From: Evgeny Potemkin Date: December 1 2009 6:28pm Subject: bzr commit into mysql-5.0-bugteam branch (epotemkin:2850) Bug#48508 List-Archive: http://lists.mysql.com/commits/92340 X-Bug: 48508 Message-Id: <0KTZ0025AKNIR150@fe-emea-10.sun.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Boundary_(ID_UpMzNTfWIrOofGJFGgz0iQ)" --Boundary_(ID_UpMzNTfWIrOofGJFGgz0iQ) MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Content-disposition: inline #At file:///work/bzrroot/48508-bug-5.0-bugteam/ based on revid:alexey.kopytov@stripped 2850 Evgeny Potemkin 2009-12-01 Bug#48508: Crash on prepared statement re-execution. Actually there are two different bugs. The first one caused a crash on queries with WHERE condition over views containing WHERE condition. A wrong check for prepared statement phase led to items for view fields being allocated in the execution memory and freed at the end of execution. Thus the optimized WHERE condition refers to unallocated memory on the second execution and server crashed. The second one is caused by the Item_cond::compile function not saving changes it made to the item tree. Thus on the next execution changes weren't reverted and server crashed on dereferencing of unallocated space. The new helper function called is_stmt_prepare_or_first_stmt_execute is added to the Query_arena class. The find_field_in_view function now uses is_stmt_prepare_or_first_stmt_execute() to check whether newly created view items should be freed at the end of the query execution. The Item_cond::compile function now saves changes it makes to item tree. @ mysql-test/r/ps.result Added a test case for the bug#48508. @ mysql-test/t/ps.test Added a test case for the bug#48508. @ sql/item_cmpfunc.cc Bug#48508: Crash on prepared statement re-execution. The Item_cond::compile function now saves changes it makes to item tree. @ sql/sql_base.cc Bug#48508: Crash on prepared statement re-execution. 
The find_field_in_view function now uses is_stmt_prepare_or_first_stmt_execute() to check whether newly created view items should be freed at the end of the query execution. @ sql/sql_class.h Bug#48508: Crash on prepared statement re-execution. The Query_arena::is_stmt_prepare_or_first_sp_execute function now correctly do its check. modified: mysql-test/r/ps.result mysql-test/t/ps.test sql/item_cmpfunc.cc sql/sql_base.cc sql/sql_class.h
=== modified file 'mysql-test/r/ps.result'
--- a/mysql-test/r/ps.result 2009-02-27 16:07:58 +0000
+++ b/mysql-test/r/ps.result 2009-12-01 18:28:45 +0000
@@ -1891,4 +1891,27 @@ execute stmt using @arg;
 ?
 -12345.5432100000
 deallocate prepare stmt;
+#
+# Bug#48508: Crash on prepared statement re-execution.
+#
+create table t1(b int);
+insert into t1 values (0);
+create view v1 AS select 1 as a from t1 where b;
+prepare stmt from "select * from v1 where a";
+execute stmt;
+a
+execute stmt;
+a
+drop table t1;
+drop view v1;
+create table t1(a bigint);
+create table t2(b tinyint);
+insert into t2 values (null);
+prepare stmt from "select 1 from t1 join t2 on a xor b where b > 1 and a =1";
+execute stmt;
+1
+execute stmt;
+1
+drop table t1,t2;
+#
 End of 5.0 tests.
=== modified file 'mysql-test/t/ps.test'
--- a/mysql-test/t/ps.test 2009-02-25 10:37:30 +0000
+++ b/mysql-test/t/ps.test 2009-12-01 18:28:45 +0000
@@ -1973,4 +1973,25 @@ select @arg;
 execute stmt using @arg;
 deallocate prepare stmt;
 
+--echo #
+--echo # Bug#48508: Crash on prepared statement re-execution.
+--echo #
+create table t1(b int);
+insert into t1 values (0);
+create view v1 AS select 1 as a from t1 where b;
+prepare stmt from "select * from v1 where a";
+execute stmt;
+execute stmt;
+drop table t1;
+drop view v1;
+
+create table t1(a bigint);
+create table t2(b tinyint);
+insert into t2 values (null);
+prepare stmt from "select 1 from t1 join t2 on a xor b where b > 1 and a =1";
+execute stmt;
+execute stmt;
+drop table t1,t2;
+--echo #
+
 --echo End of 5.0 tests.
=== modified file 'sql/item_cmpfunc.cc'
--- a/sql/item_cmpfunc.cc 2009-08-28 15:51:31 +0000
+++ b/sql/item_cmpfunc.cc 2009-12-01 18:28:45 +0000
@@ -3907,7 +3907,7 @@ Item *Item_cond::compile(Item_analyzer a
     byte *arg_v= *arg_p;
     Item *new_item= item->compile(analyzer, &arg_v, transformer, arg_t);
     if (new_item && new_item != item)
-      li.replace(new_item);
+      current_thd->change_item_tree(li.ref(), new_item);
   }
   return Item_func::transform(transformer, arg_t);
 }
=== modified file 'sql/sql_base.cc'
--- a/sql/sql_base.cc 2009-11-03 09:00:41 +0000
+++ b/sql/sql_base.cc 2009-12-01 18:28:45 +0000
@@ -3481,7 +3481,8 @@ find_field_in_view(THD *thd, TABLE_LIST
     if (!my_strcasecmp(system_charset_info, field_it.name(), name))
     {
       // in PS use own arena or data will be freed after prepare
-      if (register_tree_change && thd->stmt_arena->is_stmt_prepare_or_first_sp_execute())
+      if (register_tree_change &&
+          thd->stmt_arena->is_stmt_prepare_or_first_stmt_execute())
         arena= thd->activate_stmt_arena_if_needed(&backup);
       /*
         create_item() may, or may not create a new Item, depending on
=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h 2009-10-20 04:42:10 +0000
+++ b/sql/sql_class.h 2009-12-01 18:28:45 +0000
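Review bot: The new line `current_thd->change_item_tree(li.ref(), new_item);` carries no comment saying why the plain `li.replace(new_item)` it replaces was wrong, and the reason (the substitution must be registered so it is rolled back before the next execution of a prepared statement, otherwise the tree keeps a pointer into freed execution memory, per the commit message) is exactly what the next person tempted to "simplify" it back needs; I would put `/* Register the change so it is rolled back before PS re-execution (Bug#48508). */` above it. The line also looks up `current_thd` on every loop iteration; hoisting `THD *thd= current_thd;` before the loop would be tidier, though the loop header and the rest of Item_cond::compile are outside the hunk so I cannot see whether a THD is already in scope. The registered address `li.ref()` points into the argument-list node, which is sound only if that node outlives the execution arena — I take that to be the case for Item_cond's list but cannot verify it here.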
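Review bot: The comment `// in PS use own arena or data will be freed after prepare` above the changed condition is now stale: with `is_stmt_prepare_or_first_stmt_execute()` the statement arena is also activated on the first execution, not only on prepare, which is the whole point of the fix. I would reword it to `// In PS, on prepare and on the first execute allocate the view items in the statement arena; otherwise they die with the execution mem_root while the cached WHERE still points at them (Bug#48508).` The restore of `arena` through `backup` and the rest of find_field_in_view lie outside the hunk, so I cannot check that the restoration path is reached on every return once the arena is activated in this additional state.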
@@ -759,6 +759,8 @@ public:
   { return state == INITIALIZED_FOR_SP; }
   inline bool is_stmt_prepare_or_first_sp_execute() const
   { return (int)state < (int)PREPARED; }
+  inline bool is_stmt_prepare_or_first_stmt_execute() const
+  { return (int)state <= (int)PREPARED; }
   inline bool is_first_stmt_execute() const { return state == PREPARED; }
   inline bool is_stmt_execute() const
   { return state == PREPARED || state == EXECUTED; }
--Boundary_(ID_UpMzNTfWIrOofGJFGgz0iQ) MIME-version: 1.0 Content-type: text/bzr-bundle; CHARSET=US-ASCII; name="bzr/epotemkin@stripped" Content-transfer-encoding: 7BIT Content-disposition: inline; filename="bzr/epotemkin@stripped" # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: epotemkin@stripped # target_branch: file:///work/bzrroot/48508-bug-5.0-bugteam/ # testament_sha1: 01ac438111e0ca1f0c8e7725bd9d8b6fa03edcc2 # timestamp: 2009-12-01 21:28:52 +0300 # base_revision_id: alexey.kopytov@stripped\ # lc3vxqx624yh5gvv # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWcNDZwIABZ3fgFEQWff//35g fIC////6YAyPnewO74ONU1RVDzu5IzbWqttbN7NCgJejIAygRA0n6ieImaanqNPUb1JgTCMBGJkY 5gTE0GEyZMmRhME00yMTAEMAkUBNSeknlHhPSaMmp6INNPUABoAAGEpqaZRo9CDaRiAND1DQAAAA IpJoBGjEATQamjamqeamo9TaENAD1NBJCIaATUwEmGmhogSbJqeUMR6gPSNYX4WiyzwXZlfqJrSJ A/07vzLczDVpq+M1pHGpRjrqfUpQaViYNGZ+dNsa8K7RWNQ+sAHVD3jg4H/rYNbDs7IyIw4cMZxw i2Vfk7UDTbkv9Eg21acfYgvV433G+4TC+V51wrE7bzeLajShttjbaG67UtBzFaUsCu/NqoJB2wFg ncxhGhudQhJBCrCPEY5hjFgql3MTP39n7sbxjYVES7Cyqq4crO4YcsxIW2VbkFtRJ/YRXL6Ln/22 4wKqXKd7z7WsaAPuxg/cWSLAzMj4mMwuVZpuKBbVP/OBGaoNgRYtVmZaif8mmKa2dB9yWFItss1X Ik8JSIE/8TRtYzJ1H9yhcMBALoaDDgbCBxf7BjeXCM55l6zhr8h6qzcT4jGV+SimoIGNxsMrCw1E UqLhjiR9uo1+74eVC9P1eZea5+nBIPeZDEPGOioig5IF/AQazEIWyLyeAAiBoT7Btt9IHCGx784d ETjDKQUmt3D1otyGUYepBWV3GoM3iw1LaKWO5yv898cBeONOz7Ba7B6YUOU6mhubzGYyYG/UaK3z u4XwnfEXSojQWS6TvI2xDDEaKWICBbU1dnOhKjbJOI2VUpZ+aY3Er0mUYbfGL1M4AiFup7if4V1U 5R3+9CuQ8Ik4EhSopqQpQmLeypKydCkqV0DBAwtxLodh5uYzU5FRZbMT1SEiQ6CgTYtssrHLTu4w 
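Review bot: The new `is_stmt_prepare_or_first_stmt_execute()` has no comment, and its `(int)state <= (int)PREPARED` relies on the declaration order of the `state` enum, which is not visible in the hunk; if that enum carries a negative error enumerator (the `(int)` casts suggest the values are not all non-negative), this predicate is also true in the error state, exactly as the neighbouring `<` helper is, and a caller using it to decide arena ownership would then allocate in the statement arena after a failure. Spelling the intended states out with `==` comparisons, as `is_stmt_execute()` two lines below does, would document the intent and not depend on ordering — if those are indeed the only states meant. At minimum I would add `/* True while preparing, or during the first execution of a PS or SP: items created now must outlive the current execution. */` above the declaration. The enclosing Query_arena class starts outside the hunk.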
eolqsYDkW2wh3boQG0HGL/IcWVWotaFUge90Gdvt5VDDBMSsKCpISopV7Npdutqcz0tjq7bj4LU7 hMuZmsWFhvIruUvpiyCVBki42QlHkgY1DXbCrebjUBsPcjwYAxN1xfwoG1jJLExIyCXJltdQ4raD CZOTrWyqXjMCuCnPQW0EjecKsWrvYSuKyAxsqumBoYFh/z8Fg0jmqvBcl1rWr8MTHPbNpPSVdWwQ 1ihzAfRZqRA0yCZVShU2OZWG/67TOHs8mNVDzeDRs1S14ZZxrtp14yBhZjwKNdg6iVDcverhKZ6q hZFxcXr6fQDM0KzxTkOZ5t5WTv+783r83FnSyebv0XZ0bZd5WLtbLcytB2R27OsXORPvJLqI/Cqy FXWZVEmNR4SzKzSaB4N49hiajxYtMzWVHUXkyg9D+F5q3j5+axwXDYvFYq/q001wao4Jyq9RlJhn N9ZdruJlBrqicJULyNRzMy4vFvJ/LgL6Y2Pg8drlphDH0IuJB6Oz+Ve47tT9pcbHNzXLjQfu5S60 c/SmfKaWwgzBw1mRicrHve4MLq5R0hcbjjLKgnULoqiBYEkbAnI1DBMgWcpVmxLWyTMMaFRybKlo 9BZIJKTSUncYQQmIyyyMcjvg3j4lEGeE7kjWJMHaSC0g6tRBNhUmykt2JZqfIq01JzFF1Uq5IgTz hKtDsKqUQZUCQE/zwg5A8A45rHGIDqEPaYZeUV5nkRAsR55ciFygMNIceGIykQHADJCFIq9Ac29E nCt2hKJWCFKZEncPMZ/lC7sClpFJA2+3NMmmKP7U2flcf9VFTlgoL43ssBJHd0vgjVCcwJ8oDgch qTczSQzPnJWhZ8P40BfAMCYtpUemJif0JOKVzke4kSvBcz5rD4FZovU123e4kXmh+lBxHuPlcYat lMjoYFSW0C75qwwO/mfL5Y7D7dgljC6NNSc10ZoH7MCzLynuStDmOPfWSL9IFrBJbk4zPydz8hfq 7Bej9uGB1CDvPI9l9tC44ngvqpFZ4H1PUvOw7kYlCovKw3lhaF/1I0Y25iPVdfip+XinK2ZqHIA7 jthF2jqQrEOhxokeCnqCRqEnOhvJDHVgvVMfQCsY8Fe2JYGBjzcvp4gzsOcK1zxvZZ0siLRjSRHU pklENLBgMspCaTu7PvEQuZNTGjAZAYNNqFPU4pK78ys9j1oPDXkHQjQt2mG9aJHteUNQrFRBwLDi nNDqM02vtXIT3LTN2FhmdzT19G3I+ArQGMLkNazKRoyk5tKASAkIYsjLMMUxT0hWIhKhWXfFvEbz 8TcVkj39vrKl9V1DgY67kfFaz1KY2QyyUmhsG4zN1kxLA+ATDUWjT7CFdGG8tkVm+Kmo1Eq3IaY2 szNVYVbHFuOxe0gzMmV3jT5OI34AhgQ2TgPBkSmsDzYQ4wgft9TzSZFpUc23ccCaUfn2HwybXEBS 0TkwYycJkjeRmwZLpEiMkswJC1PKBhj1PgBAaFgDYznVMSRtV9uroafSAbDeRNJAgqqJtGczlM/J eSkExFp5lUNz9vQguKGaXet5u+yLeKLkmhSPB+IdX4UGhqBK70kuD0qSxCN718HpJbU3WiTDsBzc Obe7cYTDisZY61+z/kti7xKg/PqS4BuijzqEgTS1SX+G2JptoeuQTK66HWMQYPasKzTm3ny6qRc+ pGpqnrdIvS9jnw9yhyZ3moT996/My99ia2ECx2HnvIV0kAUmzbty8NWOXhfYHgObz5jg3pONEcGS BkjYtSU57+1yD5tAMClkRuiORSzLIU32kItWziSXQwmScStM8Ac9NKebN0THwfIPo1OvBl23u1sM 5AHADNsydTvw0m4B7P0pXlMT5bB4tZ5cX4gegkbSACge7Cb59NkZrrvIBmrU1Tiph720Kqw6acns 
J+9dOAF6ZNApaSQydTQusoJrknv+O03Nb40YtgBowZGi8ckpcGlq2OYDpsP+gHI0tsXKkQXQJasc xgZqzkEiTM6bF4NCd+NW9mtBbE2Ui0CTBDOUn62nqR1aUpgsJWLqnbuZUtg0Xvo4vSsK7gHAk4og HTMg5G1QoYx9bt9oMd7LxgZ/J72T1dWQYvx0uVInio1GsIgCFiCESQEj4z61tJsmjVm/gYB6jkBJ syynEHk9s/tUrn1yeJa67U3tY1ImiPJirmgQnbt6A3WDdcOloSy9k9zq0K+U3zDeNi63XrYPn5sp SZW6vm62Tk0bPF3aAQpffm7Gx1tnR2mgh+EglsxkeDExiAPL7j4s1sC8YGgTrJdidXR7WWdpVsEJ ZCGaBUlXTpEkxhopbC6PTW8nhy2PJ7ve27doj0wwFiK2lnoIZKGF2u4yYb0pCW4qpBfzctcbhBUx TVoyMRHepTtGrdhW+liW9U/TICkjE8iRBvxO0gmUlVa0juGRSeLqBmmOK9nxM2NxqByK4222223R n1nfOAECRtQZ2y5heug3ib8GiFgYtI/TQss5A/TUpUBSnssvV5/fiYQGEz13hrDUzpXdY8JzAwk0 Oqe2ZkCf7LfF+T9fcLrAnowKB0JA34iQtEGgSUkOfKuEIAgKqdUkW19SD8JpJZgDrungdwYFB4EP VYjZ+JiW4bzV+JB5MacWGFcOkzFUZAKaPfsByAJPVpwpYnbBfCyp+jhXUGh2foLg+n49X9jeFj+B +ow1NzaYnttSTC7tcwfd7U91u76FBYeExHyZvvpHBgJGDwJ8aj+u7Bjnjf0IWuwH8cHc+LppGAgK hfhm9J3IWixU72ZvnKYtzucbrnv9GxF3XHBoB5NvGqRDgR3UVNG+kk7X8mpsMn3O3a73eCb21pxb bbA9y3VSd+jG5z7N1/9Nx/8XckU4UJDDQ2cC --Boundary_(ID_UpMzNTfWIrOofGJFGgz0iQ)--