1. 15 May, 2023 3 commits
  2. 12 May, 2023 6 commits
    • Fix insecure use of strcpy, strcat and sprintf in Connect · 2ff01e76
      Mikhail Chalov authored
      Old style C functions `strcpy()`, `strcat()` and `sprintf()` are vulnerable to
      security issues due to lacking memory boundary checks. Replace these in the
      Connect storage engine with safe new and/or custom functions such as
      `snprintf()`, `safe_strcpy()` and `safe_strcat()`.
      
      With this change FlawFinder and other static security analyzers report 287
      fewer findings.
      
      All new code of the whole pull request, including one or several files that are
      either new files or modified ones, are contributed under the BSD-new license. I
      am contributing on behalf of my employer Amazon Web Services, Inc.
    • MDEV-31250 ROW variables do not get assigned from subselects · b3cdb612
      Alexander Barkov authored
      ROW variables did not get assigned from subselects in these contexts:
      
      BEGIN
        DECLARE r ROW TYPE OF t1;
        SET r=(SELECT * FROM t1 WHERE a=1);
      END;
      
      BEGIN
        DECLARE r ROW TYPE OF t1 DEFAULT (SELECT * FROM t1 WHERE a=1);
      END;
      
      All fields of the ROW variable remained NULL.
    • MDEV-31240 Crash with condition pushable into derived and containing outer reference · 0474466b
      Igor Babaev authored
      This bug could affect queries containing a subquery over splittable derived
      tables and having outer references in its WHERE clause. If such subquery
      contained an equality condition whose left part was a reference to a column
      of the derived table and the right part referred only to outer columns
      then the server crashed in the function st_join_table::choose_best_splitting().
      The crashing code was added in the commit ce7ffe61
      that made the code of the function sensitive to presence of the flag
      OUTER_REF_TABLE_BIT in the KEYUSE_EXT::needed_in_prefix fields.
      
      The field needed_in_prefix of the KEYUSE_EXT structure should not contain
      table maps with OUTER_REF_TABLE_BIT or RAND_TABLE_BIT.
      
      Note that this fix is quite conservative: for affected queries it just
      returns the query plans that were used before the above mentioned commit.
      In fact the equalities causing crashes should be pushed into derived tables
      without any usage of split optimization.
      
      Approved by Sergei Petrunia <sergey@mariadb.com>
    • MDEV-28433 : Server crashes when wsrep_sst_donor and wsrep_cluster_address set to NULL · f102b595
      Jan Lindström authored
      Do not allow setting wsrep_sst_donor as NULL as it is
      an incorrect value. User can use value '' (default) that represents
      the same as NULL. Setting wsrep_cluster_address to NULL is
      already handled correctly.
      Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
    • MDEV-30473 Remove test galera.MDEV-27713 · 7d55eb00
      Daniele Sciascia authored
      Remove test galera.MDEV-27713. This test relies on GET_LOCK() and has
      stopped working since commit 844ddb11 (see MDEV-30473). This commit
      disabled GET_LOCK() in combination with Galera.
      Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
    • Julius Goryavsky's avatar
      3a7b3113
  3. 11 May, 2023 3 commits
    • MDEV-30388 : Assertion `!wsrep_has_changes(thd) || (thd->lex->sql_command ==... · 28eaf66e
      Jan Lindström authored
      MDEV-30388 : Assertion `!wsrep_has_changes(thd) || (thd->lex->sql_command == SQLCOM_CREATE_TABLE && !thd->is_current_stmt_binlog_format_row()) || thd->wsrep_cs().transaction().state() == wsrep::transaction::s_aborted' failed
      
      Problem for Galera is the fact that sequences are not really
      transactional. Sequence operation is committed immediately
      in sql_sequence.cd and later Galera could find out that
      we have changes but actual statement is not there anymore.
      
      Therefore, we must make some restrictions on what kind
      of sequences Galera can support.
      
      (1) Galera cluster supports only sequences implemented
      by InnoDB storage engine. This is because Galera replication
      supports currently only InnoDB.
      
      (2) We do not allow LOCK TABLE on sequence object and
      we do not allow sequence creation under LOCK TABLE, instead
      lock is released and we issue warning.
      
      (3) We allow sequences with NOCACHE definition or with
      INCREMENT BY 0 CACHE=n definition. This makes sure that
      sequence values are unique across Galera cluster.
      Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
    • Oleksandr Byelkin's avatar
      de703a2b
    • MDEV-30765 SHOW TABLES not working properly with lower_case_table_names=2 · 7e7e12e7
      Oleg Smirnov authored
      lower_case_table_names=2 means "table names and database names are
      stored as declared, but they are compared in lowercase".
      But names of objects in grants are stored in lowercase for any value
      of lower_case_table_names. This caused an error when checking grants
      for objects containing uppercase letters since table_hash_search()
      didn't take into account lower_case_table_names value.
  4. 10 May, 2023 2 commits
  5. 08 May, 2023 1 commit
    • MDEV-31181 Crash with EXPLAIN EXTENDED for single-table DELETE using IN predicand · a09f661f
      Igor Babaev authored
      This bug affected EXPLAIN EXTENDED command for single-table DELETE that
      used an IN subquery in its WHERE clause. A crash happened if the optimizer
      chose to employ index_subquery or unique_subquery access when processing
      such command.
      The crash happened when the command tried to print the transformed query.
      In the current code of 10.4 for single-table DELETE statements the output
      of any explain command is produced after the join structures of all used
      subqueries have been destroyed. JOIN::destroy() sets the field tab of the
      JOIN_TAB structures created for subquery tables to NULL. As a result
      subselect_indexsubquery_engine::print(), subselect_indexsubquery_engine()
      cannot use this field to get the alias name of the joined table.
      
      This patch suggests to use the field TABLE_LIST::TAB that can be accessed
      from JOIN_TAB::tab_list to get the alias name of the joined table.
      
      Approved by Oleksandr Byelkin <sanja@mariadb.com>
  6. 05 May, 2023 5 commits
    • Fixed wrong test cases (embedded and ASAN) · 84b9fc25
      Monty authored
      - main.selectivity failed because one test produced different result with
        embedded (missing feature). Fixed by moving the failing part to
        selectivity_notembedded.
      - Disabled maria.encrypt-no-key for embedded as embedded does not support
        encryption
      - Moved test from join_cache to join_cache_notasan that tried to alloc()
        a buffer bigger than available memory.
    • Added missing test file · c874d5c6
      Monty authored
    • Cleanup of sql_join_cache code (no logic changes) · e74390d9
      Monty authored
      - Remove virtual from get_min_join_buffer_size() and
        get_max_join_buffer_size().
      - Avoid some calls to get_min_buffer_size()
      - Simply cache usage in get_..._join_buffer_size()
      - Simplify get_max_join_buffer_size() when using optimize_buff_size
      - Reindented some long comments
      
      Reviewer: Sergei Petrunia <sergey@mariadb.com>
    • Fixed calculation of JOIN_CACHE::max_records · 5fd46be5
      Monty authored
      The old code did set max_records to either number_of_rows
      (partial_join_cardinality) or memory size (join_buffer_space_limit)
      which did not make sense.
      
      Fixed by setting max_records to number of rows that fits into
      join_buffer_size.
      
      Other things:
      - Initialize buffer cache values in JOIN_CACHE constructors (safety)
      
      Reviewer: Sergei Petrunia <sergey@mariadb.com>
    • MDEV-31194: Server crash or assertion failure with join_cache_level=4 · 2594da7a
      Sergei Petrunia authored
      The problem, introduced in patch for MDEV-26301:
      
      When check_join_cache_usage() decides not to use join buffer, it must
      adjust the access method accordingly. For BNL-H joins this means switching
      from pseudo-"ref access" (with index=MAX_KEY) to some other access method.
      
      Failing to do this will cause assertions down the line when code that is
      not aware of BNL-H will try to initialize index use for ref access with
      index=MAX_KEY.
      
      The fix is to follow the regular code path to disable the join buffer for
      the join_tab ("goto no_join_cache") instead of just returning from
      check_join_cache_usage().
  7. 04 May, 2023 6 commits
  8. 03 May, 2023 6 commits
  9. 02 May, 2023 8 commits
    • MDEV-6768 Wrong result with aggregate with join with no result set · 7f96dd50
      Monty authored
      When a query does implicit grouping and join operation produces an empty
      result set, a NULL-complemented row combination is generated.
      However, constant table fields still show non-NULL values.
      
      What happens in the is that end_send_group() is called with a
      const row but without any rows matching the WHERE clause.
      This last part is shown by 'join->first_record' not being set.
      
      This causes item->no_rows_in_result() to be called for all items to reset
      all sum functions to their initial state. However fields are not set
      to NULL.
      
      The used fix is to produce NULL-complemented records for constant tables
      as well. Also, reset the constant table's records back in case we're
      in a subquery which may get re-executed.
      An alternative fix would have item->no_rows_in_result() also work
      with Item_field objects.
      
      There are some other issues with the code:
      - join->no_rows_in_result_called is used but never set.
      - Tables that are used with group functions are not properly marked as
        maybe_null, which is required if the table rows should be regarded as
        null-complemented (not existing).
      - The code that tries to detect if mixed_implicit_grouping should be set
        didn't take into account all usage of fields and sum functions.
      - Item_func::restore_to_before_no_rows_in_result() called the wrong
        function.
      - join->clear() does not use a table_map argument to clear_tables(),
        which caused it to ignore constant tables.
      - unclear_tables() does not correctly restore status to what it
        was before clear_tables().
      
      Main bug fix was to always use a table_map argument to clear_tables() and
      always use join->clear() and clear_tables() together with unclear_tables().
      
      Other fixes:
      - Fixed Item_func::restore_to_before_no_rows_in_result()
      - Set 'join->no_rows_in_result_called' when no_rows_in_result_set()
        is called.
      - Removed not used argument from setup_end_select_func().
      - More code comments
      - Ensure that end_send_group() modifies the same fields as are in the
        result set.
      - Changed return_zero_rows() to use pointers instead of references,
        similar to the rest of the code.
    • Fixed "Trying to lock uninitialized mutex" in parallel replication · 4f731757
      Monty authored
      The problem was that mutex_init() was called after the worker was
      put into the domain_hash, which allowed other threads to access it
      before mutex was initialized.
    • MDEV-28054 Various crashes upon INSERT/UPDATE after changing Aria settings · 4cb0d43a
      Monty authored
      The cause of the crash was that test was setting
      aria_sort_buffer_size to MAX_LONG_LONG, which caused an overflow in
      my_malloc() when trying to allocate the buffer + 8 bytes.
      
      Fixed by reducing max size of sort_buffer for Aria and MyISAM
      
      Other things:
      - Added code in maria_repair_parallell() to not allocate a big sort buffer
        for small files.
      - Updated size of minimum sort buffer in Aria
    • MDEV-26258 Various crashes/asserts/corruptions when Aria encryption is... · 1ef22e28
      Monty authored
      MDEV-26258 Various crashes/asserts/corruptions when Aria encryption is enabled/used, but the encryption plugin is not loaded
      
      The reason for the MDEV reported failures is that the tests are enabling
      encryption for Aria but not providing any encryption keys.
      
      Fixed by checking if encryption keys exist before creating the table.
      
      Other things:
      - maria.encrypt_wrong-key changed as we now get the error on CREATE
        instead of during insert.
    • Merge branch '10.3' into 10.4 · 5597562a
      Oleksandr Byelkin authored
    • New CC 3.1 · ca001cf2
      Oleksandr Byelkin authored
    • Oleksandr Byelkin's avatar
      1d15300b
    • wsrep-lib external submodule update · c6ef9b1c
      Julius Goryavsky authored