From:Martin Hansson Date:May 11 2010 2:21pm
Subject:bzr commit into mysql-5.0-bugteam branch (martin.hansson:2863) Bug#48157
#At file:///data0/martin/bzr/bug48157/5.0bt/ based on revid:martin.hansson@stripped

 2863 Martin Hansson	2010-05-11
      Bug#48157: crash in Item_field::used_tables
            
      MySQL handles the join syntax "JOIN ... USING( field1,
      ... )" and natural joins by building the same parse tree as
      a corresponding join with an "ON t1.field1 = t2.field1 ..."
      expression would produce. This parse tree was not cleaned up
      properly in the following scenario. If a thread tries to
      lock some tables and finds that the tables were dropped and
      re-created while waiting for the lock, it cleans up column
      references in the statement by means of a per-statement free
      list. But if the statement was part of a stored procedure,
      column references on the stored procedure's free list
      weren't cleaned up and thus contained pointers to freed
      objects.
            
      Fixed by adding a call to clean up the current prepared
      statement's free list.
      
      This is a backport from MySQL 5.1

    modified:
      sql/item.h
      sql/sql_parse.cc
      sql/sql_update.cc
=== modified file 'sql/item.h'
--- a/sql/item.h	2009-04-01 11:02:26 +0000
+++ b/sql/item.h	2010-05-11 14:21:05 +0000
@@ -470,6 +470,13 @@ public:
   my_string name;			/* Name from select */
   /* Original item name (if it was renamed)*/
   my_string orig_name;
+  /**
+     Intrusive list pointer for free list. If not null, points to the next
+     Item on some Query_arena's free list. For instance, stored procedures
+     have their own Query_arena's.
+     
+     @see Query_arena::free_list
+  */
   Item *next;
   uint32 max_length;
   uint name_length;                     /* Length of name */
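Review bot: "stored procedures have their own Query_arena's" in the new doc comment uses an apostrophe for a plural; it should read "have their own Query_arenas" (or "their own Query_arena"). The blank comment line between the paragraph and the @see tag also carries trailing whitespace ("+     "), which the tree otherwise avoids; trim it so the hunk does not introduce whitespace noise into item.h.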

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2010-05-03 15:16:51 +0000
+++ b/sql/sql_parse.cc	2010-05-11 14:21:05 +0000
@@ -1411,8 +1411,10 @@ end:
 }
 
 
-    /* This works because items are allocated with sql_alloc() */
-
+/**
+   This works because items are allocated with sql_alloc().
+   @note The function also handles null pointers (empty list).
+*/
 void cleanup_items(Item *item)
 {
   DBUG_ENTER("cleanup_items");  
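Review bot: the converted Doxygen comment keeps the old sentence "This works because items are allocated with sql_alloc()" without saying what "This" refers to, so the new @brief still does not tell a reader what cleanup_items() does to the list it is handed. Since the comment is being rewritten anyway, lead with a one-line description of the function's effect on the Item list and keep the sql_alloc() remark as the justification, e.g. "Run per-statement cleanup on every Item on the given free list. This works because ..."; the @note about null pointers is useful and should stay, since the new caller in sql_update.cc can pass an empty list.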

=== modified file 'sql/sql_update.cc'
--- a/sql/sql_update.cc	2009-12-13 23:58:16 +0000
+++ b/sql/sql_update.cc	2010-05-11 14:21:05 +0000
@@ -908,8 +908,9 @@ reopen_tables:
       items from 'fields' list, so the cleanup above is necessary to.
     */
     cleanup_items(thd->free_list);
-
+    cleanup_items(thd->stmt_arena->free_list);
     close_tables_for_reopen(thd, &table_list);
+
     goto reopen_tables;
   }
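Review bot: the new cleanup_items(thd->stmt_arena->free_list) call is unconditional, while the comment block just above it still only explains why thd->free_list must be cleaned ("the cleanup above is necessary to[o]"); extend that comment with the stored-procedure case from the commit message, since the code alone does not say why a second list needs cleaning here. Also worth confirming in the comment: when the statement is not part of a stored program, thd->stmt_arena may be the THD's own arena, in which case the same free list is walked twice in a row; if cleanup is idempotent that is harmless and the comment should say so, otherwise guard the second call with a check that the two arenas differ. Finally, the hunk moves a blank line from before close_tables_for_reopen() to after it, which is an unrelated whitespace change that should be dropped from the patch.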
 


Attachment: [text/bzr-bundle] bzr/martin.hansson@sun.com-20100511142105-5n09wopu6gn4dmbn.bundle