Patch for Bug#12362125 (SP INOUT HANDLING IS BROKEN FOR TEXT TYPE).

Attempts to assign value to a table column from trigger by using NEW.column_name pseudo-variable might result in garbled data. That happened when: - the column had a BLOB-based type (e.g. TEXT) and - the value being assigned was retrieved from stored routine variable of the same type. The problem was that BLOB values were not copied correctly in this case. Instead of doing a copy of a real value, the value's representation in record buffer was copied. This representation is essentially a pointer to a buffer associated with the virtual table for routine variables where the real value is stored. Since this buffer got freed once trigger was left or could have changed its contents when new value was assigned to corresponding routine variable such a shallow copying resulted in garbled data in NEW.colum_name column. It worked in 5.1 due to a subtle bug in create_virtual_tmp_table(): - in 5.1 create_virtual_tmp_table() returned a table which had db_low_byte_first == false. - in 5.5 and up create_virtual_tmp_table() returns a table which has db_low_byte_first == true. Actually, db_low_byte_first == false only for ISAM storage engine, which was deprecated and removed in 5.0. Having db_low_byte_first == false led to getting false in the complex condition for the 2nd "if" in field_conv(), which in turn led to copy-blob-behavior as a fall-back strategy: - to->table->s->db_low_byte_first was true (correct value) - from->table->s->db_low_byte_first was false (incorrect value) In 5.5 and up that condition is true, which means blob-values are not copied.

Patch for Bug#12362125 (SP INOUT HANDLING IS BROKEN FOR TEXT TYPE).
Attempts to assign value to a table column from trigger by using NEW.column_name pseudo-variable might result in garbled data. That happened when: - the column had a BLOB-based type (e.g. TEXT) and - the value being assigned was retrieved from stored routine variable of the same type. The problem was that BLOB values were not copied correctly in this case. Instead of doing a copy of a real value, the value's representation in record buffer was copied. This representation is essentially a pointer to a buffer associated with the virtual table for routine variables where the real value is stored. Since this buffer got freed once trigger was left or could have changed its contents when new value was assigned to corresponding routine variable such a shallow copying resulted in garbled data in NEW.colum_name column. It worked in 5.1 due to a subtle bug in create_virtual_tmp_table(): - in 5.1 create_virtual_tmp_table() returned a table which had db_low_byte_first == false. - in 5.5 and up create_virtual_tmp_table() returns a table which has db_low_byte_first == true. Actually, db_low_byte_first == false only for ISAM storage engine, which was deprecated and removed in 5.0. Having db_low_byte_first == false led to getting false in the complex condition for the 2nd "if" in field_conv(), which in turn led to copy-blob-behavior as a fall-back strategy: - to->table->s->db_low_byte_first was true (correct value) - from->table->s->db_low_byte_first was false (incorrect value) In 5.5 and up that condition is true, which means blob-values are not copied.
542c88c8 · Alexander Nozdrin · c4841133 · 542c88c8 · 542c88c8 · 542c88c8
Commit 542c88c8 authored May 09, 2011 by Alexander Nozdrin
Show whitespace changes
Inline Side-by-side

Showing with 68 additions and 4 deletions

mysql-test/r/trigger.result mysql-test/r/trigger.result +19 -1

mysql-test/t/trigger.test mysql-test/t/trigger.test +29 -1

sql/item.cc sql/item.cc +20 -2

No files found.
--- a/mysql-test/r/trigger.result
+++ b/mysql-test/r/trigger.result
@@ -2208,4 +2208,22 @@ trigger_name
 # Clean-up.
 drop temporary table t1;
 drop table t1;
-End of 6.0 tests.
+#
+# Bug #12362125: SP INOUT HANDLING IS BROKEN FOR TEXT TYPE.
+#
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1(c TEXT);
+CREATE TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW
+BEGIN
+DECLARE v TEXT;
+SET v = 'aaa';
+SET NEW.c = v;
+END|
+INSERT INTO t1 VALUES('qazwsxedc');
+SELECT c FROM t1;
+c
+aaa
+DROP TABLE t1;
+End of 5.5 tests.
--- a/mysql-test/t/trigger.test
+++ b/mysql-test/t/trigger.test
@@ -2583,4 +2583,32 @@ select trigger_name from information_schema.triggers
 drop temporary table t1;
 drop table t1;
--echo End of 6.0 tests.
+--echo
+--echo #
+--echo # Bug #12362125: SP INOUT HANDLING IS BROKEN FOR TEXT TYPE.
+--echo #
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+CREATE TABLE t1(c TEXT);
+delimiter |;
+CREATE TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW
+BEGIN
+  DECLARE v TEXT;
+  SET v = 'aaa';
+  SET NEW.c = v;
+END|
+delimiter ;|
+INSERT INTO t1 VALUES('qazwsxedc');
+SELECT c FROM t1;
+DROP TABLE t1;
+--echo
+--echo End of 5.5 tests.
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -7134,8 +7134,26 @@ bool Item_trigger_field::set_value(THD *thd, sp_rcontext * /*ctx*/, Item **it)
 {
  Item *item= sp_prepare_func_item(thd, it);
-  return (!item || (!fixed && fix_fields(thd, 0)) ||
+  if (!item)
-          (item->save_in_field(field, 0) < 0));
+    return true;
+  if (!fixed)
+  {
+    if (fix_fields(thd, NULL))
+      return true;
+  }
+  // NOTE: field->table->copy_blobs should be false here, but let's
+  // remember the value at runtime to avoid subtle bugs.
+  bool copy_blobs_saved= field->table->copy_blobs;
+  field->table->copy_blobs= true;
+  int err_code= item->save_in_field(field, 0);
+  field->table->copy_blobs= copy_blobs_saved;
+  return err_code < 0;
 }