From: Date: August 20 2008 11:54am Subject: bzr push into mysql-5.0 branch (gluh:2671) Bug#38291 List-Archive: http://lists.mysql.com/commits/52022 X-Bug: 38291 Message-Id: <20080820095430.ECFB924A0078@eagle.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 2671 Sergey Glukhov 2008-08-20 Bug#38291 memory corruption and server crash with view/sp/function Send_field.org_col_name has broken value on secondary execution. It happens when result field is created from the field which belongs to view due to forgotten assignment of some Send_field attributes. The fix: set Send_field.org_col_name,org_table_name with correct value during Send_field intialization. modified: mysql-test/r/metadata.result mysql-test/r/sp.result mysql-test/t/sp.test sql/item.cc tests/mysql_client_test.c === modified file 'mysql-test/r/metadata.result' --- a/mysql-test/r/metadata.result 2007-06-20 09:21:48 +0000 +++ b/mysql-test/r/metadata.result 2008-08-20 09:49:28 +0000 @@ -108,11 +108,11 @@ id 1 select * from v1 group by id limit 0; Catalog Database Table Table_alias Column Column_alias Type Length Max length Is_null Flags Decimals Charsetnr -def test t1 v1 id id 3 10 0 Y 32768 0 63 +def test v1 v1 id id 3 10 0 Y 32768 0 63 id select * from v1 where id=1000 group by id; Catalog Database Table Table_alias Column Column_alias Type Length Max length Is_null Flags Decimals Charsetnr -def test t1 v1 id id 3 10 0 Y 32768 0 63 +def test v1 v1 id id 3 10 0 Y 32768 0 63 id select * from v1 where id=1 group by id; Catalog Database Table Table_alias Column Column_alias Type Length Max length Is_null Flags Decimals Charsetnr @@ -126,7 +126,7 @@ renamed 1 select * from v3 where renamed=1 group by renamed; Catalog Database Table Table_alias Column Column_alias Type Length Max length Is_null Flags Decimals Charsetnr -def v3 renamed 8 12 0 Y 32896 0 63 +def v3 v3 renamed renamed 8 12 0 Y 32896 0 63 renamed drop table t1; drop view v1,v2,v3; 
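Review bot: Every updated expectation moves the `Table` (org_table) cell for a view column from the base table (`t1`) to the view name (`v1`), and for `v3` fills in `Table`/`Column` cells that were previously empty, so this is a visible change to the result-set metadata sent to clients, not only a pointer fix. Clients that use org_table/org_name to address the underlying table (for example to build updatable result sets) will receive different values after this patch, and the commit message does not say this is intentional. I would either state that in the commit message or keep the base-table origin and fix only the stale-pointer case, since nothing in these hunks explains the flip.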
@@ -156,8 +156,8 @@ c1 3 SELECT v1.c1, v2.c2 FROM v1 JOIN v2 ON c1=c2; Catalog Database Table Table_alias Column Column_alias Type Length Max length Is_null Flags Decimals Charsetnr -def test t1 v1 c1 c1 254 1 1 Y 0 0 8 -def test t2 v2 c2 c2 254 1 1 Y 0 0 8 +def test v1 v1 c1 c1 254 1 1 Y 0 0 8 +def test v2 v2 c2 c2 254 1 1 Y 0 0 8 c1 c2 1 1 2 2 === modified file 'mysql-test/r/sp.result' --- a/mysql-test/r/sp.result 2008-02-17 11:37:39 +0000 +++ b/mysql-test/r/sp.result 2008-08-20 09:49:28 +0000 @@ -6646,6 +6646,22 @@ ttt 2 drop function func30787; drop table t1; +create table t1(c1 INT); +create function f1(p1 int) returns varchar(32) +return 'aaa'; +create view v1 as select f1(c1) as parent_control_name from t1; +create procedure p1() +begin +select parent_control_name as c1 from v1; +end // +call p1(); +c1 +call p1(); +c1 +drop procedure p1; +drop function f1; +drop view v1; +drop table t1; # ------------------------------------------------------------------ # -- End of 5.0 tests # ------------------------------------------------------------------ === modified file 'mysql-test/t/sp.test' --- a/mysql-test/t/sp.test 2008-02-17 11:37:39 +0000 +++ b/mysql-test/t/sp.test 2008-08-20 09:49:28 +0000 @@ -7794,6 +7794,30 @@ drop function func30787; drop table t1; +# +# Bug#38291 memory corruption and server crash with view/sp/function +# + +create table t1(c1 INT); +create function f1(p1 int) returns varchar(32) + return 'aaa'; +create view v1 as select f1(c1) as parent_control_name from t1; + +delimiter //; +create procedure p1() +begin + select parent_control_name as c1 from v1; +end // +delimiter ;// + +call p1(); +call p1(); + +drop procedure p1; +drop function f1; +drop view v1; +drop table t1; + --echo # ------------------------------------------------------------------ --echo # -- End of 5.0 tests --echo # ------------------------------------------------------------------ === modified file 'sql/item.cc' --- a/sql/item.cc 2008-07-30 11:07:37 +0000 
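Review bot: The regression test calls `p1()` twice but the expected output records only an empty result set each time, so a server that returns a dangling `org_col_name`/`org_table_name` without crashing would still pass; nothing in the result file pins the metadata this bug corrupts. Wrapping the two `call p1();` lines in `--enable_metadata` / `--disable_metadata` should make `Table`/`Column` for the view column part of the expected output, so a wrong or garbage value shows up as a result diff rather than only under a memory checker. A one-line comment above the calls, such as `# second call re-executes the cached SP; that is where the stale metadata pointer was observed`, would tell the next reader why the call is repeated — that reading comes from the commit description, not from anything the test itself shows.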
+++ b/sql/item.cc 2008-08-20 09:49:28 +0000
@@ -5764,6 +5764,10 @@ void Item_ref::make_field(Send_field *fi
 field->table_name= table_name;
 if (db_name)
 field->db_name= db_name;
+ if (orig_field_name)
+ field->org_col_name= orig_field_name;
+ if (orig_table_name)
+ field->org_table_name= orig_table_name;
 }
=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c 2008-08-15 20:13:27 +0000
+++ b/tests/mysql_client_test.c 2008-08-20 09:49:28 +0000
@@ -16162,7 +16162,7 @@ static void test_bug32265()
 metadata= mysql_stmt_result_metadata(stmt);
 field= mysql_fetch_field(metadata);
 DIE_UNLESS(strcmp(field->table, "v1") == 0);
- DIE_UNLESS(strcmp(field->org_table, "t1") == 0);
+ DIE_UNLESS(strcmp(field->org_table, "v1") == 0);
 DIE_UNLESS(strcmp(field->db, "client_test_db") == 0);
 mysql_free_result(metadata);
 mysql_stmt_close(stmt);
@@ -16174,7 +16174,7 @@ static void test_bug32265()
 metadata= mysql_stmt_result_metadata(stmt);
 field= mysql_fetch_field(metadata);
 DIE_UNLESS(strcmp(field->table, "v1") == 0);
- DIE_UNLESS(strcmp(field->org_table, "t1") == 0);
+ DIE_UNLESS(strcmp(field->org_table, "v1") == 0);
 DIE_UNLESS(strcmp(field->db, "client_test_db") == 0);
 mysql_free_result(metadata);
 mysql_stmt_close(stmt);
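Review bot: The new assignments are only applied when `orig_field_name` / `orig_table_name` are non-NULL, so for an `Item_ref` without them `field->org_col_name` and `field->org_table_name` keep whatever was stored earlier in this function — if that is the stale pointer the commit message describes, the guarded copy fixes the view case but leaves that path untouched. The hunk also adds no comment on why a reference overrides original names that were already filled in; I would add, above the first new `if`, `/* Bug#38291: use the reference's own names so org_* never points at name storage that (per the bug report) may be freed between executions. */`. `Item_ref::make_field` starts before the hunk, and the context lines after the closing brace that the `@@ -5764,6` count implies appear to have been lost in the mail formatting.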
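Review bot: Both assertions in `test_bug32265` are flipped from `t1` to `v1`, so a test that was presumably written to check that `org_table` reports the base table behind a view now asserts the opposite; if Bug#32265 was about exposing the underlying table, this commit silently reverses that fix instead of extending the test. Either the new expectation should be justified in the commit message, or `org_table` should keep the base table and the crash be fixed without changing the reported value. Only the assertions are visible here — the statement preparation and the view definition are outside the hunk, so the original intent is inferred from the test name.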