1. 30 Jan, 2012 1 commit
    • Gopal Shankar's avatar
      Bug#13105873 :Valgrind Warning: CRASH IN FOREIGN · 04c5e521
      Gopal Shankar authored
            KEY HANDLING ON SUBSEQUENT CREATE TABLE IF NOT EXISTS
            
            PROBLEM:
            --------
            Consider a SP routine which does CREATE TABLE
            with REFERENCES clause. The first call to this routine
            invokes parser and the parsed items are cached, so as 
            to avoid parsing for the second execution of the routine.
            
            It is obsevered that valgrind reports a warning
            upon read of thd->lex->alter_info->key_list->Foreign_key object,
            which seem to be pointing to a invalid memory address
            during second time execution of the routine. Accessing this object
            theoretically could cause a crash.
            
            ANALYSIS:
            ---------
            The problem stems from the fact that for some reason
            elements of ref_columns list in thd->lex->alter_info->
            key_list->Foreign_key object are changed to point to
            objects allocated on runtime memory root.
            
            During the first execution of routine we create
            a copy of thd->lex->alter_info object.
            As part of this process we create a clones of objects in
            Alter_info::key_list and of Foreign_key object in particular.
            Then Foreign_key object is cloned for some reason we
            perform shallow copies of both Foreign_key::ref_columns
            and Foreign_key::columns list. So new instance of 
            Foreign_key object starts to SHARE contents of ref_columns
            and columns list with the original instance.
            After that as part of cloning process we call
            list_copy_and_replace_each_value() for elements of
            ref_columns list. As result ref_columns lists in both
            original and cloned Foreign_key object start to contain
            pointers to Key_part_spec objects allocated on runtime
            memory root because of shallow copy.
            
            So when we start copying of thd->lex->alter_info object
            during the second execution of stored routine we indeed
            encounter pointer to the Key_part_spec object allocated
            on runtime mem-root which was cleared during at the end
            of previous execution. This is done in sp_head::execute(), 
            by a call to free_root(&execute_mem_root,MYF(0));
            As result we get valgrind warnings about accessing 
            unreferenced memory.
            
            FIX:
            ----
            The safest solution to this problem is to 
            fix Foreign_key(Foreign_key, MEM_ROOT) constructor to do
            a deep copy of columns lists, similar to Key(Key, MEM_ROOT) 
            constructor.
      04c5e521
  2. 27 Jan, 2012 1 commit
    • Tor Didriksen's avatar
      Bug#13580775 ASSERTION FAILED: RECORD_LENGTH == M_RECORD_LENGTH · 1422d0b0
      Tor Didriksen authored
      Bug#13011410 CRASH IN FILESORT CODE WITH GROUP BY/ROLLUP
      
      The assert in 13580775 is visible in 5.6 only, 
      but shows that all versions are vulnerable.
      13011410 crashes in all versions.
      
      filesort tries to re-use the sort buffer between invocations in order to save
      malloc/free overhead.
      The fix for Bug 11748783 - 37359: FILESORT CAN BE MORE EFFICIENT.
      added an assert that buffer properties (num_records, record_length) are
      consistent between invocations. Indeed, they are not necessarily consistent.
        
      Fix: re-allocate the sort buffer if properties change.
      1422d0b0
  3. 12 Jan, 2012 4 commits
  4. 11 Jan, 2012 3 commits
  5. 10 Jan, 2012 2 commits
    • Nirbhay Choubey's avatar
      BUG#11760384 - 52792: mysqldump in XML mode does not dump · 7faf69dd
      Nirbhay Choubey authored
                           routines.
      
      mysqldump in xml mode did not dump routines, events or
      triggers.
      
      This patch fixes this issue by fixing the if conditions
      that disallowed the dump of above mentioned objects in
      xml mode, and added the required code to enable dump
      in xml format.
      7faf69dd
    • Yasufumi Kinoshita's avatar
      Bug#12400341 INNODB CAN LEAVE ORPHAN IBD FILES AROUND · 40203bd5
      Yasufumi Kinoshita authored
      If we meet DB_TOO_MANY_CONCURRENT_TRXS during the execution tab_create_graph from row_create_table_for_mysql(), .ibd file for the table should be created already but was not deleted for the error handling.
      
      rb:875 approved by Jimmy Yang
      40203bd5
  6. 09 Jan, 2012 1 commit
    • Jon Olav Hauglid's avatar
      Backport from mysql-trunk of: · 6c1bbb50
      Jon Olav Hauglid authored
      ------------------------------------------------------------
      revno: 3258
      committer: Jon Olav Hauglid <jon.hauglid@oracle.com>
      branch nick: mysql-trunk-bug12663165
      timestamp: Thu 2011-07-14 10:05:12 +0200
      message:
        Bug#12663165 SP DEAD CODE REMOVAL DOESN'T UNDERSTAND CONTINUE HANDLERS
        
        When stored routines are loaded, a simple optimizer tries to locate
        and remove dead code. The problem was that this dead code removal
        did not work correctly with CONTINUE handlers.
        
        If a statement triggers a CONTINUE handler, the following statement
        will be executed after the handler statement has completed. This
        means that the following statement is not dead code even if the
        previous statement unconditionally alters control flow. This fact
        was lost on the dead code removal routine, which ended up with
        removing instructions that could have been executed. This could
        then lead to assertions, crashes and generally bad behavior when
        the stored routine was executed.
        
        This patch fixes the problem by marking as live code all stored
        routine instructions that are in the same scope as a CONTINUE handler.
        
        Test case added to sp.test.
      6c1bbb50
  7. 06 Jan, 2012 2 commits
  8. 02 Jan, 2012 1 commit
    • Tatjana Azundris Nuernberg's avatar
      BUG#11755281/47032: ERROR 2006 / ERROR 2013 INSTEAD OF PROPER ERROR MESSAGE · 1666da4b
      Tatjana Azundris Nuernberg authored
      If init_command was incorrect, we couldn't let users execute
      queries, but we couldn't report the issue to the client either
      as it does not expect error messages before even sending a
      command. Thus, we simply disconnected them without throwing
      a clear error.
      
      We now go through the proper sequence once (without executing
      any user statements) so we can report back what the problem
      is. Only then do we disconnect the user.
      
      As always, root remains unaffected by this as init_command is
      (still) not executed for them.
      1666da4b
  9. 28 Dec, 2011 1 commit
    • Marko Mäkelä's avatar
      Bug#13418934 REMOVE HAVE_PURIFY DEPENDENCES FROM INNODB · a290a844
      Marko Mäkelä authored
      InnoDB: Remove HAVE_purify, UNIV_INIT_MEM_TO_ZERO, UNIV_SET_MEM_TO_ZERO.
      
      The compile-time setting HAVE_purify can mask potential bugs.
      It is being set in PB2 Valgrind runs. We should simply get rid of it,
      and replace it with UNIV_MEM_INVALID() to declare uninitialized memory
      as such in Valgrind-instrumented binaries.
      
      os_mem_alloc_large(), ut_malloc_low(): Remove the parameter set_to_zero.
      
      ut_malloc(): Define as a macro that invokes ut_malloc_low().
      
      buf_pool_init(): Never initialize the buffer pool frames. All pages
      must be initialized before flushing them to disk.
      
      mem_heap_alloc(): Never initialize the allocated memory block.
      
      os_mem_alloc_nocache(), ut_test_malloc(): Unused function, remove.
      
      rb:813 approved by Jimmy Yang
      a290a844
  10. 23 Dec, 2011 2 commits
  11. 22 Dec, 2011 3 commits
    • Vasil Dimov's avatar
      Fix Bug#13510739 63775: SERVER CRASH ON HANDLER READ NEXT AFTER DELETE RECORD. · 43ea968d
      Vasil Dimov authored
      CREATE TABLE bug13510739 (c INTEGER NOT NULL, PRIMARY KEY (c)) ENGINE=INNODB;
      INSERT INTO bug13510739 VALUES (1), (2), (3), (4);
      DELETE FROM bug13510739 WHERE c=2;
      HANDLER bug13510739 OPEN;
      HANDLER bug13510739 READ `primary` = (2);
      HANDLER bug13510739 READ `primary` NEXT;  <-- crash
      
      The bug is that in the particular testcase row_search_for_mysql() picked up
      a delete-marked record and quit, leaving the cursor non-positioned state and
      on the subsequent 'get next' call the code crashed because of the
      non-positioned cursor.
      
      In row0sel.cc (line numbers from mysql-trunk):
      
      4653         if (rec_get_deleted_flag(rec, comp)) {
      ...
      4679                 if (index == clust_index && unique_search) {
      4680 
      4681                         err = DB_RECORD_NOT_FOUND;
      4682                         
      4683                         goto normal_return;
      4684                 }       
      
      it quit from here, not storing the cursor position.
      
      In contrast, if the record=2 is not found at all (e.g. sleep(1) after DELETE
      to let the purge wipe it away completely) then 'get = 2' does find record=3
      and quits from here:
      
      4366                 if (0 != cmp_dtuple_rec(search_tuple, rec, offsets)) {
      ...
      4394                         btr_pcur_store_position(pcur, &mtr);
      4395 
      4396                         err = DB_RECORD_NOT_FOUND;
      4397 #if 0
      4398                         ut_print_name(stderr, trx, FALSE, index->name);
      4399                         fputs(" record not found 3\n", stderr);
      4400 #endif
      4401 
      4402                         goto normal_return;
      
      Another fix could be to extend the condition on line 4366 to hold only if
      seach_tuple matches rec AND if rec is not delete marked.
      
      Notice that in the above test case if we wait about 1 second somewhere after
      DELETE and before 'get = 2', then the testcase does not crash and returns 4
      instead. Not sure if this is the correct behavior, but this bugfix removes
      the crash and makes the code return what it also returns in the non-crashing
      case (if rec=2 is not found during 'get = 2', e.g. we have sleep(1) there).
      
      Approved by:	Marko (http://bur03.no.oracle.com/rb/r/863/)
      43ea968d
    • Inaam Rana's avatar
      Add ChangeLog message. · 51078332
      Inaam Rana authored
      51078332
    • Inaam Rana's avatar
      Bug#11866367 FPE WHEN SETTING INNODB_SPIN_WAIT_DELAY · 2cdcb18b
      Inaam Rana authored
      rb://865
      approved by: Jimmy
      
      Integer overflow causes division by zero.
      2cdcb18b
  12. 16 Dec, 2011 8 commits
  13. 15 Dec, 2011 2 commits
  14. 14 Dec, 2011 2 commits
  15. 13 Dec, 2011 1 commit
    • Annamalai Gurusami's avatar
      Bug #13117023: Innodb increments handler_read_key when it should not · 22b38304
      Annamalai Gurusami authored
      The counter handler_read_key (SSV::ha_read_key_count) is incremented 
      incorrectly.
      
      The mysql server maintains a per thread system_status_var (SSV)
      object.  This object contains among other things the counter
      SSV::ha_read_key_count. The purpose of this counter is to measure the
      number of requests to read a row based on a key (or the number of
      index lookups).
      
      This counter was wrongly incremented in the
      ha_innobase::innobase_get_index(). The fix removes
      this increment statement (for both innodb and innodb_plugin).
      
      The various callers of the innobase_get_index() was checked to
      determine if anybody must increment this counter (if they first call
      innobase_get_index() and then perform an index lookup).  It was found
      that no caller of innobase_get_index() needs to worry about the
      SSV::ha_read_key_count counter.
      22b38304
  16. 12 Dec, 2011 3 commits
  17. 30 Nov, 2011 2 commits
  18. 29 Nov, 2011 1 commit
    • Tor Didriksen's avatar
      Build broken for gcc 4.5.1 in optimized mode. · cfef24eb
      Tor Didriksen authored
      readline.cc: In function char* batch_readline(LINE_BUFFER*):
      readline.cc:60:9: error: out_length may be used uninitialized in this function
      log.cc: In function int find_uniq_filename(char*):
      log.cc:1857:8: error: number may be used uninitialized in this function
      cfef24eb