c0addd0...
by
Dave Gosselin <email address hidden>
MDEV-32401: expression cache heap-use-after-free
Queries selecting a TEXT column by alias, then joining that with a subquery
referencing the same alias may invoke a subquery expression cache. Typically,
these caches expect to rely on heap memory for their backing temporary table,
but TEXT (and BLOB) types require an ARIA backing; in this case, a crash may
result. Such a query may look like:
SELECT t1.d FROM (SELECT c AS d FROM t0) AS t1 JOIN t0 ON (
SELECT ORD((SELECT BIT_OR(d))) FROM t0 GROUP BY d
);
This patch checks if there are blob types present before attempting to create
the SQL expression cache and if so, it does not, leaving the associated item
cache transparent.
The Expression_cache_tmptable implements the Expression_cache using a temporary
table. During Expression_cache_tmptable::init, we expect the created temporary
table to have the heap handlerton. However, for the crash in this ticket, it
is created using the ARIA handlerton instead. This happens because the
Create_tmp_table::choose_engine selects the ARIA engine because the temporary
table's associated TABLE_SHARE indicates that there are BLOB fields present.
This is true because TEXT fields are handled in the same way as BLOB fields in
our system; in our grammar, both TEXT and BLOB types rely on the
type_handler_blob handler. After the temporary table is created and the engine
associated with it, we then invoke move_field on each field associated with
the TABLE_SHARE. However, once this is complete and we return to
Expression_cache_tmptable::init, we check to see that the heap hton is used as
expected and it is not: so we delete the temporary table. Unfortunately, this
leaves the pointers inside the Field objects dangling, and we crash later as
indicated in the stack traces on this ticket. Non-BLOB types avoid this
problem because they end up with a temporary table backed by the heap
handlerton.
7aa86eb...
by
Jan Lindström <email address hidden>
MDEV-33828 : Transactional commit not supported by involved engine(s)
Problem was too tight condition on ha_commit_trans to not
allow non transactional storage engines to participate in 2pc
in Galera case. This is required because transaction
using e.g. procedures might read mysql.proc table inside
a transaction and these tables use at the moment Aria
storage engine that does not support 2pc.
Fixed by allowing read only transactions to storage
engines that do not support two phase commit to participate
in 2pc transaction. These will be committed later separately.
Signed-off-by: Julius Goryavsky <email address hidden>
3003a3d...
by
Julius Goryavsky <email address hidden>
MDEV-33840 tpool : switch off maintenance timer when not needed.
Before patch, maintenance timer will tick every 0.4 seconds.
After this patch, timer will tick every 0.4 seconds when necessary
(there are delayed thread creation), switching off completely after 20
seconds of being idle.
MDEV-33731 Only iterate over m_locked_partitions in update_next_auto_inc_val()
Only locked will participate in the query in this case. Chances are
that not-locked partitions were not opened, which is the cause of the
crash in the added test case spider/bugfix.mdev_33731 without this
patch.