From: Norvald H. Ryeng
Date: October 27 2011 7:04am
Subject: bzr push into mysql-trunk branch (norvald.ryeng:3528 to 3529) Bug#11764818
List-Archive: http://lists.mysql.com/commits/141592
X-Bug: 11764818
Message-Id: <20111027070410.C2AAA1EC9@atum06.no.oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

3529 Norvald H. Ryeng 2011-10-27
Bug #11764818 57692: CRASH IN ITEM_FUNC_IN::VAL_INT() WITH ZEROFILL

Problem: During optimization, ZEROFILL values may be converted to string constants. However, the IN function does not handle switching datatypes after planning, leading to IN finding a null pointer instead of its argument.

Item_func_in creates a table of cmp_items, one for each datatype used in the comparison. This table is created during query planning by fix_length_and_dec(). During optimization, Item_field::equal_fields_propagator() converts ZEROFILL numbers to strings, but the comparison table in Item_func_in is not updated. During execution, the position in the comparison table is found by examining the result types of the fields to be compared. Since the result type of the fields has changed, the wrong position in the comparison table is inferred, and this position contains a null pointer.

Fix: Set the cmp_context of arguments to Item_func_in so that Item_field::equal_fields_propagator() will not convert them to strings.

@ mysql-test/r/compare.result
Add test for bug#11764818
@ mysql-test/t/compare.test
Add test for bug#11764818
@ sql/item_cmpfunc.cc
Set cmp_context of arguments to Item_func_in

modified:
mysql-test/r/compare.result
mysql-test/t/compare.test
sql/item_cmpfunc.cc

3528 Alexander Nozdrin 2011-10-27 [merge]
Null merge from mysql-5.5.

=== modified file 'mysql-test/r/compare.result'
--- a/mysql-test/r/compare.result 2011-07-19 15:11:15 +0000
+++ b/mysql-test/r/compare.result 2011-10-27 07:03:49 +0000
@@ -96,3 +96,7 @@ SELECT * FROM t1 WHERE a > '2008-01-01' a DROP TABLE t1; End of 5.0 tests +CREATE TABLE t1(a INT ZEROFILL); +SELECT 1 FROM t1 WHERE t1.a IN (1, t1.a) AND t1.a=2; +1 +DROP TABLE t1; === modified file 'mysql-test/t/compare.test' --- a/mysql-test/t/compare.test 2008-09-18 12:55:36 +0000 +++ b/mysql-test/t/compare.test 2011-10-27 07:03:49 +0000 @@ -86,3 +86,11 @@ SELECT * FROM t1 WHERE a > '2008-01-01' DROP TABLE t1; --echo End of 5.0 tests + +# +# Bug #11764818 57692: Crash in item_func_in::val_int() with ZEROFILL +# + +CREATE TABLE t1(a INT ZEROFILL); +SELECT 1 FROM t1 WHERE t1.a IN (1, t1.a) AND t1.a=2; +DROP TABLE t1; === modified file 'sql/item_cmpfunc.cc' --- a/sql/item_cmpfunc.cc 2011-10-18 13:45:29 +0000 +++ b/sql/item_cmpfunc.cc 2011-10-27 07:03:49 +0000 @@ -4242,6 +4242,16 @@ void Item_func_in::fix_length_and_dec() } } } + /* + Set cmp_context of all arguments. This prevents + Item_field::equal_fields_propagator() from transforming a zerofill integer + argument into a string constant. Such a change would require rebuilding + cmp_itmes. + */ + for (arg= args + 1, arg_end= args + arg_count; arg != arg_end ; arg++) + { + arg[0]->cmp_context= item_cmp_type(left_result_type, arg[0]->result_type()); + } max_length= 1; } No bundle (reason: useless for push emails).
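Review bot: the new test in mysql-test/t/compare.test (and its expected output in mysql-test/r/compare.result) runs the SELECT against an empty t1, so it only proves that planning and optimization no longer crash; the "1" in the result file is just the column header, not a returned row. Inserting a couple of rows into the ZEROFILL column (one value that should satisfy `t1.a IN (1, t1.a) AND t1.a=2` and one that should not) would also check that the IN comparison still evaluates correctly once cmp_context is pinned, rather than only that it no longer dereferences a null cmp_item.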
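Review bot: in the sql/item_cmpfunc.cc hunk the comment misspells cmp_items as "cmp_itmes"; please fix it before pushing. More substantively, the loop starts at `args + 1`, so args[0] (the left-hand operand of IN) keeps whatever cmp_context it had; if the left operand can itself be a ZEROFILL field that equal_fields_propagator() replaces with a string constant, the same stale-table problem would apply through left_result_type, so either include args[0] in the loop or state in the comment why it is safe to skip. The loop also relies on `arg` and `arg_end` being declared earlier in fix_length_and_dec(), which the hunk context does not show; confirm they are in scope.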