List:Commits« Previous MessageNext Message »
From:Martin Hansson Date:December 10 2010 10:30am
Subject:bzr commit into mysql-5.1-bugteam branch (martin.hansson:3515) Bug#58207
View as plain text  
#At file:///data0/martin/bzrroot/bug58207/5.1bt-minimal_fix/ based on revid:bjorn.munch@stripped

 3515 Martin Hansson	2010-12-10
      Bug#58207: invalid memory reads when using default column value and 
      tmptable needed
      
      The function DEFAULT() works by modifying the the data buffer pointers (often
      referred to as 'record' or 'table record') of its argument. This modification
      is done during name resolution (fix_fields().) Here, the pointers are set to
      point into a buffer of default values by means of offsetting the pointer by
      the distance between the buffers' start addresses. Unfortunately, the same
      modification is done when creating a temporary table during optimization. At
      this point the Item may or may not be name-resolved. If it is, the bespoke
      pointer offsetting method is fragile enough to point into an undefined memory
      area, giving rise to everything from valgrind warnings to segmentation faults.
      
      Fixed by checking if an Item is name-resolved before modifying the pointers.

    modified:
      mysql-test/r/subselect4.result
      mysql-test/t/subselect4.test
      sql/sql_select.cc
=== modified file 'mysql-test/r/subselect4.result'
--- a/mysql-test/r/subselect4.result	2010-09-07 09:21:09 +0000
+++ b/mysql-test/r/subselect4.result	2010-12-10 10:30:29 +0000
@@ -164,5 +164,24 @@ a	b
 2	NULL
 DROP TABLE t1, t2, t3, t4, t5;
 #
+# Bug#58207: invalid memory reads when using default column value and 
+# tmptable needed
+#
+CREATE TABLE t1( a CHAR(1)   DEFAULT 'a' );
+CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );
+INSERT INTO t1 VALUES ('b'), ('c');
+INSERT INTO t2 VALUES ('b'), ('c');
+# Caused crash in valgrind builds
+SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11;
+DEFAULT(a)
+a
+a
+# Should not cause valgrind error
+SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21;
+b
+a
+a
+DROP TABLE t1, t2;
+#
 # End of 5.1 tests.
 #

=== modified file 'mysql-test/t/subselect4.test'
--- a/mysql-test/t/subselect4.test	2010-09-07 09:21:09 +0000
+++ b/mysql-test/t/subselect4.test	2010-12-10 10:30:29 +0000
@@ -136,6 +136,23 @@ SELECT * FROM t1 WHERE NULL NOT IN ( SEL
 
 DROP TABLE t1, t2, t3, t4, t5;
 
+--echo #
+--echo # Bug#58207: invalid memory reads when using default column value and 
+--echo # tmptable needed
+--echo #
+CREATE TABLE t1( a CHAR(1)   DEFAULT 'a' );
+CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );
+
+INSERT INTO t1 VALUES ('b'), ('c');
+INSERT INTO t2 VALUES ('b'), ('c');
+
+--echo # Caused crash in valgrind builds
+SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11;
+
+--echo # Should not cause valgrind error
+SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21;
+
+DROP TABLE t1, t2;
 
 --echo #
 --echo # End of 5.1 tests.

=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc	2010-11-26 12:51:48 +0000
+++ b/sql/sql_select.cc	2010-12-10 10:30:29 +0000
@@ -10207,6 +10207,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
                          item->marker == 4, force_copy_fields,
                          param->convert_blob_length);
 
+      /*
+        Fields that are used as arguments to the DEFAULT() function have their
+        data pointers set to the default value during name resulotion. If by
+        any chance they have been resolved at this stage (e.g. if they appear
+        in a subquery) we should not update these pointers.
+      */
+      if (item->type() == Item::DEFAULT_VALUE_ITEM && item->fixed)
+        default_field[fieldnr]= NULL;
+
       if (!new_field)
       {
 	if (thd->is_fatal_error)


Attachment: [text/bzr-bundle] bzr/martin.hansson@oracle.com-20101210103029-adlfw1s9a394goc0.bundle
Thread
bzr commit into mysql-5.1-bugteam branch (martin.hansson:3515) Bug#58207Martin Hansson10 Dec