXPLAIN results in the test case.
2010-10-18 16:12:27 +04:00
Sergey Glukhov
318b590b0a 5.1-security->5.5-security merge 2010-10-18 15:06:15 +04:00
Sergey Glukhov
127c721cef Bug#54484 explain + prepared statement: crash and Got error -1 from storage engine
Subquery executes twice, at top level JOIN::optimize and ::execute stages.
At first execution create_sort_index() function is called and
FT_SELECT object is created and destroyed. HANDLER::ft_handler is cleaned up
in the object destructor and at second execution FT_SELECT::get_next() method
returns error.
The fix is to reinit HANDLER::ft_handler field before re-execution of subquery.


mysql-test/r/fulltext.result:
  test case
mysql-test/t/fulltext.test:
  test case
sql/item_func.cc:
  reinit ft_handler before re-execution of subquery
sql/item_func.h:
  Fixed method name
sql/sql_select.cc:
  reinit ft_handler before re-execution of subquery
2010-10-18 14:47:26 +04:00
Alexey Botchkov
2cf62cf2ef merging. 2010-10-15 20:44:55 +05:00
Alexey Botchkov
8760cec601 merging. 2010-10-15 20:13:35 +05:00
Vasil Dimov
3e56680632 Merge mysql-5.1-bugteam -> mysql-5.1-innodb 2010-10-15 17:38:39 +03:00
Mattias Jonsson
b86026dab5 Manual merge 2010-10-15 10:06:22 +02:00
Mattias Jonsson
2234783085 merge 2010-10-15 09:27:28 +02:00
Konstantin Osipov
248625d910 A fix and a test case for Bug#56540 "Exception (crash) in
sql_show.cc during rqg_info_schema test on Windows".

Ensure we do not access freed memory when filling
information_schema.views when one of the views
could not be properly opened.



mysql-test/r/information_schema.result:
  Update results - a fix for Bug#56540.
mysql-test/t/information_schema.test:
  Add a test case for Bug#56540
sql/sql_base.cc:
  Push an error into the Diagnostics area
  when we return an error.
  This directs get_all_tables() to the execution
  branch which doesn't involve 'process_table()'
  when no table/view was opened.
sql/sql_show.cc:
  Do not try to access underlying table fields
  when opening of a view failed. The underlying
  table is closed in that case, and accessing
  its fields may lead to dereferencing a damaged 
  pointer.
2010-10-14 20:56:56 +04:00
Jon Olav Hauglid
b5be2fbc8d Bug #55930 Assertion `thd->transaction.stmt.is_empty() ||
thd->in_sub_stmt || (thd->state..

OPTIMIZE TABLE is not directly supported by InnoDB. Instead,
recreate and analyze of the table is done. After recreate,
the table is closed and locks are released before the table
is reopened and locks re-acquired for the analyze phase.

This assertion was triggered if OPTIMIZE TABLE failed to
acquire thr_lock locks before starting the analyze phase.
The assertion tests (among other things) that there no
active statement transaction. However, as part of acquiring
the thr_lock lock, external_lock() is called for InnoDB
tables and this causes a statement transaction to be started.
If thr_multi_lock() later fails (e.g. due to timeout),
the failure handling code causes this assert to be triggered.

This patch fixes the problem by doing rollback of the
current statement transaction in case open_ltable (used by
OPTIMIZE TABLE) fails to acquire thr_lock locks.

Test case added to lock_sync.test.
2010-10-13 16:15:28 +02:00
Dmitry Shulga
333434d23b Auto-merge from mysql-5.1-bugteam for bug#36742. 2010-10-13 13:27:03 +07:00
Dmitry Shulga
8169faec27 Fixed bug#36742 - GRANT hostname case handling inconsistent.
mysql-test/r/grant.result:
  It was added result for test case for bug#36742.
mysql-test/t/grant.test:
  It was added test case for bug#36742.
sql/sql_yacc.yy:
  It was added convertation of host name part of user name to lowercase.
2010-10-13 12:28:58 +07:00
Ramil Kalimullin
dcf2373710 Merge. 2010-10-13 08:51:37 +04:00