From: Date: July 26 2008 10:44pm Subject: bzr commit into mysql-5.0 branch (igor:2647) Bug#38191 List-Archive: http://lists.mysql.com/commits/50563 X-Bug: 38191 Message-Id: <20080726204419.0AC3770574C@igor-laptop.mysql.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit #At file:///home/igor/dev-bzr/mysql-5.0-bug38191/ 2647 Igor Babaev 2008-07-26 Fixed bug #38191. Calling List::delete_elements for the same list twice caused a crash of the server in the function JOIN::cleaunup. Ensured that delete_elements() in JOIN::cleanup would be called only once. modified: mysql-test/r/subselect.result mysql-test/t/subselect.test sql/sql_select.cc per-file messages: mysql-test/r/subselect.result Added a test case for bug #38191. mysql-test/t/subselect.test Added a test case for bug #38191. sql/sql_select.cc Fixed bug #38191. Ensured that delete_elements() in JOIN::cleanup would be called only once. === modified file 'mysql-test/r/subselect.result' --- a/mysql-test/r/subselect.result 2008-05-16 14:05:55 +0000 +++ b/mysql-test/r/subselect.result 2008-07-26 20:44:07 +0000 @@ -4396,4 +4396,15 @@ id select_type table type possible_keys Warnings: Note 1003 select 1 AS `1` from `test`.`t1` where (1,(select 1 AS `1` from `test`.`t1` where (`test`.`t1`.`a` > 3) group by `test`.`t1`.`a` having ((1) = (1)))) DROP TABLE t1; +CREATE TABLE t1(pk int PRIMARY KEY, a int, INDEX idx(a)); +INSERT INTO t1 VALUES (1, 10), (3, 30), (2, 20); +CREATE TABLE t2(pk int PRIMARY KEY, a int, b int, INDEX idxa(a)); +INSERT INTO t2 VALUES (2, 20, 700), (1, 10, 200), (4, 10, 100); +SELECT * FROM t1 +WHERE EXISTS (SELECT DISTINCT a FROM t2 WHERE t1.a < t2.a ORDER BY b); +pk a +1 10 +3 30 +2 20 +DROP TABLE t1,t2; End of 5.0 tests. === modified file 'mysql-test/t/subselect.test' --- a/mysql-test/t/subselect.test 2008-06-25 14:59:38 +0000 +++ b/mysql-test/t/subselect.test 2008-07-26 20:44:07 +0000 
@@ -3295,5 +3295,17 @@ EXPLAIN EXTENDED SELECT 1 FROM t1 WHERE EXPLAIN EXTENDED SELECT 1 FROM t1 WHERE 1 IN (SELECT 1 FROM t1 WHERE a > 3 GROUP BY a); DROP TABLE t1; +# +# Bug #38191: Server crash with subquery containing DISTINCT and ORDER BY +# + +CREATE TABLE t1(pk int PRIMARY KEY, a int, INDEX idx(a)); +INSERT INTO t1 VALUES (1, 10), (3, 30), (2, 20); +CREATE TABLE t2(pk int PRIMARY KEY, a int, b int, INDEX idxa(a)); +INSERT INTO t2 VALUES (2, 20, 700), (1, 10, 200), (4, 10, 100); +SELECT * FROM t1 + WHERE EXISTS (SELECT DISTINCT a FROM t2 WHERE t1.a < t2.a ORDER BY b); +DROP TABLE t1,t2; + --echo End of 5.0 tests. === modified file 'sql/sql_select.cc' --- a/sql/sql_select.cc 2008-07-15 14:13:21 +0000 +++ b/sql/sql_select.cc 2008-07-26 20:44:07 +0000 @@ -6469,6 +6469,12 @@ void JOIN::cleanup(bool full) if (tmp_join) tmp_table_param.copy_field= 0; group_fields.delete_elements(); + /* + Ensure that the above delete_elements() would not be called + twice for the same list. + */ + if (tmp_join && tmp_join != this) + tmp_join->group_fields= group_fields; /* We can't call delete_elements() on copy_funcs as this will cause problems in free_elements() as some of the elements are then deleted.
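Review bot: The reset added after `group_fields.delete_elements();` in sql/sql_select.cc covers only one cleanup order. `if (tmp_join && tmp_join != this)` copies the emptied list into tmp_join, but when cleanup runs on the tmp_join object itself the condition is false and nothing resets the other JOIN's group_fields, so if that order is reachable the same elements could still be deleted twice. The fix also depends on delete_elements() leaving group_fields empty and on tmp_join holding a copy that shares its elements, neither of which is visible in this hunk; the comment should say so, e.g. `tmp_join->group_fields shares its elements with this list; delete_elements() has just emptied it, so copy the empty list to keep tmp_join from freeing them again.` Because a double delete is a memory-safety fault that any client able to run the SELECT from the new test could trigger, the test is worth running under Valgrind or a debug build, where the fault is reported even if the server does not crash. JOIN::cleanup begins and ends outside this hunk.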