From: Alexander Barkov
Date: August 3 2011 12:16pm
Subject: bzr push into mysql-trunk branch (alexander.barkov:3338 to 3339) WL#946
List-Archive: http://lists.mysql.com/commits/140525
Message-Id: <201108031216.p73CGpOU013763@bar.myoffice.izhnet.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

 3339 Alexander Barkov    2011-08-03
      WL#946
      added:
        mysql-test/r/type_fsp.result
        mysql-test/suite/rpl/r/rpl_fsp.result
        mysql-test/suite/rpl/t/rpl_fsp.test
        mysql-test/t/type_fsp.test
      modified:
        client/mysqlbinlog.cc
        client/mysqltest.cc
        include/decimal.h
        include/my_global.h
        include/my_time.h
        include/mysql.h.pp
        include/mysql_com.h
        libmysql/libmysql.c
        mysql-test/r/cast.result
        mysql-test/r/create.result
        mysql-test/r/ctype_binary.result
        mysql-test/r/ctype_cp1251.result
        mysql-test/r/ctype_latin1.result
        mysql-test/r/ctype_ucs.result
        mysql-test/r/ctype_utf8.result
        mysql-test/r/date_formats.result
        mysql-test/r/deprecated_features.result
        mysql-test/r/func_sapdb.result
        mysql-test/r/func_time.result
        mysql-test/r/func_timestamp.result
        mysql-test/r/information_schema.result
        mysql-test/r/loaddata.result
        mysql-test/r/metadata.result
        mysql-test/r/mysqlbinlog_row.result
        mysql-test/r/parser.result
        mysql-test/r/partition_datatype.result
        mysql-test/r/partition_error.result
        mysql-test/r/partition_innodb.result
        mysql-test/r/ps_2myisam.result
        mysql-test/r/ps_3innodb.result
        mysql-test/r/ps_4heap.result
        mysql-test/r/ps_5merge.result
        mysql-test/r/show_check.result
        mysql-test/r/sp-vars.result
        mysql-test/r/sp.result
        mysql-test/r/strict.result
        mysql-test/r/sysdate_is_now.result
        mysql-test/r/type_date.result
        mysql-test/r/type_datetime.result
        mysql-test/r/type_time.result
        mysql-test/r/type_timestamp.result
        mysql-test/suite/funcs_1/r/innodb_func_view.result
        mysql-test/suite/funcs_1/r/is_columns.result
        mysql-test/suite/funcs_1/r/is_columns_is.result
        mysql-test/suite/funcs_1/r/memory_func_view.result
        mysql-test/suite/funcs_1/r/myisam_func_view.result
        mysql-test/suite/funcs_1/r/storedproc.result
        mysql-test/suite/funcs_1/views/func_view.inc
        mysql-test/suite/innodb/r/innodb_bug52745.result
        mysql-test/suite/rpl/r/rpl_rewrt_db.result
        mysql-test/suite/sys_vars/r/timestamp_basic.result
        mysql-test/suite/sys_vars/t/timestamp_basic.test
        mysql-test/t/cast.test
        mysql-test/t/deprecated_features.test
        mysql-test/t/func_time.test
        mysql-test/t/information_schema.test
        mysql-test/t/metadata.test
        mysql-test/t/mysqlbinlog_row.test
        mysql-test/t/partition_innodb.test
        mysql-test/t/strict.test
        mysql-test/t/type_date.test
        mysql-test/t/type_datetime.test
        mysql-test/t/type_time.test
        sql-common/my_time.c
        sql/event_data_objects.cc
        sql/event_db_repository.cc
        sql/field.cc
        sql/field.h
        sql/field_conv.cc
        sql/filesort.cc
        sql/item.cc
        sql/item.h
        sql/item_cmpfunc.cc
        sql/item_cmpfunc.h
        sql/item_create.cc
        sql/item_create.h
        sql/item_func.cc
        sql/item_func.h
        sql/item_strfunc.cc
        sql/item_strfunc.h
        sql/item_subselect.h
        sql/item_sum.cc
        sql/item_sum.h
        sql/item_timefunc.cc
        sql/item_timefunc.h
        sql/log.cc
        sql/log_event.cc
        sql/log_event.h
        sql/log_event_old.cc
        sql/my_decimal.cc
        sql/my_decimal.h
        sql/mysqld.cc
        sql/opt_range.cc
        sql/protocol.cc
        sql/protocol.h
        sql/rpl_slave.cc
        sql/rpl_utility.cc
        sql/rpl_utility.h
        sql/sp.cc
        sql/sp_head.cc
        sql/sql_class.cc
        sql/sql_class.h
        sql/sql_const.h
        sql/sql_error.cc
        sql/sql_error.h
        sql/sql_insert.cc
        sql/sql_load.cc
        sql/sql_parse.cc
        sql/sql_partition.cc
        sql/sql_prepare.cc
        sql/sql_select.cc
        sql/sql_show.cc
        sql/sql_string.cc
        sql/sql_string.h
        sql/sql_table.cc
        sql/sql_time.cc
        sql/sql_time.h
        sql/sql_yacc.yy
        sql/sys_vars.cc
        sql/sys_vars.h
        sql/table.cc
        sql/table.h
        storage/innobase/handler/ha_innodb.cc
        strings/decimal.c
        tests/mysql_client_test.c

 3338 Olav Sandstaa    2011-08-03
      Fix for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.

      The crash in InnoDB's ICP implementation occurred due to the handler's
      end_range member variable having an invalid value.
      As part of the ICP evaluation in InnoDB the code will check that the
      record is within the end_range of the query. In the case where this
      leads to a crash the end_range was not initialized and the code could
      then reference a non-valid memory area leading to the segmentation
      fault (it could probably also lead to a wrong result if the "random
      end_range" decided that the actual record was outside the valid record
      range).

      The case where ICP can be used without having a proper end_range
      defined is for "const" queries that will at most access one record. In
      the case where this occurs the table is read from join_read_const() (in
      sql_select.cc) which retrieves data using
      handler::ha_index_read_idx_map(). Since only max one record will be
      read, ha_index_read_idx_map() does not define an end_range for the
      handler. In this case end_range might be undefined when a pushed index
      condition is evaluated.

      The fix for this problem is to initialize end_range in the handler's
      constructor. The patch also adds an assert to ha_index_read_idx_map()
      to detect if it ever is called with an end_range value different from
      NULL.

      Without this fix the test case will either crash or pass depending on
      the value the uninitialized end_range gets. Running with valgrind it
      should produce a test failure.

      @ mysql-test/include/icp_tests.inc
        Test case for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.
      @ mysql-test/r/innodb_icp.result
        Test case for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.
      @ mysql-test/r/innodb_icp_none.result
        Test case for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.
      @ mysql-test/r/myisam_icp.result
        Test case for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.
        Note that this test is not run with MyISAM since it triggers a bug in
        MyISAM. It will be enabled when Bug#12724899 is fixed.
      @ mysql-test/r/myisam_icp_none.result
        Test case for Bug#12601961 SEGFAULT IN HANDLER::COMPARE_KEY2.
        Note that this test is not run with MyISAM since it triggers a bug in
        MyISAM. It will be enabled when Bug#12724899 is fixed.
      @ sql/handler.cc
        Add an assert to verify that when handler::ha_index_read_idx_map() is
        called an end_range is not set. The reason for checking this is that
        this could trigger an invalid end_range verification in the ICP
        implementation.
      @ sql/handler.h
        Initialize the handler's end_range member in the constructor in order
        to avoid that an end_range containing a random value is checked and
        results in a crash in the ICP implementation in InnoDB. Also extended
        the documentation of end_range and save_end_range and made
        save_end_range a protected member of the handler class.

      modified:
        mysql-test/include/icp_tests.inc
        mysql-test/r/innodb_icp.result
        mysql-test/r/innodb_icp_none.result
        mysql-test/r/myisam_icp.result
        mysql-test/r/myisam_icp_none.result
        sql/handler.cc
        sql/handler.h

Diff too large for email (40362 lines, the limit is 10000).
No bundle (reason: useless for push emails).
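The 3338 commit message above describes a handler whose end_range member was never initialized, so the ICP range check compared against whatever bytes happened to be in the object's storage. The following C++ is an added example, not MySQL source or part of the patch: Handler, KeyRange, compare_key, set_end_range and index_read_const are hypothetical, reduced stand-ins for handler::end_range, handler::compare_key2 and handler::ha_index_read_idx_map. It shows how an untouched pointer member inherits the stale bytes that previously occupied its storage (the "random end_range" that crashes or passes depending on its value), and the two changes the fix describes: initializing end_range in the constructor and rejecting a const read that still has a range set.

```cpp
// Added example, not MySQL source: a reduced model of the Bug#12601961
// pattern. Handler, KeyRange, compare_key, set_end_range and
// index_read_const are hypothetical stand-ins for handler::end_range,
// handler::compare_key2 and handler::ha_index_read_idx_map.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Inclusive upper bound of a range scan.
struct KeyRange {
    uint32_t max_key;
};

enum RangeCheck { IN_RANGE = 0, OUT_OF_RANGE = 1 };

// "Before": the constructor never touches end_range, so an object built in
// storage that previously held other data inherits those bytes as its pointer.
struct HandlerBefore {
    KeyRange *end_range;
    HandlerBefore() {}   // end_range left indeterminate: the bug
};

// Place a HandlerBefore into storage pre-filled with 0xAB and report whether
// the bytes of end_range still read 0xAB afterwards, i.e. the "random
// end_range" the commit message describes. Dereferencing it would be
// undefined behaviour, so only the raw bytes are inspected.
bool before_inherits_leftover_bytes() {
    alignas(HandlerBefore) unsigned char storage[sizeof(HandlerBefore)];
    std::memset(storage, 0xAB, sizeof storage);           // stale data
    HandlerBefore *h = new (storage) HandlerBefore();     // writes nothing
    unsigned char raw[sizeof(KeyRange *)];
    std::memcpy(raw, &h->end_range, sizeof raw);
    for (std::size_t i = 0; i < sizeof raw; i++)
        if (raw[i] != 0xAB) return false;
    return true;
}

// "After": end_range (and save_end_range) are initialized in the constructor,
// so a path that never sets a range sees NULL rather than leftover bytes.
class Handler {
public:
    Handler() : end_range(nullptr), save_end_range(nullptr) {}

    void set_end_range(KeyRange *r) { end_range = r; }

    // ICP-style range check: only compare when a range is actually defined.
    RangeCheck compare_key(uint32_t row_key) const {
        if (end_range == nullptr)
            return IN_RANGE;                              // no bound to exceed
        return row_key > end_range->max_key ? OUT_OF_RANGE : IN_RANGE;
    }

    // Model of ha_index_read_idx_map(): reads at most one row, so no end_range
    // may be set. Returns false instead of assert()ing so the check can be
    // exercised from a test.
    bool index_read_const(uint32_t row_key, RangeCheck *out) const {
        if (end_range != nullptr)                         // the commit's new assert
            return false;
        *out = compare_key(row_key);                      // pushed index condition
        return true;
    }

protected:
    KeyRange *end_range;
    KeyRange *save_end_range;   // made protected by the commit
};

// Scenario from the commit: a "const" query reads one row through the
// const-read path without any end_range having been set.
bool const_read_passes(uint32_t row_key) {
    Handler h;                   // end_range is NULL straight after construction
    RangeCheck rc;
    return h.index_read_const(row_key, &rc) && rc == IN_RANGE;
}

// A real range scan still rejects rows past its bound.
RangeCheck range_scan_check(uint32_t bound, uint32_t row_key) {
    KeyRange r = { bound };
    Handler h;
    h.set_end_range(&r);
    return h.compare_key(row_key);
}

// The new assert path: a const read while a range is still set is refused.
bool const_read_with_range_is_refused() {
    KeyRange r = { 10 };
    Handler h;
    h.set_end_range(&r);
    RangeCheck rc;
    return !h.index_read_const(5, &rc);
}

int main() {
    assert(before_inherits_leftover_bytes());
    assert(const_read_passes(12345));
    assert(range_scan_check(10, 5) == IN_RANGE);
    assert(range_scan_check(10, 11) == OUT_OF_RANGE);
    assert(const_read_with_range_is_refused());
    return 0;
}
```

Build with `g++ -std=c++11 -Wall` and run; the first check is the interesting one, because it makes visible what the commit message says the real test only exposed under valgrind: with a constructor that does not write the member, the pointer's value is whatever the previous occupant of that memory left behind, which is why the unfixed test could crash on one run and pass on the next. Memory sanitizers (valgrind, MSan) flag the read itself; the constructor initialization removes the indeterminate value, and the check in the const-read path turns a silent misuse of end_range into an immediate failure.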