Below is the list of changes that have just been committed into a local
5.0 repository of tnurnberg. When tnurnberg does a push these changes
will be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2008-02-27 20:31:50+01:00, tnurnberg@stripped +3 -0
Bug#34749: Server crash when using NAME_CONST() with an aggregate function
NAME_CONST('whatever', -1) * MAX(whatever) bombed since -1 was
not seen as constant, but as FUNCTION_UNARY_MINUS(constant)
while we are at the same time pretending it was a basic const
item. This confused the aggregate handlers in exciting ways.
We now make NAME_CONST() behave more consistently in that when
it is transparent with regard to basic_const_item(), it also
is with regard to type().
mysql-test/r/func_misc.result@stripped, 2008-02-27 20:31:47+01:00, tnurnberg@stripped +17 -0
show that a combination of NAME_CONST('x', -y) and an aggregate
no longer crashes the server
mysql-test/t/func_misc.test@stripped, 2008-02-27 20:31:47+01:00, tnurnberg@stripped +16 -0
show that a combination of NAME_CONST('x', -y) and an aggregate
no longer crashes the server
sql/item.cc@stripped, 2008-02-27 20:31:47+01:00, tnurnberg@stripped +9 -1
make NAME_CONST() transparent in that type() of
-constant is that of constant, not that of unary
minus (id est, FUNC_ITEM).
diff -Nrup a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result
--- a/mysql-test/r/func_misc.result 2007-12-13 12:47:21 +01:00
+++ b/mysql-test/r/func_misc.result 2008-02-27 20:31:47 +01:00
@@ -207,6 +207,23 @@ test
SELECT NAME_CONST('test', 'test');
test
test
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT NAME_CONST('flag',1) * MAX(a) FROM t1;
+NAME_CONST('flag',1) * MAX(a)
+3
+SELECT NAME_CONST('flag',1.5) * MAX(a) FROM t1;
+NAME_CONST('flag',1.5) * MAX(a)
+4.5
+SELECT NAME_CONST('flag',-1) * MAX(a) FROM t1;
+NAME_CONST('flag',-1) * MAX(a)
+-3
+SELECT NAME_CONST('flag',-1.5) * MAX(a) FROM t1;
+NAME_CONST('flag',-1.5) * MAX(a)
+-4.5
+SELECT NAME_CONST('flag',-SQRT(4)) * MAX(a) FROM t1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+DROP TABLE t1;
CREATE TABLE t1 (a int);
INSERT INTO t1 VALUES (5), (2);
SELECT NAME_CONST(x,2) FROM (SELECT a x FROM t1) t;
diff -Nrup a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test
--- a/mysql-test/t/func_misc.test 2007-12-13 12:47:21 +01:00
+++ b/mysql-test/t/func_misc.test 2008-02-27 20:31:47 +01:00
@@ -205,6 +205,22 @@ SELECT NAME_CONST('test', -1.0);
SELECT NAME_CONST('test', 'test');
#
+# Bug #34749: Server crash when using NAME_CONST() with an aggregate function
+#
+
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2),(3);
+# NAME_CONST() + aggregate.
+SELECT NAME_CONST('flag',1) * MAX(a) FROM t1;
+SELECT NAME_CONST('flag',1.5) * MAX(a) FROM t1;
+# Now, wrap the INT_ITEM in Item_func_neg and watch the pretty explosions
+SELECT NAME_CONST('flag',-1) * MAX(a) FROM t1;
+SELECT NAME_CONST('flag',-1.5) * MAX(a) FROM t1;
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('flag',-SQRT(4)) * MAX(a) FROM t1;
+DROP TABLE t1;
+
+#
# Bug #27545: erroneous usage of NAME_CONST with a name as the first parameter
# resolved against a column name of a derived table hangs the client
#
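Review bot: The comment on the negative cases, `# Now, wrap the INT_ITEM in Item_func_neg and watch the pretty explosions`, describes the pre-fix crash rather than what the test now expects. The second statement under it also passes a decimal literal, not an integer one. A comment such as `# A negated literal arrives as Item_func_neg(constant); these must return a value instead of crashing the server.` would stay accurate after the fix. The `-SQRT(4)` case would benefit from its own line, e.g. `# A negated non-constant must still be rejected.`, so the reason for the expected ER_WRONG_ARGUMENTS is recorded next to it.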
diff -Nrup a/sql/item.cc b/sql/item.cc
--- a/sql/item.cc 2008-02-12 20:51:00 +01:00
+++ b/sql/item.cc 2008-02-27 20:31:47 +01:00
@@ -1218,8 +1218,16 @@ Item::Type Item_name_const::type() const
if (item->type() == FIELD_ITEM)
((Item_field *) item)->...
we return NULL_ITEM in the case to avoid wrong casting.
+
+ valid_args guarantees value_item->basic_const_item(); if type is
+ FUNC_ITEM, then we have a fudged item_func_neg() on our hands
+ and return the underlying type.
*/
- return valid_args ? value_item->type() : NULL_ITEM;
+ return valid_args ?
+ ((value_item->type() == FUNC_ITEM) ?
+ ((Item_func *) value_item)->key_item()->type() :
+ value_item->type()) :
+ NULL_ITEM;
}
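Review bot: The unchecked C-style cast in `((Item_func *) value_item)->key_item()->type()` is safe only if `valid_args` admits nothing but a unary minus over a basic constant, and that check is computed outside this hunk. Only one level is unwrapped, so if a nested negation such as `-(-1)` also satisfies `valid_args` (worth confirming), the inner type is again FUNC_ITEM. Callers would then see the same disagreement between type() and basic_const_item() that this commit sets out to remove. Consider rejecting such arguments where `valid_args` is set, or at least stating the invariant before the return with `DBUG_ASSERT(!valid_args || value_item->type() != FUNC_ITEM || ((Item_func *) value_item)->key_item()->type() != FUNC_ITEM);`, and adding a test statement for the nested case. The body of Item_name_const::type() begins before the hunk, so the surrounding code could not be checked here.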