#At file:///home/kgeorge/mysql/work/B48291-5.0-bugteam/ based on revid:joro@stripped
2831 Georgi Kodinov 2009-10-30
Bug #48291 : crash with row() operator,select into @var, and
subquery returning multiple rows
Error handling was missing when handling subqueires in WHERE
and when assigning a SELECT result to a @variable.
This caused crash(es).
Fixed by adding error handling code to both the WHERE
condition evaluation and to assignment to an @variable.
modified:
mysql-test/r/select.result
mysql-test/t/select.test
sql/sql_class.cc
sql/sql_select.cc
=== modified file 'mysql-test/r/select.result'
--- a/mysql-test/r/select.result 2009-10-21 09:04:08 +0000
+++ b/mysql-test/r/select.result 2009-10-30 13:15:43 +0000
@@ -4430,4 +4430,16 @@ SELECT 1 FROM t1 NATURAL LEFT JOIN t1 AS
1
1
DROP TABLE t1;
+#
+# Bug #48291 : crash with row() operator,select into @var, and
+# subquery returning multiple rows
+#
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (2),(3);
+# Should not crash
+SELECT 1 FROM t1 WHERE a <> 1 AND NOT
+ROW(a,a) <=> ROW((SELECT 1 FROM t1 WHERE 1=2),(SELECT 1 FROM t1))
+INTO @var0;
+ERROR 21000: Subquery returns more than 1 row
+DROP TABLE t1;
End of 5.0 tests
=== modified file 'mysql-test/t/select.test'
--- a/mysql-test/t/select.test 2009-10-21 09:04:08 +0000
+++ b/mysql-test/t/select.test 2009-10-30 13:15:43 +0000
@@ -3766,5 +3766,22 @@ EXPLAIN SELECT 1 FROM t1 NATURAL LEFT JO
SELECT 1 FROM t1 NATURAL LEFT JOIN t1 AS t2 FORCE INDEX(a);
DROP TABLE t1;
+
+--echo #
+--echo # Bug #48291 : crash with row() operator,select into @var, and
+--echo # subquery returning multiple rows
+--echo #
+
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (2),(3);
+
+--echo # Should not crash
+--error ER_SUBQUERY_NO_1_ROW
+SELECT 1 FROM t1 WHERE a <> 1 AND NOT
+ROW(a,a) <=> ROW((SELECT 1 FROM t1 WHERE 1=2),(SELECT 1 FROM t1))
+INTO @var0;
+
+DROP TABLE t1;
+
--echo End of 5.0 tests
=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc 2009-07-24 15:58:58 +0000
+++ b/sql/sql_class.cc 2009-10-30 13:15:43 +0000
@@ -2068,9 +2068,11 @@ bool select_dumpvar::send_data(List<Item
else
{
Item_func_set_user_var *suv= new Item_func_set_user_var(mv->s, item);
- suv->fix_fields(thd, 0);
+ if (suv->fix_fields(thd, 0))
+ DBUG_RETURN (1);
suv->save_item_result(item);
- suv->update();
+ if (suv->update())
+ DBUG_RETURN (1);
}
}
DBUG_RETURN(0);
=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc 2009-10-30 09:40:44 +0000
+++ b/sql/sql_select.cc 2009-10-30 13:15:43 +0000
@@ -10822,6 +10822,7 @@ evaluate_join_record(JOIN *join, JOIN_TA
bool not_used_in_distinct=join_tab->not_used_in_distinct;
ha_rows found_records=join->found_records;
COND *select_cond= join_tab->select_cond;
+ bool select_cond_result= TRUE;
if (error > 0 || (*report_error)) // Fatal error
return NESTED_LOOP_ERROR;
@@ -10833,7 +10834,17 @@ evaluate_join_record(JOIN *join, JOIN_TA
return NESTED_LOOP_KILLED; /* purecov: inspected */
}
DBUG_PRINT("info", ("select cond 0x%lx", (ulong)select_cond));
- if (!select_cond || select_cond->val_int())
+
+ if (select_cond)
+ {
+ select_cond_result= test(select_cond->val_int());
+
+ /* check for errors evaluating the condition */
+ if (join->thd->net.report_error)
+ return NESTED_LOOP_ERROR;
+ }
+
+ if (!select_cond || select_cond_result)
{
/*
There is no select condition or the attached pushed down
Attachment: [text/bzr-bundle] bzr/joro@sun.com-20091030131543-2b23fnqckgbzvete.bundle
| Thread |
|---|
| • bzr commit into mysql-5.0 branch (joro:2831) Bug#48291 | Georgi Kodinov | 30 Oct |
