send_result_set_metadata

Analysis
--------
Cursor inside trigger accessing NEW/OLD row leads server exit.

The reason for the bug was that implementation of function
create_tmp_table() was not considering Item::TRIGGER_FIELD_ITEM
as possible alternative for type of class being instantiated.
This was resulting in a mismatch between a number of columns
in result list and temp table definition. This mismatch leads
to the failure of assertion
DBUG_ASSERT(send_result_set_metadata.elements == item_list.elements)
in the method Materialized_cursor::send_result_set_metadata
in debug mode.

Fix:
---
Added code to consider Item::TRIGGER_FIELD_ITEM as valid
type while creating fields.

Issue: A select for update subquery in having clause
resulted deadlock and its transaction was rolled back
by innodb. val_XXX interfaces do not handle errors and
it do not propogate errors to its caller. sub_select
did not see this error when it called
evaluate_join_record and later made a call to innodb.
As transaction is rolled back innodb asserted.

Fix: Now evaluate_join_record checks if there is any
error reported and then return the same to its caller.

               FIND_USED_PARTITIONS | SQL/OPT_RANGE.CC:3884

Post-push fix.

               FIND_USED_PARTITIONS | SQL/OPT_RANGE.CC:3884

Issue:
-----
During partition pruning, first we identify the partition
in which row can reside and then identify the subpartition.
If we find a partition but not the subpartion then we hit
a debug assert. While finding the subpartition we check
the current thread's error status in part_val_int()
function after some operation. In this case the thread's
error status is already set to an error (multiple rows
returned) so the function returns no partition found and
results in incorrect behavior.

SOLUTION:
---------
Currently any error encountered in part_val_int is
considered a "partition not found" type error. Instead of
an assert, a check needs to be done and a valid error
returned.

			INSERT INDEX RECORD

Problem:
=======

IBUF_BITMAP_FREE bit in ibuf bitmap array is used to indicate the free
space available in leaf page. IBUF_BITMAP_FREE bit indicates free
space more than actual existing free space for the leaf page.

Solution:
=========

Ibuf_bitmap_array is not updated for the secondary index leaf page when
insert operation is done by updating a delete marked existing
record in the index.
Reviewed-by: Jimmy Yang <jimmy.yang@oracle.com>
RB: 9544

               WARNINGS

Backporting to 5.1 and 5.5

No commit message

Description:- mysqlslap is a diagnostic utility designed to
emulate client load for a MySQL server and to report the
timing of each stage. This utility crashes when invalid
values are passed to the options 'num_int_cols_opt' or
'num_chars_cols_opt' or 'engine'.

Analysis:- mysqlslap uses "parse_option()" to parse the
values specified to the options 'num_int_cols_opt',
'num_chars_cols_opt' and 'engine'. These options takes
values separated by commas. In "parse_option()", the comma
separated values are separated and copied into a buffer
without checking the length of the string to be copied. The
size of the buffer is defined by a macro HUGE_STRING_LENGTH
whose value is 8196. So if the length of the any of the
comma separated value exceeds HUGE_STRING_LENGTH, will
result in a buffer overflow.

Fix:- A check is introduced in "parse_option()" to check
whether the size of the string to be copied is more than
HUGE_STRING_LENGTH. If it is more, an error, "Invalid value
specified for the option 'xxx'" is thrown.
Option length was incorrectly calculated for the last comma
separated value. So fixed that as well.

                 HOST WHEN IT CONTAINS WILDCARD

Description :- Incorrect access privileges are provided to a
user due to wrong sorting of users when wildcard characters
is present in the hostname.

Analysis :- Function "get_sorts()" is used to sort the
strings of user name, hostname, database name. It is used
to arrange the users in the access privilege matching order.
When a user connects, it checks in the sorted user access
privilege list and finds a corresponding matching entry for
the user. Algorithm used in "get_sort()" sorts the strings
inappropriately. As a result, when a user connects to the
server, it is mapped to incorrect user access privileges.
Algorithm used in "get_sort()" counts the number of
characters before the first occurence of any one of the
wildcard characters (single-wildcard character '_' or
multi-wildcard character '%') and sorts in that order.
As a result of inconnect sorting it treats hostname "%" and
"%.mysql.com" as equally-specific values and therefore
the order is indeterminate.

Fix:- The "get_sort()" algorithm has been modified to treat
"%" seperately. Now "get_sort()" returns a number which, if
sorted in descending order, puts strings in the following
order:-
* strings with no wildcards
* strings containg wildcards and non-wildcard characters
* single muilt-wildcard character('%')
* empty string.

Restrict when user table hashes can be viewed. Require SUPER privileges.

Description:- There is a possibility of negative array index
write associated with the function "terminal_writec()". This
is due to the assumption that there is a possibility of
getting -1 return value from the function call
"ct_visual_char()".

Analysis:- The function "terminal_writec()" is called only
from "em_delete_or_list()" and "vi_list_or_eof()" and both
these functions deal with the "^D" (ctrl+D) signal. So the
"size_t len" and "Char c" passed to "ct_visual_char()" (when
called from "terminal_writec()") is always 8 (macro
VISUAL_WIDTH_MAX is passed whose value is 8) and 4 (ASCII
value for "^D"/"ctrl+D") respectively.
Since the value of "c" is 4, "ct_chr_class()" returns -1
(macro CHTYPE_ASCIICTL is associated with -1 value). And
since value of "len" is 8, "ct_visual_char()" will always
return 2 when it is called from "terminal_writec()".
So there is no possible case so that we encounter a negative
array index write in "terminal_writec()". But since there is
a rare posibility of using "terminal_writec()" in future
enhancements, it is good handle the error case as well.

Fix:- A condition is added in "terminal_writec()" to check
whether "ct_visual_char()" is returning -1 or not. If the
return value is -1, then value 0 is returned to its calling
function "em_delete_or_list()" or "vi_list_or_eof()", which
in turn will return CC_ERROR.

NOTE:- No testcase is added since currently there is no
possible scenario to encounter this error case.

               MYISAM TABLE CAUSES THE SERVER TO CRASH

Backport to mysql-5.1

Backporting the patch to 5.1 and 5.5

Description: SSL tests are failing in mysql-5.1 pb2

Analysis: The SSL certificates are ended by jan 2015.
Hence the SSL tests are failing.

Fix: We have generated new certificates with SHA1 algorithm.

Backport from mysql-5.5 to mysql-5.1

Bug# 19699237: UNINITIALIZED VARIABLE IN
               ITEM_FIELD::STR_RESULT LEADS TO INCORRECT
               BEHAVIOR

ISSUE:
------
When the following conditions are satisfied in a query, a
server crash occurs:
a) Two rows are compared using a NULL-safe equal-to operator.
b) Each of these rows belong to different charsets.

SOLUTION:
---------
When one charset is converted to another for comparision,
the constructor of "Item_func_conv_charset" is called.
This will attempt to use the Item_cache if the string is a
constant. This check succeeds because the "used_table_map"
of the Item_cache class is never set to the correct value.
Since it is mistakenly assumed to be a constant, it tries
to fetch the relevant null value related fields which are
yet to be initialized. This results in valgrind issues
and wrong results.

The fix is to update the "used_table_map" of "Item_cache".
This will allow "Item_func_conv_charset" to realise that
this is not a constant.

Problem: UDF doesn't handle the arguments properly when they
         are of string type due to a misplaced break.
         The length of arguments is also not set properly
         when the argument is NULL.

Solution: Fixed the code by putting the break at right place
          and setting the argument length to zero when the
          argument is NULL.

Backport from mysql-5.5 to mysql-5.1

Bug#19880368 : GROUP_CONCAT CRASHES AFTER DUMP_LEAF_KEY

Problem:
find_order_by_list does not update the address of order_item
correctly after resolving.

Solution:
Change the ref_by address for a order_by field if its
SUM_FUNC_ITEM to the address of the field present in
all_fields.

Backport from mysql-5.5 to mysql-5.1

Bug #19612819 :  FILESORT: ASSERTION FAILED: POS->FIELD != 0 || POS->ITEM != 0

Problem:
While getting the temp table field for a REF_ITEM
make_sortorder is using the real_item. As a result
server fails later with an assert.

Solution:
Do not use real_item to get the temp table field.
Instead use the REF_ITEM itself as temp table fields
are created for REF_ITEM not the real_item.

Backport from mysql-5.5 to mysql-5.1 of:

Bug19770858: MYSQLD CAN BE DRIVEN TO OOM WITH TWO SIMPLE SESSION VARS

The problem was that the maximum value of the transaction_prealloc_size
session system variable was ULONG_MAX which meant that it was possible
to cause the server to allocate excessive amounts of memory.

This patch fixes the problem by reducing the maxmimum value of
transaction_prealloc_size and transaction_alloc_block_size down
to 128K.

Note that transactions will still be able to allocate more than
128K if needed, this patch just reduces the amount that can be
preallocated - as well as the maximum size of the incremental
allocation blocks.

(cherry picked from commit 540c9f7ebb428bbf9ec028feabe1f7f919fdefd9)

Conflicts:
	mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic.result
	mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic_64.result
	mysql-test/suite/sys_vars/t/disabled.def
	mysql-test/suite/sys_vars/t/transaction_alloc_block_size_basic.test
	sql/sys_vars.cc

No commit message

get_cost_calc_buff_size() could return wrong value for the size of imerge_cost_buff.

No commit message

    UPPER CASE HOST NAME ANYMORE

Description:
It is not possible to drop users with host names with upper case
letters in them. i.e DROP USER 'root'@'Tmp_Host_Name'; is failing
with error.

Analysis: Since the fix 11748570 we came up with lower case hostnames
as standard. But in the current bug the hostname is created by
mysql_install_db script is still having upper case hostnames. 
So, if we have the hostname with upper case letters like(Tmp_Host_Name)
then we will have as it is stored in the mysql.user table. 
In this case if use "'DROP USER 'root'@'Tmp_Host_Name';" it gives 
error because we do compare with the lower case of hostname since the 
11748570 fix.

Fix: We need to convert the hostname to lower case before storing into 
the mysql.user table when we run the mysql_install_db script.

The filesort implementation needs space for at least 15 records
(plus some internal overhead) in its main sort buffer.

             AS A INNODB PARTITTION.

PROBLEM
-------
The correct engine_type was not being set during 
rebuild of the partition due to which the handler
was always created with the default engine,
which is innodb for 5.5+ ,therefore even if the
table was myisam, after rebuilding the partitions
ended up as innodb partitions.

FIX
---
Set the correct engine type during rebuild.  

[Approved by mattiasj #rb3599]

REPLICATION FILTERS ARE USED.

Problem:
When Filtered-slave applies Int_var_log_event and when it
tries to write the event to its own binlog, LAST_INSERT_ID
value is written wrongly.

Analysis:
THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
is a variable which is set when LAST_INSERT_ID() is used by
a statement. If it is set, first_successful_insert_id_in_
prev_stmt_for_binlog will be stored in the statement-based
binlog. This variable is CUMULATIVE along the execution of
a stored function or trigger: if one substatement sets it
to 1 it will stay 1 until the function/trigger ends,
thus making sure that first_successful_insert_id_in_
prev_stmt_for_binlog does not change anymore and is
propagated to the caller for binlogging. This is achieved
using the following code
if(!stmt_depends_on_first_successful_insert_id_in_prev_stmt)               
{                                                                           
  /* It's the first time we read it */                                      
  first_successful_insert_id_in_prev_stmt_for_binlog=                       
  first_successful_insert_id_in_prev_stmt;                                
  stmt_depends_on_first_successful_insert_id_in_prev_stmt= 1;               
}

Slave server, after receiving Int_var_log_event event from
master, it is setting
stmt_depends_on_first_successful_insert_id_in_prev_stmt
to true(*which is wrong*) and not setting
first_successful_insert_id_in_prev_stmt_for_binlog. Because
of this problem, when the actual DML statement with
LAST_INSERT_ID() is parsed by slave SQL thread,
first_successful_insert_id_in_prev_stmt_for_binlog is not
set. Hence the value zero (default value) is written to
slave's binlog.

Why only *Filtered slave* is effected when the code is
in common place:
-------------------------------------------------------
In Query_log_event::do_apply_event,
THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
is reset to zero at the end of the function. In case of
normal slave (No Filters), this variable will be reset. 
In Filtered slave, Slave SQL thread defers all IRU events's
execution until IRU's Query_log event is received. Once it
receives Query_log_event it executes all pending IRU events
and then it executes Query_log_event. Hence the variable is
not getting reset to 0, causing this bug.

Fix: As described above, the root cause was setting 
THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
when Int_var_log_event was executed by a SQL thread. Hence
removing the problematic line from the code.

Description: Fix for bug CVE-2012-5611 (bug 67685) is 
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
check_grant_db() can be overflown by up to two bytes. That's 
probably not enough to do anything more serious than crashing 
mysqld.
Analysis: In acl_get() when "copy_length" is calculated it 
just adding the variable lengths. But when we are using them 
with strmov() we are adding +1 to each. This will lead to a 
three byte buffer overflow (i.e two +1's at strmov() and one 
byte for the null added by strmov() function). Similarly it 
happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() 
and "+1" to "copy_length" in check_grant_db(). 

WL#7266: Dump-thread additional concurrency tests                                                                                                                           

This worklog aims at testing the two following scenarios:

1) Whenever the mysql_binlog_send method (dump thread)
reaches the end of file when reading events from the binlog, before
checking if it should wait for more events, there was a test to
check if the file being read was still active, i.e, it was the last
known binlog. However, it was possible that something was written to
the binary log and then a rotation would happen, after EOF was
detected and before the check for active was performed. In this
case, the end of the binary log would not be read by the dump
thread, and this would cause the slave to lose updates.
This test verifies that the problem has been fixed. It waits during
this window while forcing a rotation in the binlog.

2) Verify dump thread can send events in active file, correctly after
encountering an IO error.

No commit message

ha_innobase::records_in_range() should return HA_POS_ERROR for the table during discarded without requesting pages.
The later other handler method should treat the error correctly.

Approved by Sunny in rb#3433

No commit message

No commit message

disable testcase due to BUG#17446090