
Console View


Categories: connectors experimental galera main

Sergei Golubchik
MDEV-39673 group_concat ignores max_allowed_packet

GROUP_CONCAT is limited by group_concat_max_len,
but also, as a string function it must respect max_allowed_packet.

Let's introduce THD::gconcat_max_len() helper to simplify checks.

Also:
* make max group_concat_max_len value the same as max max_allowed_packet
* use the same MY_MIN((ulonglong) ..., UINT_MAX32) in
  Item_func_json_objectagg as in Item_func_group_concat
* use overflow-safe type for lengths in Item_func_quote
  (MAX_MAX_ALLOWED_PACKET is 1G so uint cannot overflow yet, but it's
  a fragile assumption)
Vladislav Vaintroub
MDEV-37556 Memory leak in proxy protocol with name resolution enabled

When proxy protocol is used and --skip-name-resolve is not set,
thd_set_peer_addr() is called twice per connection: once for the real TCP peer (in check_connection),
and again for the proxied address (in handle_proxy_header).
Each call invokes ip_to_hostname(), which allocates a hostname string
(unless loopback connection is used) and stores it as
thd->main_security_ctx.host. That code failed to free the previously
allocated hostname, which results in a memory leak.

This is now fixed. Also added debug-only test to mysql_client_test, which
fakes DNS and IP resolution the same way some perfschema tests do, to
emulate remote TCP connection in MTR.
Sergei Golubchik
MDEV-39292 fix incorrect merge
Jan Lindström
MDEV-40027 : Galera Cluster-peer > Donor command execution

An appropriately privileged user (with SUPER privileges) could
execute shell commands as the uid of the mariadbd process
because the values of the system variable wsrep_sst_auth,
which can be modified at runtime, were not properly
sanitized when used to construct a shell command.

Combined rsync and mariabackup test cases and added
test case for incorrect values for wsrep_sst_auth.
Hemant Dangi
MDEV-39721: wsrep_notify.cc: reject shell-unsafe characters in joiner-supplied member fields

Issue:
wsrep_notify_status() interpolated members[i].name() (the peer's
wsrep_node_name) and members[i].incoming() verbatim into a command
string that is then executed via 'sh -c' by wsp::process. A peer
joining the cluster with shell metacharacters in its wsrep_node_name
or wsrep_node_incoming_address caused arbitrary commands to run on
every cluster member that had wsrep_notify_cmd configured.
MDEV-39413 introduced safe() for the same threat class in the SST
scripts but did not cover the C++ wsrep_notify path.

Solution:
Validate each substituted field against a narrow whitelist before
interpolating. Node name allows alnum and -_. ; node address
additionally allows :[]/ for host:port and [ipv6] forms. On bad
input the notification is skipped with an error log instead of
forwarding the unsafe value to sh -c.
Hemant Dangi
MDEV-39648: wsrep_sst_rsync.sh: apply safe() to joiner-supplied parameters

Issue:
wsrep_sst_rsync.sh interpolated WSREP_SST_OPT_REMOTE_USER and
WSREP_SST_OPT_REMOTE_PSWD verbatim. Because both values originate from
the joiner side of the SST request, a newline in either could splice
an extra directive into the donor-written stunnel.conf (silently
downgrading peer-cert verification) or an extra line into the rsync
magic file. MDEV-39413 had introduced safe() for the same threat class
in wsrep_sst_mariabackup but did not extend it to the rsync script.

Solution:
Routing the rsync interpolations through safe() closes the gap, and
extending safe() to also reject tab and newline ensures multi-line
values cannot survive into a config-file heredoc.
Teemu Ollakka
Add missing notify_state_change() in Wsrep_client_service.

The change was forgotten from previous rebase/wsrep-lib update.
Sergei Golubchik
MDEV-40059 too long character_set_collations crash
Dave Gosselin
MDEV-36059: 2nd PS exec crash w/nested VIEWs

A prepared statement runs preparation again on every execution, and
preparation merges any VIEWs named in the statement.  A VIEW that
appears only inside a subquery is meant to be skipped by the merge for
insert pass during mysql_handle_derived, since it is not the target of
the DELETE.

The first execution prepares with the subquery still nested, so the
view is correctly skipped, and the DELETE succeeds.  Optimization then
converts the IN subquery into a semi-join and adds its tables into the
first SELECT_LEX's table list (reassigning them to that SELECT_LEX).
This conversion is meant to persist for later executions.

Then the PS's second execution prepares against the already flattened
VIEW.  mysql_handle_derived now finds the subquery's VIEW among the
first SELECT_LEX's tables and tries to merge it.  mysql_handle_derived
already had some existing skip logic to recognize a VIEW, but the
semijoin conversion has already merged the VIEW into the first
SELECT_LEX, so the skip doesn't correctly apply.  So a nested VIEW is
merged for insert with no table, causing a crash on the NULL table
pointer.

Solution is to skip a table during mysql_handle_derived when it is the
inner side of a semijoin, recognized by its embedding semijoin nest.
drrtuy
disable sfinae-incomplete warning for DuckDB code.
forkfun
Merge branch '10.11' into '11.4'
Kristian Nielsen
Document the correct use of replication terminology

Signed-off-by: Kristian Nielsen <[email protected]>
Sergei Golubchik
strengthen safe() in wsrep_sst_common, just in case
Marko Mäkelä
MDEV-39344: trx_disconnect_prepared() uses wrong mutex

trx_t::disconnect_prepared(): Replaces trx_disconnect_prepared().
Protect is_recovered, mysql_thd with mutex, to be consistent with
protecting fetch_data_into_cache_low().

This fixes up
commit c0817dac99c28698dfc2b548d89acf1fb41dc32e (MDEV-29575).

Suggested by: Sergey Vojtovich
Sergei Golubchik
MDEV-39676 disallow global.wsrep_sst_donor=NULL again

it crashes in galera.mdev-28433
Sergei Golubchik
MDEV-39581 dynamic column header missing sanity checks
Jan Lindström
MDEV-40056 : Analyze Galera Dynamic Variables Susceptible to RCEs

Fix potential issue with wsrep_node_address by allowing
only correctly constructed address.
Hemant Dangi
MDEV-38843: BF applier failed on a node causing complete Cluster lockup

Issue:
When a BF applier failed to apply a write set and the transaction
rollback returned non-zero, wsrep-lib's apply_write_set() short-circuited
log_dummy_write_set(). That call releases commit order through
commit_order_leave() -- which drives the inconsistency vote -- and
advances the storage engine checkpoint. Skipping it left the seqno stuck
in commit order, so following appliers blocked on commit_order_enter and
the node silently locked the cluster while staying in the primary
component.

Solution:
wsrep-lib now always calls log_dummy_write_set() on the apply-error path,
so the apply error reaches the provider and the node is voted out and
evicted instead of hanging. The rollback result is still folded into ret,
and Wsrep_high_priority_service::rollback() returns its real result again.
forkfun
Merge branch '11.4' into '11.8'
Vladislav Vaintroub
MDEV-40001 my_sync() does not use NtFlushBuffersFileEx()

Copy the logic from Innodb. Use a fallback to FlushFileBuffers(), if
NtFlushBuffersFileEx() fails.

my_winfile.c is renamed to my_winfile.cc, since it is using a C++ feature,
initialization of global variable using non-constant expression.
Exported functions remain extern "C"
Sergei Golubchik
update CODING_STANDARDS.md for agent era

* moved human-oriented hopefully eventually consistent coding style
  document to https://mariadb.org/about/coding-style/
* rewrote the document in an agent friendly way: main rule first,
  don't repeat rules that the agent would follow by default anyway,
  highlight differences with the defaults, don't overdo explaining.
* asked claude to look through sql/ and mysys/ extract common patterns and
  add them here as rules
Daniel Bartholomew
bump the VERSION
Thirunarayanan Balathandayuthapani
MDEV-34998 Assertion `n_fields > n_cols || type & 32' failed in dict_index_t::init_change_cols on ALTER

Problem:
=======
During ALTER TABLE with column type modification and index addition,
InnoDB aborts with an assertion failure when processing collation
changes for single-column secondary indexes.

Solution:
========
dict_index_t::init_change_cols(): A single-column prefix secondary
index can have n_cols == n_fields when the column is the same as
the primary key column and undergoes a collation or type change
during ALTER TABLE.
Sergei Golubchik
fix columnstore for new cmake
Sergei Golubchik
MDEV-39658 ASAN crash on invalid proxy_protocol_networks value

max_subnet estimate was off by one.

* only allow address with a known family
  (trips an assert in addr_matches_subnet())
* adjust max_subnet estimate accordingly
drrtuy
chore: avoid building DuckDB at x86_32.
Oleg Smirnov
MDEV-36344: UBSAN Lifo_buffer::have_space_for change

Adjust Lifo_buffer::have_space_for to not lead itself to UBSAN
overflows.
Dave Gosselin
MDEV-36059: 2nd PS exec crash w/nested VIEWs

A prepared statement runs preparation again on every execution, and
preparation merges any VIEWs named in the statement.  A VIEW that
appears only inside a subquery is meant to be skipped by the merge for
insert pass during mysql_handle_derived, since it is not the target of
the DELETE.

The first execution prepares with the subquery still nested, so the
view is correctly skipped, and the DELETE succeeds.  Optimization then
converts the IN subquery into a semi-join and adds its tables into the
first SELECT_LEX's table list (reassigning them to that SELECT_LEX).
This conversion is meant to persist for later executions.

Then the PS's second execution prepares against the already flattened
VIEW.  mysql_handle_derived now finds the subquery's VIEW among the
first SELECT_LEX's tables and tries to merge it.  mysql_handle_derived
already had some existing skip logic to recognize a VIEW, but the
semijoin conversion has already merged the VIEW into the first
SELECT_LEX, so the skip doesn't correctly apply.  So a nested VIEW is
merged for insert with no table, causing a crash on the NULL table
pointer.

Solution is to skip a table during mysql_handle_derived when it is the
inner side of a semijoin, recognized by its embedding semijoin nest.
Marko Mäkelä
MDEV-39344: fetch_data_into_cache() clears "is_truncated"

There is a memory limit implemented for the INFORMATION_SCHEMA tables
innodb_trx, innodb_locks, innodb_lock_waits. The predicate
trx_i_s_cache_is_truncated() would never hold in
trx_i_s_common_fill_table() due to a logic bug that had been
introduced in a refactoring.

fetch_data_into_cache(): Shrink the critical section of lock_sys.latch
and do not unconditionally reset cache->is_truncated when leaving the
function. This fixes a correctness regression that had been introduced
back in 2007 by commit 5cbf4e3840491c2d80928641bc0fbb8135e9c201
for the InnoDB Plugin for MySQL 5.1, which later became
the built-in InnoDB in MySQL 5.5 and MariaDB Server 5.5.

Reviewed by: Sergey Vojtovich
Sergei Golubchik
MDEV-39657 ASAN error on malformed WKB point

check data length for Gis_point
Sergei Golubchik
only check for duckdb stuff if target duckdb is enabled
Sergei Golubchik
refactor submodule.cmake to fetch less

don't update all submodules automatically,
only update those that are actually used by the build
Marko Mäkelä
MDEV-39344: Fix a TOCTOU race

trx_i_s_possibly_fetch_data_into_cache(): Fetch into the cache and
return whether the cache was truncated. Previously, we checked this
flag without holding any latch.

trx_i_s_cache_start_write(), trx_i_s_cache_end_write(),
trx_i_s_cache_is_truncated(): Remove. These are now part of
trx_i_s_possibly_fetch_data_into_cache().

trx_i_s_cache: Remove. The singleton cache object can be a static object
with no pointer indirection.
Sergei Golubchik
MDEV-39622 OBJECT_INSTANCE_BEGIN in P_S are unstable, difficult to compare

let's show stable values that don't change between runs
Oleksandr Byelkin
Merge branch '10.6' into 10.11
Dmitry Shulga
MDEV-40004: Server crashes in sp_head::register_instr_mem_root_for_deallocation upon shutdown

On shutdown server could crash in case triggers executed during server run
and some of triggers instructions were re-compiled.

The crash is caused by attempt to allocate a memory for storing pointers
on mem_roots used for memory allocation taken place on re-parsing failing
trigger's statements. The reason of crash is dereferencing of nullptr
returning by the function current_thd().

To fix the issue, use dummy THD on shutdown the table definition cache.
tdc_start_shutdown() is solely invoked from the function clean_up()
but the latter is called from many places around the source code, not only
from mysql_main(), particularly clean_up() is called from unireg_abort().
Therefore, the extra argument added into the signature of the function
cleanup() to allow explicit request of use dummy THD on shutdown the table
definition cache.
Sergei Golubchik
MDEV-40058 cached_sha2_password crashes on zero-length password

valid encrypted password cannot have zero length and must end with '\0'
Ian Gilfillan
MDBF-1180: Fix errors in CONTRIBUTING.md
Dave Gosselin
MDEV-38210: Unary negation of LONGTEXT, wrong result under GROUP BY

Unary negation of a LONGTEXT or LONGBLOB value returned the wrong
result under GROUP BY.  The length of the result was set to the
argument length plus one for the sign, but for these two types the
argument length is already the largest value the length field can
hold, so adding one wrapped it back to zero.  A zero length result
loses its value when it is stored in the temporary table that GROUP BY
builds, so the query returned an empty value instead of the expected
number.  The argument length is now limited before the sign character
is added, so it can no longer wrap to zero.
Daniel Black
MDEV-36344: UBSAN DsMrr_impl::dsmrr_init on null ptr

Under SQL_SELECT::test_quick_select there isn't
a mrr buffer. The TRP_RANGE.mrr_buf_size is explicitly
set to 0 in get_best_index_intersect.

Rather than hit undefined behaviour in what
eventually results in full_buf being nullptr,
jump the case and go directly to use_default_impl.