List: Commits
From: Alexander Nozdrin
Date: May 9 2011 8:37am
Subject: bzr push into mysql-5.5 branch (alexander.nozdrin:3498 to 3499) Bug#12362125
 3499 Alexander Nozdrin	2011-05-09
      Patch for Bug#12362125 (SP INOUT HANDLING IS BROKEN FOR TEXT TYPE).
      
      Attempts to assign value to a table column from trigger by using
      NEW.column_name pseudo-variable might result in garbled data.
      That happened when:
        - the column had a BLOB-based type (e.g. TEXT)
          and
        - the value being assigned was retrieved from stored routine variable
          of the same type.
      
      The problem was that BLOB values were not copied correctly in this
      case. Instead of doing a copy of a real value, the value's representation
      in record buffer was copied. This representation is essentially a
      pointer to a buffer associated with the virtual table for routine
      variables where the real value is stored. Since this buffer got
      freed once trigger was left or could have changed its contents when
      new value was assigned to corresponding routine variable such a shallow
      copying resulted in garbled data in NEW.column_name column.
      
      It worked in 5.1 due to a subtle bug in create_virtual_tmp_table():
        - in 5.1 create_virtual_tmp_table() returned a table which
          had db_low_byte_first == false.
        - in 5.5 and up create_virtual_tmp_table() returns a table which
          has db_low_byte_first == true.
      Actually, db_low_byte_first == false only for ISAM storage engine,
      which was deprecated and removed in 5.0.
      
      Having db_low_byte_first == false led to getting false in the
      complex condition for the 2nd "if" in field_conv(), which in turn
      led to copy-blob-behavior as a fall-back strategy:
        - to->table->s->db_low_byte_first was true (correct value)
        - from->table->s->db_low_byte_first was false (incorrect value)
      
      In 5.5 and up that condition is true, which means blob-values are
      not copied.

    modified:
      mysql-test/r/trigger.result
      mysql-test/t/trigger.test
      sql/item.cc
 3498 Alexander Nozdrin	2011-05-06
      Patch for Bug#12374486 - SEVERE MEMORY LEAK IN PREPARED STATEMENTS
      THAT CALL STORED PROCEDURES.
      
      The bug was introduced by WL#4435. The problem was that if a stored
      procedure generated a few result sets with different set of columns,
      a new memory would be allocated after every EXECUTE for every
      result set.
      
      The fix is to introduce a new memory root in scope of MYSQL_STMT,
      and to store result-set metadata in that memory root.

    modified:
      include/mysql.h
      include/mysql.h.pp
      libmysql/libmysql.c
=== modified file 'mysql-test/r/trigger.result'
--- a/mysql-test/r/trigger.result	2011-03-10 08:07:57 +0000
+++ b/mysql-test/r/trigger.result	2011-05-09 08:29:23 +0000
@@ -2208,4 +2208,22 @@ trigger_name
 # Clean-up.
 drop temporary table t1;
 drop table t1;
-End of 6.0 tests.
+
+#
+# Bug #12362125: SP INOUT HANDLING IS BROKEN FOR TEXT TYPE.
+#
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1(c TEXT);
+CREATE TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW
+BEGIN
+DECLARE v TEXT;
+SET v = 'aaa';
+SET NEW.c = v;
+END|
+INSERT INTO t1 VALUES('qazwsxedc');
+SELECT c FROM t1;
+c
+aaa
+DROP TABLE t1;
+
+End of 5.5 tests.
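Review bot: The header added here repeats the bug title about SP INOUT handling, but the recorded case contains no stored procedure or INOUT parameter: it is a BEFORE INSERT trigger doing SET NEW.c = v. A one-line description under the header (echoed from trigger.test) saying that the case checks assignment of a TEXT routine variable to NEW.c would make a later mismatch on the expected row aaa easier to interpret.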

=== modified file 'mysql-test/t/trigger.test'
--- a/mysql-test/t/trigger.test	2011-03-10 08:07:57 +0000
+++ b/mysql-test/t/trigger.test	2011-05-09 08:29:23 +0000
@@ -2583,4 +2583,32 @@ select trigger_name from information_sch
 drop temporary table t1;
 drop table t1;
 
---echo End of 6.0 tests.
+
+--echo
+--echo #
+--echo # Bug #12362125: SP INOUT HANDLING IS BROKEN FOR TEXT TYPE.
+--echo #
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+
+CREATE TABLE t1(c TEXT);
+
+delimiter |;
+CREATE TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW
+BEGIN
+  DECLARE v TEXT;
+  SET v = 'aaa';
+  SET NEW.c = v;
+END|
+delimiter ;|
+
+INSERT INTO t1 VALUES('qazwsxedc');
+
+SELECT c FROM t1;
+
+DROP TABLE t1;
+
+--echo
+--echo End of 5.5 tests.
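Review bot: The trigger body never touches v again after SET NEW.c = v, so the case covers only the buffer being released when the trigger is left, not the second failure mode named in the commit message (the routine variable receiving a new value after the assignment). Consider adding a line such as SET v = 'bbb'; after SET NEW.c = v; while still expecting aaa, and a column of another BLOB-based type next to TEXT, since the message says every BLOB-based type was affected.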

=== modified file 'sql/item.cc'
--- a/sql/item.cc	2011-05-06 11:41:24 +0000
+++ b/sql/item.cc	2011-05-09 08:29:23 +0000
@@ -7134,8 +7134,26 @@ bool Item_trigger_field::set_value(THD *
 {
   Item *item= sp_prepare_func_item(thd, it);
 
-  return (!item || (!fixed && fix_fields(thd, 0)) ||
-          (item->save_in_field(field, 0) < 0));
+  if (!item)
+    return true;
+
+  if (!fixed)
+  {
+    if (fix_fields(thd, NULL))
+      return true;
+  }
+
+  // NOTE: field->table->copy_blobs should be false here, but let's
+  // remember the value at runtime to avoid subtle bugs.
+  bool copy_blobs_saved= field->table->copy_blobs;
+
+  field->table->copy_blobs= true;
+
+  int err_code= item->save_in_field(field, 0);
+
+  field->table->copy_blobs= copy_blobs_saved;
+
+  return err_code < 0;
 }
 
 
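Review bot: The NOTE comment above copy_blobs_saved explains why the old flag value is remembered, but not why copy_blobs is forced to true before item->save_in_field(field, 0); that reason exists only in the commit message. Add a sentence saying that the source value can point into the routine-variable table's buffer, which is freed or overwritten after the assignment, so that the flag is not later removed as redundant. If copy_blobs really should be false on entry, a debug assertion would state that more strongly than a comment. The nested if (!fixed) { if (fix_fields(thd, NULL)) ... } can also be written as the single condition if (!fixed && fix_fields(thd, NULL)).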

No bundle (reason: useless for push emails).
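
The shallow versus deep BLOB copy described in the commit message for revision 3499, as an added example that is not part of the original mail or of MySQL's code. It is a toy model: BlobField, RoutineVar, store and new_c_after_reassign are hypothetical names, and the variable's buffer is overwritten here rather than freed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Toy BLOB field (hypothetical, not MySQL's Field_blob): the record buffer
// holds only a pointer and a length; the bytes live somewhere else.
struct BlobField {
    const char *ptr = nullptr;  // what the record buffer stores
    std::size_t len = 0;
    std::string owned;          // private storage, used only by deep copies
    std::string value() const { return ptr ? std::string(ptr, len) : std::string(); }
};

// Stand-in for the routine-variable buffer the commit message describes.
struct RoutineVar {
    char buf[16] = {0};
    std::size_t len = 0;
    void set(const char *s) {
        len = std::min(std::strlen(s), sizeof buf);  // never write past buf
        std::memcpy(buf, s, len);
    }
};

// copy_blobs == false copies the representation (pointer + length) only;
// copy_blobs == true copies the bytes into storage owned by the target.
void store(BlobField &to, const RoutineVar &from, bool copy_blobs) {
    if (copy_blobs) {
        to.owned.assign(from.buf, from.len);
        to.ptr = to.owned.data();
    } else {
        to.ptr = from.buf;
    }
    to.len = from.len;
}

// Mirrors the test trigger: SET v = 'aaa'; SET NEW.c = v; then v changes.
std::string new_c_after_reassign(bool copy_blobs) {
    RoutineVar v;
    BlobField new_c;
    v.set("aaa");
    store(new_c, v, copy_blobs);
    v.set("zzz");  // the variable's buffer is reused for its next value
    return new_c.value();
}

int main() {
    std::cout << "shallow: " << new_c_after_reassign(false) << "\n"
              << "deep:    " << new_c_after_reassign(true) << "\n";
}
```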