From: Date: October 16 2008 6:37pm
Subject: bzr commit into mysql-5.0-bugteam branch (gshchepa:2707) Bug#39844
List-Archive: http://lists.mysql.com/commits/56402
X-Bug: 39844
Message-Id: <20081016163750.80CFD40EBA4@localhost.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7BIT

#At file:///work/bzr/5.0-bugteam-39844/

 2707 Gleb Shchepa	2008-10-16
      Bug #39844: Query Crash Mysql Server 5.0.67
      
      Server crashed during a sort order optimization
      of a dependent subquery:
      
      SELECT
          (SELECT t1.a FROM t1, t2
            WHERE t1.a = t2.b AND t2.a = t3.c
            ORDER BY t1.a)
        FROM t3;
      
      
      Bitmap of tables, that the reference to outer table
      column uses, in addition to the regular table bit
      has the OUTER_REF_TABLE_BIT bit set.
      The only_eq_ref_tables function traverses this map
      bit by bit simultaneously with join->map2table list.
      Obviously join->map2table never contains an entry
      for the OUTER_REF_TABLE_BIT pseudo-table, so the
      server crashed there.
      
      
      The only_eq_ref_tables function has been modified
      to traverse regular table bits only like the
      update_depend_map function (resetting of the
      OUTER_REF_TABLE_BIT there is enough, but
      resetting of the whole set of PSEUDO_TABLE_BITS
      is used there for sure).
modified:
  mysql-test/r/order_by.result
  mysql-test/t/order_by.test
  sql/sql_select.cc

per-file messages:
  mysql-test/r/order_by.result
    Added test case for bug #39844.
  mysql-test/t/order_by.test
    Added test case for bug #39844.
  sql/sql_select.cc
    Bug #39844: Query Crash Mysql Server 5.0.67
    
    The only_eq_ref_tables function has been modified
    to traverse regular table bits only like the
    update_depend_map function (resetting of the
    OUTER_REF_TABLE_BIT there is enough, but
    resetting of the whole set of PSEUDO_TABLE_BITS
    is used there for sure).
=== modified file 'mysql-test/r/order_by.result'
--- a/mysql-test/r/order_by.result	2008-02-08 10:35:00 +0000
+++ b/mysql-test/r/order_by.result	2008-10-16 16:37:17 +0000
@@ -1076,3 +1076,19 @@ set session max_sort_length= 2180;
 select * from t1 order by b;
 ERROR HY001: Out of sort memory; increase server sort buffer size
 drop table t1;
+#
+# Bug #39844: Query Crash Mysql Server 5.0.67
+#
+CREATE TABLE t1 (a INT PRIMARY KEY);
+CREATE TABLE t2 (a INT PRIMARY KEY, b INT);
+CREATE TABLE t3 (c INT);
+INSERT INTO t1 (a) VALUES (1), (2);
+INSERT INTO t2 (a,b) VALUES (1,2), (2,3);
+INSERT INTO t3 (c) VALUES (1), (2);
+SELECT
+(SELECT t1.a FROM t1, t2 WHERE t1.a = t2.b AND t2.a = t3.c ORDER BY t1.a)
+FROM t3;
+(SELECT t1.a FROM t1, t2 WHERE t1.a = t2.b AND t2.a = t3.c ORDER BY t1.a)
+2
+NULL
+DROP TABLE t1, t2, t3;

=== modified file 'mysql-test/t/order_by.test'
--- a/mysql-test/t/order_by.test	2008-02-08 10:35:00 +0000
+++ b/mysql-test/t/order_by.test	2008-10-16 16:37:17 +0000
@@ -738,3 +738,21 @@ set session max_sort_length= 2180;
 select * from t1 order by b;
 drop table t1;
 
+
+--echo #
+--echo # Bug #39844: Query Crash Mysql Server 5.0.67
+--echo #
+
+CREATE TABLE t1 (a INT PRIMARY KEY);
+CREATE TABLE t2 (a INT PRIMARY KEY, b INT);
+CREATE TABLE t3 (c INT);
+
+INSERT INTO t1 (a) VALUES (1), (2);
+INSERT INTO t2 (a,b) VALUES (1,2), (2,3);
+INSERT INTO t3 (c) VALUES (1), (2);
+
+SELECT
+  (SELECT t1.a FROM t1, t2 WHERE t1.a = t2.b AND t2.a = t3.c ORDER BY t1.a)
+  FROM t3;
+
+DROP TABLE t1, t2, t3;

=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc	2008-10-10 10:13:12 +0000
+++ b/sql/sql_select.cc	2008-10-16 16:37:17 +0000
@@ -6574,6 +6574,7 @@ only_eq_ref_tables(JOIN *join,ORDER *ord
 {
   if (specialflag &  SPECIAL_SAFE_MODE)
     return 0;			// skip this optimize /* purecov: inspected */
+  tables&= ~PSEUDO_TABLE_BITS;
   for (JOIN_TAB **tab=join->map2table ; tables ; tab++, tables>>=1)
   {
     if (tables & 1 && !eq_ref_table(join, order, *tab))