1. 18 Mar, 2013 1 commit
    • Fix Bug#16400412 UNNECESSARY DICT_UPDATE_STATISTICS DURING CONCURRENT · 90b3eefb
      Vasil Dimov authored
      UPDATES
      
      After checking that the table has changed too much in
      row_update_statistics_if_needed() and calling dict_update_statistics(),
      also check if the same condition holds after acquiring the table stats
      latch. This is to avoid multiple threads concurrently entering and
      executing the stats update code.
      
      Approved by:	Marko (rb:2186)
  2. 19 Mar, 2013 3 commits
  3. 18 Mar, 2013 5 commits
    • merge from mysql-5.1 to mysql-5.5 · c4837b36
      Sujatha Sivakumar authored
    • Bug#14771299 OUT-OF-BOUND READS WRITE IN MYSQLBINLOG · ddc0cff3
      Sujatha Sivakumar authored
      Problem:
      =======
      Found using AddressSanitizer testing.
      
      The mysqlbinlog utility may result in out-of-bound heap
      buffer reads and thus, undefined behaviour, when processing
      RBR events in the old (pre-5.1 GA) format.
      
      The following code in process_event() would only be correct
      if Rows_log_event was the base class for
      Write,Update,Delete_rows_log_event_old classes:
      
          case PRE_GA_WRITE_ROWS_EVENT:
          case PRE_GA_DELETE_ROWS_EVENT:
          case PRE_GA_UPDATE_ROWS_EVENT:
      ...
              Rows_log_event *e= (Rows_log_event*) ev;
              Table_map_log_event *ignored_map=
                print_event_info->m_table_map_ignored.get_table(e->get_table_id());
      ...
              if (e->get_flags(Rows_log_event::STMT_END_F))
              {
      ...
              }
      
      However, Rows_log_event is only the base class for the
      Write,Update_Delete_rows_event family of classes, but not
      for their *_old counterparts. So the above typecasts are
      incorrect for the old-format RBR events and may result (and
      do result according to AddressSanitizer reports) in reading
      memory outside of the previously allocated on heap buffer.
      
      Fix:
      ===
      The above mentioned invalid type cast has been replaced with
      appropriate old counterpart.
      
      Note: The above mentioned issue is present only in mysql-5.1 and
      5.5. This is fixed in mysql-5.6 and above as part of 
      Bug#55790. Hence few of the relevant changes of Bug#55790 are
      being back ported to fix the current issue.
    • Bug #16076289 : BACKPORT FIX FOR BUG #14786792 TO 5.5 · 913d6e23
      Neeraj Bisht authored
      	
      Backport the changes for bug#14786792 which is a regression
      of the fix for bug#11761854. So backported both changes.
    • Nirbhay Choubey's avatar
      fb401ad3
    • Bug#14685362 : MEMORY LEAKS IN MYSQL CLIENT IN · 78eb5818
      Nirbhay Choubey authored
        INTERACTIVE MODE
      
      In interactive mode, libedit/readline allocates memory
      for every new line entered & later the allocated memory
      never gets freed.
      
      Fixed by freeing the allocated memory blocks appropriately.
  4. 15 Mar, 2013 2 commits
  5. 14 Mar, 2013 3 commits
    • Bug#16359402 CRASH WITH AGGREGATES: ASSERTION FAILED: N < M_SIZE · f4d2b576
      Tor Didriksen authored
      We need to take 'n_sum_items' into the calculation
      when allocating the ref_ptr_array.
    • 5.1 -> 5.5 merge · 17ee332d
      Sergey Glukhov authored
    • Bug#16075310 SERVER CRASH OR VALGRIND ERRORS IN ITEM_FUNC_GROUP_CONCAT::SETUP AND ::ADD · ca5caac1
      Sergey Glukhov authored
      Item_func_group_concat::copy_or_same() creates a copy of original object.
      It also creates a copy of ORDER structure because ORDER struct elements may
      be modified in find_order_in_list() called from Item_func_group_concat::setup().
      As ORDER copy is created using memcpy, ORDER::next elements point to original
      ORDER structs. Thus find_order_in_list() called from EXECUTE stmt modifies
      ordinal ORDER item pointers so they point to runtime items, these items are
      freed after execution, so original ORDER structure becomes invalid.
      The fix is to properly update ORDER::next fields so that they point to
      new ORDER elements.
  6. 13 Mar, 2013 5 commits
  7. 12 Mar, 2013 6 commits
    • BUG#14593883-REPLICATION BREAKS WHEN SET DATA TYPE · e68bc5e8
      Venkatesh Duggirala authored
      COLUMNS ARE USED INSIDE A STORED PROCEDURE

      Problem: When 'SET' type columns are used in a DML
      inside a stored procedure and a NULL value is passed
      to that column, replication is breaking.

      Analysis: All stored procedure variables used inside
      a DML will be substituted with NAME_CONST functions.
      While NAME_CONST are used in this particular scenario,
      i.e., when NULL value is passed then charset is copied
      from 'empty_set_string' member of Field_set class.
      The operator '=' overload method inside 'String' class
      is not copying str_charset from R.H.S object to L.H.S object.
      Hence charset is wrongly copied in the string assignment.

      Fix: Handle copying str_charset member in operator '=' overload
      method.
    • BUG#14593883-REPLICATION BREAKS WHEN SET DATA TYPE · 5b523ee7
      Venkatesh Duggirala authored
      COLUMNS ARE USED INSIDE A STORED PROCEDURE

      Problem: The operator '=' overload method inside
      'String' class is not copying str_charset member from
      R.H.S object to L.H.S object. Hence charset is wrongly
      set while using string assignments.

      Analysis: The above mentioned problem is
      identified while doing the analysis of bug#14593883.
      Though the test scenario mentioned in the bug page
      is not an issue in mysql-5.1 code, the actual root cause
      i.e., "str_charset member is not copied" exists in the
      mysql-5.1 code base.

      Fix: Handle copying str_charset member in operator '=' overload
      method.
    • Bug#16409715 ASSERT SYNC_THREAD_LEVELS_G(ARRAY, LEVEL - 1, TRUE), · 37134f61
      Marko Mäkelä authored
      IBUF, FREE SPACE MANAGEMENT
      
      ibuf_merge_or_delete_for_page(): Declare the user index page latched
      for UNIV_SYNC_DEBUG after opening the change buffer cursor. This
      should avoid the bogus latching order violation.
      
      ibuf_delete_rec(): Add assertions to the callers, checking that the
      mini-transaction was committed when the function returned TRUE. This
      is a non-functional change, just clarifying the code.
      
      rb#2136 approved by Kevin Lewis
    • Merge mysql-5.1 to mysql-5.5. · 7f9ddb84
      Marko Mäkelä authored
    • Bug#16463505 PESSIMISTIC PAGE_ZIP_AVAILABLE() MAY CAUSE INFINITE PAGE SPLIT · 1a2cb3de
      Marko Mäkelä authored
      For a fresh insert, page_zip_available() was counting some fields twice.
      In the worst case, the compressed page size grows by PAGE_ZIP_DIR_SLOT_SIZE
      plus the size of the record that is being inserted. The size of the record
      already includes the fields that will be stored in the uncompressed portion
      of the compressed page.
      
      page_zip_get_trailer_len(): Remove the output parameter entry_size,
      because no caller is interested in it.
      
      page_zip_max_ins_size(), page_zip_available(): Assume that the page grows
      by PAGE_ZIP_DIR_SLOT_SIZE and the record size (which includes the fields
      that would be stored in the uncompressed portion of the page).
      
      rb#2169 approved by Sunny Bains
    • No commit message · 3a01f981
      mysql-builder@oracle.com authored
      No commit message
  8. 11 Mar, 2013 2 commits
  9. 08 Mar, 2013 1 commit
  10. 07 Mar, 2013 1 commit
    • BUG#16069598 - SERVER CRASH BY NULL POINTER DEREFERENCING IN · 5f502ea3
      Aditya A authored
                     MEM_HEAP_CREATE_BLOCK() 
      
      PROBLEM
      -------
      
      If we start mysqld with the option --innodb_log_buffer_size=50GB,
      then mem_area_alloc() function fails to allocate memory and returns
      NULL. In debug version we assert at this point, but there is no check in
      release version and we get a segmentation fault.
      
      FIX
      ---
      Added a log message saying that we are unable to allocate memory.
      After this message we assert.
      
      [Approved by Kevin http://rb.no.oracle.com/rb/r/2065 ]
  11. 05 Mar, 2013 1 commit
  12. 01 Mar, 2013 1 commit
  13. 07 Mar, 2013 1 commit
    • Bug#16169063: SECURITY CONCERN BECAUSE OF INSUFFICIENT LOGGING · da6538b6
      Ashish Agarwal authored
      PROBLEM: If multiple statements are sent by a single
               request then only the last statement was
               getting logged. An attacker can bypass the
               audit log just by sending two consecutive
               statements in one request.

      SOLUTION: Each statement from a single request is
                logged.
  14. 06 Mar, 2013 2 commits
    • Bug #16133801 UNEXPLAINABLE INNODB UNIQUE INDEX LOCKS ON DELETE + · 833c75da
      Annamalai Gurusami authored
      INSERT WITH SAME VALUES
      
      Problem:
      
      When a transaction is in READ COMMITTED isolation level, gap locks are still
      taken in the secondary index, when row is inserted.  This happens when the
      secondary index is scanned for duplicate.  
      
      The function row_ins_scan_sec_index_for_duplicate() always calls the 
      function row_ins_set_shared_rec_lock() with LOCK_ORDINARY irrespective of
      the transaction isolation level.
      
      Solution:
      
      The function row_ins_scan_sec_index_for_duplicate() calls the 
      function row_ins_set_shared_rec_lock() with LOCK_ORDINARY or 
      LOCK_REC_NOT_GAP based on the transaction isolation level.
      
      rb://2035 approved by Krunal and Marko
    • murthy.narkedimilli@oracle.com's avatar
      20bf30c2
  15. 05 Mar, 2013 2 commits
  16. 01 Mar, 2013 2 commits
    • Local merge · 8d1c57f9
      Marc Alff authored
    • BUG#11753923-SQL THREAD CRASHES ON DISK FULL · 2a38b8bc
      Venkatesh Duggirala authored
      Fixing post push issue
      Simulator name used needs to be changed to make it
      work properly.
      
      Analysis: 
      Debug control list addition (ListAddDel function
      dbug.c file) code was written in such a way that
      if new element is subset of already existing element,
      then the new element is not added.
      i.e., set @@global.debug = '+d,abcd', is existing in
      the list then you cannot add "a" or "ab" or "abc"
      in the list.
  17. 28 Feb, 2013 2 commits
    • Bug#16385711: HANDLER, CREATE TABLE IF NOT EXISTS, · d1c1981b
      Jon Olav Hauglid authored
                    PROBLEM AFTER MYSQL_HA_FIND
      
      This problem occurred if a prepared statement tried to create a table
      for which there already existed a view with the same name while a
      SQL handler was opened.
      
      Before DDL statements are executed, mysql_ha_rm_tables() is called
      to remove any matching tables from the internal list of opened SQL
      handler tables. This match was done on TABLE_LIST::db and 
      TABLE_LIST::table_name. This is problematic for views (which use
      TABLE_LIST::view_db and TABLE_LIST::view_name) and anonymous
      derived tables.
      
      This patch fixes the problem by skipping TABLE_LISTs representing
      anonymous derived tables and using get_db_name()/get_table_name()
      which handles views when looking for SQL handler tables to remove.
    • Bug#16414644 ASSERTION FAILED: SIZE == PFS_ALLOCATED_MEMORY · fafa23dc
      Marc Alff authored
      Before this fix, the command
        SHOW ENGINE PERFORMANCE_SCHEMA STATUS
      could report wrong amount of memory allocated,
      when the amount of memory used exceeds 4GB.
      
      The problem is that size computations are not done using size_t,
      so that overflows do occur, truncating the results.
      
      This fix computes memory sizes properly with size_t.
      
      Tested manually.
      
      No test script provided, as the script would need to allocate too much 
      memory for the test.