From: yang xiaoxin
Date: December 11 2007 2:46am
Subject: analysis of bug #32911
Reason for this bug:

The node_name of Item_nodeset_func_axisbyname is initialized with the
address of n_arg, which is passed from a temporary "String" value in
Item_xml_str_func::fix_length_and_dec():

void Item_xml_str_func::fix_length_and_dec()
{
  String *xp, tmp;
...
  xp= args[1]->val_str(&tmp);
...
  rc= my_xpath_parse(&xpath, xp->ptr(), xp->ptr() + xp->length());

class Item_nodeset_func_axisbyname :public Item_nodeset_func
{
  const char *node_name;
  uint node_namelen;
public:
  Item_nodeset_func_axisbyname(Item *a, const char *n_arg, uint l_arg,
                               String *pxml):
    Item_nodeset_func(a, pxml), node_name(n_arg), node_namelen(l_arg) { }
...
};

When Item_xml_str_func::fix_length_and_dec returns, the value of
node_name is gone, so a simple patch for this could look like this:

--- item_xmlfunc.cc.orig        2006-02-27 21:25:09.000000000 +0000
+++ item_xmlfunc.cc     2007-12-11 02:07:40.000000000 +0000
@@ -2305,7 +2305,7 @@

 void Item_xml_str_func::fix_length_and_dec()
 {
-  String *xp, tmp;
+  static String *xp, tmp;
   MY_XPATH xpath;
   int rc;
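
Review bot: "static" on the "String *xp, tmp;" declaration makes both xp and tmp single objects shared by every call to fix_length_and_dec(), so concurrent connections would write the same buffer without any lock, and a later call can overwrite the bytes that an earlier item's node_name still points at. The lifetime problem is better solved where the pointer is stored: have the Item_nodeset_func_axisbyname constructor copy n_arg/l_arg into storage the item owns (or into memory that lives as long as the item) and leave xp and tmp as locals. If static were kept for any reason, only tmp would need it; xp is reassigned on every call.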

test:
mysql>  SET @xpath = '//a';
Query OK, 0 rows affected (0.00 sec)

mysql>  SET @xml='<a>X</a><b>Y</b>';
Query OK, 0 rows affected (0.00 sec)

mysql>  SELECT ExtractValue(@xml, '//a');
+---------------------------+
| ExtractValue(@xml, '//a') |
+---------------------------+
| X                         |
+---------------------------+
1 row in set (0.00 sec)

mysql>  SELECT ExtractValue(@xml, @xpath);
+----------------------------+
| ExtractValue(@xml, @xpath) |
+----------------------------+
| X                          |
+----------------------------+
1 row in set (0.00 sec)

But this patch may not be thread safe.
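
An added example, not part of the original post and not MySQL code: a simplified C++ model of the borrowed node_name pointer and of the proposed static buffer. BorrowedAxis, OwningAxis and parse_with_static_tmp are hypothetical names, and it assumes the expression text ends up in tmp; it goes slightly beyond the post by showing that a shared static buffer is overwritten by the next call even without threads.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for Item_nodeset_func_axisbyname: keeps the caller's pointer.
struct BorrowedAxis {
    const char *node_name;
    std::size_t node_namelen;
    BorrowedAxis(const char *n, std::size_t l) : node_name(n), node_namelen(l) {}
    std::string name() const { return std::string(node_name, node_namelen); }
};

// Hypothetical alternative: copy the bytes so the object owns its name.
struct OwningAxis {
    std::string node_name;
    OwningAxis(const char *n, std::size_t l) : node_name(n, l) {}
    std::string name() const { return node_name; }
};

// Model of fix_length_and_dec() with "static String tmp": the XPath text is
// written into one buffer shared by every call, and the axis name is a
// pointer into that buffer (here: everything after a leading "//").
template <class Axis>
Axis parse_with_static_tmp(const char *xpath) {
    static char tmp[64];                        // one buffer for all callers
    std::snprintf(tmp, sizeof tmp, "%s", xpath);
    std::size_t len = std::strlen(tmp);
    std::size_t skip = len < 2 ? len : 2;
    return Axis(tmp + skip, len - skip);
}

// Prepare two expressions in a row, then read back the first one's name.
template <class Axis>
std::string first_name_after_second_parse() {
    Axis first = parse_with_static_tmp<Axis>("//a");   // constructed sample input
    Axis second = parse_with_static_tmp<Axis>("//b");  // reuses the same buffer
    (void)second;
    return first.name();
}

int main() {
    std::printf("borrowed: %s\n", first_name_after_second_parse<BorrowedAxis>().c_str());
    std::printf("owning:   %s\n", first_name_after_second_parse<OwningAxis>().c_str());
    return 0;
}
```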