select->prep_where references on freed memory

Bug #675248 reported by Oleksandr "Sanja" Byelkin
Affects    Status        Importance   Assigned to                  Milestone
MariaDB    Fix Released  High         Oleksandr "Sanja" Byelkin
5.1        Fix Released  High         Oleksandr "Sanja" Byelkin

Bug Description

The query with --ps-protocol crashes the server because select->prep_where references freed memory (it was an Item_outer_ref):

CREATE TABLE `t1` (
  `pk` int(11) NOT NULL AUTO_INCREMENT,
  `col_varchar_key` varchar(1) DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t1` VALUES (10,'v');
INSERT INTO `t1` VALUES (11,'r');
CREATE TABLE `t2` (
  `pk` int(11) NOT NULL AUTO_INCREMENT,
  `col_varchar_key` varchar(1) DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t2` VALUES (1,'r');
INSERT INTO `t2` VALUES (2,'c');
CREATE TABLE `t3` (
  `pk` int(11) NOT NULL AUTO_INCREMENT,
  `col_varchar_key` varchar(1) DEFAULT NULL,
  PRIMARY KEY (`pk`),
  KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t3` VALUES (1,'w');

SELECT SUM( DISTINCT table2 . `pk` ) AS field2 ,
(SELECT SUM( SUBQUERY1_t2 . `pk` ) AS SUBQUERY1_field1
 FROM t2 AS SUBQUERY1_t2 STRAIGHT_JOIN
      t3 AS SUBQUERY1_t3 ON (SUBQUERY1_t3 . `pk` = SUBQUERY1_t2 . `pk` )
 WHERE table1 . `col_varchar_key` ) AS field3
FROM ( t1 AS table1 LEFT JOIN
       ( t2 AS table2 STRAIGHT_JOIN
         t3 AS table3 ON (table3 . `pk` = table2 . `pk` ) )
       ON (table3 . `col_varchar_key` = table1 . `col_varchar_key` ) )
WHERE ( table1 . `pk` < 5 ) OR ( table1 . `col_varchar_key` IS NOT NULL)
GROUP BY field3
HAVING (field3 <= 'h' AND field2 != 4) ;
drop tables t1, t2, t3;

Changed in maria:
assignee: nobody → Oleksandr "Sanja" Byelkin (sanja-byelkin)
Revision history for this message
Oleksandr "Sanja" Byelkin (sanja-byelkin) wrote :

Here is a simpler test suite:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

select sum(a),(select sum(c) from t2 where table1.b) as sub
from t1 as table1 group by sub;

Revision history for this message
Oleksandr "Sanja" Byelkin (sanja-byelkin) wrote :

Test suite for usual execution:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

prepare stmt1 from "select sum(a),(select sum(c) from t2 where table1.b) as sub
from t1 as table1 group by sub";

execute stmt1;

drop table t1,t2;

Changed in maria:
status: New → In Progress
importance: Undecided → Medium
importance: Medium → High
milestone: none → 5.1
Revision history for this message
Oleksandr "Sanja" Byelkin (sanja-byelkin) wrote :

Here is an example of the bug during the conversion of Item_ref to Item_field:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

prepare stmt1 from "select sum(a),(select sum(c) from t2 having table1.b) as sub
from t1 as table1";

execute stmt1;

drop table t1,t2;
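The three reduced repros above (the --ps-protocol one, the PREPARE/EXECUTE one with the outer reference in WHERE, and the one with the outer reference in HAVING) combined into a single script, as an added example that is not part of the bug report or of the MariaDB test suite. Tables, aliases and data are the ones from the comments; executing each prepared statement twice and comparing against the plain SELECT are this example's own additions, chosen because an Item tree that still points at freed memory usually shows up on re-execution rather than on the first run. The plain SELECTs at the end are what `mysql-test-run.pl --ps-protocol` would itself route through the prepared-statement API, so on a fixed server all four result sets must agree and no execution may crash.

```sql
-- Added example, not code from the bug report. Data and queries are the
-- reporter's reduced cases; the double EXECUTE and the reference SELECTs
-- are this example's own additions.

CREATE TABLE t1 (a INT, b INT);
INSERT INTO t1 VALUES (1,1),(0,0);
CREATE TABLE t2 (c INT);
INSERT INTO t2 VALUES (1),(2);

-- Case 1: outer reference (table1.b) inside the subquery's WHERE and a
-- GROUP BY on the subquery alias; this is the select->prep_where /
-- Item_outer_ref path described in the report.
PREPARE stmt_where FROM
  'SELECT SUM(a), (SELECT SUM(c) FROM t2 WHERE table1.b) AS sub
   FROM t1 AS table1 GROUP BY sub';
EXECUTE stmt_where;
EXECUTE stmt_where;   -- second run re-uses the prepared item tree

-- Case 2: outer reference inside the subquery's HAVING; this is the
-- Item_ref -> Item_field conversion path from the last comment.
PREPARE stmt_having FROM
  'SELECT SUM(a), (SELECT SUM(c) FROM t2 HAVING table1.b) AS sub
   FROM t1 AS table1';
EXECUTE stmt_having;
EXECUTE stmt_having;

-- Reference results from the non-prepared path. On a fixed server every
-- EXECUTE above must return exactly the rows these two statements return.
SELECT SUM(a), (SELECT SUM(c) FROM t2 WHERE table1.b) AS sub
FROM t1 AS table1 GROUP BY sub;
SELECT SUM(a), (SELECT SUM(c) FROM t2 HAVING table1.b) AS sub
FROM t1 AS table1;

DEALLOCATE PREPARE stmt_where;
DEALLOCATE PREPARE stmt_having;
DROP TABLE t1, t2;
```

Run it once through the plain client and once under `mysql-test-run.pl --ps-protocol` (or, equivalently, keep the explicit PREPARE/EXECUTE form when the test harness is not available); a discrepancy between the prepared and direct result sets, or a server crash on the second EXECUTE, is the symptom this bug describes.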

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released