From:eugene Date:March 2 2007 10:13pm
Subject:bk commit into 5.0 tree (evgen:1.2428) BUG#25126
Below is the list of changes that have just been committed into a local
5.0 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-03-03 00:13:07+03:00, evgen@stripped +4 -0
  Bug#25126: Wrongly resolved field leads to a crash.
  
  When the ORDER BY clause gets fixed it's allowed to search in the current
  item_list in order to find aliased fields and expressions. This is ok for a
  SELECT but wrong for an UPDATE statement. If the ORDER BY clause contains
  a non-existing field which is mentioned in the UPDATE set list, the
  server crashes because it uses a non-existing (0x0) field.
  
  Now item list lookups while item fixing are allowed only for selects.

  mysql-test/r/update.result@stripped, 2007-03-02 23:52:08+03:00, evgen@stripped +4 -0
    Added a test case for bug#25126: Wrongly resolved field leads to a crash.

  mysql-test/t/update.test@stripped, 2007-03-02 23:51:37+03:00, evgen@stripped +8 -0
    Added a test case for bug#25126: Wrongly resolved field leads to a crash.

  sql/sql_base.cc@stripped, 2007-03-03 00:12:40+03:00, evgen@stripped +10 -0
    Bug#25126: Wrongly resolved field leads to a crash.
    Now item list lookups while item fixing are allowed only for selects.

  sql/sql_select.cc@stripped, 2007-03-03 00:11:39+03:00, evgen@stripped +1 -5
    Bug#25126: Wrongly resolved field leads to a crash.
    Now item list lookups while item fixing are allowed only for selects.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	evgen
# Host:	moonbone.local
# Root:	/mnt/gentoo64/work/25126-bug-5.0-opt-mysql

--- 1.369/sql/sql_base.cc	2007-03-02 13:23:54 +03:00
+++ 1.370/sql/sql_base.cc	2007-03-03 00:12:40 +03:00
@@ -4420,12 +4420,15 @@
   bool save_set_query_id= thd->set_query_id;
   nesting_map save_allow_sum_func= thd->lex->allow_sum_func;
   List_iterator<Item> it(fields);
+  bool save_is_item_list_lookup;
   DBUG_ENTER("setup_fields");
 
   thd->set_query_id=set_query_id;
   if (allow_sum_func)
     thd->lex->allow_sum_func|= 1 <<
thd->lex->current_select->nest_level;
   thd->where= THD::DEFAULT_WHERE;
+  save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+  thd->lex->current_select->is_item_list_lookup= 0;
 
   /*
     To prevent fail on forward lookup we fill it with zerows,
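Review bot: The saved `is_item_list_lookup` value is restored by hand on each exit (here, and in the hunks at -4450 and -4464), so any return path outside these hunks, or one added later, would leave the flag cleared for the rest of the statement. A comment above the clear would record the intent, for example `/* item_list lookups must stay off while the list itself is being fixed; restored on every return below */`. The clear and the restores each re-read `thd->lex->current_select` instead of using a pointer captured at entry; that is presumably the same object at exit, but nothing visible guarantees it. Capturing it once, `SELECT_LEX *sl= thd->lex->current_select;`, and writing through `sl` would tie save and restore to one object. The function's signature and the rest of its body are outside the hunk.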
@@ -4450,6 +4453,7 @@
     {
       thd->lex->allow_sum_func= save_allow_sum_func;
       thd->set_query_id= save_set_query_id;
+      thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
       DBUG_RETURN(TRUE); /* purecov: inspected */
     }
     if (ref)
@@ -4464,6 +4468,7 @@
 
   thd->lex->allow_sum_func= save_allow_sum_func;
   thd->set_query_id= save_set_query_id;
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   DBUG_RETURN(test(thd->net.report_error));
 }
 
@@ -4945,6 +4950,9 @@
 {
   SELECT_LEX *select_lex= thd->lex->current_select;
   Query_arena *arena= thd->stmt_arena, backup;
+  bool save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+  thd->lex->current_select->is_item_list_lookup= 0;
+
   TABLE_LIST *table= NULL;	// For HP compilers
   /*
     it_is_update set to TRUE when tables of primary SELECT_LEX (SELECT_LEX
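Review bot: This function already captures `select_lex` from `thd->lex->current_select`, yet the clear here and both restores in the hunk at -5030 dereference `thd->lex->current_select` again. If anything called in between leaves `current_select` pointing at another SELECT_LEX, the restore writes the saved value to the wrong object and the original stays at 0. Writing through the captured pointer avoids that: `bool save_is_item_list_lookup= select_lex->is_item_list_lookup;` and `select_lex->is_item_list_lookup= 0;` here, and `select_lex->is_item_list_lookup= save_is_item_list_lookup;` at the two exits. Only the normal return and `err_no_arena` are visible; any other return in the body outside these hunks would need the same restore.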
@@ -5030,9 +5038,11 @@
     select_lex->where= *conds;
     select_lex->conds_processed_with_permanent_arena= 1;
   }
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   DBUG_RETURN(test(thd->net.report_error));
 
 err_no_arena:
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   DBUG_RETURN(1);
 }
 

--- 1.495/sql/sql_select.cc	2007-02-27 11:37:15 +03:00
+++ 1.496/sql/sql_select.cc	2007-03-03 00:11:39 +03:00
@@ -403,6 +403,7 @@
   if (thd->derived_tables_processing)
     select_lex->exclude_from_table_unique_test= TRUE;
 
+  thd->lex->current_select->is_item_list_lookup= 1;
   /* Check that all tables, fields, conds and order are ok */
 
   if ((!(select_options & OPTION_SETUP_TABLES_DONE) &&
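Review bot: The added assignment has no comment and, within the visible lines, is never undone, so `is_item_list_lookup` stays 1 on this SELECT_LEX after the function returns. With the set/reset pair removed in the hunk at -13265, every later name resolution on the same SELECT_LEX inherits that value, apart from the temporary clears added in sql_base.cc. That looks intended, but it should be stated, for example `/* Permit item_list lookups (aliases in ORDER BY/GROUP BY) for statements prepared through this path */`. It is also worth confirming where the flag is initialised to 0 for statements that never pass through here, since the fix depends on that default. The context line above writes through `select_lex`; if that is the same object as `thd->lex->current_select`, using it here would be more consistent. The enclosing function starts and ends outside the hunk.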
@@ -13265,16 +13266,11 @@
     We check order_item->fixed because Item_func_group_concat can put
     arguments for which fix_fields already was called.
   */
-  thd->lex->current_select->is_item_list_lookup= 1;
   if (!order_item->fixed &&
       (order_item->fix_fields(thd, order->item) ||
        (order_item= *order->item)->check_cols(1) ||
        thd->is_fatal_error))
-  {
-    thd->lex->current_select->is_item_list_lookup= 0;
     return TRUE; /* Wrong field. */
-  }
-  thd->lex->current_select->is_item_list_lookup= 0;
 
   uint el= all_fields.elements;
   all_fields.push_front(order_item); /* Add new field to field list. */
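Review bot: After this removal the `fix_fields()` call depends on state set elsewhere, and nothing in the hunk documents that precondition. Whether an ORDER BY name may be resolved against the item list is now decided by whatever `is_item_list_lookup` holds on entry. The crash being fixed came from resolving to an item whose field is 0x0, so a caller that reaches this code with the flag left at 1 for a non-SELECT statement would bring it back. A comment above the `if` would record this, for example `/* is_item_list_lookup is owned by the caller's prepare path; it must be 0 for UPDATE so SET-list items are not matched here */`. The function's beginning and end are outside the hunk.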

--- 1.32/mysql-test/r/update.result	2007-02-22 16:11:00 +03:00
+++ 1.33/mysql-test/r/update.result	2007-03-02 23:52:08 +03:00
@@ -453,3 +453,7 @@
 2	0.100000000000000000000000000000
 3	NULL
 DROP TABLE t1;
+create table t1(f1 int);
+update t1 set f2=1 order by f2;
+ERROR 42S22: Unknown column 'f2' in 'order clause'
+drop table t1;

--- 1.30/mysql-test/t/update.test	2007-02-22 16:11:00 +03:00
+++ 1.31/mysql-test/t/update.test	2007-03-02 23:51:37 +03:00
@@ -368,3 +368,11 @@
 SELECT * FROM t1;
 
 DROP TABLE t1;
+
+#
+# Bug#25126: Wrongly resolved field leads to a crash
+#
+create table t1(f1 int);
+--error 1054
+update t1 set f2=1 order by f2;
+drop table t1;
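Review bot: The test pins only the failing statement, so it does not show that an UPDATE whose ORDER BY names an existing column from the SET list still resolves and runs. Adding `update t1 set f1=1 order by f1;` before the `drop table` would cover that positive path, which the same flag now governs; update.result would need the matching line. `--error 1054` could also be written with the symbolic name `ER_BAD_FIELD_ERROR`, if this branch's mysqltest accepts symbolic names.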