From:eugene Date:March 1 2006 1:12pm
Subject:bk commit into 5.0 tree (evgen:1.2080) BUG#17366
Below is the list of changes that have just been committed into a local
5.0 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet
  1.2080 06/03/01 16:12:30 evgen@stripped +3 -0
  Fixed bug#17366: Unchecked Item_int results in server crash
  
  When there is conjunction of conds, the substitute_for_best_equal_field()
  will call the eliminate_item_equal() function in loop to build final
  expression. But if eliminate_item_equal() finds that some cond will always
  evaluate to 0, then that cond will be substituted by Item_int with value ==
  0. In this case on the next iteration eliminate_item_equal() will get that
  Item_int and treat it as Item_cond. This leads to memory corruption and
  server crash on cleanup phase.
  
  To the eliminate_item_equal() function was added DBUG_ASSERT for checking
  that all items treated as Item_cond are really Item_cond.
  The substitute_for_best_equal_field() now checks that if
  eliminate_item_equal() returns Item_int and its value is 0 then this
  value is returned as the result of whole conjunction.

  sql/sql_select.cc
    1.396 06/03/01 16:11:22 evgen@stripped +9 -1
    Fixed bug#17366: Unchecked Item_int results in server crash
     
    To the eliminate_item_equal() function was added DBUG_ASSERT for checking
    that all items treaten as Item_cond are really Item_cond.
    The substitute_for_best_equal_field() now checks that if
    eliminate_item_equal() returns Item_int and it's value is 0 then this 
    value is returned as the result of whole conjunction.

  mysql-test/r/subselect.result
    1.135 06/03/01 16:11:07 evgen@stripped +7 -0
     Added test for bug#17366: Unchecked Item_int results in server crash

  mysql-test/t/subselect.test
    1.114 06/03/01 16:10:38 evgen@stripped +7 -0
    Added test for bug#17366: Unchecked Item_int results in server crash

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	evgen
# Host:	moonbone.local
# Root:	/work/17336-bug-5.0-mysql

--- 1.395/sql/sql_select.cc	2006-02-20 04:25:59 +03:00
+++ 1.396/sql/sql_select.cc	2006-03-01 16:11:22 +03:00
@@ -7066,7 +7066,10 @@
   if (!cond)
     cond= new Item_cond_and(eq_list);
   else
+  {
+    DBUG_ASSERT(cond->type() == Item::COND_ITEM);
     ((Item_cond *) cond)->add_at_head(&eq_list);
+  }
 
   cond->quick_fix_field();
   cond->update_used_tables();
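Review bot: The DBUG_ASSERT added before the `(Item_cond *) cond` cast compiles away in release builds, so there the cast stays unchecked and the invariant rests entirely on the caller stopping once a previous call has returned an Item_int 0. A comment next to the assert would make that dependency visible to the next maintainer: `/* cond must be an Item_cond here: substitute_for_best_equal_field() stops folding once this function has returned Item_int 0 (bug#17366) */`. eliminate_item_equal() begins and ends outside this hunk, so whether cond can arrive here from any other path that yields a non-cond item cannot be confirmed from the visible lines.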
@@ -7150,7 +7153,12 @@
       List_iterator_fast<Item_equal> it(cond_equal->current_level);
       while ((item_equal= it++))
       {
-        cond= eliminate_item_equal(cond, cond_equal->upper_levels, item_equal);
+        cond= eliminate_item_equal(cond, cond_equal->upper_levels,
+                                       item_equal);
+        // Due to 'AND' nature, if the result at some stage == 0,
+        // the whole cond_equal will be 0. In this case just return it.
+        if (cond->type() == Item::INT_ITEM && !cond->val_int())
+          break;
       }
     }
   }
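Review bot: The new comment says "just return it" but the code `break`s out of the inner while loop, and whatever runs on cond after the loop is outside this hunk; if any later statement in substitute_for_best_equal_field() casts or descends into cond as an Item_cond, the Item_int would still reach it. Either return directly, `return cond;`, if nothing after the loop needs to run, or reword the comment to match the control flow: `// Due to 'AND' nature, if the result at some stage == 0, the whole conjunction is 0; stop folding the remaining equalities.` The `!cond->val_int()` test is evaluated only when type() is INT_ITEM, which matches the Item_int(0) the commit message describes eliminate_item_equal() producing. The enclosing function starts and ends outside the hunk.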

--- 1.134/mysql-test/r/subselect.result	2006-02-20 04:25:59 +03:00
+++ 1.135/mysql-test/r/subselect.result	2006-03-01 16:11:07 +03:00
@@ -3157,3 +3157,10 @@
 1	PRIMARY	t1	ALL	NULL	NULL	NULL	NULL	9	Using where
 2	DEPENDENT SUBQUERY	t1	index	NULL	a	8	NULL	9	Using filesort
 DROP TABLE t1;
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+t
+crash1
+crash1
+drop table t1;

--- 1.113/mysql-test/t/subselect.test	2006-02-14 05:50:00 +03:00
+++ 1.114/mysql-test/t/subselect.test	2006-03-01 16:10:38 +03:00
@@ -2073,3 +2073,10 @@
 
 DROP TABLE t1;
 
+#
+# Bug#17366: Unchecked Item_int results in server crash
+#
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+drop table t1;