1. 10 Jun, 2013 1 commit
  2. 04 Jun, 2013 1 commit
  3. 24 May, 2013 1 commit
    • Venkatesh Duggirala's avatar
      Bug#16765278 DELETE SQL_LOAD_MB* FILE (TEMP FILE) CREATED · e8a0b9f9
      Venkatesh Duggirala authored
      BY BINLOG_KILLED_SIMULATE.TEST
            
      'mysqbinlog' tool creates a temporary file while 
      preparing LOAD DATA QUERY. These files needs to be deleted
      at the end of the test script otherwise these files are
      left out in the daily-run machines, causing
      "no space on device issues"
            
      Fix: 
      Delete them at the end of these test scripts
      1) execute mysqlbinlog with --local-load option to
      create these files in a specified tmpdir
      2) delete the tmpdir at the end of the test script
      e8a0b9f9
  4. 23 May, 2013 1 commit
    • Chaithra Gopalareddy's avatar
      Bug #16119355: PREPARED STATEMENT: READ OF FREED MEMORY WITH · 4bd94e7d
      Chaithra Gopalareddy authored
                                       STRING CONVERSION FUNCTIONS
                  
      Problem:
      While executing the prepared statement, user variable is
      set to memory which would be freed at the end of
      execution.
      If the statement is executed again, valgrind throws
      error when accessing this pointer.
                        
      Analysis:
                      
      1. First time when Item_func_set_user_var::check is called,
         memory is allocated for "value" to store the result.
         (In the call to copy_if_not_alloced).
      2. While sending the result, Item_func_set_user_var::check
         is called again. But, this time, its called with
         "use_result_field" set to true. 
         As a result, we call result_field->val_str(&value).
      3. Here memory allocated for "value" gets freed. And "value"
         gets set to "result_field", with "str_length" being that of
         result_field's.
      4. In the call to JOIN::cleanup, result_field's memory gets
         freed as this is allocated in a chunk as part of the
         temporary table which is needed to execute the query.
      5. Next time, when execute of the same statement is called,
         "value" will be set to memory which is already freed.
         Valgrind error occurs as "str_length" is positive 
         (set at Step 3)
                        
      Note that user variables list is stored as part of the Lex object
      in set_var_list. Hence the persistance across executions.
                  
      Solution:
      Patch for Bug#11764371 fixed in mysql-5.6+ fixes this problem 
      as well.So backporting the same.
                  
      In the solution for Bug#11764371, we create another object of 
      user_var and repoint it to temp_table's field. As a result while 
      deleting the alloced buffer in Step 3, since the cloned object 
      does not own the buffer, deletion will not happen.
      So at step 5 when we execute the statement second time, the 
      original object will be used and since deletion did not happen 
      valgrind will not complain about dangling pointer.
      
      
      sql/item_func.h:
        Add constructors.
      sql/sql_select.cc:
        Change user variable assignment functions to read from fields after
        tables have been unlocked.
      4bd94e7d
  5. 22 May, 2013 1 commit
    • Chaithra Gopalareddy's avatar
      Bug#11766191:INVALID MEMORY READ IN DO_DIV_MOD WITH DOUBLY ASSIGNED VARIABLES · 0c903fb5
      Chaithra Gopalareddy authored
      Bug#12608543: CRASHES WITH DECIMALS AND STATEMENT NEEDS TO BE REPREPARED ERRORS
      
      Backporting these two fixes to 5.1 
      Added unittest to test my_decimal construtor and assignment operators
      
      sql/my_decimal.h:
        Added constructor and assignment operators for my_decimal
      unittest/my_decimal/my_decimal-t.cc:
        Added test to check constructor and assignment operators for my_decimal
      0c903fb5
  6. 16 May, 2013 3 commits
    • sayantan dutta's avatar
    • Annamalai Gurusami's avatar
      Bug #16806366 BOGUS CALL TO LOCK_REC_RESTORE_FROM_PAGE_INFIMUM IN · 59b43c79
      Annamalai Gurusami authored
      INSERT BUFFER MERGE
      
      Problem:
      
      When the record is merged from the change buffer to the actual page,
      in a particular condition, it is assumed that the deleted rec will
      be re-used by the inserted rec.  With this assumption the lock is
      restored on the pointer to the deleted rec itself, thinking that
      it is pointing to the newly inserted rec.
      
      Solution:
      
      Just before restoring the lock, update the rec pointer to point
      to the newly inserted record.  An assert has been added to verify
      this.  This assert will fail without the fix and will pass with
      the fix.
      
      rb#2449 in review by Marko and Jimmy
      
      
      59b43c79
    • Jon Olav Hauglid's avatar
      Bug#16807394: PREVENT NEW ERROR MESSAGES FROM BEING ADDED TO 5.5 · 9486aaef
      Jon Olav Hauglid authored
      In order to keep error message numbers stable between GA releases, we
      can not now add a new error message to 5.1/5.5 as this message would get 
      a number now used in 5.6.
      
      This patch enforces this by adding a 5.1/5.5 specific check when processing
      the error message file. If a new error message is added, building will
      abort and report an error.
      9486aaef
  7. 15 May, 2013 1 commit
    • Marko Mäkelä's avatar
      Bug#16736929 PAGE_ZIP_DECOMPRESS() FAILS ON EMPTY RECORD · 205bf59a
      Marko Mäkelä authored
      When a record contains no user data bytes (such as when the PRIMARY
      KEY is an empty string and all secondary index fields are NULL or the
      empty string), page_zip_decompress() could fail to set the record
      heap_no correctly.
      
      page_zip_decompress_node_ptrs(), page_zip_decompress_sec(),
      page_zip_decompress_clust(): Set heap_no also at the end of the
      compressed data stream.
      
      rb#2448 approved by Jimmy Yang and Inaam Rana
      205bf59a
  8. 13 May, 2013 3 commits
  9. 12 May, 2013 1 commit
    • Annamalai Gurusami's avatar
      Fixing a build issue. In InnoDB plugin, the function · 87a1918f
      Annamalai Gurusami authored
      innobase_convert_to_filename_charset() was by mistake kept within
      the conditional compilation of UNIV_COMPILE_TEST_FUNCS.  Now placing
      the function out of UNIV_COMPILE_TEST_FUNCS.  Also, removed the
      unnecessary log message (as in 5.6+).
      87a1918f
  10. 10 May, 2013 3 commits
  11. 07 May, 2013 4 commits
    • Chaithra Gopalareddy's avatar
      Bug #16119355: PREPARED STATEMENT: READ OF FREED MEMORY WITH · 266dd9c0
      Chaithra Gopalareddy authored
                                 STRING CONVERSION FUNCTIONS
                  
      Problem:
      While executing the prepared statement, user variable is
      set to memory which would be freed at the end of
      execution.
      If the statement is executed again, valgrind throws
      error when accessing this pointer.
                  
      Analysis:
                  
      1. First time when Item_func_set_user_var::check is called,
      memory is allocated for "value" to store the result.
      (In the call to copy_if_not_alloced).
      2. While sending the result, Item_func_set_user_var::check
      is called again. But, this time, its called with
      "use_result_field" set to true. 
      As a result, we call result_field->val_str(&value).
      3. Here memory allocated for "value" gets freed. And "value"
      gets set to "result_field", with "str_length" being that of
      result_field's.
      4. In the call to JOIN::cleanup, result_field's memory gets
      freed as this is allocated in a chunk as part of the
      temporary table which is needed to execute the query.
      5. Next time, when execute of the same statement is called,
      "value" will be set to memory which is already freed.
      Valgrind error occurs as "str_length" is positive 
      (set at Step 3)
                  
      Note that user variables list is stored as part of the Lex object
      in set_var_list. Hence the persistance across executions.
            
      Solution:
      Patch for Bug#11764371 fixed in mysql-5.6+ fixes this problem 
      as well.So backporting the same.
            
      In the solution for Bug#11764371, we create another object of 
      user_var and repoint it to temp_table's field. As a result while 
      deleting the alloced buffer in Step 3, since the cloned object 
      does not own the buffer, deletion will not happen.
      So at step 5 when we execute the statement second time, the 
      original object will be used and since deletion did not happen 
      valgrind will not complain about dangling pointer.
      
      
      sql/item_func.h:
        Add constructors.
      sql/sql_select.cc:
        Change user variable assignment functions to read from fields after
        tables have been unlocked.
      266dd9c0
    • Sergey Glukhov's avatar
      Bug#16095534 CRASH: PREPARED STATEMENT CRASHES IN ITEM_BOOL_FUNC2::FIX_LENGTH_AND_DEC · 2ec9dcf6
      Sergey Glukhov authored
      The problem happened due to broken left expression in Item_in_optimizer object.
      In case of the bug left expression is runtime created Item_outer_ref item which
      is deleted at the end of the statement and one of Item_in_optimizer arguments
      becomes bad when re-executed. The fix is to use real_item() instead of original
      left expression. Note: It feels a bit weird that after preparing, the field is
      directly part of the generated Item_func_eq, whereas in execution it is replaced
      with an Item_outer_ref wrapper object.
      
      
      sql/item_subselect.cc:
        use left_expr->real_item() instead of original left expression
        because left_expr can be runtime created Ref item which is deleted
        at the end of the statement. Thus one of 'substitution' arguments
        can be broken in case of PS.
      2ec9dcf6
    • Balasubramanian Kandasamy's avatar
    • Murthy Narkedimilli's avatar
      Merging the changes from 5.1 branch to release branch. · be8f5a6b
      Murthy Narkedimilli authored
      Includes bug fixes for:
      Bug #16722314 FOREIGN KEY ID MODIFIED DURING EXPORT
      Bug #16754901 PARS_INFO_FREE NOT CALLED IN DICT_CREATE_ADD_FOREIGN_TO_DICTIONARY
      be8f5a6b
  12. 06 May, 2013 2 commits
    • Annamalai Gurusami's avatar
      Bug #16722314 FOREIGN KEY ID MODIFIED DURING EXPORT · bf7325bb
      Annamalai Gurusami authored
      Bug #16754901 PARS_INFO_FREE NOT CALLED IN DICT_CREATE_ADD_FOREIGN_TO_DICTIONARY
      
      Problem:
      
      There are two situations here.  The constraint name is explicitly
      given by the user and the constraint name is automatically generated
      by InnoDB.  In the case of generated constraint name, it is formed by
      adding table name as prefix.  The table names are stored internally in
      my_charset_filename.  In the case of constraint name explicitly given
      by the user, it is stored in UTF8 format itself.  So, in some
      situations the constraint name is in utf8 and in some situations it is
      in my_charset_filename format.  Hence this problem.
      
      Solution:
      
      Always store the foreign key constraint name in UTF-8 even when
      automatically generated.
      
      Bug #16754901 PARS_INFO_FREE NOT CALLED IN DICT_CREATE_ADD_FOREIGN_TO_DICTIONARY
      
      Problem:
      
      There was a memory leak in the function dict_create_add_foreign_to_dictionary().
      The allocated pars_info_t object is not freed in the error code path.
      
      Solution:
      
      Allocate the pars_info_t object after the error checking.
      
      rb#2368 in review
      
      bf7325bb
    • unknown's avatar
      Raise version number after cloning 5.1.70 · 1a552530
      unknown authored
      1a552530
  13. 30 Apr, 2013 2 commits
    • unknown's avatar
      Bug#16405422 - RECOVERY FAILURE, ASSERT !RECV_NO_LOG_WRITE · 92989fde
      unknown authored
      eliminate a race condition over recv_sys->n_addrs which might result in a database corruption
      in recovery, without reporting a recovery error.
      
      recv_recover_page_func(): move the code segment that decrements recv_sys->n_addrs
        to the end of the function, after the call to mtr_commit()
      
      rb://2282 approved by Inaam
      92989fde
    • Neeraj Bisht's avatar
      BUG#16222245 - CRASH WITH EXPLAIN FOR A QUERY WITH LOOSE SCAN FOR · 0c9c76e9
      Neeraj Bisht authored
      GROUP BY, MYISAM 
      
      Problem:-
      In a query, where we are using loose index scan optimization and 
      we have MIN() causes segmentation fault(where table row length 
      is less then key_length).
      
      Analysis:
      
      While using loose index scan for MIN(), we call key_copy(), to copy 
      the key data from record.
      This function is using temporary record buffer to store key data 
      from the record buffer.But in case where the key length is greater 
      then the buffer length, this will cause a segmentation fault.
      
      
      Solution:
      Give a proper buffer to store a key record.
      
      
      sql/opt_range.cc:
        We can't use record buffer to store key data.So, give a proper buffer to store a key record.
      0c9c76e9
  14. 24 Apr, 2013 2 commits
  15. 22 Apr, 2013 1 commit
  16. 20 Apr, 2013 1 commit
    • Neeraj Bisht's avatar
      Bug#16073689 : CRASH IN ITEM_FUNC_MATCH::INIT_SEARCH · 89b1b508
      Neeraj Bisht authored
      Problem:
      In query like
      select 1 from .. order by match .. against ...;
      causes a debug assert failue.
      
      Analysis:
      In union type query like
      
      (select * from order by a) order by b;
      or
      (select * from order by a) union (select * from order by b);
      
      We skip resolving of order by a for 1st query and order by of a and b in 
      2nd query.
      
      
      This means that, in case when our order by have Item_func_match class, 
      we skip resolving it.
      But we maintain a ft_func_list and at the time of optimization, when we 
      Perform FULLTEXT search before all regular searches on the bases of the 
      list we call Item_func_match::init_search() which will cause debug assert 
      as the item is not resolved.
      
      
      Solution:
      We will skip execution if the item is not fixed and we will not 
      fix index(Item_func_match::fix_index()) for which 
      Item_func_match::fix_field() is not called so that on later changes 
      we can check the dependency on fix field.
      
      
      sql/item_func.cc:
        skiping execution, if item is not resolved.
      89b1b508
  17. 16 Apr, 2013 1 commit
  18. 14 Apr, 2013 1 commit
    • Chaithra Gopalareddy's avatar
      Bug#16347426:ASSERTION FAILED: (SELECT_INSERT && · 2d836633
      Chaithra Gopalareddy authored
                   !TABLES->NEXT_NAME_RESOLUTION_TABLE) || !TAB
            
      Problem:
      The context info of select query gets corrupted when a query
      with group_concat having order by is present in an order by
      clause of the select query. As a result, server crashes with
      an assert.
            
      Analysis:
      While parsing order by for group_concat, it is presumed that
      it is always present before the actual order by for the
      select query.
      As a result, parser uses select->order_list to populate the
      order by items of group_concat and creates a select->gorder_list
      to which select->order_list is copied onto. Once this is done,
      it empties the select->order_list.
      In the case presented in the bugpage, as order by is already
      parsed when group_concat's order by is encountered, parser
      presumes that it is the second order by in the select query
      and creates fake_lex_unit which results in the change of
      context info.
            
      Solution:
      Make group_concat's order by parsing independent of the select
      
      
      sql/item_sum.cc:
        Change the argument as, select->gorder_list is not pointer anymore
      sql/item_sum.h:
        Change the argument as, select->gorder_list is not pointer anymore
      sql/mysql_priv.h:
        Parsing for group_concat's order by is made independent.
        As a result, add_order_to_list cannot be used anymore.
      sql/sql_lex.cc:
        Parsing for group_concat's order by is made independent.
        As a result, add_order_to_list cannot be used anymore.
      sql/sql_lex.h:
        Parsing for group_concat's order by is made independent.
        As a result, add_order_to_list cannot be used anymore.
      sql/sql_yacc.yy:
         Make group_concat's order by parsing independent of the select
        queries order by.
      2d836633
  19. 09 Apr, 2013 1 commit
  20. 08 Apr, 2013 2 commits
  21. 02 Apr, 2013 2 commits
  22. 01 Apr, 2013 1 commit
  23. 31 Mar, 2013 1 commit
    • Chaithra Gopalareddy's avatar
      · cfb3bbac
      Chaithra Gopalareddy authored
      Bug #16347343 : CRASH, GROUP_CONCAT, DERIVED TABLES
            
      Problem:
      A select query inside a group_concat function having an 
      outer reference results in a crash.
            
      Analysis:
      In function Item_group_concat::add, we do not check if 
      return value of get_tmp_table_field can be NULL for 
      a non-const item. This can happen for a query with a 
      outer reference.
      While resolving the outer reference in the query present
      inside group_concat function, we set the "const_item_cache" 
      to false. As a result in the call to const_item() from 
      Item_func_group_concat::add, it returns false and goes on 
      to check if this can be NULL resulting in the crash.
      get_tmp_table_field does not return NULL for Items of type 
      Item_field, Item_result_field and Item_ref. 
      For all other items, it returns NULL. 
           
      Solution:
      Check for the return value of get_tmp_table_field before we 
      access field contents.
      
      sql/item_sum.cc:
        Check for the return value of get_tmp_table_field before accessing
      cfb3bbac
  24. 29 Mar, 2013 2 commits
  25. 28 Mar, 2013 1 commit
    • Georgi Kodinov's avatar
      Addendum #1 to the fix for bug #16451878 : GEOMETRY QUERY CRASHES SERVER · e927bda6
      Georgi Kodinov authored
      Fixed the get_data_size() methods for multi-point features to check properly for end 
      of their respective data arrays.
      Extended the point checking function to take a 3d optional argument so cases where
      there's additional data in each array element (besides the point data itself) can be
      covered by the helper function.
      Fixed the 3 cases where such offset was present to use the proper checking helper 
      function.
      Test cases added.
      Fixed review comments.
      e927bda6