Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Console View


Categories: connectors experimental galera main
Legend:   Passed Failed Warnings Failed Again Running Exception Offline No data

connectors experimental galera main
Sergei Golubchik
MDEV-40362 #mysql50# mixes up with table names in the table cache

Only allow #mysql50# prefix on table names that would've been
otherwise encoded.

It is an error to put this prefix on a table that maps to the file name
without a conversion.
Rex Johnston
MDEV-36610 Subquery wrongly eliminated by table elimination

When equality propagation (build_equal_items()) merges an equality that
contains a subquery, such as "t1.a = (SELECT ...)", with an outer join's
ON equality, it can inject a reference to that subquery into the ON
expression. If the join columns have compatible types the subquery ends
up as the constant of a multiple equality (which Item::walk() skips); if
they differ (e.g. BIGINT vs INT) the field cannot be merged and the
subquery is substituted in as a plain "tbl.col = (SELECT ...)" argument.

In the latter case, if that outer join is removed by table elimination,
mark_as_eliminated() walks the ON expression and flags the shared
Item_subselect as eliminated. The subquery, however, still lives in
another part of the query and has to be executed, tripping
DBUG_ASSERT(!eliminated) in Item_subselect::exec() (and, in release
builds, disabling the subquery cache and hiding it from EXPLAIN).

The surviving reference can be:
- a WHERE/HAVING/select-list/ORDER/GROUP expression (subquery written
  there and pushed down into the eliminated ON), or
- the ON expression of an outer join that was not eliminated (subquery
  written in a surviving outer ON and pushed down into an eliminated
  inner one).

Fix: after table elimination, walk the expressions that survive into
execution (WHERE, HAVING, select list, ORDER/GROUP BY and the ON
expressions of outer joins that were not eliminated) and clear the
"eliminated" flag on any subquery still reachable from them.

Because a subquery can also be the constant of a multiple equality, and
Item::walk() does not visit an Item_equal's constant, Item_equal gets an
unmark_as_eliminated_processor() override that descends into its constant
explicitly.

Assisted by Claude Opus 4.8
Daniel Black
MDEV-39743: IS JSON was not interuptable

The IS JSON predicate in a query wasn't able to be killed,
and could exceed the max_statement_time of a query.

Introduce the mechanics so that a killed query would
result in the correct error.
ParadoxV5
MDEV-40298 Use-After-Free when SQL Thread stops in the middle of SHOW SLAVE STATUS

MDEV-36287 acknowledged that SHOW SLAVE STATUS needed to acquire a mutex
lock before accessing the SQL Thread’s THD, as otherwise it may access
invalid memory if a concurrent STOP SLAVE deletes the THD.
But it missed that the SQL Thread’s mutex is `mi->rli.run_lock`,
not `mi->run_lock`, so the bug was still not fixed.

This commit fills the oversight in by acquiring the correct
corresponding lock for each of `Slave_IO_State` & `Slave_SQL_State`.
Sergei Golubchik
MDEV-40358 symlinked table name is not encoded

encode table name in file name in DATA/INDEX DIRECTORY
Georg Richter
Fix build
Georg Richter
Fix MySQL error: replace SLAVE by REPLICA
Georg Richter
Fix build errors
Georgi (Joro) Kodinov
MDEV-39718: Produce Markdown plugin API documentation

Generated the plugin API headers using a shell script.
Fixed some doxygen comment mistakes in the headers.
Added a cmake conveninence target to generate the docs into $BUILD_DIR/docs
Added a main page for the API docs.
Included all of the existing group .md files into the CMake target
Leveraged moxygen 2.1.11's fixes to produce the full API docs in a single go
Removed the list of output .md files from the CMake target and switched to a
stamp file to avoid unnecessary rebuilds of the docs when the list of .md
files changes.
Daniel Black
MDEV-40165 10.11 JSON functions don't respect KILL QUERY

Or max_statement_time limit.

Implement interuptability of:
* JSON_OVERLAPS
* JSON_LENGTH
* JSON_DEPTH

As json_report_error now processes the killed there's
no need of thd->check_killed(). Removed this from a few
locations.

Verified that the path after every json_scan_next, the
location of checking the killed_ptr, reports errors
correctly.
Sergei Golubchik
MDEV-40358 symlinked table name is not encoded

encode table name in file name in DATA/INDEX DIRECTORY
Georg Richter
Fix windows build error (type conversion)
Daniel Black
MDEV-40237: Parition info nullptr dereference

thd->lex is null in InnoDB purge thd. The Item_field
can take a NULL context as a pointer for resolving
field names.
Alexey (Holyfoot) Botchkov
MDEV-40356 Server crashes in XMLSchema_simpleContent::validate_prepare.

Return an error when simpleContent is empty.
Aleksey Midenkov
WITHOUT_ABI_CHECK followup

Followup for b337e14440b as info_src takes time too.
info_src does not make much sense without ABI check.
Daniel Black
MDEV-40175: JSON_VALID don't respect KILL QUERY

Or max_statement_time limit.

Change the json_valid to take a json_engine_t argument.
Adjust the Item_json_valid to have a json_engine_t and
to report an error.

Note this means that invalid json syntax now has a
note on any json error. Raising this to a warning can
cause check constraints of JSON_VALID() to result
in ER_JSON_SYNTAX rather than ER_CONSTRAINT_FAILED
(valided in main.type_json test).

Consequential changes in debug build to json acl
testing validation and unit test having a dummy json_engine_t.

json_normalize also uses the same engine that was
passed as its argument to test json_valid. Because
the character set may have changed, if there's an error
adjust the je->s.c_str pointer. Its only the offset that
is currently used in the error messages anyway so there
may be offset errors depending on the original character
set.
Georg Richter
Added additional check for post_header_lengths

If a format description event was processed, we calculate
the post_header_len for the specific event at the beginning
of mariadb_rpl_fetch and check for under- or overflow
Vladislav Vaintroub
MDEV-27561 Fix uninitialized memory in DES_ENCRYPT

Initialize keyblock to zero before EVP_BytesToKey to prevent ununitialized
access later in DES_set_key_unchecked()
Vladislav Vaintroub
MDEV-27561 Fix uninitialized memory in DES_ENCRYPT

Initialize keyblock to zero before EVP_BytesToKey to prevent ununitialized
access later in DES_set_key_unchecked()
Sergei Golubchik
MDEV-40362 #mysql50# mixes up with table names in the table cache and on disk

Only allow #mysql50# prefix on table names that would've been
otherwise encoded. It is an error to put this prefix on a table
that maps to the file name without a conversion.

Don't allow creation of new tables with the #mysql50# prefix.
bsrikanth-mariadb
MDEV-39916: Crash when pushing "NOT col" from HAVING into WHERE

Add comments near "List<Item> attach_to_conds", inside class
st_select_lex, stating that the conditions from having clause into where
optimization are added to this list.
Yuchen Pei
MDEV-31182 Check for blob too in create_key_parts_for_pseudo_indexes

BLOB and VARCHAR has keys prefixed with length of the payload. This
length data itself has length HA_KEY_BLOB_LENGTH which is 2, as
demonstrated for example in Field_blob::set_key_image and
Field_varstring::set_key_image.

In this patch, when preparing key info for a range analysis, we
account for this extra HA_KEY_BLOB_LENGTH in the total key length for
BLOB. Previously it was only done for VARCHAR. This way, when doing
the actual range analysis, LIKE (Item_func_like::get_mm_leaf) can
correctly identify that it is dealing with a BLOB, thereby allowing
the space of 2 for the length data. This avoids later
Field_blob::set_key_image reading the payload as length data and
causing reading the wrong memory segment for the payload.
Mohammad Tafzeel Shams
MDEV-39848 : MSAN use-of-uninitialized-value in
btr_sea::hash_table::lock_get()

Issue:

Race condition in adaptive hash index:
btr_sea::partition::insert() allocates a new ahi_node,
increments free_offset, and then releases blocks_mutex before
initializing the node's fields (fold, rec, next).
Meanwhile, cleanup_after_erase_start() could acquire the
mutex and retrieve the uninitialized "top" node via
last->frame + last->free_offset - sizeof(ahi_node), then
access top->fold, triggering an MSAN error.

Fix:

- btr_sea::partition::insert() :
Initialize ahi_node fields (fold, rec, next, and debug
block) while still holding blocks_mutex, before the
wr_unlock() call. This ensures the node is fully
initialized before any other thread can observe it via
cleanup_after_erase_start().
Jaeheon Shim
MDEV-39932 Accept aggregated outer columns in subquery

Under ONLY_FULL_GROUP_BY, a query that aggregated an outer column inside
a subquery was wrongly rejected. This is fixed in
Item_field::fix_outer_field by not appending the field to
select->join->non_agg_fields when thd->lex->in_sum_func is not null.

Furthermore, in Item_sum::check_sum_func, for all outer fields that are
not aggregated at their SELECT_LEX's nest level, we append these fields
to sel->join->non_agg_fields in order to ensure proper aggregation after
the Item_sum's nest_level is known.

Make sure marker still gets set upon outer field resolution, even if that
field is inside an aggregate

Later on we may find that the aggregate does not aggregate that field at the
proper level, but for this to work correctly the marker needs to be set to
the cur_pos_in_select_list at the query level of outer_field resolution

Guard against sel->join being nullptr

Approved-by: Rex Johnston ([email protected])
Yuchen Pei
MDEV-31182 Make Field_geom::set_key_image do nothing

In fact, it should not be called at all, as GIS indexes do not store
the whole data.

Remove the only known callsite covered by a testcase (added in this
commit), in print_key_part_value

The new testcase results in new coverage that exposes an MSAN
uninitialised failure, where range->end_key.keypart_map is not
assigned for GIS indexes in sel_arg_range_seq_next, so we accordingly
do not use that keypart_map in the subsequent print_range call
Daniel Black
MDEV-31554 Cursor protocol cuts off json boolean

In Item_func_json_array_append::fix_length_and_dec,
Item_bool::max_char_length() was being used to
calculate the length that is required to fit a boolean.

Previously it was returning 1, which doesn't fit
"false".

Change Item_bool to return strlen("false"), 5.
Sergei Golubchik
cleanup: main.drop test
Sergei Golubchik
MDEV-40360 CONNECT REST can pass arguments to curl via HTTP parameter

tell curl to not try to interpret url as a parameter
Yuchen Pei
MDEV-31182 Check for blob too in create_key_parts_for_pseudo_indexes

BLOB and VARCHAR has keys prefixed with length of the payload. This
length data itself has length HA_KEY_BLOB_LENGTH which is 2, as
demonstrated for example in Field_blob::set_key_image and
Field_varstring::set_key_image.

In this patch, when preparing key info for a range analysis, we
account for this extra HA_KEY_BLOB_LENGTH in the total key length for
BLOB. Previously it was only done for VARCHAR. This way, when doing
the actual range analysis, LIKE (Item_func_like::get_mm_leaf) can
correctly identify that it is dealing with a BLOB, thereby allowing
the space of 2 for the length data. This avoids later
Field_blob::set_key_image reading the payload as length data and
causing reading the wrong memory segment for the payload.
Georg Richter
Fix build error (macos)
Georg Richter
rpl: Fix boundary underflows, alignment UB, and secure fuzzer paths

Extensively hardened the replication event parsing loop and rpl_fuzzer
against integer truncation bugs, unaligned memory accesses, and stack
exhaustion vulnerabilities exposed by coverage-guided fuzzing.

Replication Engine & Packet Boundary Fixes:
- Hardened FORMAT_DESCRIPTION_EVENT parsing by enforcing strict minimum
  event length layout constraints to prevent downstream array parsing corruption.
- Hardened pointer subtraction math in RPL_CALC_SAFE_LEN to assert bounds
  checks before casting to unsigned size_t, preventing wrapped negative
  offsets (e.g., -7 length allocations) from bypassing fuzzer guardrails.
- Upgraded event validation checks throughout the case state matrix to
  strictly reject any computed lengths that evaluate to <= 0.
- Refactored loose string tracking handlers to enforce length-bounded
  memory boundary matching (memcmp) instead of raw strstr/strlen, blocking
  potential out-of-bounds reads on non-null-terminated network payloads.

rpl_fuzzer Stabilization & Sanitizer Fixes:
- Fixed UndefinedBehaviorSanitizer (UBSan) alignment runtime errors inside
  the fuzzer's length clamping loop by substituting direct uint32_t pointer
  dereferences with safe unaligned memcpy operations.
- Hardened mariadb_rpl_send_semisync_ack to eliminate dangerous unbounded
  alloca() calls on the execution stack, implementing a safe, bounded local
  fallback workspace with clean malloc/free degradation routing.
- Added explicit null verification to deep connection handles (rpl->mysql)
  to eliminate crash vectors under flaky connection drops.
Georg Richter
rpl: Fix boundary underflows, alignment UB, and secure fuzzer paths

Extensively hardened the replication event parsing loop and rpl_fuzzer
against integer truncation bugs, unaligned memory accesses, and stack
exhaustion vulnerabilities exposed by coverage-guided fuzzing.

Replication Engine & Packet Boundary Fixes:
- Hardened FORMAT_DESCRIPTION_EVENT parsing by enforcing strict minimum
  event length layout constraints to prevent downstream array parsing corruption.
- Hardened pointer subtraction math in RPL_CALC_SAFE_LEN to assert bounds
  checks before casting to unsigned size_t, preventing wrapped negative
  offsets (e.g., -7 length allocations) from bypassing fuzzer guardrails.
- Upgraded event validation checks throughout the case state matrix to
  strictly reject any computed lengths that evaluate to <= 0.
- Refactored loose string tracking handlers to enforce length-bounded
  memory boundary matching (memcmp) instead of raw strstr/strlen, blocking
  potential out-of-bounds reads on non-null-terminated network payloads.

rpl_fuzzer Stabilization & Sanitizer Fixes:
- Fixed UndefinedBehaviorSanitizer (UBSan) alignment runtime errors inside
  the fuzzer's length clamping loop by substituting direct uint32_t pointer
  dereferences with safe unaligned memcpy operations.
- Hardened mariadb_rpl_send_semisync_ack to eliminate dangerous unbounded
  alloca() calls on the execution stack, implementing a safe, bounded local
  fallback workspace with clean malloc/free degradation routing.
- Added explicit null verification to deep connection handles (rpl->mysql)
  to eliminate crash vectors under flaky connection drops.
Daniel Black
Merge 10.11 into 11.4
Vladislav Vaintroub
MDEV-27561 Fix uninitialized memory in DES_ENCRYPT

Initialize keyblock to zero before EVP_BytesToKey to prevent ununitialized
access later in DES_set_key_unchecked()

Also, harden DES_ENCRYPT against second PS execution.
Yuchen Pei
MDEV-31182 Make Field_geom::set_key_image do nothing

In fact, it should not be called at all, as GIS indexes do not store
the whole data.

Remove the only known callsite covered by a testcase (added in this
commit), in print_key_part_value

The new testcase results in new coverage that exposes an MSAN
uninitialised failure, where range->end_key.keypart_map is not
assigned for GIS indexes in sel_arg_range_seq_next, so we accordingly
do not use that keypart_map in the subsequent print_range call
Daniel Black
MDEV-40165: JSON_EQUAL/JSON_NORMALIZE dont respect KILL QUERY

Or max_statement_time limit.

JSON_EQUAL/JSON_NORMALIZE also didn't report warnings
on invalid JSON inputs.

Change the json_normalize function to take a json_engine_t
as a argument and implement the sql/item_jsonfunc.cc calls
to have a json_engine_t.

To the JSON_EQUALS and JSON_NORMALIZE, add error handling
to produce an error when there was one. compare_nested_object,
part of JSON_OVERLAPS, uses a new json_engine and
copies the error/position to the returning function.

json_normalize expects the incoming je structure to have
a valid, or nullptr, killed_ptr, as json_start will reset this.
Yuchen Pei
MDEV-31182 Fix an MSAN issue introduced in the parent commit

(this commit is split out for a targeted review that does not
duplicate the review of its parent commit)

The new testcase results in new coverage that exposes an MSAN
uninitialised failure, where range->end_key.keypart_map is not
assigned for GIS indexes in sel_arg_range_seq_next, so we accordingly
do not use that keypart_map in the subsequent print_range call
Sergei Golubchik
cleanup: main.drop test
Yuchen Pei
MDEV-31182 Make Field_geom::set_key_image do nothing

In fact, it should not be called at all, as GIS indexes do not store
the whole data.

Remove the only known callsite covered by a testcase (added in this
commit), in print_key_part_value
Rex Johnston
MDEV-36610 Subquery wrongly eliminated by table elimination

When equality propagation (build_equal_items()) merges an equality that
contains a subquery, such as "t1.a = (SELECT ...)", with an outer join's
ON equality, it can inject a reference to that subquery into the ON
expression. If the join columns have compatible types the subquery ends
up as the constant of a multiple equality (which Item::walk() skips); if
they differ (e.g. BIGINT vs INT) the field cannot be merged and the
subquery is substituted in as a plain "tbl.col = (SELECT ...)" argument.

In the latter case, if that outer join is removed by table elimination,
mark_as_eliminated() walks the ON expression and flags the shared
Item_subselect as eliminated. The subquery, however, still lives in
another part of the query and has to be executed, tripping
DBUG_ASSERT(!eliminated) in Item_subselect::exec() (and, in release
builds, disabling the subquery cache and hiding it from EXPLAIN).

The surviving reference can be:
- a WHERE/HAVING/select-list/ORDER/GROUP expression (subquery written
  there and pushed down into the eliminated ON), or
- the ON expression of an outer join that was not eliminated (subquery
  written in a surviving outer ON and pushed down into an eliminated
  inner one).

Fix: after table elimination, walk the expressions that survive into
execution (WHERE, HAVING, select list, ORDER/GROUP BY and the ON
expressions of outer joins that were not eliminated) and clear the
"eliminated" flag on any subquery still reachable from them.

Because a subquery can also be the constant of a multiple equality, and
Item::walk() does not visit an Item_equal's constant, Item_equal gets an
unmark_as_eliminated_processor() override that descends into its constant
explicitly.

Assisted by Claude Opus 4.8