1. 14 Oct, 2015 1 commit
    • Bug #21602056 : CONCURRENT FLUSH PRIVILEGES + REVOKE/GRANT CRASHES IN WILD_CASE_COMPARE! · 3846b085
      Arun Kuruvila authored
      
      Description:- Executing FLUSH PRIVILEGES and REVOKE/
      GRANT concurrently crashes the server.
      
      Analysis:- Concurrent FLUSH PRIVILEGES and REVOKE/GRANT
      might trigger a small time frame in which REVOKE/GRANT
      fetches the "acl_proxy_user" information as a part of
      "acl_check_proxy_grant_access()". Meanwhile FLUSH PRIVILEGES
      deletes the old acl structures as a part of "acl_reload()".
      After which REVOKE/GRANT tries to access the hostname in
      "wild_case_compare()" which leads to a crash because of the
      invalid memory access.
      
      Fix:- Mutex lock on "acl_cache" is acquired before fetching
      "acl_proxy_user" information in
      "acl_check_proxy_grant_access()".
  2. 12 Oct, 2015 1 commit
    • Bug #20007383: HANDLE_FATAL_SIGNAL (SIG=11) IN UPDATE_REF_AND_KEYS. · f92dd6ae
      Mithun C Y authored
      Issue:
      ======
      The fulltext predicate is inside a subquery and involves
      an outer reference; it thus cannot be used for FT index look-up,
      but MySQL does not see it, which causes an illegal access.
      
      Solution:
      =========
      Solution is backported from bug#21140088. Outer reference can
      not be used as argument of the MATCH function. Added check for
      outer reference.
  3. 08 Oct, 2015 1 commit
  4. 06 Oct, 2015 1 commit
    • Bug #19894161: FATAL SIGNAL 11 IN CONVERT_CHARSET_PARTITION_CONSTANT: SQL/SQL_PARTITION..CC:202 · 130b5fbf
      Sreeharsha Ramanavarapu authored
      
      Issue:
      -----
      This problem happens under the following conditions:
      1) A table partitioned with a character column as the key.
      2) The expressions specified in the partition definition
         require a charset conversion. This can happen when the
         server's default collation is different from the
         expression's collation.
      3) INSERT DELAYED is used to insert data into the table.
      
      SOLUTION:
      ---------
      While creating the delayed_insert object, initialize it
      with the relevant select_lex.
  5. 01 Oct, 2015 1 commit
    • Bug #19434916: FATAL_SIGNAL IN ADD_KEY_EQUAL_FIELDS() WITH UPDATE VIEW USING OUTER SUBQUERY · 415faa12
      Sreeharsha Ramanavarapu authored
      
      Issue:
      -----
      While resolving a column which refers to a table/view in an
      outer query, its respective item object is marked with the
      outer query's select_lex object. But when the column refers
      to a view or if the column is part of a subquery in the
      HAVING clause, an Item_ref object is created. While the
      reference to the outer query is stored by the Item_ref
      object, the same is not stored in its real_item.
      
      This creates a problem with the IN-TO-EXISTS optimization.
      When there is an index over the column in the inner query,
      it will be considered since the column's real_item object
      will be mistaken for a local field. This will lead to a
      crash.
      
      SOLUTION:
      ---------
      Under the current design, the only way to fix this issue is
      to check the reginfo.join_tab for a NULL value. If yes, the
      query should not be worrying about the key use.
      
      The testcase and comments added as part of the fix for
      Bug#17766653 have been backported.
  6. 30 Sep, 2015 2 commits
  7. 22 Sep, 2015 3 commits
    • Bug#20755615 CREATING INDEX ON A RENAMED COLUMN WITH CASE CRASH .FRM FILE · ea9dbef6
      Aditya A authored
      
      PROBLEM
      
      In 5.5 when doing a rename of a column, we ignore the case between
      old and new column names while comparing them, so if the change is just
      the case then we don't even mark the field FIELD_IS_RENAMED, we just update
      the frm file, but don't recreate the table as is the norm when alter is
      used. This leads to inconsistency in the innodb data dictionary which causes
      index creation to fail.
      
      FIX
      
      According to the documentation any innodb column rename should trigger
      rebuild of the table. Therefore for innodb tables we will do a strcmp()
      between the column names and if there is case change in column name
      we will trigger a rebuild.
    • Bug #21370329 : FLUSH DES_KEY_FILE MAY NOT WORK · 86375f7f
      Arun Kuruvila authored
      Description: The command FLUSH DES_KEY_FILE is expected to
      reload the DES keys from the file that was specified with
      the "--des-key-file" option at server startup. But it is not
      behaving as expected.
      
      Analysis: The des file reload is defined within a wrong
      conditional directive, rendering the command ineffective.
      Macro "OPENSSL" was used instead of "HAVE_OPENSSL" macro.
      
      Fix: "OPENSSL" macro is changed to "HAVE_OPENSSL".
    • Bug #19929435 DROP DATABASE HANGS WITH MALFORMED TABLE · 8ea80ecf
      Annamalai Gurusami authored
      Note: Backporting the patch from mysql-5.6.
      
      Problem:
      
      A CREATE TABLE with an invalid table name is detected
      at SQL layer. So the table name is reset to an empty
      string.  But the storage engine is called with this
      empty table name.  The table name is specified as
      "database/table".  So, in the given scenario we get
      only "database/".
      
      Solution:
      
      Within InnoDB, detect this error and report it to
      higher layer.
      
      rb#9274 approved by jimmy.
  8. 18 Sep, 2015 5 commits
  9. 16 Sep, 2015 1 commit
    • Bug #21467458 - UNINSTALL PLUGIN DAEMON_EXAMPLE CRASHES MYSQLD. · 17387bc5
      Shishir Jaiswal authored
      
      DESCRIPTION
      ===========
      Crash occurs when daemon_example plugin is uninstalled
      immediately after it is installed. This can be reproduced
      by installing and uninstalling the plugin repeatedly.
      
      ANALYSIS
      ========
      The daemon_example_plugin_deinit() function of the daemon
      example plugin calls pthread_cancel() but doesn't wait for
      the worker thread to actually complete before deallocating
      the data buffer and closing the file that it writes to.
      This is causing SEGFAULT!
      
      FIX
      ===
      Added a pthread_join() to wait for the thread to complete
      before doing the cleanup work.
      
      Removed a stray 'x' variable from the example code.
      
      NOTE
      ====
      Have made an entry in .opt file as given below:
      --plugin-dir=$DAEMONEXAMPLE_DIR
      
      This is done so that the program takes plugin directory as
      ../<dbg>/plugin/daemon_example/ instead of
      ../lib/plugin/
  10. 11 Sep, 2015 1 commit
  11. 04 Sep, 2015 1 commit
    • Bug #21503595 : --QUERY-ALLOC-BLOCK-SIZE=-1125899906842624 + PID_FILE CHECK LEADS TO OOM SIG 11 · ddcad361
      Arun Kuruvila authored
      
      Description:- A server started with 'query_alloc_block_size'
      option set to a certain range of negative values on a
      machine without enough memory may lead to OOM.
      
      Analysis:- Server uses 'strtoull()' to convert server
      variable values of type 'GET_UINT', 'GET_ULONG' or 'GET_ULL'
      from string to unsigned long long. According to the man
      page, 'strtoull()' function returns either the result of the
      conversion or, if there was a leading minus sign, the
      negation of the result of the conversion represented as an
      unsigned value, unless the original (non-negated) value would
      overflow; in the latter case, strtoull() returns ULLONG_MAX
      and sets errno to ERANGE. So 'strtoull()' converts a small
      negative value to a larger positive value. For example string
      '-1125899906842624' will be converted to an unsigned value,
      '18445618173802708992' (ulonglong typecast of
      '-1125899906842624'). So a server started with
      'query_alloc_block_size' set to "-1125899906842624" on a
      machine without enough memory will lead to OOM since server
      allocates '18445618173802708992' bytes (17178820608 GB) for
      query allocation block.
      
      Fix:- When server is started with any server variable, of
      type "GET_UINT", "GET_ULONG" or "GET_ULL", set to a negative
      value, a warning, "option xxx: value -yyy adjusted to zzz"
      is thrown and the value is adjusted to the lowest possible
      value for that variable. A dynamic server variable which
      is configured through the client exhibits the same behavior
      as the fix made for variables configured during server
      start up.
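The strtoull() wraparound described above, and the "check the sign before converting, then adjust to the minimum" behaviour of the fix, as an added example in plain C. This is not MySQL's option-parsing code: `parse_unsigned_option`, `raw_strtoull`, `bytes_to_gb` and the per-variable `min_value` are hypothetical names chosen for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Raw strtoull() result for a string, to show the behaviour the bug
   report describes: a leading minus sign is accepted and the value is
   negated in the unsigned return type, so "-1125899906842624" becomes
   2^64 - 2^50 = 18445618173802708992. */
unsigned long long raw_strtoull(const char *text)
{
    return strtoull(text, NULL, 10);
}

/* Parse an unsigned option value the way the fix describes: a negative
   value is not negated but adjusted to the variable's lowest legal value,
   and *adjusted is set so the caller can emit the
   "option xxx: value -yyy adjusted to zzz" warning.
   min_value is a hypothetical per-variable minimum; overflow (ERANGE) and
   unparsable input are also reported through *adjusted. */
unsigned long long parse_unsigned_option(const char *text,
                                         unsigned long long min_value,
                                         bool *adjusted)
{
    const char *p = text;
    char *end;
    unsigned long long value;

    *adjusted = false;
    while (isspace((unsigned char)*p))
        p++;

    /* Check the sign ourselves instead of letting strtoull() wrap it. */
    if (*p == '-') {
        *adjusted = true;
        return min_value;
    }

    errno = 0;
    value = strtoull(p, &end, 10);
    if (end == p) {             /* no digits at all */
        *adjusted = true;
        return min_value;
    }
    if (errno == ERANGE) {      /* too large: strtoull() returned ULLONG_MAX */
        *adjusted = true;
        return ULLONG_MAX;
    }
    if (value < min_value) {    /* below the variable's minimum */
        *adjusted = true;
        return min_value;
    }
    return value;
}

/* Whole GB (2^30 bytes) of an allocation request, to put the wrapped
   value in perspective: 18445618173802708992 bytes is 17178820608 GB,
   the figure the report gives. */
unsigned long long bytes_to_gb(unsigned long long bytes)
{
    return bytes >> 30;
}
```

The sign check is the whole point: strtoull() itself never reports a negative input as an error, so a parser that relies only on errno will happily accept the wrapped value and pass it on to the allocator.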
  12. 01 Sep, 2015 2 commits
  13. 31 Aug, 2015 1 commit
  14. 26 Aug, 2015 1 commit
  15. 25 Aug, 2015 1 commit
  16. 21 Aug, 2015 1 commit
    • Bug#20198490 : LOWER_CASE_TABLE_NAMES=0 ON WINDOWS LEADS TO PROBLEMS · f4ff086a
      Arun Kuruvila authored
      
      Description:- Server variable "--lower_case_tables_names"
      when set to "0" on the Windows platform, which does not support
      case sensitive file operations, leads to problems. A warning
      message is printed in the error log while starting the
      server with "--lower_case_tables_names=0". Also according to
      the documentation, setting "lower_case_tables_names" to "0"
      on a case-insensitive filesystem might lead to index
      corruption.
      
      Analysis:- The problem reported in the bug is:-
      Creating an INNODB table 'a' and executing a query, "INSERT
      INTO a SELECT a FROM A;" on a server started with
      "--lower_case_tables_names=0" and running on a
      case-insensitive filesystem leads innodb to flat spin.
      Optimizer thinks that "a" and "A" are two different tables
      as the variable "lower_case_table_names" is set to "0". As a
      result, optimizer comes up with a plan which does not need a
      temporary table. If the same table is used in select and
      insert, a temporary table is needed. This incorrect
      optimizer plan leads to infinite insertions.
      
      Fix:- If the server is started with
      "--lower_case_tables_names" set to 0 on a case-insensitive
      filesystem, an error, "The server option
      'lower_case_table_names'is configured to use case sensitive
      table names but the data directory is on a case-insensitive
      file system which is an unsupported combination. Please
      consider either using a case sensitive file system for your
      data directory or switching to a case-insensitive table name
      mode.", is printed in the server error log and the server
      exits.
  17. 19 Aug, 2015 1 commit
  18. 18 Aug, 2015 2 commits
    • Bug #16171518 - LOAD XML DOES NOT HANDLE EMPTY ELEMENTS · ee02650b
      Shishir Jaiswal authored
      DESCRIPTION
      ===========
      Inability of mysql LOAD XML command to handle empty XML
      tags i.e. <row><tag/></row>. Also the behaviour is wrong
      and (different than above) when there is a space in empty
      tag i.e. <row><tag /></row>
      
      ANALYSIS
      ========
      In read_xml() the case where we encounter a close tag ('/')
      we're decreasing the 'level' blindly which is wrong.
      Actually when it's a without-space empty tag (succeeding
      char is '>'), we need to skip the decrement. In other words
      whenever we hit a close tag ('/'), decrease the 'level'
      only when (i) it's not a (without space) empty tag i.e.
      <tag/> or, (ii) it is of format <row col="val" .../>
      
      FIX
      ===
      The switch case for '/' is modified. We've removed the
      blind decrement of 'level'. We do it only when it's not a
      without-space empty tag. Also we are setting 'in_tag' to
      false to let the program know that we're done reading the current
      tag (required in the case of format <row col="val" .../>)
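The nesting-depth rule the fix describes, as an added example in plain C rather than MySQL's read_xml() (which this page does not show): a self-closing tag in any of the forms `<tag/>`, `<tag />` or `<row col="val" .../>` must leave the depth unchanged, and only a real `</tag>` may decrement it. `xml_depth_scan` and `xml_balanced` are hypothetical names for this illustration; quoted attribute values are skipped so a '/' or '>' inside them is not taken for tag syntax.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Scan an XML fragment and track element nesting depth.
   Returns the depth at end of input (0 when balanced) or -1 on
   malformed input (close tag at depth 0, unterminated tag, "<>").
   *elements, when non-NULL, receives the number of start and
   self-closing tags seen. */
int xml_depth_scan(const char *xml, int *elements)
{
    int level = 0, seen = 0;
    const char *p = xml;

    while ((p = strchr(p, '<')) != NULL) {
        p++;
        if (*p == '?' || *p == '!') {          /* <?xml ...?>, comments */
            const char *gt = strchr(p, '>');
            if (!gt) return -1;
            p = gt + 1;
            continue;
        }
        if (*p == '/') {                       /* real close tag </tag> */
            const char *gt = strchr(p, '>');
            if (!gt || level == 0) return -1;
            level--;
            p = gt + 1;
            continue;
        }
        /* start or self-closing tag: find the closing '>' outside quotes */
        const char *q = p;
        char quote = 0;
        while (*q && (quote || *q != '>')) {
            if (quote) {
                if (*q == quote) quote = 0;
            } else if (*q == '"' || *q == '\'') {
                quote = *q;
            }
            q++;
        }
        if (*q != '>' || q == p) return -1;   /* unterminated tag or "<>" */
        seen++;
        /* Self-closing only when the last character before '>' is '/';
           this covers <tag/>, <tag /> and <row col="val" .../> alike and
           is the decrement the original code was doing blindly. */
        if (*(q - 1) != '/')
            level++;
        p = q + 1;
    }
    if (elements) *elements = seen;
    return level;
}

/* True when every opened element is closed and nothing is over-closed. */
bool xml_balanced(const char *xml)
{
    return xml_depth_scan(xml, NULL) == 0;
}
```

The two inputs from the bug report, `<row><tag/></row>` and `<row><tag /></row>`, both scan to depth 0 with two elements seen; a fragment that over-closes (`<row></row></row>`) is rejected rather than driven to a negative depth.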
    • BUG#11754258: INCORRECT ERROR MESSAGE WHEN CREATING UNSAFE VIEW · 93ac0eb1
      Karthik Kamath authored
      
      It appears that the code refactoring done as part of the
      patch for the MySQL BUG#11749859 fixed this issue. This
      issue is not reproducible on MySQL 5.5+ versions now.
      As part of this patch, the test file "mysqldump.test" has
      been updated to remove the comment which was referring to
      the bug and also the line which suppresses the warning.
  19. 17 Aug, 2015 2 commits
    • Merge branch 'mysql-5.1' into mysql-5.5 · 8fe07088
      Mithun C Y authored
    • Bug #21350175: SUBQUERIES IN PROCEDURE CLAUSE OF SELECT STATEMENT CAUSES SERVER FAILURES. · 557a57f3
      Mithun C Y authored
      Analysis :
      ==========
      During JOIN::prepare of a sub-query which creates the
      derived tables we call setup_procedure. Here we call
      fix_fields for parameters of the procedure clause. Calling
      setup_procedure at this point may cause an issue. If a
      sub-query is one of the parameters being fixed it might
      lead to complicated dependencies on derived tables
      being prepared.
      
      SOLUTION :
      ==========
      In 5.6 with WL#6242, we have made it so that procedure clause
      parameters can only be NUM, so sub-queries are not
      allowed as parameters. So in 5.5 we can block
      sub-queries in procedure clause parameters.
      This eliminates the above conflicting dependencies.
  20. 12 Aug, 2015 1 commit
    • Bug #21025880 DUPLICATE UK VALUES IN READ-COMMITTED (AGAIN) · 608efca4
      Aditya A authored
      PROBLEM
      
      Whenever we insert in unique secondary index we take shared
      locks on all possible duplicate records present in the table.
      But during a replace on the unique secondary index,
      we take exclusive locks on all the duplicate records.
      When the records are deleted, they are first delete marked
      and later purged by the purge thread. While purging the
      record we call the lock_update_delete() which in turn calls
      lock_rec_inherit_to_gap() to inherit locks of the deleted
      records. In repeatable read mode we inherit all the locks
      from the record to the next record but in the read committed
      mode we skip inheriting them as gap type locks. We make an
      exception here if the lock on the records is in shared mode;
      we assume that it is set during insert for unique secondary
      index and needs to be inherited to stop constraint violation.
      We didn't handle the case when exclusive locks are set during
      replace, we skip inheriting locks of these records and hence
      causing constraint violation.
      
      FIX
      
      While inheriting the locks,check whether the transaction is
      allowed to do TRX_DUP_REPLACE/TRX_DUP_IGNORE, if true
      inherit the locks.
      
      [ Reviewed by Jimmy #rb9709]
  21. 10 Aug, 2015 1 commit
  22. 07 Aug, 2015 2 commits
    • Merge branch 'mysql-5.1' into mysql-5.5 · 552b1c8a
      Ajo Robert authored
    • Bug #20760261 mysqld crashed in materialized_cursor::send_result_set_metadata · f3dce250
      Ajo Robert authored
      
      Analysis
      --------
      Cursor inside trigger accessing NEW/OLD row leads to server exit.
      
      The reason for the bug was that implementation of function
      create_tmp_table() was not considering Item::TRIGGER_FIELD_ITEM
      as possible alternative for type of class being instantiated.
      This was resulting in a mismatch between a number of columns
      in result list and temp table definition. This mismatch leads
      to the failure of assertion
      DBUG_ASSERT(send_result_set_metadata.elements == item_list.elements)
      in the method Materialized_cursor::send_result_set_metadata
      in debug mode.
      
      Fix:
      ---
      Added code to consider Item::TRIGGER_FIELD_ITEM as valid
      type while creating fields.
  23. 05 Aug, 2015 2 commits
  24. 04 Aug, 2015 2 commits
  25. 03 Aug, 2015 3 commits