From 127ca525942e0e519f05fd5c01ca814738810db0 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 3 Aug 2010 18:57:39 +0200 Subject: [PATCH 01/18] Raise version number after cloning 5.1.50 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index efd291f953c..3ec62b836f1 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.50], [], [mysql]) +AC_INIT([MySQL Server], [5.1.51], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM From 04970a2ff1d0019e256f12626c85266c3a0ebf35 Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Wed, 4 Aug 2010 03:11:33 -0700 Subject: [PATCH 02/18] Fix Bug #54582 stack overflow when opening many tables linked with foreign keys at once rb://391 approved by Heikki Z --- storage/innobase/dict/dict0load.c | 81 ++++++++++++++++++++-- storage/innobase/handler/ha_innodb.cc | 10 +++ storage/innobase/include/db0err.h | 3 + storage/innobase/include/dict0load.h | 2 + storage/innobase/include/dict0mem.h | 21 ++++++ storage/innobase/include/que0que.h | 3 + storage/innobase/row/row0mysql.c | 21 +++++- storage/innodb_plugin/ChangeLog | 8 +++ storage/innodb_plugin/dict/dict0load.c | 81 ++++++++++++++++++++-- storage/innodb_plugin/handler/ha_innodb.cc | 13 ++++ storage/innodb_plugin/include/db0err.h | 3 + storage/innodb_plugin/include/dict0load.h | 2 + storage/innodb_plugin/include/dict0mem.h | 21 ++++++ storage/innodb_plugin/include/que0que.h | 3 + storage/innodb_plugin/row/row0merge.c | 2 +- storage/innodb_plugin/row/row0mysql.c | 21 +++++- 16 files changed, 276 insertions(+), 19 deletions(-) diff --git a/storage/innobase/dict/dict0load.c b/storage/innobase/dict/dict0load.c index d5e7600f4d0..625956600c0 100644 --- a/storage/innobase/dict/dict0load.c +++ b/storage/innobase/dict/dict0load.c @@ -864,16 +864,27 @@ err_exit: err = dict_load_indexes(table, heap); + /* Initialize table foreign_child value. Its value could be + changed when dict_load_foreigns() is called below */ + table->fk_max_recusive_level = 0; + /* If the force recovery flag is set, we open the table irrespective of the error condition, since the user may want to dump data from the clustered index. However we load the foreign key information only if all indexes were loaded. */ if (err == DB_SUCCESS) { - err = dict_load_foreigns(table->name, TRUE); + err = dict_load_foreigns(table->name, TRUE, TRUE); + + if (err != DB_SUCCESS) { + dict_table_remove_from_cache(table); + table = NULL; + } } else if (!srv_force_recovery) { dict_table_remove_from_cache(table); table = NULL; } + + table->fk_max_recusive_level = 0; #if 0 if (err != DB_SUCCESS && table != NULL) { @@ -1095,8 +1106,12 @@ dict_load_foreign( /* out: DB_SUCCESS or error code */ const char* id, /* in: foreign constraint id as a null-terminated string */ - ibool check_charsets) + ibool check_charsets, /* in: TRUE=check charset compatibility */ + ibool check_recursive) + /* in: Whether to record the foreign table + parent count to avoid unlimited recursive + load of chained foreign tables */ { dict_foreign_t* foreign; dict_table_t* sys_foreign; @@ -1110,6 +1125,8 @@ dict_load_foreign( ulint len; ulint n_fields_and_type; mtr_t mtr; + dict_table_t* for_table; + dict_table_t* ref_table; ut_ad(mutex_own(&(dict_sys->mutex))); @@ -1194,11 +1211,54 @@ dict_load_foreign( dict_load_foreign_cols(id, foreign); - /* If the foreign table is not yet in the dictionary cache, we - have to load it so that we are able to make type comparisons - in the next function call. */ + ref_table = dict_table_check_if_in_cache_low( + foreign->referenced_table_name); - dict_table_get_low(foreign->foreign_table_name); + /* We could possibly wind up in a deep recursive calls if + we call dict_table_get_low() again here if there + is a chain of tables concatenated together with + foreign constraints. In such case, each table is + both a parent and child of the other tables, and + act as a "link" in such table chains. + To avoid such scenario, we would need to check the + number of ancesters the current table has. If that + exceeds DICT_FK_MAX_CHAIN_LEN, we will stop loading + the child table. + Foreign constraints are loaded in a Breath First fashion, + that is, the index on FOR_NAME is scanned first, and then + index on REF_NAME. So foreign constrains in which + current table is a child (foreign table) are loaded first, + and then those constraints where current table is a + parent (referenced) table. + Thus we could check the parent (ref_table) table's + reference count (fk_max_recusive_level) to know how deep the + recursive call is. If the parent table (ref_table) is already + loaded, and its fk_max_recusive_level is larger than + DICT_FK_MAX_CHAIN_LEN, we will stop the recursive loading + by skipping loading the child table. It will not affect foreign + constraint check for DMLs since child table will be loaded + at that time for the constraint check. */ + if (!ref_table + || ref_table->fk_max_recusive_level < DICT_FK_MAX_RECURSIVE_LOAD) { + + /* If the foreign table is not yet in the dictionary cache, we + have to load it so that we are able to make type comparisons + in the next function call. */ + + for_table = dict_table_get_low(foreign->foreign_table_name); + + if (for_table && ref_table && check_recursive) { + /* This is to record the longest chain of ancesters + this table has, if the parent has more ancesters + than this table has, record it after add 1 (for this + parent */ + if (ref_table->fk_max_recusive_level + >= for_table->fk_max_recusive_level) { + for_table->fk_max_recusive_level = + ref_table->fk_max_recusive_level + 1; + } + } + } /* Note that there may already be a foreign constraint object in the dictionary cache for this constraint: then the following @@ -1223,6 +1283,8 @@ dict_load_foreigns( /*===============*/ /* out: DB_SUCCESS or error code */ const char* table_name, /* in: table name */ + ibool check_recursive,/* in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets) /* in: TRUE=check charset compatibility */ { @@ -1324,7 +1386,7 @@ loop: /* Load the foreign constraint definition to the dictionary cache */ - err = dict_load_foreign(id, check_charsets); + err = dict_load_foreign(id, check_charsets, check_recursive); if (err != DB_SUCCESS) { btr_pcur_close(&pcur); @@ -1352,6 +1414,11 @@ load_next_index: mtr_start(&mtr); + /* Switch to scan index on REF_NAME, fk_max_recusive_level + already been updated when scanning FOR_NAME index, no need to + update again */ + check_recursive = FALSE; + goto start_load; } diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index d10fcb8d31e..930785d7dcd 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -763,6 +763,16 @@ convert_error_code_to_mysql( my_error(ER_QUERY_INTERRUPTED, MYF(0)); return(-1); + } else if (error == DB_FOREIGN_EXCEED_MAX_CASCADE) { + push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN, + HA_ERR_ROW_IS_REFERENCED, + "InnoDB: Cannot delete/update " + "rows with cascading foreign key " + "constraints that exceed max " + "depth of %d. Please " + "drop extra constraints and try " + "again", DICT_FK_MAX_RECURSIVE_LOAD); + return(-1); } else { return(-1); // Unknown error } diff --git a/storage/innobase/include/db0err.h b/storage/innobase/include/db0err.h index 2be6005622d..af3e78fe833 100644 --- a/storage/innobase/include/db0err.h +++ b/storage/innobase/include/db0err.h @@ -73,6 +73,9 @@ Created 5/24/1996 Heikki Tuuri a later version of the engine. */ #define DB_INTERRUPTED 49 /* the query has been interrupted with "KILL QUERY N;" */ +#define DB_FOREIGN_EXCEED_MAX_CASCADE 50/* Foreign key constraint related + cascading delete/update exceeds + maximum allowed depth */ /* The following are partial failure codes */ #define DB_FAIL 1000 diff --git a/storage/innobase/include/dict0load.h b/storage/innobase/include/dict0load.h index 7e19c2eb3c0..eb6083e06f9 100644 --- a/storage/innobase/include/dict0load.h +++ b/storage/innobase/include/dict0load.h @@ -82,6 +82,8 @@ dict_load_foreigns( /*===============*/ /* out: DB_SUCCESS or error code */ const char* table_name, /* in: table name */ + ibool check_recursive,/* in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets);/* in: TRUE=check charsets compatibility */ /************************************************************************ diff --git a/storage/innobase/include/dict0mem.h b/storage/innobase/include/dict0mem.h index ac28fdb1bae..2f2a7441478 100644 --- a/storage/innobase/include/dict0mem.h +++ b/storage/innobase/include/dict0mem.h @@ -283,6 +283,21 @@ a foreign key constraint is enforced, therefore RESTRICT just means no flag */ #define DICT_FOREIGN_ON_DELETE_NO_ACTION 16 #define DICT_FOREIGN_ON_UPDATE_NO_ACTION 32 +/** Tables could be chained together with Foreign key constraint. When +first load the parent table, we would load all of its descedents. +This could result in rescursive calls and out of stack error eventually. +DICT_FK_MAX_RECURSIVE_LOAD defines the maximum number of recursive loads, +when exceeded, the child table will not be loaded. It will be loaded when +the foreign constraint check needs to be run. */ +#define DICT_FK_MAX_RECURSIVE_LOAD 250 + +/** Similarly, when tables are chained together with foreign key constraints +with on cascading delete/update clause, delete from parent table could +result in recursive cascading calls. This defines the maximum number of +such cascading deletes/updates allowed. When exceeded, the delete from +parent table will fail, and user has to drop excessive foreign constraint +before proceeds. */ +#define FK_MAX_CASCADE_DEL 300 /* Data structure for a database table */ struct dict_table_struct{ @@ -339,6 +354,12 @@ struct dict_table_struct{ NOT allowed until this count gets to zero; MySQL does NOT itself check the number of open handles at drop */ + unsigned fk_max_recusive_level:8; + /*!< maximum recursive level we support when + loading tables chained together with FK + constraints. If exceeds this level, we will + stop loading child table into memory along with + its parent table */ ulint n_foreign_key_checks_running; /* count of how many foreign key check operations are currently being performed diff --git a/storage/innobase/include/que0que.h b/storage/innobase/include/que0que.h index 8fbf5330c89..71f4cfdfb8f 100644 --- a/storage/innobase/include/que0que.h +++ b/storage/innobase/include/que0que.h @@ -367,6 +367,9 @@ struct que_thr_struct{ thus far */ ulint lock_state; /* lock state of thread (table or row) */ + ulint fk_cascade_depth; /*!< maximum cascading call depth + supported for foreign key constraint + related delete/updates */ }; #define QUE_THR_MAGIC_N 8476583 diff --git a/storage/innobase/row/row0mysql.c b/storage/innobase/row/row0mysql.c index 4a834c4efc2..3b76ffa76f1 100644 --- a/storage/innobase/row/row0mysql.c +++ b/storage/innobase/row/row0mysql.c @@ -555,6 +555,12 @@ handle_new_error: "forcing-recovery.html" " for help.\n", stderr); + } else if (err == DB_FOREIGN_EXCEED_MAX_CASCADE) { + fprintf(stderr, "InnoDB: Cannot delete/update rows with" + " cascading foreign key constraints that exceed max" + " depth of %lu\n" + "Please drop excessive foreign constraints" + " and try again\n", (ulong) DICT_FK_MAX_RECURSIVE_LOAD); } else { fprintf(stderr, "InnoDB: unknown error code %lu\n", (ulong) err); @@ -1406,11 +1412,15 @@ row_update_for_mysql( run_again: thr->run_node = node; thr->prev_node = node; + thr->fk_cascade_depth = 0; row_upd_step(thr); err = trx->error_state; + /* Reset fk_cascade_depth back to 0 */ + thr->fk_cascade_depth = 0; + if (err != DB_SUCCESS) { que_thr_stop_for_mysql(thr); @@ -1597,6 +1607,12 @@ row_update_cascade_for_mysql( trx_t* trx; trx = thr_get_trx(thr); + + thr->fk_cascade_depth++; + + if (thr->fk_cascade_depth > FK_MAX_CASCADE_DEL) { + return (DB_FOREIGN_EXCEED_MAX_CASCADE); + } run_again: thr->run_node = node; thr->prev_node = node; @@ -2129,7 +2145,7 @@ row_table_add_foreign_constraints( if (err == DB_SUCCESS) { /* Check that also referencing constraints are ok */ - err = dict_load_foreigns(name, TRUE); + err = dict_load_foreigns(name, FALSE, TRUE); } if (err != DB_SUCCESS) { @@ -3878,7 +3894,8 @@ end: an ALTER, not in a RENAME. */ err = dict_load_foreigns( - new_name, old_is_tmp ? trx->check_foreigns : TRUE); + new_name, FALSE, + old_is_tmp ? trx->check_foreigns : TRUE); if (err != DB_SUCCESS) { ut_print_timestamp(stderr); diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index 3e802360d23..56729852a62 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,11 @@ +2010-08-03 The InnoDB Team + + * dict/dict0load.c, handler/ha_innodb.cc, include/db0err.h, + include/dict0load.h, include/dict0mem.h, include/que0que.h, + row/row0merge.c, row/row0mysql.c: + Fix Bug#54582 stack overflow when opening many tables linked + with foreign keys at once + 2010-07-27 The InnoDB Team * include/mem0pool.h, mem/mem0mem.c, mem/mem0pool.c, srv/srv0start.c: diff --git a/storage/innodb_plugin/dict/dict0load.c b/storage/innodb_plugin/dict/dict0load.c index 3c495d21786..3acc267308f 100644 --- a/storage/innodb_plugin/dict/dict0load.c +++ b/storage/innodb_plugin/dict/dict0load.c @@ -1009,16 +1009,27 @@ err_exit: err = dict_load_indexes(table, heap); + /* Initialize table foreign_child value. Its value could be + changed when dict_load_foreigns() is called below */ + table->fk_max_recusive_level = 0; + /* If the force recovery flag is set, we open the table irrespective of the error condition, since the user may want to dump data from the clustered index. However we load the foreign key information only if all indexes were loaded. */ if (err == DB_SUCCESS) { - err = dict_load_foreigns(table->name, TRUE); + err = dict_load_foreigns(table->name, TRUE, TRUE); + + if (err != DB_SUCCESS) { + dict_table_remove_from_cache(table); + table = NULL; + } } else if (!srv_force_recovery) { dict_table_remove_from_cache(table); table = NULL; } + + table->fk_max_recusive_level = 0; #if 0 if (err != DB_SUCCESS && table != NULL) { @@ -1241,8 +1252,12 @@ dict_load_foreign( /*==============*/ const char* id, /*!< in: foreign constraint id as a null-terminated string */ - ibool check_charsets) + ibool check_charsets, /*!< in: TRUE=check charset compatibility */ + ibool check_recursive) + /*!< in: Whether to record the foreign table + parent count to avoid unlimited recursive + load of chained foreign tables */ { dict_foreign_t* foreign; dict_table_t* sys_foreign; @@ -1256,6 +1271,8 @@ dict_load_foreign( ulint len; ulint n_fields_and_type; mtr_t mtr; + dict_table_t* for_table; + dict_table_t* ref_table; ut_ad(mutex_own(&(dict_sys->mutex))); @@ -1340,11 +1357,54 @@ dict_load_foreign( dict_load_foreign_cols(id, foreign); - /* If the foreign table is not yet in the dictionary cache, we - have to load it so that we are able to make type comparisons - in the next function call. */ + ref_table = dict_table_check_if_in_cache_low( + foreign->referenced_table_name); - dict_table_get_low(foreign->foreign_table_name); + /* We could possibly wind up in a deep recursive calls if + we call dict_table_get_low() again here if there + is a chain of tables concatenated together with + foreign constraints. In such case, each table is + both a parent and child of the other tables, and + act as a "link" in such table chains. + To avoid such scenario, we would need to check the + number of ancesters the current table has. If that + exceeds DICT_FK_MAX_CHAIN_LEN, we will stop loading + the child table. + Foreign constraints are loaded in a Breath First fashion, + that is, the index on FOR_NAME is scanned first, and then + index on REF_NAME. So foreign constrains in which + current table is a child (foreign table) are loaded first, + and then those constraints where current table is a + parent (referenced) table. + Thus we could check the parent (ref_table) table's + reference count (fk_max_recusive_level) to know how deep the + recursive call is. If the parent table (ref_table) is already + loaded, and its fk_max_recusive_level is larger than + DICT_FK_MAX_CHAIN_LEN, we will stop the recursive loading + by skipping loading the child table. It will not affect foreign + constraint check for DMLs since child table will be loaded + at that time for the constraint check. */ + if (!ref_table + || ref_table->fk_max_recusive_level < DICT_FK_MAX_RECURSIVE_LOAD) { + + /* If the foreign table is not yet in the dictionary cache, we + have to load it so that we are able to make type comparisons + in the next function call. */ + + for_table = dict_table_get_low(foreign->foreign_table_name); + + if (for_table && ref_table && check_recursive) { + /* This is to record the longest chain of ancesters + this table has, if the parent has more ancesters + than this table has, record it after add 1 (for this + parent */ + if (ref_table->fk_max_recusive_level + >= for_table->fk_max_recusive_level) { + for_table->fk_max_recusive_level = + ref_table->fk_max_recusive_level + 1; + } + } + } /* Note that there may already be a foreign constraint object in the dictionary cache for this constraint: then the following @@ -1369,6 +1429,8 @@ ulint dict_load_foreigns( /*===============*/ const char* table_name, /*!< in: table name */ + ibool check_recursive,/*!< in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets) /*!< in: TRUE=check charset compatibility */ { @@ -1470,7 +1532,7 @@ loop: /* Load the foreign constraint definition to the dictionary cache */ - err = dict_load_foreign(id, check_charsets); + err = dict_load_foreign(id, check_charsets, check_recursive); if (err != DB_SUCCESS) { btr_pcur_close(&pcur); @@ -1498,6 +1560,11 @@ load_next_index: mtr_start(&mtr); + /* Switch to scan index on REF_NAME, fk_max_recusive_level + already been updated when scanning FOR_NAME index, no need to + update again */ + check_recursive = FALSE; + goto start_load; } diff --git a/storage/innodb_plugin/handler/ha_innodb.cc b/storage/innodb_plugin/handler/ha_innodb.cc index e0a62ed3ac5..1cba1de1590 100644 --- a/storage/innodb_plugin/handler/ha_innodb.cc +++ b/storage/innodb_plugin/handler/ha_innodb.cc @@ -767,6 +767,19 @@ convert_error_code_to_mysql( case DB_INTERRUPTED: my_error(ER_QUERY_INTERRUPTED, MYF(0)); /* fall through */ + + case DB_FOREIGN_EXCEED_MAX_CASCADE: + push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN, + HA_ERR_ROW_IS_REFERENCED, + "InnoDB: Cannot delete/update " + "rows with cascading foreign key " + "constraints that exceed max " + "depth of %d. Please " + "drop extra constraints and try " + "again", DICT_FK_MAX_RECURSIVE_LOAD); + + /* fall through */ + case DB_ERROR: default: return(-1); /* unspecified error */ diff --git a/storage/innodb_plugin/include/db0err.h b/storage/innodb_plugin/include/db0err.h index c841c2b4afe..c7fa6d2a444 100644 --- a/storage/innodb_plugin/include/db0err.h +++ b/storage/innodb_plugin/include/db0err.h @@ -94,6 +94,9 @@ enum db_err { DB_PRIMARY_KEY_IS_NULL, /* a column in the PRIMARY KEY was found to be NULL */ + DB_FOREIGN_EXCEED_MAX_CASCADE, /* Foreign key constraint related + cascading delete/update exceeds + maximum allowed depth */ /* The following are partial failure codes */ DB_FAIL = 1000, diff --git a/storage/innodb_plugin/include/dict0load.h b/storage/innodb_plugin/include/dict0load.h index 60b8c1fb632..f41882019d5 100644 --- a/storage/innodb_plugin/include/dict0load.h +++ b/storage/innodb_plugin/include/dict0load.h @@ -97,6 +97,8 @@ ulint dict_load_foreigns( /*===============*/ const char* table_name, /*!< in: table name */ + ibool check_recursive,/*!< in: Whether to check recursive + load of tables chained by FK */ ibool check_charsets);/*!< in: TRUE=check charsets compatibility */ /********************************************************************//** diff --git a/storage/innodb_plugin/include/dict0mem.h b/storage/innodb_plugin/include/dict0mem.h index 2fce1e00927..19782c2e76a 100644 --- a/storage/innodb_plugin/include/dict0mem.h +++ b/storage/innodb_plugin/include/dict0mem.h @@ -112,6 +112,21 @@ ROW_FORMAT=REDUNDANT. */ in table->flags. */ /* @} */ +/** Tables could be chained together with Foreign key constraint. When +first load the parent table, we would load all of its descedents. +This could result in rescursive calls and out of stack error eventually. +DICT_FK_MAX_RECURSIVE_LOAD defines the maximum number of recursive loads, +when exceeded, the child table will not be loaded. It will be loaded when +the foreign constraint check needs to be run. */ +#define DICT_FK_MAX_RECURSIVE_LOAD 250 + +/** Similarly, when tables are chained together with foreign key constraints +with on cascading delete/update clause, delete from parent table could +result in recursive cascading calls. This defines the maximum number of +such cascading deletes/updates allowed. When exceeded, the delete from +parent table will fail, and user has to drop excessive foreign constraint +before proceeds. */ +#define FK_MAX_CASCADE_DEL 300 /**********************************************************************//** Creates a table memory object. @@ -434,6 +449,12 @@ struct dict_table_struct{ NOT allowed until this count gets to zero; MySQL does NOT itself check the number of open handles at drop */ + unsigned fk_max_recusive_level:8; + /*!< maximum recursive level we support when + loading tables chained together with FK + constraints. If exceeds this level, we will + stop loading child table into memory along with + its parent table */ ulint n_foreign_key_checks_running; /*!< count of how many foreign key check operations are currently being performed diff --git a/storage/innodb_plugin/include/que0que.h b/storage/innodb_plugin/include/que0que.h index 39f8d07af89..84b83208416 100644 --- a/storage/innodb_plugin/include/que0que.h +++ b/storage/innodb_plugin/include/que0que.h @@ -381,6 +381,9 @@ struct que_thr_struct{ thus far */ ulint lock_state; /*!< lock state of thread (table or row) */ + ulint fk_cascade_depth; /*!< maximum cascading call depth + supported for foreign key constraint + related delete/updates */ }; #define QUE_THR_MAGIC_N 8476583 diff --git a/storage/innodb_plugin/row/row0merge.c b/storage/innodb_plugin/row/row0merge.c index 56a68b58225..05d77ad7f19 100644 --- a/storage/innodb_plugin/row/row0merge.c +++ b/storage/innodb_plugin/row/row0merge.c @@ -2395,7 +2395,7 @@ row_merge_rename_tables( goto err_exit; } - err = dict_load_foreigns(old_name, TRUE); + err = dict_load_foreigns(old_name, FALSE, TRUE); if (err != DB_SUCCESS) { err_exit: diff --git a/storage/innodb_plugin/row/row0mysql.c b/storage/innodb_plugin/row/row0mysql.c index feeb7fc80b7..a582de3e583 100644 --- a/storage/innodb_plugin/row/row0mysql.c +++ b/storage/innodb_plugin/row/row0mysql.c @@ -576,6 +576,13 @@ handle_new_error: "InnoDB: " REFMAN "forcing-recovery.html" " for help.\n", stderr); break; + case DB_FOREIGN_EXCEED_MAX_CASCADE: + fprintf(stderr, "InnoDB: Cannot delete/update rows with" + " cascading foreign key constraints that exceed max" + " depth of %lu\n" + "Please drop excessive foreign constraints" + " and try again\n", (ulong) DICT_FK_MAX_RECURSIVE_LOAD); + break; default: fprintf(stderr, "InnoDB: unknown error code %lu\n", (ulong) err); @@ -1381,11 +1388,15 @@ row_update_for_mysql( run_again: thr->run_node = node; thr->prev_node = node; + thr->fk_cascade_depth = 0; row_upd_step(thr); err = trx->error_state; + /* Reset fk_cascade_depth back to 0 */ + thr->fk_cascade_depth = 0; + if (err != DB_SUCCESS) { que_thr_stop_for_mysql(thr); @@ -1576,6 +1587,12 @@ row_update_cascade_for_mysql( trx_t* trx; trx = thr_get_trx(thr); + + thr->fk_cascade_depth++; + + if (thr->fk_cascade_depth > FK_MAX_CASCADE_DEL) { + return (DB_FOREIGN_EXCEED_MAX_CASCADE); + } run_again: thr->run_node = node; thr->prev_node = node; @@ -2056,7 +2073,7 @@ row_table_add_foreign_constraints( name, reject_fks); if (err == DB_SUCCESS) { /* Check that also referencing constraints are ok */ - err = dict_load_foreigns(name, TRUE); + err = dict_load_foreigns(name, FALSE, TRUE); } if (err != DB_SUCCESS) { @@ -3915,7 +3932,7 @@ end: an ALTER, not in a RENAME. */ err = dict_load_foreigns( - new_name, !old_is_tmp || trx->check_foreigns); + new_name, FALSE, !old_is_tmp || trx->check_foreigns); if (err != DB_SUCCESS) { ut_print_timestamp(stderr); From ad90d1942ec916fe45a2bfa35a78c36c8920b1d9 Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Wed, 4 Aug 2010 03:37:44 -0700 Subject: [PATCH 03/18] Fix bug #54678, InnoDB, TRUNCATE, ALTER, I_S SELECT, crash or deadlock rb://399 approved by Sunny Bains --- storage/innodb_plugin/ChangeLog | 5 +++ storage/innodb_plugin/include/dict0dict.h | 16 +++++++++ storage/innodb_plugin/include/dict0dict.ic | 42 ++++++++++++++++++++++ storage/innodb_plugin/row/row0mysql.c | 14 ++++++++ 4 files changed, 77 insertions(+) diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index 56729852a62..ce625a93871 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,8 @@ +2010-08-03 The InnoDB Team + + * include/dict0dict.h, include/dict0dict.ic, row/row0mysql.c: + Fix bug #54678, InnoDB, TRUNCATE, ALTER, I_S SELECT, crash or deadlock + 2010-08-03 The InnoDB Team * dict/dict0load.c, handler/ha_innodb.cc, include/db0err.h, diff --git a/storage/innodb_plugin/include/dict0dict.h b/storage/innodb_plugin/include/dict0dict.h index 3a1bee4cd89..5ffa59538c8 100644 --- a/storage/innodb_plugin/include/dict0dict.h +++ b/storage/innodb_plugin/include/dict0dict.h @@ -680,6 +680,22 @@ ulint dict_table_zip_size( /*================*/ const dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table); /*!< in: table */ +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table); /*!< in: table */ /********************************************************************//** Checks if a column is in the ordering columns of the clustered index of a table. Column prefixes are treated like whole columns. diff --git a/storage/innodb_plugin/include/dict0dict.ic b/storage/innodb_plugin/include/dict0dict.ic index 46e78df8272..1704e9c2d71 100644 --- a/storage/innodb_plugin/include/dict0dict.ic +++ b/storage/innodb_plugin/include/dict0dict.ic @@ -452,6 +452,48 @@ dict_table_zip_size( return(dict_table_flags_to_zip_size(table->flags)); } +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + /* Loop through each index of the table and lock them */ + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_lock(dict_index_get_lock(index)); + } +} + +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table) /*!< in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_unlock(dict_index_get_lock(index)); + } +} /********************************************************************//** Gets the number of fields in the internal representation of an index, including fields added by the dictionary system. diff --git a/storage/innodb_plugin/row/row0mysql.c b/storage/innodb_plugin/row/row0mysql.c index a582de3e583..9d7cb976caf 100644 --- a/storage/innodb_plugin/row/row0mysql.c +++ b/storage/innodb_plugin/row/row0mysql.c @@ -2766,6 +2766,15 @@ row_truncate_table_for_mysql( trx->table_id = table->id; + /* Lock all index trees for this table, as we will + truncate the table/index and possibly change their metadata. + All DML/DDL are blocked by table level lock, with + a few exceptions such as queries into information schema + about the table, MySQL could try to access index stats + for this kind of query, we need to use index locks to + sync up */ + dict_table_x_lock_indexes(table); + if (table->space && !table->dir_path_of_temp_table) { /* Discard and create the single-table tablespace. */ ulint space = table->space; @@ -2782,6 +2791,7 @@ row_truncate_table_for_mysql( || fil_create_new_single_table_tablespace( space, table->name, FALSE, flags, FIL_IBD_FILE_INITIAL_SIZE) != DB_SUCCESS) { + dict_table_x_unlock_indexes(table); ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: TRUNCATE TABLE %s failed to" @@ -2885,6 +2895,10 @@ next_rec: mem_heap_free(heap); + /* Done with index truncation, release index tree locks, + subsequent work relates to table level metadata change */ + dict_table_x_unlock_indexes(table); + dict_hdr_get_new_id(&new_id, NULL, NULL); info = pars_info_create(); From b37256b1ab27527336ed5044f891d27654edd955 Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Thu, 5 Aug 2010 19:18:17 +1000 Subject: [PATCH 04/18] Fix bug# 55543 - InnoDB Plugin: Signal 6: Assertion failure in file fil/fil0fil.c line 4306 The bug is due to a double delete of a BLOB, once via: rollback -> btr_cur_pessimistic_delete() and the second time via purge. The bug is in row_upd_clust_rec_by_insert(). There we relinquish ownership of the non-updated BLOB columns in btr_cur_mark_extern_inherited_fields() before building the row entry that will be inserted and whose contents will be logged in the UNDO log. However, we don't set the BLOB column later to INHERITED so that a possible rollback will not free the original row's non-updated BLOB entries. This is because the condition that checks for that is in : if (node->upd_ext) {}. node->upd_ext is non-NULL only if a BLOB column was updated and that column is part of some key ordering (see row_upd_replace()). This results in the non-update BLOB columns being deleted during a rollback and subsequently by purge again. rb://413 --- storage/innodb_plugin/btr/btr0cur.c | 12 +++++++++--- storage/innodb_plugin/include/btr0cur.h | 5 +++-- storage/innodb_plugin/row/row0upd.c | 12 +++++++----- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/storage/innodb_plugin/btr/btr0cur.c b/storage/innodb_plugin/btr/btr0cur.c index 7fa7d42320a..8db12a0bbb8 100644 --- a/storage/innodb_plugin/btr/btr0cur.c +++ b/storage/innodb_plugin/btr/btr0cur.c @@ -3484,9 +3484,10 @@ btr_cur_set_ownership_of_extern_field( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed @@ -3500,13 +3501,14 @@ btr_cur_mark_extern_inherited_fields( ulint n; ulint j; ulint i; + ibool change_ownership = FALSE; ut_ad(rec_offs_validate(rec, NULL, offsets)); ut_ad(!rec_offs_comp(offsets) || !rec_get_node_ptr_flag(rec)); if (!rec_offs_any_extern(offsets)) { - return; + return(FALSE); } n = rec_offs_n_fields(offsets); @@ -3529,10 +3531,14 @@ btr_cur_mark_extern_inherited_fields( btr_cur_set_ownership_of_extern_field( page_zip, rec, index, offsets, i, FALSE, mtr); + + change_ownership = TRUE; updated: ; } } + + return(change_ownership); } /*******************************************************************//** diff --git a/storage/innodb_plugin/include/btr0cur.h b/storage/innodb_plugin/include/btr0cur.h index 7dc2eb63cf5..e151fdcb563 100644 --- a/storage/innodb_plugin/include/btr0cur.h +++ b/storage/innodb_plugin/include/btr0cur.h @@ -468,9 +468,10 @@ btr_estimate_number_of_different_key_vals( Marks not updated extern fields as not-owned by this record. The ownership is transferred to the updated record which is inserted elsewhere in the index tree. In purge only the owner of externally stored field is allowed -to free the field. */ +to free the field. +@return TRUE if BLOB ownership was transferred */ UNIV_INTERN -void +ibool btr_cur_mark_extern_inherited_fields( /*=================================*/ page_zip_des_t* page_zip,/*!< in/out: compressed page whose uncompressed diff --git a/storage/innodb_plugin/row/row0upd.c b/storage/innodb_plugin/row/row0upd.c index 397b117c067..04c3139fcc7 100644 --- a/storage/innodb_plugin/row/row0upd.c +++ b/storage/innodb_plugin/row/row0upd.c @@ -1598,6 +1598,7 @@ row_upd_clust_rec_by_insert( dict_table_t* table; dtuple_t* entry; ulint err; + ibool change_ownership = FALSE; ut_ad(node); ut_ad(dict_index_is_clust(index)); @@ -1630,9 +1631,9 @@ row_upd_clust_rec_by_insert( index = dict_table_get_first_index(table); offsets = rec_get_offsets(rec, index, offsets_, ULINT_UNDEFINED, &heap); - btr_cur_mark_extern_inherited_fields( - btr_cur_get_page_zip(btr_cur), - rec, index, offsets, node->update, mtr); + change_ownership = btr_cur_mark_extern_inherited_fields( + btr_cur_get_page_zip(btr_cur), rec, index, offsets, + node->update, mtr); if (check_ref) { /* NOTE that the following call loses the position of pcur ! */ @@ -1661,10 +1662,11 @@ row_upd_clust_rec_by_insert( row_upd_index_entry_sys_field(entry, index, DATA_TRX_ID, trx->id); - if (node->upd_ext) { + if (change_ownership) { /* If we return from a lock wait, for example, we may have extern fields marked as not-owned in entry (marked in the - if-branch above). We must unmark them. */ + if-branch above). We must unmark them, take the ownership + back. */ btr_cur_unmark_dtuple_extern_fields(entry); From 09eb23d50b4b9a2df7d2f81c8e5020ddbc022c2a Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Thu, 5 Aug 2010 19:24:34 +1000 Subject: [PATCH 05/18] Fix Bug #55277 - Failing assertion: auto_inc > 0 Handle overflow when reading value from SELECT MAX(C) FROM T; Call ha_innobase::info() after initializing the autoinc value in ha_innobase::open(). Fix for both the builtin and plugin. rb://402 --- .../suite/innodb/r/innodb-autoinc.result | 13 ++++++++++++ mysql-test/suite/innodb/t/innodb-autoinc.test | 12 +++++++++++ storage/innobase/handler/ha_innodb.cc | 21 ++++++++++++------- storage/innodb_plugin/handler/ha_innodb.cc | 21 ++++++++++++------- 4 files changed, 53 insertions(+), 14 deletions(-) diff --git a/mysql-test/suite/innodb/r/innodb-autoinc.result b/mysql-test/suite/innodb/r/innodb-autoinc.result index a36b3a1a865..350c7ebd541 100644 --- a/mysql-test/suite/innodb/r/innodb-autoinc.result +++ b/mysql-test/suite/innodb/r/innodb-autoinc.result @@ -1244,3 +1244,16 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`c1`) ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 DROP TABLE t1; +DROP TABLE IF EXISTS t1; +Warnings: +Note 1051 Unknown table 't1' +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB AUTO_INCREMENT=18446744073709551615 DEFAULT CHARSET=latin1 +DROP TABLE t1; diff --git a/mysql-test/suite/innodb/t/innodb-autoinc.test b/mysql-test/suite/innodb/t/innodb-autoinc.test index ef0359b78b0..10602499222 100644 --- a/mysql-test/suite/innodb/t/innodb-autoinc.test +++ b/mysql-test/suite/innodb/t/innodb-autoinc.test @@ -662,3 +662,15 @@ INSERT INTO t1 VALUES (1), (2), (-685113344), (NULL); SELECT * FROM t1; SHOW CREATE TABLE t1; DROP TABLE t1; + +## +# 55277: Failing assertion: auto_inc > 0 +# +DROP TABLE IF EXISTS t1; +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +# Restart the server +-- source include/restart_mysqld.inc +SHOW CREATE TABLE t1; +DROP TABLE t1; diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index 930785d7dcd..300d9743234 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc @@ -2720,12 +2720,19 @@ ha_innobase::innobase_initialize_autoinc() err = row_search_max_autoinc(index, col_name, &read_auto_inc); switch (err) { - case DB_SUCCESS: - /* At the this stage we do not know the increment - or the offset, so use a default increment of 1. */ - auto_inc = read_auto_inc + 1; - break; + case DB_SUCCESS: { + ulonglong col_max_value; + col_max_value = innobase_get_int_col_max_value(field); + + /* At the this stage we do not know the increment + nor the offset, so use a default increment of 1. */ + + auto_inc = innobase_next_autoinc( + read_auto_inc, 1, 1, col_max_value); + + break; + } case DB_RECORD_NOT_FOUND: ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: MySQL and InnoDB data " @@ -2951,8 +2958,6 @@ retry: /* Init table lock structure */ thr_lock_data_init(&share->lock,&lock,(void*) 0); - info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); - /* Only if the table has an AUTOINC column. */ if (prebuilt->table != NULL && table->found_next_number_field != NULL) { dict_table_autoinc_lock(prebuilt->table); @@ -2969,6 +2974,8 @@ retry: dict_table_autoinc_unlock(prebuilt->table); } + info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); + DBUG_RETURN(0); } diff --git a/storage/innodb_plugin/handler/ha_innodb.cc b/storage/innodb_plugin/handler/ha_innodb.cc index 1cba1de1590..69ca4a5051e 100644 --- a/storage/innodb_plugin/handler/ha_innodb.cc +++ b/storage/innodb_plugin/handler/ha_innodb.cc @@ -3361,12 +3361,19 @@ ha_innobase::innobase_initialize_autoinc() err = row_search_max_autoinc(index, col_name, &read_auto_inc); switch (err) { - case DB_SUCCESS: - /* At the this stage we do not know the increment - or the offset, so use a default increment of 1. */ - auto_inc = read_auto_inc + 1; - break; + case DB_SUCCESS: { + ulonglong col_max_value; + col_max_value = innobase_get_int_col_max_value(field); + + /* At the this stage we do not know the increment + nor the offset, so use a default increment of 1. */ + + auto_inc = innobase_next_autoinc( + read_auto_inc, 1, 1, col_max_value); + + break; + } case DB_RECORD_NOT_FOUND: ut_print_timestamp(stderr); fprintf(stderr, " InnoDB: MySQL and InnoDB data " @@ -3661,8 +3668,6 @@ retry: dict_table_get_format(prebuilt->table)); } - info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); - /* Only if the table has an AUTOINC column. */ if (prebuilt->table != NULL && table->found_next_number_field != NULL) { dict_table_autoinc_lock(prebuilt->table); @@ -3679,6 +3684,8 @@ retry: dict_table_autoinc_unlock(prebuilt->table); } + info(HA_STATUS_NO_LOCK | HA_STATUS_VARIABLE | HA_STATUS_CONST); + DBUG_RETURN(0); } From 45a87c685b1378d3840df3e391134afb01dead6f Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Fri, 6 Aug 2010 23:29:37 +0400 Subject: [PATCH 06/18] Bug #55424: convert_tz crashes when fed invalid data The CONVERT_TZ function crashes the server when the timezone argument is an empty SET field value. 1) The CONVERT_TZ may find a timezone string in the tz_names hash. 2) A string representation of the empty SET is a String of zero length with the NULL pointer. 3) If the key argument length is zero, hash functions do comparison using the length of the record being compared against. I.e. a zero-length String buffer is an invalid argument for hash search functions, and if String points to NULL buffer, hashcmp() fails with SEGV accessing that memory. The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. mysql-test/r/timezone2.result: Test case for bug #55424. mysql-test/t/timezone2.test: Test case for bug #55424. sql/sql_string.h: Bug #55424: convert_tz crashes when fed invalid data Added "const" modifier to String::is_empty(). sql/tztime.cc: Bug #55424: convert_tz crashes when fed invalid data The my_tz_find function has been modified to treat empty Strings as invalid timezone values to skip unnecessary hash search. --- mysql-test/r/timezone2.result | 12 ++++++++++++ mysql-test/t/timezone2.test | 9 +++++++++ sql/sql_string.h | 2 +- sql/tztime.cc | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/mysql-test/r/timezone2.result b/mysql-test/r/timezone2.result index 2948bb8ecec..e2e337628ce 100644 --- a/mysql-test/r/timezone2.result +++ b/mysql-test/r/timezone2.result @@ -296,4 +296,16 @@ CONVERT_TZ(NOW(), 'UTC', 'Europe/Moscow') IS NULL UPDATE t1 SET t = CONVERT_TZ(t, 'UTC', 'Europe/Moscow'); UNLOCK TABLES; DROP TABLE t1; +# +# Bug #55424: convert_tz crashes when fed invalid data +# +CREATE TABLE t1 (a SET('x') NOT NULL); +INSERT INTO t1 VALUES (''); +SELECT CONVERT_TZ(1, a, 1) FROM t1; +CONVERT_TZ(1, a, 1) +NULL +SELECT CONVERT_TZ(1, 1, a) FROM t1; +CONVERT_TZ(1, 1, a) +NULL +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/timezone2.test b/mysql-test/t/timezone2.test index 15ddceb8d68..c4445da107c 100644 --- a/mysql-test/t/timezone2.test +++ b/mysql-test/t/timezone2.test @@ -273,5 +273,14 @@ UNLOCK TABLES; DROP TABLE t1; +--echo # +--echo # Bug #55424: convert_tz crashes when fed invalid data +--echo # + +CREATE TABLE t1 (a SET('x') NOT NULL); +INSERT INTO t1 VALUES (''); +SELECT CONVERT_TZ(1, a, 1) FROM t1; +SELECT CONVERT_TZ(1, 1, a) FROM t1; +DROP TABLE t1; --echo End of 5.1 tests diff --git a/sql/sql_string.h b/sql/sql_string.h index d62908e5d66..bb7d69aeccc 100644 --- a/sql/sql_string.h +++ b/sql/sql_string.h @@ -97,7 +97,7 @@ public: inline uint32 alloced_length() const { return Alloced_length;} inline char& operator [] (uint32 i) const { return Ptr[i]; } inline void length(uint32 len) { str_length=len ; } - inline bool is_empty() { return (str_length == 0); } + inline bool is_empty() const { return (str_length == 0); } inline void mark_as_const() { Alloced_length= 0;} inline const char *ptr() const { return Ptr; } inline char *c_ptr() diff --git a/sql/tztime.cc b/sql/tztime.cc index c7a4ad049ec..7ebb8eb392a 100644 --- a/sql/tztime.cc +++ b/sql/tztime.cc @@ -2259,7 +2259,7 @@ my_tz_find(THD *thd, const String *name) DBUG_PRINT("enter", ("time zone name='%s'", name ? ((String *)name)->c_ptr_safe() : "NULL")); - if (!name) + if (!name || name->is_empty()) DBUG_RETURN(0); VOID(pthread_mutex_lock(&tz_LOCK)); From 4bf81165e45eb13c0be0042773a0fcbafdf3803b Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 13 Aug 2010 14:18:46 +0300 Subject: [PATCH 07/18] Bug #55615 and bug #55564 An user assignment variable expression that's evaluated in a logical expression context (Item::val_bool()) can be pre-calculated in a temporary table for GROUP BY. However when the expression value is used after the temp table creation it was re-evaluated instead of being read from the temp table due to a missing val_bool_result() method. Fixed by implementing the method. --- mysql-test/r/user_var.result | 17 +++++++++++++++++ mysql-test/t/user_var.test | 18 ++++++++++++++++++ sql/item_func.cc | 8 ++++++++ sql/item_func.h | 1 + 4 files changed, 44 insertions(+) diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index be10bd9954b..56266a46e20 100644 --- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -430,4 +430,21 @@ CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10 INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +# BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) +1 +1 +# BUG#55564 : should not crash +SELECT IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +FROM t1 GROUP BY a LIMIT 1; +IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test index b6b58e7bd46..4f27866de23 100644 --- a/mysql-test/t/user_var.test +++ b/mysql-test/t/user_var.test @@ -328,4 +328,22 @@ INSERT INTO t1 VALUES (1); INSERT INTO t1 VALUES (1); DROP TABLE t1; +# +# Bug #55615: debug assertion after using variable in assignment and +# referred to +# Bug #55564: crash with user variables, assignments, joins... +# + +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +--echo # BUG#55615 : should not crash +SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a; +--echo # BUG#55564 : should not crash +SELECT IF( + @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), + count(*), 1) +FROM t1 GROUP BY a LIMIT 1; + +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index 1b13297c951..eecdc801512 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -4263,6 +4263,14 @@ longlong Item_func_set_user_var::val_int_result() return entry->val_int(&null_value); } +bool Item_func_set_user_var::val_bool_result() +{ + DBUG_ASSERT(fixed == 1); + check(TRUE); + update(); // Store expression + return entry->val_int(&null_value) != 0; +} + String *Item_func_set_user_var::str_result(String *str) { DBUG_ASSERT(fixed == 1); diff --git a/sql/item_func.h b/sql/item_func.h index 71168c64e4b..256348eee08 100644 --- a/sql/item_func.h +++ b/sql/item_func.h @@ -1353,6 +1353,7 @@ public: my_decimal *val_decimal(my_decimal *); double val_result(); longlong val_int_result(); + bool val_bool_result(); String *str_result(String *str); my_decimal *val_decimal_result(my_decimal *); bool is_null_result(); From 9ab59902a96e22e827fc2bb7681a7cf178c6c7f1 Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Mon, 16 Aug 2010 10:12:22 +1000 Subject: [PATCH 08/18] Add test to the plugin branch from fix for bug# 55277. --- .../suite/innodb_plugin/r/innodb-autoinc.result | 13 +++++++++++++ .../suite/innodb_plugin/t/innodb-autoinc.test | 12 ++++++++++++ 2 files changed, 25 insertions(+) diff --git a/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result b/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result index a36b3a1a865..350c7ebd541 100644 --- a/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result +++ b/mysql-test/suite/innodb_plugin/r/innodb-autoinc.result @@ -1244,3 +1244,16 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`c1`) ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1 DROP TABLE t1; +DROP TABLE IF EXISTS t1; +Warnings: +Note 1051 Unknown table 't1' +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB AUTO_INCREMENT=18446744073709551615 DEFAULT CHARSET=latin1 +DROP TABLE t1; diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test b/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test index 49394a019d0..3d67fe5738d 100644 --- a/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc.test @@ -667,6 +667,18 @@ SELECT * FROM t1; SHOW CREATE TABLE t1; DROP TABLE t1; +## +# 55277: Failing assertion: auto_inc > 0 +# +DROP TABLE IF EXISTS t1; +CREATE TABLE t1(c1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +INSERT INTO t1 VALUES (NULL); +INSERT INTO t1 VALUES (18446744073709551615); +# Restart the server +-- source include/restart_mysqld.inc +SHOW CREATE TABLE t1; +DROP TABLE t1; + # # restore environment to the state it was before this test execution # From 6bea77aefeb6d9c430f2cb723e5524d32ece28aa Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 20 Aug 2010 11:52:16 +0300 Subject: [PATCH 09/18] Bug #55826: create table .. select crashes with when KILL_BAD_DATA is returned Two problems discovered with the LEAST()/GREATEST() functions: 1. The check for a null value should happen even after the second call to val_str() in the args. This is important because two subsequent calls to the same Item::val_str() may yield different results. Fixed by checking for NULL value before dereferencing the string result. 2. While looping over the arguments and evaluating them the loop should stop if there was an error evaluating so far or the statement was killed. Fixed by checking for error and bailing out. --- mysql-test/suite/innodb/r/innodb_mysql.result | 13 +++++++++++++ mysql-test/suite/innodb/t/innodb_mysql.test | 15 +++++++++++++++ sql/item_func.cc | 16 +++++++++++++++- 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/mysql-test/suite/innodb/r/innodb_mysql.result b/mysql-test/suite/innodb/r/innodb_mysql.result index 8765f58b120..cb0e2a35e34 100644 --- a/mysql-test/suite/innodb/r/innodb_mysql.result +++ b/mysql-test/suite/innodb/r/innodb_mysql.result @@ -2507,4 +2507,17 @@ LOCK TABLES t1 READ; ALTER TABLE t1 COMMENT 'test'; UNLOCK TABLES; DROP TABLE t1; +# +# Bug#55826: create table .. select crashes with when KILL_BAD_DATA +# is returned +# +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +CREATE TABLE t2 +SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +ERROR 22007: Incorrect datetime value: '' for column 'NOW()' at row 1 +DROP TABLE t1,t2; +ERROR 42S02: Unknown table 't2' +SET SQL_MODE=DEFAULT; End of 5.1 tests diff --git a/mysql-test/suite/innodb/t/innodb_mysql.test b/mysql-test/suite/innodb/t/innodb_mysql.test index 80f14d32eb8..c8acc6813e8 100644 --- a/mysql-test/suite/innodb/t/innodb_mysql.test +++ b/mysql-test/suite/innodb/t/innodb_mysql.test @@ -751,4 +751,19 @@ UNLOCK TABLES; DROP TABLE t1; +--echo # +--echo # Bug#55826: create table .. select crashes with when KILL_BAD_DATA +--echo # is returned +--echo # + +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +--error ER_TRUNCATED_WRONG_VALUE +CREATE TABLE t2 + SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +DROP TABLE t1,t2; +SET SQL_MODE=DEFAULT; + + --echo End of 5.1 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index eecdc801512..f022a218889 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2263,7 +2263,7 @@ void Item_func_min_max::fix_length_and_dec() stored to the value pointer, if latter is provided. RETURN - 0 If one of arguments is NULL + 0 If one of arguments is NULL or there was a execution error # index of the least/greatest argument */ @@ -2277,6 +2277,14 @@ uint Item_func_min_max::cmp_datetimes(ulonglong *value) Item **arg= args + i; bool is_null; longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null); + + /* Check if we need to stop (because of error or KILL) and stop the loop */ + if (thd->is_error()) + { + null_value= 1; + return 0; + } + if ((null_value= args[i]->null_value)) return 0; if (i == 0 || (res < min_max ? cmp_sign : -cmp_sign) > 0) @@ -2305,6 +2313,12 @@ String *Item_func_min_max::val_str(String *str) if (null_value) return 0; str_res= args[min_max_idx]->val_str(str); + if (args[min_max_idx]->null_value) + { + // check if the call to val_str() above returns a NULL value + null_value= 1; + return NULL; + } str_res->set_charset(collation.collation); return str_res; } From cd4ca4b7a3d8e2971f76858895b36829d27fe845 Mon Sep 17 00:00:00 2001 From: Alexey Kopytov Date: Tue, 24 Aug 2010 14:35:48 +0400 Subject: [PATCH 10/18] Bug #55568: user variable assignments crash server when used within query The server could crash after materializing a derived table which requires a temporary table for grouping. When destroying the temporary table used to execute a query for a derived table, JOIN::destroy() did not clean up Item_fields pointing to fields in the temporary table. This led to dereferencing a dangling pointer when printing out the items tree later in the outer SELECT. The solution is an addendum to the patch for bug37362: in addition to cleaning up items in tmp_all_fields3, do the same for items in tmp_all_fields1, since now we have an example where this is necessary. mysql-test/r/join.result: Added test cases for bug#55568 and a duplicate bug #54468. mysql-test/t/join.test: Added test cases for bug#55568 and a duplicate bug #54468. sql/field.cc: Make sure field->table_name is not set to NULL in Field::make_field() to avoid assertion failure in Item_field::make_field() after cleaning up items (the assertion fired in udf.test when running the test suite with the patch applied). sql/sql_select.cc: In addition to cleaning up items in tmp_all_fields3, do the same for items in tmp_all_fields1. Introduce a new helper function to avoid code duplication. sql/sql_select.h: Introduce a new helper function to avoid code duplication in JOIN::destroy(). --- mysql-test/r/join.result | 51 ++++++++++++++++++++++++++++++++++++++++ mysql-test/t/join.test | 46 ++++++++++++++++++++++++++++++++++++ sql/field.cc | 2 +- sql/sql_select.cc | 22 +++++++++++------ sql/sql_select.h | 1 + 5 files changed, 114 insertions(+), 8 deletions(-) diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index c60c6bfb3c8..c3c292b2106 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result @@ -1184,4 +1184,55 @@ NULL NULL 1 DROP TABLE t1, t2, mm1; +# +# Bug #55568: user variable assignments crash server when used within +# query +# +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (0), (1); +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +SELECT MULTIPOINT( +1, +( +SELECT MULTIPOINT( +MULTIPOINT( +1, +(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +) +) FROM t1 +) +) != COUNT(*) q FROM t1 GROUP BY a; +q +NULL +NULL +DROP TABLE t1; +# +# Bug #54468: crash after item's print() function when ordering/grouping +# by subquery +# +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, +(SELECT 1 FROM +(SELECT t1.b FROM t1,t1 t2 +ORDER BY t1.a, t1.a LIMIT 1) AS d) +); +1 +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 43b373c9703..6969be6fdc4 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -851,4 +851,50 @@ ENGINE=MERGE UNION=(t1,t2); SELECT t1.a FROM mm1,t1; DROP TABLE t1, t2, mm1; +--echo # +--echo # Bug #55568: user variable assignments crash server when used within +--echo # query +--echo # + +CREATE TABLE t1 (a INT); + +INSERT INTO t1 VALUES (0), (1); + +let $i=2; +while ($i) +{ + SELECT MULTIPOINT( + 1, + ( + SELECT MULTIPOINT( + MULTIPOINT( + 1, + (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) + ) + ) FROM t1 + ) + ) != COUNT(*) q FROM t1 GROUP BY a; + dec $i; +} + +DROP TABLE t1; + +--echo # +--echo # Bug #54468: crash after item's print() function when ordering/grouping +--echo # by subquery +--echo # + +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); + +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, + (SELECT 1 FROM + (SELECT t1.b FROM t1,t1 t2 + ORDER BY t1.a, t1.a LIMIT 1) AS d) + ); + +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/field.cc b/sql/field.cc index c887a5f1c9b..619e6a780da 100644 --- a/sql/field.cc +++ b/sql/field.cc @@ -1535,7 +1535,7 @@ void Field::make_field(Send_field *field) } else field->org_table_name= field->db_name= ""; - if (orig_table) + if (orig_table && orig_table->alias) { field->table_name= orig_table->alias; field->org_col_name= field_name; diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 2fc287bbe66..fc137f5fd90 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -2378,13 +2378,8 @@ JOIN::destroy() cleanup(1); /* Cleanup items referencing temporary table columns */ - if (!tmp_all_fields3.is_empty()) - { - List_iterator_fast it(tmp_all_fields3); - Item *item; - while ((item= it++)) - item->cleanup(); - } + cleanup_item_list(tmp_all_fields1); + cleanup_item_list(tmp_all_fields3); if (exec_tmp_table1) free_tmp_table(thd, exec_tmp_table1); if (exec_tmp_table2) @@ -2395,6 +2390,19 @@ JOIN::destroy() DBUG_RETURN(error); } + +void JOIN::cleanup_item_list(List &items) const +{ + if (!items.is_empty()) + { + List_iterator_fast it(items); + Item *item; + while ((item= it++)) + item->cleanup(); + } +} + + /** An entry point to single-unit select (a select without UNION). diff --git a/sql/sql_select.h b/sql/sql_select.h index b39827ef61b..007dc91957c 100644 --- a/sql/sql_select.h +++ b/sql/sql_select.h @@ -577,6 +577,7 @@ private: */ bool implicit_grouping; bool make_simple_join(JOIN *join, TABLE *tmp_table); + void cleanup_item_list(List &items) const; }; From 224261eec5cef02a57e54621bcddc5a07a262d9f Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Tue, 24 Aug 2010 20:42:33 -0700 Subject: [PATCH 11/18] This is to resolve a hang situation in 5.1 builtin raised by bug #49251 (deadlock/crash with concurrent truncate table and index statistics calculation) by backporting a solution from #54678 fixed for 5.1 plugin and 5.5. --- storage/innobase/include/dict0dict.h | 16 ++++++++++ storage/innobase/include/dict0dict.ic | 42 +++++++++++++++++++++++++++ storage/innobase/row/row0mysql.c | 13 +++++++++ 3 files changed, 71 insertions(+) diff --git a/storage/innobase/include/dict0dict.h b/storage/innobase/include/dict0dict.h index e76f23d0767..369d354c520 100644 --- a/storage/innobase/include/dict0dict.h +++ b/storage/innobase/include/dict0dict.h @@ -588,6 +588,22 @@ dict_table_is_comp_noninline( /* out: TRUE if table uses the compact page format */ const dict_table_t* table); /* in: table */ +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table); /* in: table */ +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table); /* in: table */ /************************************************************************ Checks if a column is in the ordering columns of the clustered index of a table. Column prefixes are treated like whole columns. */ diff --git a/storage/innobase/include/dict0dict.ic b/storage/innobase/include/dict0dict.ic index 7d38cbcd1fa..5cdbdbeb03d 100644 --- a/storage/innobase/include/dict0dict.ic +++ b/storage/innobase/include/dict0dict.ic @@ -298,6 +298,48 @@ dict_table_is_comp( return(UNIV_LIKELY(table->flags & DICT_TF_COMPACT)); } +/*********************************************************************//** +Obtain exclusive locks on all index trees of the table. This is to prevent +accessing index trees while InnoDB is updating internal metadata for +operations such as truncate tables. */ +UNIV_INLINE +void +dict_table_x_lock_indexes( +/*======================*/ + dict_table_t* table) /* in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + /* Loop through each index of the table and lock them */ + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_lock(dict_index_get_lock(index)); + } +} + +/*********************************************************************//** +Release the exclusive locks on all index tree. */ +UNIV_INLINE +void +dict_table_x_unlock_indexes( +/*========================*/ + dict_table_t* table) /* in: table */ +{ + dict_index_t* index; + + ut_a(table); + ut_ad(mutex_own(&(dict_sys->mutex))); + + for (index = dict_table_get_first_index(table); + index != NULL; + index = dict_table_get_next_index(index)) { + rw_lock_x_unlock(dict_index_get_lock(index)); + } +} /************************************************************************ Gets the number of fields in the internal representation of an index, including fields added by the dictionary system. */ diff --git a/storage/innobase/row/row0mysql.c b/storage/innobase/row/row0mysql.c index 3b76ffa76f1..aae4703737b 100644 --- a/storage/innobase/row/row0mysql.c +++ b/storage/innobase/row/row0mysql.c @@ -2830,6 +2830,15 @@ row_truncate_table_for_mysql( trx->table_id = table->id; + /* Lock all index trees for this table, as we will + truncate the table/index and possibly change their metadata. + All DML/DDL are blocked by table level lock, with + a few exceptions such as queries into information schema + about the table, MySQL could try to access index stats + for this kind of query, we need to use index locks to + sync up */ + dict_table_x_lock_indexes(table); + /* scan SYS_INDEXES for all indexes of the table */ heap = mem_heap_create(800); @@ -2902,6 +2911,10 @@ next_rec: mem_heap_free(heap); + /* Done with index truncation, release index tree locks, + subsequent work relates to table level metadata change */ + dict_table_x_unlock_indexes(table); + new_id = dict_hdr_get_new_id(DICT_HDR_TABLE_ID); info = pars_info_create(); From 6cf49743e803f7289679f4268a8bc5e988f2d820 Mon Sep 17 00:00:00 2001 From: Alexey Kopytov Date: Thu, 26 Aug 2010 14:13:02 +0400 Subject: [PATCH 12/18] Bug #53544: Server hangs during JOIN query in stored procedure called twice in a row Queries with nested joins could cause an infinite loop in the server when used from SP/PS. When flattening nested joins, simplify_joins() tracks if the name resolution list needs to be updated by setting fix_name_res to TRUE if the current loop iteration has done any transformations to the join table list. The problem was that the flag was not reset before the next loop iteration leading to unnecessary "fixing" of the name resolution list which in turn could lead to a loop (i.e. circularly-linked part) in that list. This was causing problems on subsequent execution when used together with stored procedures or prepared statements. Fixed by making sure fix_name_res is reset on every loop iteration. mysql-test/r/join.result: Added a test case for bug #53544. mysql-test/t/join.test: Added a test case for bug #53544. sql/sql_select.cc: Make sure fix_name_res is reset on every loop iteration. --- mysql-test/r/join.result | 20 ++++++++++++++++++++ mysql-test/t/join.test | 20 ++++++++++++++++++++ sql/sql_select.cc | 2 +- 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index c3c292b2106..9a8b441b363 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result @@ -1235,4 +1235,24 @@ ORDER BY t1.a, t1.a LIMIT 1) AS d) 1 1 DROP TABLE t1; +# +# Bug #53544: Server hangs during JOIN query in stored procedure called +# twice in a row +# +CREATE TABLE t1(c INT); +INSERT INTO t1 VALUES (1), (2); +PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN + t1 t2 ON t1.c=t2.c RIGHT JOIN + t1 t3 ON t1.c=t3.c + GROUP BY f1;"; +EXECUTE stmt; +f1 +1 +2 +EXECUTE stmt; +f1 +1 +2 +DEALLOCATE PREPARE stmt; +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 6969be6fdc4..73a1ae5eb82 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -897,4 +897,24 @@ GREATEST(t1.a, DROP TABLE t1; +--echo # +--echo # Bug #53544: Server hangs during JOIN query in stored procedure called +--echo # twice in a row +--echo # + +CREATE TABLE t1(c INT); + +INSERT INTO t1 VALUES (1), (2); + +PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN + t1 t2 ON t1.c=t2.c RIGHT JOIN + t1 t3 ON t1.c=t3.c + GROUP BY f1;"; + +EXECUTE stmt; +EXECUTE stmt; + +DEALLOCATE PREPARE stmt; +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index a77c270f709..ed5123817bf 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -8885,10 +8885,10 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top) /* Flatten nested joins that can be flattened. */ TABLE_LIST *right_neighbor= NULL; - bool fix_name_res= FALSE; li.rewind(); while ((table= li++)) { + bool fix_name_res= FALSE; nested_join= table->nested_join; if (nested_join && !table->on_expr) { From 9a4a7cf184b40b203702043f886f9bd9c26592fd Mon Sep 17 00:00:00 2001 From: Kristofer Pettersson Date: Tue, 7 Sep 2010 11:37:46 +0200 Subject: [PATCH 13/18] Bug#55531 crash with conversions of geometry types / strings Convertion from a floating point number to a string caused a crash. During rare circumstances a String object could crash when it was requested to allocate new memory. A crash could occcur in Field_double::val_str() because of a pointer referencing memory inside a String object which was of unknown size. And finally, the geometric collection should not accept arguments which are non geometric. mysql-test/r/gis.result: * Test cases change because we intercept the error behind the previous crashes much earlier. sql/field.cc: * It makes no sense to impose a lower limit on the length and not setting a upper limit will cause crashes later. sql/item_geofunc.h: * Disallow for binding with field- and item types which differ from MYSQL_TYPE_GEOMETRY types. --- mysql-test/r/gis.result | 60 ++++------------------------------------- mysql-test/t/gis.test | 42 ++++++++++++++++++----------- sql/field.cc | 2 +- sql/item_geofunc.h | 13 +++++++++ 4 files changed, 46 insertions(+), 71 deletions(-) diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result index 3e28227d542..565563237d1 100644 --- a/mysql-test/r/gis.result +++ b/mysql-test/r/gis.result @@ -707,10 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL, area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL, y(b) IS NULL from t1; -geometryfromtext(b) IS NULL geometryfromwkb(b) IS NULL astext(b) IS NULL aswkb(b) IS NULL geometrytype(b) IS NULL centroid(b) IS NULL envelope(b) IS NULL startpoint(b) IS NULL endpoint(b) IS NULL exteriorring(b) IS NULL pointn(b, 1) IS NULL geometryn(b, 1) IS NULL interiorringn(b, 1) IS NULL multipoint(b) IS NULL isempty(b) IS NULL issimple(b) IS NULL isclosed(b) IS NULL dimension(b) IS NULL numgeometries(b) IS NULL numinteriorrings(b) IS NULL numpoints(b) IS NULL area(b) IS NULL glength(b) IS NULL srid(b) IS NULL x(b) IS NULL y(b) IS NULL -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 -1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 +ERROR 22007: Illegal non geometric '' value found during parsing select within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL, equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL, @@ -725,10 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS multilinestring(b) IS NULL, multipolygon(b) IS NULL, geometrycollection(b) IS NULL from t1; -point(b, b) IS NULL linestring(b) IS NULL polygon(b) IS NULL multipoint(b) IS NULL multilinestring(b) IS NULL multipolygon(b) IS NULL geometrycollection(b) IS NULL -0 1 1 1 1 1 1 -1 1 1 1 1 1 1 -0 1 1 1 1 1 1 +ERROR 22007: Illegal non geometric '' value found during parsing drop table t1; CREATE TABLE t1(a POINT) ENGINE=MyISAM; INSERT INTO t1 VALUES (NULL); @@ -1010,51 +1004,7 @@ f5 datetime YES NULL drop view v1; drop table t1; SELECT MultiPoint(12345,''); -MultiPoint(12345,'') -NULL -SELECT MultiPoint(123451,''); -MultiPoint(123451,'') -NULL -SELECT MultiPoint(1234512,''); -MultiPoint(1234512,'') -NULL -SELECT MultiPoint(12345123,''); -MultiPoint(12345123,'') -NULL -SELECT MultiLineString(12345,''); -MultiLineString(12345,'') -NULL -SELECT MultiLineString(123451,''); -MultiLineString(123451,'') -NULL -SELECT MultiLineString(1234512,''); -MultiLineString(1234512,'') -NULL -SELECT MultiLineString(12345123,''); -MultiLineString(12345123,'') -NULL -SELECT LineString(12345,''); -LineString(12345,'') -NULL -SELECT LineString(123451,''); -LineString(123451,'') -NULL -SELECT LineString(1234512,''); -LineString(1234512,'') -NULL -SELECT LineString(12345123,''); -LineString(12345123,'') -NULL -SELECT Polygon(12345,''); -Polygon(12345,'') -NULL -SELECT Polygon(123451,''); -Polygon(123451,'') -NULL -SELECT Polygon(1234512,''); -Polygon(1234512,'') -NULL -SELECT Polygon(12345123,''); -Polygon(12345123,'') -NULL +ERROR 22007: Illegal non geometric '12345' value found during parsing +SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); +ERROR 22007: Illegal non geometric '' value found during parsing End of 5.1 tests diff --git a/mysql-test/t/gis.test b/mysql-test/t/gis.test index bc0695aaa93..5a367188163 100644 --- a/mysql-test/t/gis.test +++ b/mysql-test/t/gis.test @@ -401,6 +401,7 @@ create table t1 (a int, b blob); insert into t1 values (1, ''), (2, NULL), (3, '1'); select * from t1; +--error ER_ILLEGAL_VALUE_FOR_TYPE select geometryfromtext(b) IS NULL, geometryfromwkb(b) IS NULL, astext(b) IS NULL, aswkb(b) IS NULL, geometrytype(b) IS NULL, centroid(b) IS NULL, @@ -419,6 +420,7 @@ select intersects(b, b) IS NULL, crosses(b, b) IS NULL from t1; +--error ER_ILLEGAL_VALUE_FOR_TYPE select point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS NULL, multilinestring(b) IS NULL, multipolygon(b) IS NULL, @@ -702,24 +704,34 @@ drop table t1; # Bug#44684: valgrind reports invalid reads in # Item_func_spatial_collection::val_str # +--error ER_ILLEGAL_VALUE_FOR_TYPE SELECT MultiPoint(12345,''); -SELECT MultiPoint(123451,''); -SELECT MultiPoint(1234512,''); -SELECT MultiPoint(12345123,''); +#SELECT MultiPoint(123451,''); +#SELECT MultiPoint(1234512,''); +#SELECT MultiPoint(12345123,''); -SELECT MultiLineString(12345,''); -SELECT MultiLineString(123451,''); -SELECT MultiLineString(1234512,''); -SELECT MultiLineString(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT MultiLineString(12345,''); +#SELECT MultiLineString(123451,''); +#SELECT MultiLineString(1234512,''); +#SELECT MultiLineString(12345123,''); -SELECT LineString(12345,''); -SELECT LineString(123451,''); -SELECT LineString(1234512,''); -SELECT LineString(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT LineString(12345,''); +#SELECT LineString(123451,''); +#SELECT LineString(1234512,''); +#SELECT LineString(12345123,''); -SELECT Polygon(12345,''); -SELECT Polygon(123451,''); -SELECT Polygon(1234512,''); -SELECT Polygon(12345123,''); +--error ER_ILLEGAL_VALUE_FOR_TYPE +#SELECT Polygon(12345,''); +#SELECT Polygon(123451,''); +#SELECT Polygon(1234512,''); +#SELECT Polygon(12345123,''); + +# +# Bug55531 crash with conversions of geometry types / strings +# +--error ER_ILLEGAL_VALUE_FOR_TYPE +SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); --echo End of 5.1 tests diff --git a/sql/field.cc b/sql/field.cc index 619e6a780da..724f8e0af73 100644 --- a/sql/field.cc +++ b/sql/field.cc @@ -4561,7 +4561,7 @@ String *Field_double::val_str(String *val_buffer, #endif doubleget(nr,ptr); - uint to_length=max(field_length, DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE); + uint to_length= DOUBLE_TO_STRING_CONVERSION_BUFFER_SIZE; val_buffer->alloc(to_length); char *to=(char*) val_buffer->ptr(); diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h index edbe104e307..070c2cd26fc 100644 --- a/sql/item_geofunc.h +++ b/sql/item_geofunc.h @@ -175,6 +175,19 @@ public: item_type=it; } String *val_str(String *); + void fix_length_and_dec() + { + for( unsigned int i=0; ifixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) + { + String str; + args[i]->val_str(&str); + my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr()); + } + } + } + const char *func_name() const { return "multipoint"; } }; From 6d18ac0308be36cc819f498d57930976969e17f7 Mon Sep 17 00:00:00 2001 From: Kristofer Pettersson Date: Tue, 7 Sep 2010 15:43:00 +0200 Subject: [PATCH 14/18] Post fix following fix for bug55531: Disabling testcase for bug 55568 because {1} isn't a valid geometry for a geometry collection. --- mysql-test/r/join.result | 35 -------------------------- mysql-test/t/join.test | 54 +++++++++++++++++++++------------------- 2 files changed, 29 insertions(+), 60 deletions(-) diff --git a/mysql-test/r/join.result b/mysql-test/r/join.result index 9a8b441b363..96504df4b1e 100644 --- a/mysql-test/r/join.result +++ b/mysql-test/r/join.result @@ -1185,41 +1185,6 @@ NULL 1 DROP TABLE t1, t2, mm1; # -# Bug #55568: user variable assignments crash server when used within -# query -# -CREATE TABLE t1 (a INT); -INSERT INTO t1 VALUES (0), (1); -SELECT MULTIPOINT( -1, -( -SELECT MULTIPOINT( -MULTIPOINT( -1, -(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) -) -) FROM t1 -) -) != COUNT(*) q FROM t1 GROUP BY a; -q -NULL -NULL -SELECT MULTIPOINT( -1, -( -SELECT MULTIPOINT( -MULTIPOINT( -1, -(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) -) -) FROM t1 -) -) != COUNT(*) q FROM t1 GROUP BY a; -q -NULL -NULL -DROP TABLE t1; -# # Bug #54468: crash after item's print() function when ordering/grouping # by subquery # diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 73a1ae5eb82..05d630edfb2 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -851,33 +851,37 @@ ENGINE=MERGE UNION=(t1,t2); SELECT t1.a FROM mm1,t1; DROP TABLE t1, t2, mm1; ---echo # ---echo # Bug #55568: user variable assignments crash server when used within ---echo # query ---echo # +#--echo # +#--echo # Bug #55568: user variable assignments crash server when used within +#--echo # query +#--echo # +# +# +# This test case is invalidated because of fix of bug 55531 +# The reason is that {1} is not a valid geometric collection. +# +#CREATE TABLE t1 (a INT); -CREATE TABLE t1 (a INT); +#INSERT INTO t1 VALUES (0), (1); -INSERT INTO t1 VALUES (0), (1); - -let $i=2; -while ($i) -{ - SELECT MULTIPOINT( - 1, - ( - SELECT MULTIPOINT( - MULTIPOINT( - 1, - (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) - ) - ) FROM t1 - ) - ) != COUNT(*) q FROM t1 GROUP BY a; - dec $i; -} - -DROP TABLE t1; +#let $i=2; +#while ($i) +#{ +# SELECT MULTIPOINT( +# 1, +# ( +# SELECT MULTIPOINT( +# MULTIPOINT( +# 1, +# (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) +# ) +# ) FROM t1 +# ) +# ) != COUNT(*) q FROM t1 GROUP BY a; +# dec $i; +#} +# +#DROP TABLE t1; --echo # --echo # Bug #54468: crash after item's print() function when ordering/grouping From 0782e25aa2cbb260f5fe965511e1f3736add83c6 Mon Sep 17 00:00:00 2001 From: Sergey Vojtovich Date: Wed, 8 Sep 2010 00:16:10 +0400 Subject: [PATCH 15/18] main.gis-rtree, main.type_float and main.type_newdecimal were marked as experimental due to BUG38965. --- mysql-test/collections/default.experimental | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mysql-test/collections/default.experimental b/mysql-test/collections/default.experimental index 8da83d8ae97..91dada3ee05 100644 --- a/mysql-test/collections/default.experimental +++ b/mysql-test/collections/default.experimental @@ -45,3 +45,6 @@ parts.partition_syntax_ndb # joro : NDB tests marked as experiment parts.partition_value_ndb # joro : NDB tests marked as experimental as agreed with bochklin main.mysqlhotcopy_myisam # horst: due to bug#54129 main.mysqlhotcopy_archive # horst: due to bug#54129 +main.gis-rtree # svoj: due to BUG#38965 +main.type_float # svoj: due to BUG#38965 +main.type_newdecimal # svoj: due to BUG#38965 From 762c7ca4620be17ed7a4006954926b0e8aa8666b Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Thu, 9 Sep 2010 13:40:17 +0400 Subject: [PATCH 16/18] Fix for bug#56679: gis.test: valgrind error Item_func_spatial_collection::fix_length_and_dec() changed to use argument's print() method to print the ER_ILLEGAL_VALUE_FOR_TYPE error. mysql-test/r/gis.result: Fix for bug#56679: gis.test: valgrind error - test result adjusted. sql/item_geofunc.h: Fix for bug#56679: gis.test: valgrind error - use argument's print() method instead of improper val_str() call in the Item_func_spatial_collection::fix_length_and_dec(), as it's applicable only for constant items. --- mysql-test/r/gis.result | 6 +++--- sql/item_geofunc.h | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/mysql-test/r/gis.result b/mysql-test/r/gis.result index 02c8afc2d77..3b18ee61336 100644 --- a/mysql-test/r/gis.result +++ b/mysql-test/r/gis.result @@ -707,7 +707,7 @@ numgeometries(b) IS NULL, numinteriorrings(b) IS NULL, numpoints(b) IS NULL, area(b) IS NULL, glength(b) IS NULL, srid(b) IS NULL, x(b) IS NULL, y(b) IS NULL from t1; -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric '`test`.`t1`.`b`' value found during parsing select within(b, b) IS NULL, contains(b, b) IS NULL, overlaps(b, b) IS NULL, equals(b, b) IS NULL, disjoint(b, b) IS NULL, touches(b, b) IS NULL, @@ -722,7 +722,7 @@ point(b, b) IS NULL, linestring(b) IS NULL, polygon(b) IS NULL, multipoint(b) IS multilinestring(b) IS NULL, multipolygon(b) IS NULL, geometrycollection(b) IS NULL from t1; -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric '`test`.`t1`.`b`' value found during parsing drop table t1; CREATE TABLE t1(a POINT) ENGINE=MyISAM; INSERT INTO t1 VALUES (NULL); @@ -1006,7 +1006,7 @@ drop table t1; SELECT MultiPoint(12345,''); ERROR 22007: Illegal non geometric '12345' value found during parsing SELECT 1 FROM (SELECT GREATEST(1,GEOMETRYCOLLECTION('00000','00000')) b FROM DUAL) AS d WHERE (LINESTRING(d.b)); -ERROR 22007: Illegal non geometric '' value found during parsing +ERROR 22007: Illegal non geometric ''00000'' value found during parsing # # BUG#51875: crash when loading data into geometry function polyfromwkb # diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h index 070c2cd26fc..b3ecbc39933 100644 --- a/sql/item_geofunc.h +++ b/sql/item_geofunc.h @@ -177,13 +177,15 @@ public: String *val_str(String *); void fix_length_and_dec() { - for( unsigned int i=0; ifixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) + if (args[i]->fixed && args[i]->field_type() != MYSQL_TYPE_GEOMETRY) { String str; - args[i]->val_str(&str); - my_error(ER_ILLEGAL_VALUE_FOR_TYPE,MYF(0),"non geometric",str.c_ptr()); + args[i]->print(&str, QT_ORDINARY); + str.append('\0'); + my_error(ER_ILLEGAL_VALUE_FOR_TYPE, MYF(0), "non geometric", + str.ptr()); } } } From cc6d22f5356e0969d8d5d1046edc69cb17ea19fb Mon Sep 17 00:00:00 2001 From: Alfranio Correia Date: Fri, 10 Sep 2010 11:49:57 +0100 Subject: [PATCH 17/18] BUG#55675 rpl.rpl_log_pos fails sporadically with error binlog truncated in the middle Disabled the test case. --- mysql-test/suite/rpl/t/disabled.def | 1 + 1 file changed, 1 insertion(+) diff --git a/mysql-test/suite/rpl/t/disabled.def b/mysql-test/suite/rpl/t/disabled.def index ef77c54e067..5b150288935 100644 --- a/mysql-test/suite/rpl/t/disabled.def +++ b/mysql-test/suite/rpl/t/disabled.def @@ -11,3 +11,4 @@ ############################################################################## rpl_row_create_table : Bug#51574 Feb 27 2010 andrei failed different way than earlier with bug#45576 +rpl_log_pos : BUG#55675 Sep 10 2010 27 2010 alfranio rpl.rpl_log_pos fails sporadically with error binlog truncated in the middle From 611f8ea37299425a861fcc7e4685841e8557d3d3 Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Mon, 13 Sep 2010 17:17:50 +0300 Subject: [PATCH 18/18] Raise version number after cloning 5.1.51 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index 3ec62b836f1..c1672557bd1 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.51], [], [mysql]) +AC_INIT([MySQL Server], [5.1.52], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM