From: Roy Lyseng Date: May 26 2011 12:31pm Subject: Re: bzr commit into mysql-trunk branch (epotemkin:3002) Bug#11783262 List-Archive: http://lists.mysql.com/commits/138201 Message-Id: <4DDE4804.3020704@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Evgeny, the bugfix is approved. However, it seems that it would be less error-prone to store fieldnr in the KEY_PART_INFO struct as one less the current value. Most uses of the field subtracts one before using it. Later refactoring? Thanks, Roy On 25.05.11 14.09, Evgeny Potemkin wrote: > #At file:///work/bzrroot/11783262-bug/ based on revid:epotemkin@stripped > > 3002 Evgeny Potemkin 2011-05-25 > Bug#11783262: CRASH IN ITEM_FIELD::ITEM_FIELD IN ITEM.CC ON SUBQUERY IN FROM. > Incorrect initialization of field's index led to dereferencing memory out of > array bounds and crash. > > Now KEY_PART_INFO::init_from_field correctly initializes Field::field_index. > @ mysql-test/r/derived.result > Added a test case for the bug#11783262. > @ mysql-test/t/derived.test > Added a test case for the bug#11783262. > @ sql/table.cc > Bug#11783262: CRASH IN ITEM_FIELD::ITEM_FIELD IN ITEM.CC ON SUBQUERY IN FROM. > Now KEY_PART_INFO::init_from_field correctly initializes Field::field_index. > > modified: > mysql-test/r/derived.result > mysql-test/t/derived.test > sql/table.cc
> === modified file 'mysql-test/r/derived.result'
> --- a/mysql-test/r/derived.result 2011-02-17 12:14:26 +0000
> +++ b/mysql-test/r/derived.result 2011-05-25 12:09:53 +0000
> @@ -1328,3 +1328,23 @@ f1 f11 f2 f22 f3 f33
> DROP TABLE t1,t2,t3;
> DROP VIEW v1,v2,v3,v4,v6,v7;
> #
> +#
> +# BUG#11783262: CRASH IN ITEM_FIELD::ITEM_FIELD IN ITEM.CC ON SUBQUERY
> +# IN FROM WITH WL5274
> +#
> +CREATE TABLE t1 (
> +col_int_key INT,
> +col_time_key time,
> +col_varchar_key VARCHAR(1),
> +KEY col_int_key (col_int_key),
> +KEY col_varchar_key (col_varchar_key,col_int_key)
> +) ENGINE=INNODB;
> +SELECT alias1.col_time_key AS field1
> +FROM ( ( SELECT SQ1_alias1.* FROM t1 AS SQ1_alias1 ) AS alias1
> +INNER JOIN t1 AS alias2
> +ON (alias2.col_int_key = alias1.col_int_key)
> +)
> +WHERE alias1.col_int_key = 207
> +ORDER BY alias1.col_varchar_key, field1;
> +field1
> +DROP TABLE t1;
>
> === modified file 'mysql-test/t/derived.test'
> --- a/mysql-test/t/derived.test 2011-02-17 12:14:26 +0000
> +++ b/mysql-test/t/derived.test 2011-05-25 12:09:53 +0000
> @@ -693,3 +693,24 @@ DROP VIEW v1,v2,v3,v4,v6,v7;
>
> --echo #
>
> +--echo #
> +--echo # BUG#11783262: CRASH IN ITEM_FIELD::ITEM_FIELD IN ITEM.CC ON SUBQUERY
> +--echo # IN FROM WITH WL5274
> +--echo #
> +
> +CREATE TABLE t1 (
> + col_int_key INT,
> + col_time_key time,
> + col_varchar_key VARCHAR(1),
> + KEY col_int_key (col_int_key),
> + KEY col_varchar_key (col_varchar_key,col_int_key)
> +) ENGINE=INNODB;
> +SELECT alias1.col_time_key AS field1
> +FROM ( ( SELECT SQ1_alias1.* FROM t1 AS SQ1_alias1 ) AS alias1
> + INNER JOIN t1 AS alias2
> + ON (alias2.col_int_key = alias1.col_int_key)
> + )
> +WHERE alias1.col_int_key = 207
> +ORDER BY alias1.col_varchar_key, field1;
> +
> +DROP TABLE t1;
>
> === modified file 'sql/table.cc'
> --- a/sql/table.cc 2011-02-17 12:14:26 +0000
> +++ b/sql/table.cc 2011-05-25 12:09:53 +0000
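Review bot: The new case in derived.test creates t1 with `ENGINE=INNODB`, but the hunk carries no `--source include/have_innodb.inc`; if the file does not already source it above this hunk (outside the visible lines), the case should be guarded with it so that a build without InnoDB skips the test rather than failing or quietly running on another engine and diverging from the expected output added to derived.result. The derived.result hunk in this commit is the expected output for the same statements and needs no change on its own.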
> @@ -775,7 +775,7 @@ void KEY_PART_INFO::init_flags()
> void KEY_PART_INFO::init_from_field(Field *fld)
> {
> field= fld;
> - fieldnr= field->field_index;
> + fieldnr= field->field_index + 1;
> null_bit= field->null_bit;
> null_offset= (uint) (field->null_ptr - (uchar*) field->table->record[0]);
> offset= field->offset(field->table->record[0]);
>
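Review bot: The `+ 1` on the added line encodes a convention that nothing at the assignment states — `fieldnr` is stored 1-based while `Field::field_index` is 0-based — so a reader of init_from_field cannot tell whether the offset is intentional or the next off-by-one; a one-line comment would make the intent checkable, e.g. `fieldnr= field->field_index + 1; // fieldnr is 1-based, Field::field_index is 0-based`. The commit message says init_from_field "initializes Field::field_index", but the hunk reads field_index and writes fieldnr, so the message would be clearer if it named fieldnr as the member being fixed. init_from_field's closing brace lies outside the hunk.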