Slashdot Mirror


A Tale of Two MySQL Bugs

New submitter Archie Cobbs writes "Last May I encountered a relatively obscure performance bug present in both MySQL 5.5.x and MariaDB 5.5.x (not surprising since they share the same codebase). This turned out to be a great opportunity to see whether Oracle or the MariaDB project is more responsive to bug reports. On May 31 Oracle got their bug report; within 24 hours they had confirmed the bug — pretty impressive. But since then, it's been radio silence for 3 months and counting. On July 25, MariaDB got their own copy. Within a week, a MariaDB developer had analyzed the bug and committed a patch. The resulting fix will be included in the next release, MariaDB 5.5.33."


  1. Why fix it? by Anonymous Coward · · Score: 3, Interesting

    Why would Oracle fix a bug in something they're trying to kill off?

    1. Re:Why fix it? by Pieroxy · · Score: 2

      Apart from the copyright issues, pretty much. They'd better not do it though since they currently have all the copyright to MySQL code and incorporating a patch this way would kill all the advantages to this (namely, the option to close-source MySQL)

  2. We need more data by WWJohnBrowningDo · · Score: 4, Interesting

    A sample size of one is insufficient to make any meaningful conclusions.

    Anyone up for scraping the two bug trackers and finding more identical bug reports?

    1. Re:We need more data by Darinbob · · Score: 4, Insightful

      A sample size of one is insufficient to make any meaningful conclusions.

      That sort of thinking won't get you very far in politics.

    2. Re:We need more data by icebike · · Score: 2

      You also have to wonder about the two month delay in sending the bug to mariaDB. Did that allow them to take advantage of some over the beer mug discussion with Oracle employees about who was going to release it first?

      --
      Sig Battery depleted. Reverting to safe mode.
  3. Re:A Post with an Agenda by NoNonAlphaCharsHere · · Score: 5, Funny

    Well, DONTGIVEAFUCK is one of the statuses on their Bugzilla. Just sayin'.

  4. This is surprising why? by PhrostyMcByte · · Score: 5, Insightful

    Small projects can be about purity. Making the best possible code base you can. Especially ones where people work on it for free -- they wouldn't be working on it if they didn't deeply believe in it.

    Large corporations have different goals. The success of a changeset is not measured in how many bugs you fix or even how many features you add, but how much positive impact your paying customers and shareholders perceive.

    1. Re:This is surprising why? by znrt · · Score: 2

      That may be true, but if people are working for free, the project can suffer from an inadequate amount of labor and the existing workers might have trouble getting stuff done in addition to their day job.

      this does happen in medium-big software companies too. not because of lack of resources, but because of poor management or just because "existing workers might have trouble getting stuff done *right* because of 'other priorities' ".

  5. Well... by Ramirozz · · Score: 5, Insightful

    If he would have the right intention to measure response time both bug reports should have been filed at the same time... filing a second one with the text saying "hoping it gets more attention than the competition" is pretty biased and provocative to the actions.

    --
    http://www.quasarcr.com/
  6. Not really a fair test by greenreaper · · Score: 5, Insightful

    The poster made a comment in the second bug saying that they hoped to get a faster response than on the MySQL bug.

  7. Re:who cares? by Daniel+Dvorkin · · Score: 4, Interesting

    mysql is of historical curiosity. At best.

    I'd be willing to bet there are more deployments of MySQL than of all other standalone RDBMSs combined.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  8. Re:A Post with an Agenda by Anonymous Coward · · Score: 2, Informative

    The bug report link's in the summary, moron.

  9. Re:who cares? by MightyMartian · · Score: 4, Funny

    Because we all know that's how you tell that something's better.

    I'm taking my Betamax tapes and going home! And get off my lawn!

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  10. Re:A Post with an Agenda by ShanghaiBill · · Score: 3, Funny

    Has anyone checked with Oracle on the status of this?

    I checked. They said they are waiting for the NSA to approve the code change.

  11. Oracle probably did testing.... by Proudrooster · · Score: 2

    Oracle, love'em or hate'em makes some rock solid databases. The reason for the delay in the patch release was most likely testing and validation of the patch. I am assuming Oracle does this for MySQL but, what do I know?

  12. Re:who cares? by Anonymous Coward · · Score: 3, Insightful

    Read the post quoted above you fucklord. It had nothing to do with how good MySQL was and everything to do with how "irrelevant" it is even though it's used on every single fucking shared hosting box ever.

    And yes, it sucks.

  13. Re:Translation by Score+Whore · · Score: 2

    Indeed. This "bug" seems pretty stupid. I mean on the submitter's part. Why would any vendor spend much time solving this problem when it should be simple enough not to write such stupid SQL to begin with. Anyone who spent time working on this probably had nothing much better to do.

    I mean really, I get it, but what is the use case for 'if a constant is equal to a different constant'?

  14. What about 10 year old mysql bugs? by the_B0fh · · Score: 4, Interesting

    For example, #1341. 10 fucking years old.

    #68892 - best comment on the bug: 'Not quite sure how the severity scales are generally used, but shouldn't a trivial command that breaks the one feature that is being splatted all over the homepage as having significant improvements be a little higher than "non-critical" ?'

    What about stupid shit like this: http://www.darkreading.com/database/expect-a-surge-in-breaches-following-mys/240001958?cid=nl_DR_daily_2012-06-14_html&elq=7e0510c44883432fa8e79c2ebde2ecb8 "The vulnerability itself is in the way MySQL accepts passwords -- the bug makes it such that there's a one in 256 chance that the wrong password will still grant the user access to an account. So an endless loop of attempts will eventually grant an attacker access. It was a bug so unique that Moore says some MySQL developers ran into it, couldn't reproduce it, and eventually chalked it up as a fluke."

    Is MySQL even ACID compliant yet, without addons?

    http://nosql.mypopescu.com/post/1085685966/mysql-is-not-acid-compliant

    1. Re:What about 10 year old mysql bugs? by OhANameWhatName · · Score: 2

      #1341. 10 fucking years old

      Pffft, give Oracle time .. they can best it.

    2. Re:What about 10 year old mysql bugs? by greg1104 · · Score: 4, Informative

      I don't think it's possible for MySQL to get the "C" part in ACID right without a total rewrite, which seems unlikely under Oracle's watch. There used to be all sorts of trivial ways you could insert garbage data into MySQL, things like February 31 being a valid date or numbers going into boolean fields. They added this strict mode as a way to add validation for most of that. But strict is a client setting. All it takes is one client that ignores this, and the engine will still let you put garbage into there--values that are not going to be valid if you later work on them using a strict setting client. If you can put data in one end of that's not correct when read by another client, that's the exact opposite of a "consistent" database. It boggles my mind that anyone finds this acceptable. I guess people who do all their validation on the client are fine with it maybe? I can't explain how people who don't understand databases at all make their decisions.

      I don't follow MySQL closely enough to know if they're still silently truncating data sometimes too, but that's been a nagging problem over the years too. Strong validation of data is like security: you don't just bolt it on later. It's something that needs to be enforced in as many places as possible in the code, if you want any hope of getting it right and bug free. If you actually want data to be validated in all situations, you need to use something like PostgreSQL instead. There even new types you add to the database can execute any check constraint function you want before that data is allowed in, period. That overhead contributes to why MySQL is faster on trivial things, but sometimes you get what you pay for.

  15. Re:who cares? by cold+fjord · · Score: 5, Funny

    Some people never learn until you throw a laser disc at them. It smarts enough that they normally don't want a repeat.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  16. Re:who cares? by Literaphile · · Score: 5, Insightful

    No, but it is how you tell whether something is "of historical curiosity", which obviously MySQL is not, since it's the most popular RDBMS by far.

  17. Re:who cares? by greg1104 · · Score: 3, Informative

    [Citation Needed]. Among industry watchers the two most popular RDBMS systems are considered to be Oracle and Microsoft's SQL Server. MySQL is in the same ballpark, but it certainly doesn't have a large lead. Here's one survey showing that via a few metrics they combine. You'll get the same sort of ranking if you dig into most market surveys.

  18. Re:who cares? by bill_mcgonigle · · Score: 2

    I never knew about Berkeley DB though, lol. It was seized by Oracle in 2006.

    If you work on a FLOSS project that uses BDB, seriously consider if LMDB can work for you as well (or often better).

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  19. Re:who cares? by Literaphile · · Score: 3, Informative

    1. MSSQL is ahead by a whopping 8 points in that scale, 1313 to 1305. Next month, the scores could be reversed.
    2. All that "survey" really measures is how much people are talking about the systems, not their actual usage. I'll bet you'll find MySQL installed on more active servers than Oracle or MSSQL, especially since it's the go-to choice for shared hosting.
  20. Oracle will have the patch when they buy MariaDB by Macchendra · · Score: 2

    Do all the dedicated volunteers think their work won't be sold to Oracle? Also, they wouldn't want to break compatibility with this: http://www.oracle.com/technetwork/database/migration/mysql-093223.html

  21. Re:Translation by ultranova · · Score: 3, Insightful

    If you can take it out with no effect on the result, then why is it in there in the first place?

    Dynamic query generation? The literal might actually be a variable on the client side - say, the contents of some optional string.

    --
    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  22. Re:Translation by Derek+Pomery · · Score: 2

    Yep.
    select 1 from
    table where
    (? IS NULL OR foo = ?) and
    (? IS NULL OR bar = ?) and
    (? IS NULL OR baz = ?)

    where foo, bar and baz are all optional.

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
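The optional-filter pattern from the two comments above (one parameterized query in which a NULL bind value switches a predicate off), placed beside a dynamic variant that emits only the predicates it needs while still binding every value. This is an added example, not code from the thread; it runs on an in-memory SQLite table with constructed rows, and uses named parameters where the thread's MySQL query binds the same value twice with positional ?.

```python
import sqlite3

# Constructed sample rows (id, foo, bar, baz); not data from the thread.
ROWS = [(1, "a", "x", "p"), (2, "a", "y", "q"), (3, "b", "y", "q")]

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER, foo TEXT, bar TEXT, baz TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?, ?, ?)", ROWS)
    return con

# Thread's pattern: the SQL text is fixed, every user value is a bind
# parameter, and a NULL parameter makes its predicate always true.
STATIC_SQL = """
SELECT id FROM t WHERE
  (:foo IS NULL OR foo = :foo) AND
  (:bar IS NULL OR bar = :bar) AND
  (:baz IS NULL OR baz = :baz)
ORDER BY id
"""

def find_static(con, foo=None, bar=None, baz=None):
    params = {"foo": foo, "bar": bar, "baz": baz}
    return [r[0] for r in con.execute(STATIC_SQL, params)]

# Alternative: build only the predicates that are actually set, so the
# planner never sees a constant-vs-constant test. Column names come from
# a fixed allow-list and values stay bound, so no input reaches the SQL text.
ALLOWED = ("foo", "bar", "baz")

def find_dynamic(con, **filters):
    clauses, params = [], []
    for col, val in filters.items():
        if col not in ALLOWED:
            raise ValueError("unknown column: %r" % col)
        if val is not None:
            clauses.append("%s = ?" % col)
            params.append(val)
    sql = "SELECT id FROM t"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [r[0] for r in con.execute(sql, params)]

if __name__ == "__main__":
    db = open_db()
    print(find_static(db), find_static(db, foo="a", bar="y"))
    print(find_dynamic(db), find_dynamic(db, foo="a", bar="y"))
```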
  23. Re:Oracle will have the patch when they buy MariaD by greg1104 · · Score: 3, Insightful

    Yup, MariaDB is playing the same copyright assignment tricks that Monty used before, so that he could leverage community work yet still sell MySQL as a business. No reason to believe he's doing anything different this time. When the FSF asks for copyright assignment, that's acceptable because they have never breached the trust of their contributors. But when Monty does it, you have to assume he's setting things up so he can cash out again.

  24. Re:who cares? by greg1104 · · Score: 3, Insightful

    You might not agree with their methodology, but I did provide a reference for my claim. You should try it some time. Betting on a hunch is not a path to successful argument.

  25. Re:who cares? by znrt · · Score: 2

    [Citation Needed]. Among industry watchers the two most popular RDBMS systems are considered to be Oracle and Microsoft's SQL Server. MySQL is in the same ballpark, but it certainly doesn't have a large lead.

    well, in terms of price/performance ratio mysql/mariaDB simply cannot be beaten :D

    by the way, as someone who grew up in engineering using db2, I can tell you oracle and sqlserver are two steaming piles of expensive crap. if you use them, you are doing it wrong, you should look for more value for your money.

  26. Re:who cares? by marcello_dl · · Score: 5, Interesting

    The confusion arising from the fact that oracle mysql shares the same name with the former mysql, while mariadb which is philosophically the natural heir of the latter had to choose a different name.

    Apparently Oracle did the right thing by buying up the name, many fall for it and many others mod them up. Depressing, huh.
    And now you all proper slashdotters are thanking God that something named "postgresql" has basically no marketing value, aren't you.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  27. Re:who cares? by hairyfeet · · Score: 2

    Or maybe, just maybe, nobody trusts old "three card Monty" not to sell their work out from under them again? last I checked old Monty still made you sign rights over to him, how much you wanna bet if some corp comes flashing a big check that you'll be saying the same bullshit about mariadb?

    Fool you once, shame on me. Fool you twice? You are a moron and deserve what you get.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  28. Re:Its not really a bug by dotancohen · · Score: 2

    Actually, since many queries are the result of parsing a user's input in some scripting language, such a query is actually feasible.

    --
    It is dangerous to be right when the government is wrong.
  29. Time to RTFBugReport by viperidaenz · · Score: 2

    MySQL bug is lodged with a priority of "S5" - pretty low.
    MariaDB bug is "Major".
    No shit one was fixed before the other.

  30. Small project? by dutchwhizzman · · Score: 2

    How is MariaDB a small project and MySQL not? They both share roughly the same codebase and history. MariaDB has paid developers working on it, maybe even more than Oracle has on MySQL. For MariaDB, paying customers are probably more important than for Oracle, since Oracle can afford to lose money on this for a much longer time before they go bankrupt than MariaDB. If anything, the argument about "spending money on something only if it gives an immediate profit" applies way more to MariaDB than to Oracle.

    --
    I was promised a flying car. Where is my flying car?
  31. Re:who cares? by WaffleMonster · · Score: 3, Insightful

    I'd be willing to bet there are more deployments of MySQL than of all other standalone RDBMSs combined.

    I'd be willing to bet there are more deployments of SQLite than all other standalone RDBMSs combined.

  32. Oracle's testing suite is secret. by dutchwhizzman · · Score: 2

    Oracle has kept their testing suite and results closed source and secret. This is one of the reasons why MariaDB decided to do a cold hard fork and not look back. They can't possibly promise compatibility with Oracle since the specs are closed, effectively making the project closed. Assuming that Oracle tests things at all is purely speculation. If anything, regressions mentioned in other comments here suggest they don't do a very thorough job at all and their test suites only include new features and "old" tests, no regressions of bugs that got solved since they closed the testing specs.

    --
    I was promised a flying car. Where is my flying car?
  33. Re:who cares? by RaceProUK · · Score: 3, Informative

    What specifically makes SQLite not a "standalone" database?

    The 'server' is embedded in the application, which means one instance per app instance. A true standalone RDBMS runs (a minimum of) one instance that multiple (instances of) apps query.

    --
    No colour or religion ever stopped the bullet from a gun
  34. Re:who cares? by ixs · · Score: 2

    MySQL only for small places?

    That makes no sense. Software licensing costs are always prohibitive at scale.
    For a single machine it doesn't matter if you're adding 1k for the software or not. If you're doing that for 25 machines, it suddenly becomes a lot more important.

    There's a bunch of larger websites around which have somewhere between tens and thousands of database servers around. Usually in a replicated setting which is very heavy on reads and has basically no writes which means they shard their databases in such a way that they fit into available memory and reads never go to disk.

    In such a setting, your software being free is a very important point. Per server or per core licensing kills you there.

    The usual option then is to go with MySQL or PostgreSQL. The latter has only relatively recently gotten acceptable replication so if you've been around a while you nearly always default to MySQL.

    If you're at such a size, you either negotiate a very decent support contract or you forgo that anyway and hire the knowledge in house. I have worked for a company which did both, I do know that at least Facebook has gone for the latter by hiring Domas. No clue what support contracts they do have. Same for Google.
    If you're at that size, Monty will gladly listen to your needs and Percona will make you a very good deal for support.

    Suddenly MySQL or MariaDB looks like a pretty great database with much better support options and costs than Pg or Oracle. Forget about MSSQL, you're not running anything on Windows at scale.

  35. Re:who cares? by WaffleMonster · · Score: 2

    The 'server' is embedded in the application, which means one instance per app instance. A true standalone RDBMS runs (a minimum of) one instance that multiple (instances of) apps query.

    If my application accesses a SQLite database via odbc is it "embedded" in my application? How is the database not logically a standalone component in this case?

    If my application accesses SQLite database via a socket API does that count?

    SQLite also facilitates concurrent access via shared memory. The only limit I'm aware of is the concurrency model where you basically get one open transaction (excluding temp table) per database but lots of concurrent readers are possible. I'm not so sure I buy what is being implied, that process isolation of the data tier itself is the deciding factor. "Standalone database" needs to be evaluated in my view based on logical separation rather than strictly physical process boundaries.