From:eugene Date:March 3 2007 10:47pm
Subject:bk commit into 4.1 tree (evgen:1.2607) BUG#25126
Below is the list of changes that have just been committed into a local
4.1 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-03-04 00:47:42+03:00, evgen@stripped +4 -0
  Bug#25126: Wrongly resolved field leads to a crash.
  
  When the ORDER BY clause gets fixed it's allowed to search in the current
  item_list in order to find aliased fields and expressions. This is ok for a
  SELECT but wrong for an UPDATE statement. If the ORDER BY clause contains
  a non-existent field that is mentioned in the UPDATE set list, the
  server crashes because it uses a non-existent (0x0) field.
  
  When an Item_field is getting fixed it's allowed to search item list for
  aliased expressions and fields only for selects.

  mysql-test/r/update.result@stripped, 2007-03-04 00:46:39+03:00, evgen@stripped +4 -0
    Added a test case for bug#25126: Wrongly resolved field leads to a crash.

  mysql-test/t/update.test@stripped, 2007-03-04 00:46:43+03:00, evgen@stripped +8 -0
    Added a test case for bug#25126: Wrongly resolved field leads to a crash.

  sql/sql_base.cc@stripped, 2007-03-04 00:45:51+03:00, evgen@stripped +30 -1
    Bug#25126: Wrongly resolved field leads to a crash.
    When an Item_field is getting fixed it's allowed to search item list for
    aliased expressions and fields only for selects.

  sql/sql_select.cc@stripped, 2007-03-04 00:46:24+03:00, evgen@stripped +2 -5
    Bug#25126: Wrongly resolved field leads to a crash.
    When an Item_field is getting fixed it's allowed to search item list for
    aliased expressions and fields only for selects.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	evgen
# Host:	sunlight.local
# Root:	/local_work/25126-bug-4.1-opt-mysql

--- 1.275/sql/sql_base.cc	2007-03-04 00:47:45 +03:00
+++ 1.276/sql/sql_base.cc	2007-03-04 00:47:45 +03:00
@@ -2518,11 +2518,14 @@
 {
   reg2 Item *item;
   List_iterator<Item> it(fields);
+  bool save_is_item_list_lookup;
   DBUG_ENTER("setup_fields");
 
   thd->set_query_id=set_query_id;
   thd->allow_sum_func= allow_sum_func;
   thd->where="field list";
+  save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+  thd->lex->current_select->is_item_list_lookup= 0;
 
   /*
     To prevent fail on forward lookup we fill it with zerows,
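Review bot: The saved flag is restored by hand on each exit, here and in the two later setup_fields hunks (-2543, -2551) and in every setup_conds hunk (-2747 through -2881), so any return path outside these hunks, or one added later, leaves `is_item_list_lookup` cleared for whatever resolves names next on that select. Both function bodies start and end outside the hunks, so it cannot be confirmed from here that every exit is covered. A small scope guard that saves the value in its constructor and restores it in its destructor would make the restore unconditional and replace the nine copies of the same assignment. The sketch below assumes `current_select` is a `SELECT_LEX *`.

```cpp
/* Sets is_item_list_lookup for a scope and restores the old value on any exit. */
class Item_list_lookup_guard
{
  SELECT_LEX *select;
  bool saved;
public:
  Item_list_lookup_guard(SELECT_LEX *select_arg, bool value)
    :select(select_arg), saved(select_arg->is_item_list_lookup)
  { select->is_item_list_lookup= value; }
  ~Item_list_lookup_guard() { select->is_item_list_lookup= saved; }
};

  // in setup_fields(): replaces the save/clear pair and both manual restores
  DBUG_ENTER("setup_fields");
  Item_list_lookup_guard lookup_guard(thd->lex->current_select, 0);
  // … unchanged: set_query_id, allow_sum_func, where, item loop …
```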
@@ -2543,7 +2546,10 @@
   {
     if (!item->fixed && item->fix_fields(thd, tables, it.ref()) ||
 	(item= *(it.ref()))->check_cols(1))
+    {
+      thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
       DBUG_RETURN(-1); /* purecov: inspected */
+    }
     if (ref)
       *(ref++)= item;
     if (item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM
&&
@@ -2551,6 +2557,7 @@
       item->split_sum_func(thd, ref_pointer_array, *sum_func_list);
     thd->used_tables|=item->used_tables();
   }
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   DBUG_RETURN(test(thd->net.report_error));
 }
 
@@ -2747,6 +2754,8 @@
 {
   table_map not_null_tables= 0;
   Item_arena *arena= 0, backup;
+  bool save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+  thd->lex->current_select->is_item_list_lookup= 0;
   DBUG_ENTER("setup_conds");
 
   thd->set_query_id=1;
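Review bot: In setup_conds the flag is cleared by a statement placed between the local declarations and `DBUG_ENTER("setup_conds")`, whereas setup_fields in the first hunk does the same work after its DBUG_ENTER. Keeping DBUG_ENTER ahead of the first executable statement would make the two functions consistent. I would declare `bool save_is_item_list_lookup;` with the other locals and move `save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;` and `thd->lex->current_select->is_item_list_lookup= 0;` below the DBUG_ENTER line. The function's signature and the rest of its body are outside this hunk.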
@@ -2756,7 +2765,10 @@
     thd->where="where clause";
     if (!(*conds)->fixed && (*conds)->fix_fields(thd, tables, conds) ||
 	(*conds)->check_cols(1))
+    {
+      thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
       DBUG_RETURN(1);
+    }
     not_null_tables= (*conds)->not_null_tables();
   }
 
@@ -2772,7 +2784,10 @@
       if (!table->on_expr->fixed &&
 	  table->on_expr->fix_fields(thd, tables, &table->on_expr) ||
 	  table->on_expr->check_cols(1))
+      {
+        thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
 	DBUG_RETURN(1);
+      }
       thd->lex->current_select->cond_count++;
 
       /*
@@ -2794,7 +2809,11 @@
         }
 	if ((*conds) && !(*conds)->fixed &&
 	    (*conds)->fix_fields(thd, tables, conds))
+        {
+          thd->lex->current_select->is_item_list_lookup=
+            save_is_item_list_lookup;
 	  DBUG_RETURN(1);
+        }
       }
     }
     if (table->natural_join)
@@ -2846,7 +2865,11 @@
           {
             if (!(*conds)->fixed && 
                 (*conds)->fix_fields(thd, tables, conds))
+            {
+              thd->lex->current_select->is_item_list_lookup=
+                save_is_item_list_lookup;
               DBUG_RETURN(1);
+            }
           }
         }
         else
@@ -2859,7 +2882,11 @@
           {
             if (!table->on_expr->fixed && 
                 table->on_expr->fix_fields(thd, tables, &table->on_expr))
-             DBUG_RETURN(1);
+            {
+              thd->lex->current_select->is_item_list_lookup=
+                save_is_item_list_lookup;
+              DBUG_RETURN(1);
+            }
           }
         }
       }
@@ -2881,9 +2908,11 @@
     */
     thd->lex->current_select->where= *conds;
   }
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   DBUG_RETURN(test(thd->net.report_error));
 
 err:
+  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
   if (arena)
     thd->restore_backup_item_arena(arena, &backup);
   DBUG_RETURN(1);

--- 1.468/sql/sql_select.cc	2007-03-04 00:47:45 +03:00
+++ 1.469/sql/sql_select.cc	2007-03-04 00:47:45 +03:00
@@ -265,6 +265,7 @@
   select_lex->join= this;
   union_part= (unit_arg->first_select()->next_select() != 0);
 
+  thd->lex->current_select->is_item_list_lookup= 1;
   /* Check that all tables, fields, conds and order are ok */
 
   if (setup_tables(tables_list) ||
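Review bot: The flag is switched on here and no reset is visible in this hunk, so name resolution done by this function after this line (apart from setup_fields and setup_conds, which clear it themselves) now runs with item-list lookup enabled; before the patch it was enabled only around the ORDER BY fix in the -8702 hunk. It is also written through `thd->lex->current_select` while the line two above uses `select_lex`, and if those can ever differ the flag lands on a different select. If both are intended, a comment should record it, for example `/* Alias lookup in item_list stays on for the rest of this function; setup_fields()/setup_conds() turn it off locally. */`. The enclosing function starts and ends outside the hunk.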
@@ -8702,16 +8703,12 @@
 
     'it' reassigned in if condition because fix_field can change it.
   */
-  thd->lex->current_select->is_item_list_lookup= 1;
   if (!it->fixed &&
       (it->fix_fields(thd, tables, order->item) ||
        (it= *order->item)->check_cols(1) ||
        thd->is_fatal_error))
-  {
-    thd->lex->current_select->is_item_list_lookup= 0;
     return 1;					// Wrong field 
-  }
-  thd->lex->current_select->is_item_list_lookup= 0;
+
   uint el= all_fields.elements;
   all_fields.push_front(it);		        // Add new field to field list
   ref_pointer_array[el]= it;
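Review bot: With the set/clear pair removed, alias lookup in this function depends entirely on what the caller left in `is_item_list_lookup`, and nothing here says so. The comment block that ends just above the `if` is the place to state it, for example `Aliases in the item list are searched only when the caller has set current_select->is_item_list_lookup (SELECT does, UPDATE must not; Bug#25126).` The removed closing brace is replaced by an empty added line after an unbraced `return 1;`, which is easy to misread; keeping the braces would avoid that. The function body extends beyond the hunk.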

--- 1.30/mysql-test/r/update.result	2007-03-04 00:47:45 +03:00
+++ 1.31/mysql-test/r/update.result	2007-03-04 00:47:45 +03:00
@@ -377,3 +377,7 @@
 insert into t1 values (1,1);
 update t1 set `*f2`=1;
 drop table t1;
+create table t1(f1 int);
+update t1 set f2=1 order by f2;
+ERROR 42S22: Unknown column 'f2' in 'order clause'
+drop table t1;

--- 1.28/mysql-test/t/update.test	2007-03-04 00:47:45 +03:00
+++ 1.29/mysql-test/t/update.test	2007-03-04 00:47:45 +03:00
@@ -306,4 +306,12 @@
 insert into t1 values (1,1);
 update t1 set `*f2`=1;
 drop table t1;
+
+#
+# Bug#25126: Wrongly resolved field leads to a crash
+#
+create table t1(f1 int);
+--error 1054
+update t1 set f2=1 order by f2;
+drop table t1;
 # End of 4.1 tests
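Review bot: The new case exercises only the failing path, an unknown column in the ORDER BY of a single-table UPDATE; nothing checks that ORDER BY on an existing column still resolves after the lookup change. Adding `update t1 set f1=1 order by f1;` before the `drop table t1;` (with the matching line in update.result) would pin the working path. Because the patch also changes when the flag is set on the SELECT path, a SELECT that orders by a select-list alias would be a cheap regression guard if the suite does not already cover one.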