From:Norvald H. Ryeng Date:October 27 2011 8:09am
Subject:bzr push into mysql-trunk branch (norvald.ryeng:3530 to 3531) Bug#11764372
 3531 Norvald H. Ryeng	2011-10-27
      Bug #11764372 57197: EVEN MORE USER VARIABLE CRASHING FUN
      
      Problem: Some assignments of subselect results to user variables
      cause the server to crash.
      
      During query execution, copy_fields() tries to read a Copy_field from
      a null pointer. The Copy_field has already been freed and the pointer
      set to null during TMP_TABLE_PARAM::cleanup(). However, copy_field_end
      is not reset. The copy_fields() function is expected to handle a null
      copy_field pointer, but only if copy_field_end is also null.
      
      Fix: Set copy_field_end and save_copy_field_end to null when deleting
      copy fields in TMP_TABLE_PARAM::cleanup() and add assertion in
      copy_fields() to check parameters.
     @ mysql-test/r/user_var.result
        Add test for bug#11764372
     @ mysql-test/t/user_var.test
        Add test for bug#11764372
     @ sql/sql_class.h
        Set end pointers to null when deleting copy fields
     @ sql/sql_select.cc
        Add assertion to check parameter sanity

    modified:
      mysql-test/r/user_var.result
      mysql-test/t/user_var.test
      sql/sql_class.h
      sql/sql_select.cc
 3530 Marc Alff	2011-10-27 [merge]
      Merge mysql-trunk-wl5863 --> mysql-trunk
      
      WL#5863 PERFORMANCE SCHEMA, NESTED-SET data model 

    modified:
      mysql-test/suite/perfschema/r/func_file_io.result
      mysql-test/suite/perfschema/r/pfs_upgrade.result
      mysql-test/suite/perfschema/r/schema.result
      mysql-test/suite/perfschema/r/start_server_nothing.result
      mysql-test/suite/perfschema/r/table_schema.result
      scripts/mysql_system_tables.sql
      storage/perfschema/pfs.cc
      storage/perfschema/pfs_events.h
      storage/perfschema/pfs_instr.cc
      storage/perfschema/table_events_stages.cc
      storage/perfschema/table_events_stages.h
      storage/perfschema/table_events_statements.cc
      storage/perfschema/table_events_statements.h
      storage/perfschema/table_events_waits.cc
      storage/perfschema/table_events_waits.h
=== modified file 'mysql-test/r/user_var.result'
--- a/mysql-test/r/user_var.result	2011-03-08 19:14:42 +0000
+++ b/mysql-test/r/user_var.result	2011-10-27 08:08:46 +0000
@@ -486,3 +486,10 @@ f1	f2
 DROP TRIGGER trg1;
 DROP TABLE t1;
 End of 5.5 tests
+CREATE TABLE t1(a int);
+INSERT INTO t1 VALUES (1), (2);
+SELECT DISTINCT @a:=MIN(t1.a) FROM t1, t1 AS t2
+GROUP BY @b:=(SELECT COUNT(*) > t2.a);
+@a:=MIN(t1.a)
+1
+DROP TABLE t1;

=== modified file 'mysql-test/t/user_var.test'
--- a/mysql-test/t/user_var.test	2011-03-08 19:14:42 +0000
+++ b/mysql-test/t/user_var.test	2011-10-27 08:08:46 +0000
@@ -405,3 +405,13 @@ DROP TRIGGER trg1;
 DROP TABLE t1;
 
 --echo End of 5.5 tests
+
+#
+# Bug #11764372 57197: EVEN MORE USER VARIABLE CRASHING FUN
+#
+
+CREATE TABLE t1(a int);
+INSERT INTO t1 VALUES (1), (2);
+SELECT DISTINCT @a:=MIN(t1.a) FROM t1, t1 AS t2
+GROUP BY @b:=(SELECT COUNT(*) > t2.a);
+DROP TABLE t1;
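Review bot: The new statement on L84-L85 only establishes that the query no longer crashes; nothing reads the user variables back, so a regression that silently skips a copy (the companion change in copy_fields() relaxes the loop bound from `!=` to `<`) would pass this test unnoticed. Adding `SELECT @a, @b;` before the `DROP TABLE t1;` and recording the values in user_var.result would pin the assignments as well. Whether the result is stable across row orders depends on the grouping, so the expected values should be checked against the server rather than assumed.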

=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h	2011-10-14 15:04:41 +0000
+++ b/sql/sql_class.h	2011-10-27 08:08:46 +0000
@@ -3722,7 +3722,8 @@ public:
     if (copy_field)				/* Fix for Intel compiler */
     {
       delete [] copy_field;
-      save_copy_field= copy_field= 0;
+      save_copy_field= copy_field= NULL;
+      save_copy_field_end= copy_field_end= NULL;
     }
   }
 };
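Review bot: The two NULL assignments on L96-L97 run only inside `if (copy_field)`, so a TMP_TABLE_PARAM whose copy_field is already NULL but whose copy_field_end is stale is not repaired here, and the new assertion in copy_fields() would still fire on it. Since assigning NULL costs nothing and `delete []` of a null pointer is well-defined, the resets could be hoisted out of the conditional: `if (copy_field) delete [] copy_field;` followed unconditionally by `save_copy_field= copy_field= NULL;` and `save_copy_field_end= copy_field_end= NULL;`. Whether that state can actually arise depends on the constructor and setup code outside this hunk; the enclosing cleanup() starts before the hunk.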

=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc	2011-10-19 06:13:35 +0000
+++ b/sql/sql_select.cc	2011-10-27 08:08:46 +0000
@@ -23622,7 +23622,9 @@ copy_fields(TMP_TABLE_PARAM *param)
   Copy_field *ptr=param->copy_field;
   Copy_field *end=param->copy_field_end;
 
-  for (; ptr != end; ptr++)
+  DBUG_ASSERT((ptr != NULL && end >= ptr) || (ptr == NULL && end == NULL));
+
+  for (; ptr < end; ptr++)
     (*ptr->do_copy)(ptr);
 
   List_iterator_fast<Item> it(param->copy_funcs);
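Review bot: Changing the loop on L112 from `!=` to `<` makes a release build silently skip copies when copy_field_end lags behind copy_field, while the failure the commit message describes — `ptr == NULL` with a stale non-NULL `end` — still dereferences NULL in practice, since a null pointer compares less than a non-null one; only debug builds get the assertion on L110. A comment stating the invariant the assert encodes would help the next reader, e.g. `/* copy_field and copy_field_end are either both NULL or delimit the same array; TMP_TABLE_PARAM::cleanup() must reset both together. */`. That invariant is also what makes the relational comparisons on L110 and L112 well-defined, since ordering pointers is only specified for pointers into the same array. copy_fields() continues past the end of the hunk.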

No bundle (reason: useless for push emails).