3531 Norvald H. Ryeng 2011-10-27
Bug #11764372 57197: EVEN MORE USER VARIABLE CRASHING FUN
Problem: Some assignments of subselect results to user variables
cause the server to crash.
During query execution, copy_fields() tries to read a Copy_field from
a null pointer. The Copy_field has already been freed and the pointer
set to null during TMP_TABLE_PARAM::cleanup(). However, copy_field_end
is not reset. The copy_field() function is expected to handle a null
copy_field pointer, but only if copy_field_end is also null.
Fix: Set copy_field_end and save_copy_field_end to null when deleting
copy fields in TMP_TABLE_PARAM::cleanup() and add assertion in
copy_fields() to check parameters.
@ mysql-test/r/user_var.result
Add test for bug#11764372
@ mysql-test/t/user_var.test
Add test for bug#11764372
@ sql/sql_class.h
Set end pointers to null when deleting copy fields
@ sql/sql_select.cc
Add assertion to check parameter sanity
modified:
mysql-test/r/user_var.result
mysql-test/t/user_var.test
sql/sql_class.h
sql/sql_select.cc
3530 Marc Alff 2011-10-27 [merge]
Merge mysql-trunk-wl5863 --> mysql-trunk
WL#5863 PERFORMANCE SCHEMA, NESTED-SET data model
modified:
mysql-test/suite/perfschema/r/func_file_io.result
mysql-test/suite/perfschema/r/pfs_upgrade.result
mysql-test/suite/perfschema/r/schema.result
mysql-test/suite/perfschema/r/start_server_nothing.result
mysql-test/suite/perfschema/r/table_schema.result
scripts/mysql_system_tables.sql
storage/perfschema/pfs.cc
storage/perfschema/pfs_events.h
storage/perfschema/pfs_instr.cc
storage/perfschema/table_events_stages.cc
storage/perfschema/table_events_stages.h
storage/perfschema/table_events_statements.cc
storage/perfschema/table_events_statements.h
storage/perfschema/table_events_waits.cc
storage/perfschema/table_events_waits.h
=== modified file 'mysql-test/r/user_var.result'
--- a/mysql-test/r/user_var.result 2011-03-08 19:14:42 +0000
+++ b/mysql-test/r/user_var.result 2011-10-27 08:08:46 +0000
@@ -486,3 +486,10 @@ f1 f2
DROP TRIGGER trg1;
DROP TABLE t1;
End of 5.5 tests
+CREATE TABLE t1(a int);
+INSERT INTO t1 VALUES (1), (2);
+SELECT DISTINCT @a:=MIN(t1.a) FROM t1, t1 AS t2
+GROUP BY @b:=(SELECT COUNT(*) > t2.a);
+@a:=MIN(t1.a)
+1
+DROP TABLE t1;
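Review bot: the new expected-output block carries no marker tying it to Bug#11764372, because the `#` comment in the .test file is not echoed; the `1` row after `@a:=MIN(t1.a)` is the only evidence of which bug this covers. If the .test side emits the bug number with `--echo`, it will show up here and make the result file self-describing.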
=== modified file 'mysql-test/t/user_var.test'
--- a/mysql-test/t/user_var.test 2011-03-08 19:14:42 +0000
+++ b/mysql-test/t/user_var.test 2011-10-27 08:08:46 +0000
@@ -405,3 +405,13 @@ DROP TRIGGER trg1;
DROP TABLE t1;
--echo End of 5.5 tests
+
+#
+# Bug #11764372 57197: EVEN MORE USER VARIABLE CRASHING FUN
+#
+
+CREATE TABLE t1(a int);
+INSERT INTO t1 VALUES (1), (2);
+SELECT DISTINCT @a:=MIN(t1.a) FROM t1, t1 AS t2
+GROUP BY @b:=(SELECT COUNT(*) > t2.a);
+DROP TABLE t1;
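Review bot: the `# Bug #11764372 ...` header is a plain comment, so it never reaches user_var.result; the usual convention is `--echo # Bug #11764372 57197: EVEN MORE USER VARIABLE CRASHING FUN` so the marker is recorded in the result file as well. Since the statement under test assigns both `@a` and `@b`, a trailing `SELECT @a, @b;` would also pin down the values the assignments left behind, rather than only that the query no longer crashes in copy_fields().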
=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h 2011-10-14 15:04:41 +0000
+++ b/sql/sql_class.h 2011-10-27 08:08:46 +0000
@@ -3722,7 +3722,8 @@ public:
if (copy_field) /* Fix for Intel compiler */
{
delete [] copy_field;
- save_copy_field= copy_field= 0;
+ save_copy_field= copy_field= NULL;
+ save_copy_field_end= copy_field_end= NULL;
}
}
};
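Review bot: the reset of `save_copy_field_end` and `copy_field_end` sits inside the `if (copy_field)` guard, so the end pointers are only cleared when the start pointer is still non-null; a param whose `copy_field` is already NULL but whose `copy_field_end` is stale keeps the stale value and would still trip the new `DBUG_ASSERT` in copy_fields(). Moving `save_copy_field_end= copy_field_end= NULL;` outside the guard is harmless and makes the (NULL, NULL) invariant unconditional. The `0` to `NULL` change on the existing line is cosmetic and unrelated to the fix; fine to keep, but worth a word in the commit message.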
=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc 2011-10-19 06:13:35 +0000
+++ b/sql/sql_select.cc 2011-10-27 08:08:46 +0000
@@ -23622,7 +23622,9 @@ copy_fields(TMP_TABLE_PARAM *param)
Copy_field *ptr=param->copy_field;
Copy_field *end=param->copy_field_end;
- for (; ptr != end; ptr++)
+ DBUG_ASSERT((ptr != NULL && end >= ptr) || (ptr == NULL && end == NULL));
+
+ for (; ptr < end; ptr++)
(*ptr->do_copy)(ptr);
List_iterator_fast<Item> it(param->copy_funcs);
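Review bot: `DBUG_ASSERT` compiles out in release builds, so there the only change in behaviour is `ptr < end` instead of `ptr != end`. That does not protect the case this bug is about: with `ptr == NULL` and a stale non-null `end`, the loop still starts at address 0 and dereferences `ptr->do_copy`, so the crash is prevented by the cleanup() change alone, not by this loop. Consider either keeping `!=` (so an inconsistent range is not silently shortened in release builds) or adding a comment stating that `<` is purely defensive and relies on cleanup() keeping the pair consistent.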
No bundle (reason: useless for push emails).
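As an added illustration that is not part of this push or of the MySQL sources, the following C model reproduces the pointer-pair problem the commit message describes: a `[copy_field, copy_field_end)` range whose start is freed and nulled while the end pointer keeps its old value. The names `tmp_param`, `cleanup_buggy`, `cleanup_fixed`, `run`, `demo_buggy` and `demo_fixed` are constructed for the demo; `range_is_sane` is the same condition the patch puts into `DBUG_ASSERT`, but here it makes `copy_fields` refuse (return -1) instead of aborting, so both cleanup variants can be executed side by side.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy stand-in for Copy_field: a source value, a destination slot and
 * the copy routine invoked through a function pointer. */
typedef struct Copy_field {
    int src;
    int *dst;
    void (*do_copy)(struct Copy_field *);
} Copy_field;

static void copy_int(Copy_field *f) { *f->dst = f->src; }

/* Toy stand-in for TMP_TABLE_PARAM: an array delimited by a pointer pair
 * (constructed name, not the MySQL type). */
typedef struct {
    Copy_field *copy_field;
    Copy_field *copy_field_end;
} tmp_param;

/* Buggy cleanup, modelled on the pre-patch behaviour: frees the array and
 * clears the start pointer, but leaves copy_field_end dangling. */
static void cleanup_buggy(tmp_param *p) {
    free(p->copy_field);
    p->copy_field = NULL;
}

/* Fixed cleanup, modelled on the patch: both ends of the range go to NULL,
 * so a later copy_fields() sees the documented (NULL, NULL) state. */
static void cleanup_fixed(tmp_param *p) {
    free(p->copy_field);
    p->copy_field = NULL;
    p->copy_field_end = NULL;
}

/* The invariant copy_fields() relies on: either a valid ordered pair or
 * both pointers NULL.  Same condition as the patch's DBUG_ASSERT.
 * (Comparing a dangling end pointer against NULL is fine; it is never
 * dereferenced here.) */
static int range_is_sane(const tmp_param *p) {
    return (p->copy_field != NULL && p->copy_field_end >= p->copy_field)
        || (p->copy_field == NULL && p->copy_field_end == NULL);
}

/* Walks the range and returns how many fields were copied, or -1 if the
 * pair is inconsistent.  A real copy_fields() with a NULL start and a
 * stale end would dereference address 0 right here. */
static int copy_fields(tmp_param *p) {
    if (!range_is_sane(p))
        return -1;
    int n = 0;
    for (Copy_field *ptr = p->copy_field; ptr < p->copy_field_end; ptr++, n++)
        (*ptr->do_copy)(ptr);
    return n;
}

/* Builds a two-field range, copies once (the first execution), runs the
 * given cleanup, then copies again (the re-execution that crashed). */
static int run(void (*cleanup)(tmp_param *)) {
    int dst[2] = { 0, 0 };
    Copy_field *arr = malloc(2 * sizeof *arr);
    if (arr == NULL)
        return -2;
    arr[0] = (Copy_field){ 7, &dst[0], copy_int };
    arr[1] = (Copy_field){ 9, &dst[1], copy_int };

    tmp_param p = { arr, arr + 2 };
    int first = copy_fields(&p);
    if (first != 2 || dst[0] != 7 || dst[1] != 9)
        return -3;                      /* live range must copy both */

    cleanup(&p);
    return copy_fields(&p);             /* second pass after cleanup */
}

int demo_buggy(void) { return run(cleanup_buggy); }   /* -1: stale end */
int demo_fixed(void) { return run(cleanup_fixed); }   /* 0: nothing to copy */
```

With the buggy cleanup the second pass is refused because the pair is (NULL, dangling); with the fixed cleanup it is (NULL, NULL), the loop body never runs, and the function returns 0, which is exactly the state the patch's assertion accepts.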
Thread: bzr push into mysql-trunk branch (norvald.ryeng:3530 to 3531) Bug#11764372, Norvald H. Ryeng, 27 Oct