A Tale of Two MySQL Bugs
New submitter Archie Cobbs writes "Last May I encountered a relatively obscure performance bug present in both MySQL 5.5.x and MariaDB 5.5.x (not surprising since they share the same codebase). This turned out to be a great opportunity to see whether Oracle or the MariaDB project is more responsive to bug reports. On May 31 Oracle got their bug report; within 24 hours they had confirmed the bug — pretty impressive. But since then, it's been radio silence for 3 months and counting. On July 25, MariaDB got their own copy. Within a week, a MariaDB developer had analyzed the bug and committed a patch. The resulting fix will be included in the next release, MariaDB 5.5.33."
Why fix it? (Score:3, Interesting)
Why would Oracle fix a bug in something they're trying to kill off?
Re: (Score:3)
Apart from the copyright issues, pretty much. They'd better not do it though since they currently have all the copyright to MySQL code and incorporating a patch this way would kill all the advantages to this (namely, the option to close-source MySQL)
Re: (Score:2)
Examining the patch would make it stupid-easy for them to go and fix it, without actually applying the patch.
We need more data (Score:5, Interesting)
A sample size of one is insufficient to make any meaningful conclusions.
Anyone up for scraping the two bug trackers and finding more identical bug reports?
Re:We need more data (Score:5, Insightful)
A sample size of one is insufficient to make any meaningful conclusions.
That sort of thinking won't get you very far in politics.
Re: (Score:3)
You also have to wonder about the two month delay in sending the bug to mariaDB. Did that allow them to take advantage of some over the beer mug discussion with Oracle employees about who was going to release it first?
Re: (Score:2)
You also have to wonder about the two month delay in sending the bug to mariaDB. Did that allow them to take advantage of some over the beer mug discussion with Oracle employees about who was going to release it first?
Doh. Because if you submitted to both teams at the same time then as soon as one fixed it then the other can just migrate the fix into their code. Of course this could have backfired on him if Oracle had fixed it super quick he would have no way to accurately test the responsiveness of the MariaDB team without finding a similar bug and next time submitting it to MariaDb first.
As it is though the problem is that as I read the bug report filed with MariaDB it would not surprise me if they fixed this super qui
Re: (Score:3)
Indeed. This "bug" seems pretty stupid. I mean on the submitter's part. Why would any vendor spend much time solving this problem when it should be simple enough not to write such stupid SQL to begin with. Anyone who spent time working on this probably had nothing much better to do.
I mean really, I get it, but what is the use case for 'if a constant is equal to a different constant'?
Re: (Score:2, Interesting)
Indeed. This "bug" seems pretty stupid. I mean on the submitter's part. Why would any vendor spend much time solving this problem when it should be simple enough not to write such stupid SQL to begin with. Anyone who spent time working on this probably had nothing much better to do.
I mean really, I get it, but what is the use case for 'if a constant is equal to a different constant'?
That's what I thought when the submitter said:
But when I comment out the 'M002649397' IS NULL OR clause (which has no effect on the result),
Yes, I guess technically this is a bug, but the obvious answer seems to be "Don't write stupid code in the first place". If you can take it out with no effect on the result, then why is it in there in the first place?
Re:Translation (Score:4, Insightful)
Dynamic query generation? The literal might actually be a variable on the client side - say, the contents of some optional string.
Re: (Score:2)
Yep.
select 1 from
table where
(? IS NULL OR foo = ?) and
(? IS NULL OR bar = ?) and
(? IS NULL OR baz = ?)
where foo, bar and baz are all optional.
coalesce (Score:2)
select 1 from
table where
(coalesce(?, foo) = foo) and
(coalesce(?, bar) = bar) and
(coalesce(?, baz) = baz)
Re: (Score:2)
Re: (Score:2)
But, eh... Only works for the simple case I guess...
(? IS NULL OR foo LIKE '%'||?||'%') AND
(? IS NULL OR bar = ?) AND
(? IS NULL OR (A = ? OR B = ? OR C = ?)) AND
(? IS NULL OR baz = to_date(?||'-'||?,'YYYY-MM'))
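Added example (mine, not code from the thread or from either project): the query shapes discussed above, the `? IS NULL OR col = ?` form, the `coalesce(?, col) = col` form, and a generator that simply omits any predicate whose value is absent, run against an in-memory SQLite table standing in for MySQL/MariaDB. The table `t`, its columns and the sample rows are constructed for the example. It shows two things worth checking before calling a clause "no effect on the result": the coalesce form silently drops rows where the column itself is NULL, and the generator never hands the planner a constant predicate at all, so it sidesteps the optimizer problem in the submission while still binding every value (no interpolation of user input into the SQL text).

```python
"""Added example, not from the thread or either project: the optional-filter
query shapes discussed above, run on SQLite as a stand-in for MySQL/MariaDB."""
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample rows; the NULLs are deliberate so the coalesce form's blind spot shows.
ROWS = [
    (1, "alice", "ops", None),
    (2, "bob", "dev", "eu"),
    (3, "carol", None, "us"),
]
ALLOWED_COLUMNS = ("foo", "bar", "baz")  # hypothetical schema for the example


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, foo TEXT, bar TEXT, baz TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?, ?, ?)", ROWS)
    return conn


def query_is_null_or(conn: sqlite3.Connection, foo: Optional[str] = None,
                     bar: Optional[str] = None, baz: Optional[str] = None) -> List[int]:
    """The '? IS NULL OR col = ?' form: each value is bound twice, and an absent
    filter reaches the server as a constant predicate the planner has to fold away."""
    sql = ("SELECT id FROM t WHERE (? IS NULL OR foo = ?) AND (? IS NULL OR bar = ?) "
           "AND (? IS NULL OR baz = ?) ORDER BY id")
    return [r[0] for r in conn.execute(sql, (foo, foo, bar, bar, baz, baz))]


def query_coalesce(conn: sqlite3.Connection, foo: Optional[str] = None,
                   bar: Optional[str] = None, baz: Optional[str] = None) -> List[int]:
    """The 'coalesce(?, col) = col' form. With the filter absent this becomes
    'col = col', which is NULL rather than true for rows where col is NULL."""
    sql = ("SELECT id FROM t WHERE coalesce(?, foo) = foo AND coalesce(?, bar) = bar "
           "AND coalesce(?, baz) = baz ORDER BY id")
    return [r[0] for r in conn.execute(sql, (foo, bar, baz))]


def build_filtered(filters: Dict[str, Any]) -> Tuple[str, Tuple[Any, ...]]:
    """Emit only the predicates whose value is present. Column names are checked
    against a fixed allow-list; values are always bound, never interpolated."""
    clauses: List[str] = []
    params: List[Any] = []
    for col, val in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown filter column {col!r}")
        if val is None:
            continue
        clauses.append(f"{col} = ?")
        params.append(val)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT id FROM t WHERE {where} ORDER BY id", tuple(params)


def query_generated(conn: sqlite3.Connection, **filters: Optional[str]) -> List[int]:
    sql, params = build_filtered(filters)
    return [r[0] for r in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("IS NULL OR", query_is_null_or), ("coalesce", query_coalesce),
                     ("generated", query_generated)):
        print(f"{name:10s} no filters -> {fn(db)}   foo=alice -> {fn(db, foo='alice')}")
```

With no filters the IS NULL OR form and the generator return all three rows, while the coalesce form returns only the row with no NULL columns. The generator is the only one of the three that does not depend on the server's constant folding, and because column names come from an allow-list and values are always bound, it stays safe to feed from request parameters.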
Re: (Score:2)
Re: (Score:2)
I'm not even sure this is a bug. It's kind of like complaining that my C compiler didn't optimize out my infinite loop:
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    printf ("Die bastards\n");
    while (1) ;   /* never exits; everything below is unreachable */
    printf("Please die bastards\n");
    exit (-1);
}
Whose problem is it?
Re: (Score:2)
Yea, I trust you on accurately reporting this.
This is surprising why? (Score:5, Insightful)
Small projects can be about purity. Making the best possible code base you can. Especially ones where people work on it for free -- they wouldn't be working on it if they didn't deeply believe in it.
Large corporations have different goals. The success of a changeset is not measured in how many bugs you fix or even how many features you add, but how much positive impact your paying customers and shareholders perceive.
Re: (Score:2)
Small projects can be about purity. Making the best possible code base you can. Especially ones where people work on it for free -- they wouldn't be working on it if they didn't deeply believe in it.
That may be true, but if people are working for free, the project can suffer from an inadequate amount of labor and the existing workers might have trouble getting stuff done in addition to their day job.
Re: (Score:2)
That may be true, but if people are working for free, the project can suffer from an inadequate amount of labor and the existing workers might have trouble getting stuff done in addition to their day job.
this does happen in medium-big software companies too. not because of lack of resources, but because of poor management or just because "existing workers might have trouble getting stuff done *right* because of 'other priorities' ".
Re: (Score:2)
Small projects can be about purity. Making the best possible code base you can. Especially ones where people work on it for free -- they wouldn't be working on it if they didn't deeply believe in it.
That may be true, but if people are working for free, the project can suffer from an inadequate amount of labor and the existing workers might have trouble getting stuff done in addition to their day job.
The bigger problem with when people are working for free is that they generally want to avoid the horrible can of worms bugs that need to be fixed by a shitload of horrible refactoring and concentrate on fixing silly little things instead. The other problem is where they have to do things that seem utterly wrong in principle to the developer like implement a broken and entirely wrong standard but that needs to be done for the sake of the project as a whole. (Disclaimer - I work with SCORM, the defacto broke
Re: (Score:2)
That doesn't change the equation one iota. Do you want the one that promptly fixes bugs or the one that holds off until the stockholders vote?
Small project? (Score:3)
Re: (Score:2)
I was promised a flying car. Where is my flying car?
Since religious nutjobs started crashing planes into buildings flying cars have been put on the back burner for a while. Sorry.
Well... (Score:5, Insightful)
Re: (Score:2)
Shanking with a rusty spoon? No, now the correct way to describe unfairness on Oracle's side is that you're adding weight to a kingpost [sail-world.com].
Not really a fair test (Score:5, Insightful)
Worst part (Score:2)
Re: (Score:2)
More likely, the intern found a more interesting project to work on and is hoping that his/her boss doesn't notice they didn't fix that bug before they go back to school.
Oracle probably did testing.... (Score:3)
Oracle, love'em or hate'em makes some rock solid databases. The reason for the delay in the patch release was most likely testing and validation of the patch. I am assuming Oracle does this for MySQL but, what do I know?
Re: (Score:2)
but, what do I know?
Clearly not a lot, yet still you infer to know a great deal.
Ever considered getting into politics?
Re: (Score:2)
Not sure which is funnier; the idea that MySQL is a "rock solid databases" or that Oracle cares about validating its optimizer. I'll just point you at Top 10 Optimizer Regression Bugs in MySQL 5.6 [blogspot.com] and wander off now.
Oracle's testing suite is secret. (Score:3)
Re: (Score:2)
Oracle, love'em or hate'em makes some rock solid databases.
I suppose if you ignore annoying database bugs and endless parade of critical security vulnerabilities I could see this being true.
Re: (Score:2)
Oracle, love'em or hate'em makes some rock solid databases.
Yes, their databases are so rock-solid it is like getting blood from a stone if you need anything less than a business-critical patch (including fixes that have already been made on another platform) . This has been my experience on at least two separate occasions. I gave up waiting for a fix for a TCP-connect issue because they don't know how to handle EINTR during a 'connect'.
What about 10 year old mysql bugs? (Score:5, Interesting)
For example, #1341. 10 fucking years old.
#68892 - best comment on the bug: 'Not quite sure how the severity scales are generally used, but shouldn't a trivial command that breaks the one feature that is being splatted all over the homepage as having significant improvements be a little higher than "non-critical" ?'
What about stupid shit like this: http://www.darkreading.com/database/expect-a-surge-in-breaches-following-mys/240001958?cid=nl_DR_daily_2012-06-14_html&elq=7e0510c44883432fa8e79c2ebde2ecb8 [darkreading.com] "The vulnerability itself is in the way MySQL accepts passwords -- the bug makes it such that there's a one in 256 chance that the wrong password will still grant the user access to an account. So an endless loop of attempts will eventually grant an attacker access. It was a bug so unique that Moore says some MySQL developers ran into it, couldn't reproduce it ,and eventually chalked it up as a fluke."
Is MySQL even ACID compliant yet, without addons?
http://nosql.mypopescu.com/post/1085685966/mysql-is-not-acid-compliant [mypopescu.com]
Re: (Score:3)
#1341. 10 fucking years old
Pffft, give Oracle time .. they can best it.
Re:What about 10 year old mysql bugs? (Score:5, Informative)
I don't think it's possible for MySQL to get the "C" part in ACID right without a total rewrite, which seems unlikely under Oracle's watch. There used to be all sorts of trivial ways you could insert garbage data into MySQL, things like February 31 being a valid date or numbers going into boolean fields. They added this strict mode [mysql.com] as a way to add validation for most of that. But strict is a client setting. All it takes is one client that ignores this, and the engine will still let you put garbage into there--values that are not going to be valid if you later work on them using a strict setting client. If you can put data in one end of that's not correct when read by another client, that's the exact opposite of a "consistent" database. It boggles my mind that anyone finds this acceptable. I guess people who do all their validation on the client are fine with it maybe? I can't explain how people who don't understand databases at all make their decisions.
I don't follow MySQL closely enough to know if they're still silently truncating data sometimes too, but that's been a nagging problem over the years too. Strong validation of data is like security: you don't just bolt it on later. It's something that needs to be enforced in as many places as possible in the code, if you want any hope of getting it right and bug-free. If you actually want data to be validated in all situations, you need to use something like PostgreSQL instead. There, even new types you add to the database can execute any check constraint function you want before that data is allowed in, period. That overhead contributes to why MySQL is faster on trivial things, but sometimes you get what you pay for.
Re: (Score:2)
The popular web frameworks these days have a little bit of wrapper code which maps DB values to native values. So for instance it's impossible to insert an incorrect date as it would not be possible to construct it with the API you have to go through. So in practice, it's not really an issue for new systems.
Also, while it's lame if MySQL doesn't catch those and I've certainly seen enough legacy DB systems to appreciate the RDBMS-consistency-rules-as-last-line-of-defence idea, I do think that these days, if
Re: (Score:2)
Definitely a new way to look at security - yeah, our stuff's shitty, but has there been a huge increase in breakins huh? HUH?! HUH?!! Yeah! So shut the fuck up!
Re: (Score:2)
The other AC posted a very interesting article. You should read: http://grimoire.ca/mysql/choose-something-else [grimoire.ca]
Re: (Score:2)
'foo' is null is a user problem (Score:2)
The optimizer is correct in making it run poorly, it is poor sql to begin with. If anything it should throw an error instead of accepting garbage.
If I saw you putting that in a project I would quickly fire your arse. Heck, I'd probably fire you for using mysql to begin with.
Then what are computers for? (Score:2)
Re: (Score:2)
The documentation explicitly says cases like this are optimized away. This also makes writing parametrized queries easier: you don't need to care about optional arguments, as the server will do this for you.
I agree with you about using mysql, though.
Re: (Score:2)
If the documentation says it does, then yes, it is in fact the optimizers job.
If it's not actually going to do it, then they shouldn't say it will.
Oracle will have the patch when they buy MariaDB (Score:2)
Re:Oracle will have the patch when they buy MariaD (Score:4, Insightful)
Yup, MariaDB is playing the same copyright assignment [mariadb.com] tricks that Monty used before, so that he could leverage community work yet still sell MySQL as a business. No reason to believe he's doing anything different this time. When the FSF asks for copyright assignment, that's acceptable because they have never breached the trust of their contributors. But when Monty does it, you have to assume he's setting things up so he can cash out again.
Monty probably won't (Score:2)
Time to RTFBugReport (Score:3)
MySQL bug is lodged with a priority of "S5" - pretty low.
MariaDB bug is "Major".
No shit one was fixed before the other.
Let's be fair to Oracle... (Score:2)
...it takes time to derive a method of generating revenue from a bug...
This is a complete troll! (Score:2)
Calling out a bug for comparing a quoted string to null, eg: '1234mhgt' = null tripping up the optimizer?
No wonder Oracle is ignoring their asses. I would too!
Why am I not surprised? (Score:2)
A couple of years ago, I had a tech support call into Oracle for a Sun server. It took them almost a *month* to send out an FE, and that time included two weeks of emailing an engineer on another continent (S. America), and an "in country" engineer... who only worked third shift.
Oh, and after escalating it, three managers in three days "taking ownership".
I expect *everything* that Larry buys to be supported that way.
mark "wouldn't want to waste money
Re:A Post with an Agenda (Score:5, Funny)
Re: (Score:2, Informative)
Re:A Post with an Agenda (Score:4, Funny)
Has anyone checked with Oracle on the status of this?
I checked. They said they are waiting for the NSA to approve the code change.
Re:who cares? (Score:5, Interesting)
mysql is of historical curiosity. At best.
I'd be willing to bet there are more deployments of MySQL than of all other standalone RDBMSs combined.
Re: (Score:2)
I bet there are more sqlite and berkeleydb's out there than mysql.
Re: (Score:2)
That's why he said "standalone" databases, to exclude sqlite. I never knew about Berkeley DB though, lol. It has been seized by Oracle in 2006.
Re: (Score:3)
I never knew about Berkeley DB though, lol. It has been seized by Oracle in 2006.
If you work on a FLOSS project that uses BDB, seriously consider if LMDB [symas.com] can work for you as well (or often better).
Re: (Score:2)
Especially as BDB got relicensed to a non-free license.
Re: (Score:2)
sqlite3 not standalone enough? j/k. kinda.
Re:who cares? (Score:5, Interesting)
The confusion arising from the fact that oracle mysql shares the same name with the former mysql, while mariadb which is philosophically the natural heir of the latter had to choose a different name.
Apparently Oracle did the right thing by buying up the name, many fall for it and many others mod them up. Depressing, huh.
And now you all proper slashdotters are thanking God that something named "postgresql" has basically no marketing value, aren't you.
Re: (Score:3)
Re: (Score:2)
when a behemoth like Oracle signs a contract, they know exactly what they buy. Monty can sell whatever he owns to whoever he likes, IMHO. It's nothing compared to violation of GPL terms, for example. It's a good idea to keep the source and license of every important piece of software you use, for exactly those reasons, and consider work signed over to someone else as LOST.
Re: (Score:2)
Re: (Score:2)
Those who signed over their work to monty do have the open source mariaDB in return, no? That one is as controllable as mysql code (which Oracle can't close down).
If you don't want to feel cheated do not contribute anything under any license. As I said, GPL violations are way worse, so anything you put under GPL and gets stolen by the chinese manufacturer or the korean big corporation should make you way angrier.
Re:who cares? (Score:4, Insightful)
I'd be willing to bet there are more deployments of MySQL than of all other standalone RDBMSs combined.
I'd be willing to bet there are more deployments of SQLite than all other standalone RDBMSs combined.
Re: (Score:2)
And that's why Window XP is the best OS around, right?
Re:who cares? (Score:5, Funny)
Because we all know that's how you tell that something's better.
I'm taking my Betamax tapes and going home! And get off my lawn!
Re:who cares? (Score:5, Funny)
Some people never learn until you throw a laser disc at them. It smarts enough that they normally don't want a repeat.
Re: (Score:3, Insightful)
Read the post quoted above you fucklord. It had nothing to do with how good MySQL was and everything to do with how "irrelevant" it is even though it's used on every single fucking shared hosting box ever.
And yes, it sucks.
Re:who cares? (Score:5, Insightful)
Re:who cares? (Score:4, Informative)
[Citation Needed]. Among industry watchers the two most popular RDBMS systems are considered to be Oracle and Microsoft's SQL Server. MySQL is in the same ballpark, but it certainly doesn't have a large lead. Here's one survey [db-engines.com] showing that via a few metrics they combine. You'll get the same sort of ranking if you dig into most market surveys.
Re:who cares? (Score:4, Informative)
Re:who cares? (Score:4, Insightful)
You might not agree with their methodology, but I did provide a reference for my claim. You should try it some time. Betting on a hunch is not a path to successful argument.
Re: (Score:2)
Re: (Score:2)
[Citation Needed]. Among industry watchers the two most popular RDBMS systems are considered to be Oracle and Microsoft's SQL Server. MySQL is in the same ballpark, but it certainly doesn't have a large lead.
well, in terms of price/performance ratio mysql/mariaDB simply cannot be beaten :D
by the way, as someone who grew up in engineering using db2, I can tell you oracle and sqlserver are two steaming piles of expensive crap. if you use them, you are doing it wrong, you should look for more value for your money.
Re: (Score:2)
There are plenty of benchmarks that show MSSQL and Oracle with better price/performance ratio than MySQL. Here [tpc.org] is an example of a benchmark and here [wordpress.com] is a random person who did the math and found out that the licensing cost of MSSQL is more than balanced by the lower support cost in a large installation.
I'm not saying that MySQL isn't a good choice, just that the licensing cost is only a small part of the cost of a DBMS installation, so MySQL being open source really isn't that big of a price advantage unl
Re: (Score:2)
here [wordpress.com] is a random person who did the math and found out that the licensing cost of MSSQL is more than balanced by the lower support cost in a large installation.
Part of the assumptions in the listed prices are that only Microsoft SQL Server won't have a support contract.
Re: (Score:2)
MySQL only for small places?
That makes no sense. Software licensing costs are always prohibitive at scale.
For a single machine it doesn't matter if you're adding 1k for the software or not. If you're doing that for 25 machines, it suddenly becomes a lot more important.
There's a bunch of larger websites around which have somewhere between tens and thousands of database servers around. Usually in a replicated setting which is very heavy on reads and has basically no writes which means they shard their databas
Re: (Score:2)
Re: (Score:2)
I don't know any rdbms that requires a single user/password for each application.
Re: (Score:2)
Re: (Score:2)
If you need to have more than a 1 to 1 mysql to php setup you need a database with a workable user management.
I don't see how the MySQL user rights configuration is any more difficult to use than any other database. Admittedly, it's easy to get bitten if you forget that the login permissions are based on a combination of username and connection source (IP or hostname), which allows a "user" to have different passwords depending on where they are connecting from.
After that, it's pretty much the same "GRANT" command used by every SQL-based database to give fine-grained access to objects.
Re: (Score:2)
Being better is irrelevant to whether something is "of historical curiosity" or is actually in widespread current use.
Maybe you should learn to read?
Re: (Score:2)
Who said anything about better? We're talking about irrelevance.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Incorrect as SQLite isn't a stand alone which was clearly a qualifier. A word of advice, best not to correct other's for spelling as you will often make a mistake as bad or worse.
What specifically makes SQLite not a "standalone" database?
Re:who cares? (Score:4, Informative)
What specifically makes SQLite not a "standalone" database?
The 'server' is embedded in the application, which means one instance per app instance. A true standalone RDBMS runs (a minimum of) one instance that multiple (instances of) apps query.
Re: (Score:3)
The 'server' is embedded in the application, which means one instance per app instance. A true standalone RDBMS runs (a minimum of) one instance that multiple (instances of) apps query.
If my application accesses a SQLite database via odbc is it "embedded" in my application? How is the database not logically a standalone component in this case?
If my application accesses SQLite database via a socket API does that count?
SQLite also facilitates concurrent access via shared memory. The only limit I'm aware of is the concurrency model where you basically get one open transaction (excluding temp table) per database but lots of concurrent readers are possible. I'm not so sure I buy what is being i
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
One could argue that SQLite doesn't run in a multi-user mode on its own. You'd have to put another process in front of it to serialize requests, if you wanted to serve web site data from it. Is that your point?
Re: (Score:2)
He's using the possessive sense [angryflower.com]. Spelling is something that the other possesses. Seems correct to me.
Re: (Score:2)
hah.
Re: (Score:2)
Not really. It's a failure to calculate an optimal execution plan.
When the "'foo' IS NULL OR" clause, which has no effect on the result, is added, the execution plan changes to a sub-optimal one.
Re: (Score:3)
Actually, since many queries are the result of parsing a user's input in some scripting language, such a query is actually feasible.
Users are stupid (Score:2)