From: Georgi Kodinov Date: August 12 2010 11:46am Subject: bzr commit into mysql-5.1-bugteam branch (Georgi.Kodinov:3479) Bug#55580 List-Archive: http://lists.mysql.com/commits/115570 X-Bug: 55580 Message-Id: <201008121146.o7CBkatL024679@magare.local> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8764117219031308045==" --===============8764117219031308045== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///home/kgeorge/mysql/work/B55580-5.1-bugteam/ based on revid:georgi.kodinov@stripped 3479 Georgi Kodinov 2010-08-12 Bug #55580 : segfault in read_view_sees_trx_id The server was not checking for errors generated during the execution of Item::val_xxx() methods when copying data to the group, order, or distinct temp table's row. Fixed by extending the copy_funcs() to return an error code and by checking for that error code on the places copy_funcs() is called. Test case added. modified: mysql-test/suite/innodb/r/innodb_mysql.result mysql-test/suite/innodb/t/innodb_mysql.test sql/item_sum.cc sql/sql_select.cc sql/sql_select.h === modified file 'mysql-test/suite/innodb/r/innodb_mysql.result' --- a/mysql-test/suite/innodb/r/innodb_mysql.result 2010-07-04 07:12:44 +0000 +++ b/mysql-test/suite/innodb/r/innodb_mysql.result 2010-08-12 11:46:30 +0000 
@@ -2499,4 +2499,26 @@ ORDER BY f1 DESC LIMIT 5; id select_type table type possible_keys key key_len ref rows Extra 1 SIMPLE t1 range f2,f4 f4 1 NULL 11 Using where DROP TABLE t1; +# +# Bug#55580: segfault in read_view_sees_trx_id +# +CREATE TABLE t1 (a INT) ENGINE=Innodb; +CREATE TABLE t2 (a INT) ENGINE=Innodb; +INSERT INTO t1 VALUES (1),(2); +INSERT INTO t2 VALUES (1),(2); +START TRANSACTION; +SELECT * FROM t2 LOCK IN SHARE MODE; +a +1 +2 +START TRANSACTION; +SELECT * FROM t1 LOCK IN SHARE MODE; +a +1 +2 +SELECT * FROM t1 FOR UPDATE; +# should not crash +SELECT * FROM t1 GROUP BY POLYGON((SELECT a FROM t2 LIMIT 1 FOR UPDATE), t1.a); +ERROR 40001: Deadlock found when trying to get lock; try restarting transaction +DROP TABLE t1,t2; End of 5.1 tests === modified file 'mysql-test/suite/innodb/t/innodb_mysql.test' --- a/mysql-test/suite/innodb/t/innodb_mysql.test 2010-08-04 10:19:51 +0000 +++ b/mysql-test/suite/innodb/t/innodb_mysql.test 2010-08-12 11:46:30 +0000 @@ -733,4 +733,39 @@ ORDER BY f1 DESC LIMIT 5; DROP TABLE t1; +--echo # +--echo # Bug#55580: segfault in read_view_sees_trx_id +--echo # + +CREATE TABLE t1 (a INT) ENGINE=Innodb; +CREATE TABLE t2 (a INT) ENGINE=Innodb; +INSERT INTO t1 VALUES (1),(2); +INSERT INTO t2 VALUES (1),(2); + +connect (con1,localhost,root,,test); +connect (con2,localhost,root,,test); + +connection con1; +START TRANSACTION; +SELECT * FROM t2 LOCK IN SHARE MODE; + +connection con2; +START TRANSACTION; +SELECT * FROM t1 LOCK IN SHARE MODE; + +connection con1; +--send SELECT * FROM t1 FOR UPDATE + +connection con2; +--echo # should not crash +--error ER_LOCK_DEADLOCK +SELECT * FROM t1 GROUP BY POLYGON((SELECT a FROM t2 LIMIT 1 FOR UPDATE), t1.a); + +connection default; +disconnect con1; +disconnect con2; + +DROP TABLE t1,t2; + + --echo End of 5.1 tests === modified file 'sql/item_sum.cc' --- a/sql/item_sum.cc 2010-06-10 20:45:22 +0000 +++ b/sql/item_sum.cc 2010-08-12 11:46:30 +0000 
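Review bot: In the innodb_mysql.test hunk, con2's `SELECT * FROM t1 GROUP BY POLYGON(...)` runs immediately after con1's `--send SELECT * FROM t1 FOR UPDATE`, and nothing waits for con1 to be blocked on the t1 lock first. Which session closes the deadlock cycle, and so which one receives ER_LOCK_DEADLOCK, therefore appears to depend on timing. The sent statement is also never collected: add `connection con1;` and `--reap` before `disconnect con1;`, and have con2 wait for con1's lock wait (for example via `include/wait_condition.inc`) before issuing the GROUP BY query. The .result file would need the matching output. Without this, a regression test guarding a server crash can pass or fail because of scheduling rather than because of the fix.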
@@ -2556,7 +2556,8 @@ bool Item_sum_count_distinct::add() if (always_null) return 0; copy_fields(tmp_table_param); - copy_funcs(tmp_table_param->items_to_copy); + if (copy_funcs(tmp_table_param->items_to_copy, table->in_use)) + return TRUE; for (Field **field=table->field ; *field ; field++) if ((*field)->is_real_null(0)) @@ -3128,7 +3129,8 @@ bool Item_func_group_concat::add() if (always_null) return 0; copy_fields(tmp_table_param); - copy_funcs(tmp_table_param->items_to_copy); + if (copy_funcs(tmp_table_param->items_to_copy, table->in_use)) + return TRUE; for (uint i= 0; i < arg_count_field; i++) { === modified file 'sql/sql_select.cc' --- a/sql/sql_select.cc 2010-07-19 18:34:28 +0000 +++ b/sql/sql_select.cc 2010-08-12 11:46:30 +0000 @@ -12485,7 +12485,9 @@ end_write(JOIN *join, JOIN_TAB *join_tab if (!end_of_records) { copy_fields(&join->tmp_table_param); - copy_funcs(join->tmp_table_param.items_to_copy); + if (copy_funcs(join->tmp_table_param.items_to_copy, join->thd)) + DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */ + #ifdef TO_BE_DELETED if (!table->uniques) // If not unique handling { @@ -12591,7 +12593,8 @@ end_update(JOIN *join, JOIN_TAB *join_ta memcpy(table->record[0]+key_part->offset, group->buff, 1); } init_tmptable_sum_functions(join->sum_funcs); - copy_funcs(join->tmp_table_param.items_to_copy); + if (copy_funcs(join->tmp_table_param.items_to_copy, join->thd)) + DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */ if ((error=table->file->ha_write_row(table->record[0]))) { if (create_myisam_from_heap(join->thd, table, &join->tmp_table_param, 
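Review bot: In end_update() (hunk `@@ -12591,7 +12593,8 @@`) the new check only fires inside copy_funcs()'s loop, after each copied item. An error raised by the preceding `init_tmptable_sum_functions(join->sum_funcs);` therefore goes unnoticed whenever `items_to_copy` is empty, and `ha_write_row()` still runs on the record. Whether that call can raise an error is not visible here, but it presumably evaluates aggregate arguments in a similar way, so it looks like the same class of unchecked failure this commit fixes. Consider an explicit `if (join->thd->is_error()) DBUG_RETURN(NESTED_LOOP_ERROR);` right after it; the end_unique_update() hunk (`@@ -12626,7 +12629,8 @@`) has the same call sequence. Both function bodies extend beyond their hunks.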
@@ -12626,7 +12629,8 @@ end_unique_update(JOIN *join, JOIN_TAB * init_tmptable_sum_functions(join->sum_funcs); copy_fields(&join->tmp_table_param); // Groups are copied twice. - copy_funcs(join->tmp_table_param.items_to_copy); + if (copy_funcs(join->tmp_table_param.items_to_copy, join->thd)) + DBUG_RETURN(NESTED_LOOP_ERROR); /* purecov: inspected */ if (!(error=table->file->ha_write_row(table->record[0]))) join->send_records++; // New group @@ -12713,7 +12717,8 @@ end_write_group(JOIN *join, JOIN_TAB *jo if (idx < (int) join->send_group_parts) { copy_fields(&join->tmp_table_param); - copy_funcs(join->tmp_table_param.items_to_copy); + if (copy_funcs(join->tmp_table_param.items_to_copy, join->thd)) + DBUG_RETURN(NESTED_LOOP_ERROR); if (init_sum_functions(join->sum_funcs, join->sum_funcs_end[idx+1])) DBUG_RETURN(NESTED_LOOP_ERROR); if (join->procedure) @@ -15773,14 +15778,33 @@ update_sum_func(Item_sum **func_ptr) return 0; } -/** Copy result of functions to record in tmp_table. */ +/** + Copy result of functions to record in tmp_table. -void -copy_funcs(Item **func_ptr) + Uses the thread pointer to check for errors in + some of the val_xxx() methods called by the + save_in_result_field() function. + TODO: make the Item::val_xxx() return error code + + @param func_ptr array of the function Items to copy to the tmp table + @param thd pointer to the current thread for error checking + @retval + FALSE if OK + @retval + TRUE on error +*/ + +bool +copy_funcs(Item **func_ptr, const THD *thd) { Item *func; for (; (func = *func_ptr) ; func_ptr++) + { func->save_in_result_field(1); + if (thd->is_error()) + return TRUE; + } + return FALSE; } === modified file 'sql/sql_select.h' --- a/sql/sql_select.h 2010-02-26 13:16:46 +0000 +++ b/sql/sql_select.h 2010-08-12 11:46:30 +0000 
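Review bot: The new doc comment on copy_funcs() does not say that the error test is `thd->is_error()`, which reflects the thread's diagnostics area rather than the outcome of the individual save_in_result_field() call. Two consequences are worth stating for callers: an error already pending on entry makes the function return TRUE after the first item, and with an empty `func_ptr` array it returns FALSE without consulting `thd` at all. The comment should also say that on TRUE the remaining items have not been copied, for example `On TRUE the record is only partially filled; the caller must abandon the row.`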
@@ -601,7 +601,7 @@ bool setup_copy_fields(THD *thd, TMP_TAB List &new_list1, List &new_list2, uint elements, List &fields); void copy_fields(TMP_TABLE_PARAM *param); -void copy_funcs(Item **func_ptr); +bool copy_funcs(Item **func_ptr, const THD *thd); bool create_myisam_from_heap(THD *thd, TABLE *table, TMP_TABLE_PARAM *param, int error, bool ignore_last_dupp_error); uint find_shortest_key(TABLE *table, const key_map *usable_keys); --===============8764117219031308045== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/georgi.kodinov@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: georgi.kodinov@stripped\ # pm2hnbvd13bomo5y # target_branch: file:///home/kgeorge/mysql/work/B55580-5.1-bugteam/ # testament_sha1: 698fed688c2885f891d9d6f72bb2517230ad769c # timestamp: 2010-08-12 14:46:36 +0300 # base_revision_id: georgi.kodinov@stripped\ # wu8dpos5rtoglro3 # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWYFqwH8ABczfgFiwWPf//3/v 3yC////6YAyHfbMudnIq6Uqitthl26ZlOQ1oAUAO2daMJJIE0yp5T2mk8mp6SZgKPSeoPSGT00h6 j2qD1A9QJSNJpiTyj0JpRvUJ6jT1NAAAAAMgD1BwDCMJpiGAQDIAYRpkyYRgIaCRJqaTI0jaj1Ta NFPFPCPVHlHqYTR6jR6gaepo9RoHAMIwmmIYBAMgBhGmTJhGAhoJJAjQCZNBMCaTCaaNNU8kGjR5 RsiPUB6kIQskMSMV3tsEr+2CmrCN1W4CKTk4IBmGWlizlZ4cP3yMuPxH2Jr7yzNfp4e2rPBEH+fN PM/XiegevPv/VtXAjRHigjGO3ejcz3kfCNTC7HTRFGarYHc0I8nRo/vXAGqBSXjbNONdMJerVKii Te+LpOplXeksfduzhBklkyStJFUyck+yDIFv5hdJz+HETzWAZyVd56kcUZkNtJtsG03vf0imyMMJ w0ELW+N8j4+SFS7POe1pVL2W2zdZmrAzkHdU8aK9y7mq5o28YeJ1Ed/nDlngHYL1jDjwB4aw49tG rIpZm8wl9jn+oQMhjiZWhYtwPrsGiXSaNa8Sfdpd7nFI8Y/iRn5QiPdKcEOYJzNFm3ubl7bNnBpw ncDfnPgnxq7UE0oehFalX6bpMkVigsOJIpSJRs4CTdRJcYtDnE+w01DBQU/Y4vuEL8dWjKutmF7V k8si+1mC7ZWd62D4bMTdu67dWjFP2eyfWbHeYkaSXAh+nW/o+SCFkkTbGYYZqinrKNf/J8Voc4UK h4EoVAbObMxbvzhUUrOOPOag7Z7eHpIUSuzSB3g1kygzeOAHtxKDC4vwgZmVC5ByIhU3QSO3l7k7 4nOBtNdB4AX9g3zCY0LPUKy/KguEuRPVcphao2ffCX4VHfoGKNGKYcUsyQb90qwKoCRcYeC4eRF+ 
OdDR7ZEN5MS3G9cC3qanG+JTWCk0OHMKhbrBoQzItZAkSKRXjhp5VpRksVsDmCtCVQL+715gt0EX LtoOqIV2ufRY8QWFjhhWmBComlQnldUyY0ZX4jFR57a01jIwupLGlxdYZUO++DK8EstRutUFiWdX UanQv0CXMjK4cSEspqtMH1YsLmlTm++7ZeY5TnAVVJ6RE08qI5JiJuvwHuKkRJOvRdErhcszOg9/ qoKqcewTX3jb1QjAyU6LaDdEQ45bYWo2tRyN5r3Fmdw8XIMa9IJUS5NoEtJfn1UOm2pSL/gPJgwm SEVCpGQqcI4aRSmYpbZBZW8Zm+wDGbGGgedpgaPUJb45p5Mw2aDTjCGJW7W4goiUSgoFaWPGH9bh 7ScKprSlRz4NWbDIqkt5HgRME8iJUijiCMKJu7eAZk60lqbgUhhwVIveiYteo0qSzhySlonfASzH 6xinMYkxLFsNYnvKzJiBqG+591M5MZbC7Xcydg2ywgPHTeVYYkdMNV9xqSw2QI6DYULP39GLqAY6 Mqo2hWt1CeMYFbsRXVSaJKJX34udwOwZaxKOOU7KuJG+gyVxmYDl1jKoZPdRWMnkhoTEnYs/RTcR ztLSk730EDMpNTknG0q4FRE61eXG04hpKZsYo0RVkazNcmW66LGJR3RTA5cnJCui8wI9R2lNVtOo YyNA1hjWRRrxSgdNhWUDhmHGnE3zDLQ6vPOBfUyGwakpQSsZFTDF7tskGOJYOLqvMoDkePMx02Y6 RpjU2pQkm4weQwsaiUZEkYEK7WcTo2woFMgPFqrzjUWFhMwNJSVjiBieyOk00Xt12K7ehc5p0WWX a2Wrct1BFSIFMJOxyK0Ctr5yZO3uhkDbbIzeYljPSEzSwfzUhcursFNmxQMZ6EbKJoGO4OfuRwda FxHU0BgHVgekXuDP8D4h7A8gqHhUGsTJDONw0/5FIaSr2nVEeDhB4Oie4Ofm5iIb4NkSCVNIMC/f vEUVSoxWnIDHhhaIWBaIQCUwUFkEgiGmUlbIe8oVDf8rgzmgqHxC8IAkPE94fkSp/6J3h2ioEPFD BzIpFaBch8GBxSDA4JAgDwUEoEaiaQWXCXCF5ALQU0AzpAwTfsIDBMchVBaGQaAkExF5Ui0wQUhM HIcAUJ5ImA4FBQsCgFS4Bo8HibAuAYDRwOBqGbEgESAXBkGA8KAxBRx+cgimCYMgt+XwEfda3gyI ZkGwTC3J+LVYvgK0I9CsShQRGxQrCUHUEeglSuHYOR3G83DEA203lx+R+Qw5/2tSNZjn9ARqtRtz cXzwlQBs/FFh9WIAXnUiuqyLM/5lt6EbSVG+uZbdtbODvoF5jEj36i9UTk7uceUhxLaRFcMJSRHd hSHCXSWGAgxr410CW9PKUI89wuRaYn1Nh0GIjGzZkMXKR3l6wFE5lJWWH6XWl5eXGvwLgkii+LPT wRDJsEkavCibUnyjRC+0UQ3InmBmgRoKBDF1tZ6QhlkbhluL5JVRq19PQUmLEtqqN6d3pOYSk8xo kvS8DbNLgQrwKUi9aDdTsIdQjiVmEMSK7bb5zNeuf5x2i4abEgwJ+szKuauKDU1HAhw4Gb3J6GPW 9x9GUIjAlqNXbs6sao6dXrI7dv6HkdOtGlG7kwTZ2SOzEBwuh0OiNvuqy1aDmTMzaEwqDWFoqk5H jYmg6N0pgMdeW5XedT0KM8izDpxz61E2Oulj9MZ4hdNCS5x7uO9LkmS8x6A6ESOJN98+4yZeLHXD m2haNnxrRGItUEAHOVWfmtSIrKW1tcvOI0EZoWk2sg6CRqL1DYuhwLJnM7xXi1rZ80exGaKF7w4P F7GZvsUiHLiZEl5shjStqCU1+p5iZDnxRzSDNczNRq4q48ls1nsHEAXRwwB2Mr3h6ByEnBAuKCI8 
vPYe3ggNsU3rGQGp5jwKTibKxt/BeDJDbqrV9N58GGbuFAzoSVBCIrAKvcR3gZtowcTfHrwGYgkF arPh28bJgYMyTUXTNADWWHWETykfKpHKoLw6r/Qn7OiZvP9g7xivA3gQWZkgNPTyN1QxcnsL1BmB m4HikrazxI6ZoYLgQ4Q4TxTJmgqW9id3+SzZ3quSCvx6QKh2QkOJJgxEmPQkRZVepPiLfpiN1evu VHcMJaVLtsrclWKxZEUuhcor7isMGFjudHKblgQUxUC9Q1sGKxYokREpKlkiLKl7ngP3eKCb4IOb 0HzB4nxEQK1BIL1pLVGz9pJPK0nDJmS6DlQZjYBmBQbCte44vQGEJCgDxHYvxOSAqKMgalaCk+4H M5XliSMm7RLSlYzMngMLvcg5D3GkkXh8oCDcPFPWDvzSDICUepIJLEoMaEyzNKyTiiUKk21kA/Ie cmzQuxyV+B0F2PQyXKIv3d01o7VIxJ6xJv/Z+C0Wq69ULr3lyQalYVDyowSXkai5fwmcCsmb2A0t BM8d6MpniRSD5MBQBTTxKeMjaZhioTQnnmtbvifg45m70eKxILabHrNOE6w5ryT8ev0J7skHndXZ cgrPJ0PaoP9pcnsw3aQ7O5Mj/rH67eIQ1sLkldaJBIbqvHUJ1MUejBOtwL9dpaSrGqoqTeBRGlLH SV6l3ttttuivXYKkDZhAYMhgrtAcixc0/ZqMM1N4w/WptCt0lIYcMWwiLAS8mA4nMpr2DqUd4iFA aEu602G+6nm5R7AoUjnChlI9F4YiEXWNvaDe54NLCwjGtXat281O0pbWKSstBwG0UlQBkvBRdFOI vS6jXgBtIMF610/ircT1b63QbShS0KSmRqWbYLLeLyOKxKz42N0cJEzVtXgaBKypbHFy9DaBrLrB 52ET4Z4a+dCxuGNR8DYe88VpO5UrXQVcrzgP3jAqVsXvNxXuab2gJhPHI87+hERI2HAoxLyVTjPc Ko6i5CX0StdmxnnNx0HWXTEf8XckU4UJCBasB/A= --===============8764117219031308045==--