Below is the list of changes that have just been committed into a local
5.0 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet
1.2080 06/03/01 16:12:30 evgen@stripped +3 -0
Fixed bug#17366: Unchecked Item_int results in server crash
When there is conjunction of conds, the substitute_for_best_equal_field()
will call the eliminate_item_equal() function in loop to build final
expression. But if eliminate_item_equal() finds that some cond will always
evaluate to 0, then that cond will be substituted by Item_int with value ==
0. In this case on the next iteration eliminate_item_equal() will get that
Item_int and treat it as Item_cond. This is leads to memory corruption and
server crash on cleanup phase.
To the eliminate_item_equal() function was added DBUG_ASSERT for checking
that all items treaten as Item_cond are really Item_cond.
The substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns Item_int and it's value is 0 then this
value is returned as the result of whole conjunction.
sql/sql_select.cc
1.396 06/03/01 16:11:22 evgen@stripped +9 -1
Fixed bug#17366: Unchecked Item_int results in server crash
To the eliminate_item_equal() function was added DBUG_ASSERT for checking
that all items treaten as Item_cond are really Item_cond.
The substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns Item_int and it's value is 0 then this
value is returned as the result of whole conjunction.
mysql-test/r/subselect.result
1.135 06/03/01 16:11:07 evgen@stripped +7 -0
Added test for bug#17366: Unchecked Item_int results in server crash
mysql-test/t/subselect.test
1.114 06/03/01 16:10:38 evgen@stripped +7 -0
Added test for bug#17366: Unchecked Item_int results in server crash
# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: evgen
# Host: moonbone.local
# Root: /work/17336-bug-5.0-mysql
--- 1.395/sql/sql_select.cc 2006-02-20 04:25:59 +03:00
+++ 1.396/sql/sql_select.cc 2006-03-01 16:11:22 +03:00
@@ -7066,7 +7066,10 @@
if (!cond)
cond= new Item_cond_and(eq_list);
else
+ {
+ DBUG_ASSERT(cond->type() == Item::COND_ITEM);
((Item_cond *) cond)->add_at_head(&eq_list);
+ }
cond->quick_fix_field();
cond->update_used_tables();
@@ -7150,7 +7153,12 @@
List_iterator_fast<Item_equal> it(cond_equal->current_level);
while ((item_equal= it++))
{
- cond= eliminate_item_equal(cond, cond_equal->upper_levels, item_equal);
+ cond= eliminate_item_equal(cond, cond_equal->upper_levels,
+ item_equal);
+ // Due to 'AND' nature, if the result at some stage == 0,
+ // the whole cond_equal will be 0. In this case just return it.
+ if (cond->type() == Item::INT_ITEM && !cond->val_int())
+ break;
}
}
}
--- 1.134/mysql-test/r/subselect.result 2006-02-20 04:25:59 +03:00
+++ 1.135/mysql-test/r/subselect.result 2006-03-01 16:11:07 +03:00
@@ -3157,3 +3157,10 @@
1 PRIMARY t1 ALL NULL NULL NULL NULL 9 Using where
2 DEPENDENT SUBQUERY t1 index NULL a 8 NULL 9 Using filesort
DROP TABLE t1;
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+t
+crash1
+crash1
+drop table t1;
--- 1.113/mysql-test/t/subselect.test 2006-02-14 05:50:00 +03:00
+++ 1.114/mysql-test/t/subselect.test 2006-03-01 16:10:38 +03:00
@@ -2073,3 +2073,10 @@
DROP TABLE t1;
+#
+# Bug#17366: Unchecked Item_int results in server crash
+#
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+drop table t1;
| Thread |
|---|
| • bk commit into 5.0 tree (evgen:1.2080) BUG#17366 | eugene | 1 Mar |
