MariaDB

Item_in_subselect::val_int incorrectly called for a DELETE statement in prepared mode resulting in failed assert.

Bug #704337 reported by Timour Katchaounov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MariaDB
Fix Released
Critical
Timour Katchaounov
MariaDB 5.3

Bug Description

When run with --ps-protocol the test file subselect.test crashes with
a failed assert as follows:

DELETE FROM t1 WHERE topic IN (SELECT DISTINCT topic FROM t2 WHERE NOT
EXISTS(SELECT * FROM t3 WHERE numeropost=topic))

Results in Item_in_subselect::val_int() being called incorrectly,
resulting in a failed assert.

    function=0xd178a0 "virtual longlong Item_in_subselect::val_int()") at assert.c:81
#7 0x000000000064787b in Item_in_subselect::val_int (this=0x4eea150) at item_subselect.cc:1287
#8 0x000000000070ba76 in SQL_SELECT::skip_record (this=0x4e8efa0, thd=0x3d0d018) at opt_range.h:916
#9 0x000000000078d7cc in mysql_delete (thd=0x3d0d018, table_list=0x3df6140, conds=0x4eea150, order=0x3df56b0, limit=18446744073709551615, options=0,
    reset_auto_increment=false) at sql_delete.cc:321
#10 0x00000000006bcc39 in mysql_execute_command (thd=0x3d0d018) at sql_parse.cc:3313
#11 0x0000000000781c37 in Prepared_statement::execute (this=0x4ec8a58, expanded_query=0x7f6b31f7a950, open_cursor=false) at sql_prepare.cc:3631
#12 0x0000000000780de3 in Prepared_statement::execute_loop (this=0x4ec8a58, expanded_query=0x7f6b31f7a950, open_cursor=false, packet=0x3c951f2 "",
    packet_end=0x3c951f2 "") at sql_prepare.cc:3306
#13 0x000000000077ebb9 in mysqld_stmt_execute (thd=0x3d0d018, packet_arg=0x3c951e9 "T\001", packet_length=9) at sql_prepare.cc:2516
#14 0x00000000006b6ffe in dispatch_command (command=COM_STMT_EXECUTE, thd=0x3d0d018, packet=0x3c951e9 "T\001", packet_length=9) at sql_parse.cc:1164
#15 0x00000000006b653e in do_command (thd=0x3d0d018) at sql_parse.cc:903

Related branches

lp:~maria-captains/maria/5.3-mwl89 (Merged)
Revision history for this message
Timour Katchaounov (timour) wrote :

Test case extracted from subselect.test:

CREATE TABLE t1 (
  mot varchar(30) character set latin1 NOT NULL default '',
  topic mediumint(8) unsigned NOT NULL default '0',
  date date NOT NULL default '0000-00-00',
  pseudo varchar(35) character set latin1 NOT NULL default '',
  PRIMARY KEY (mot,pseudo,date,topic),
  KEY pseudo (pseudo,date,topic),
  KEY topic (topic)
) ENGINE=MyISAM CHARSET=latin1 ROW_FORMAT=DYNAMIC;

CREATE TABLE t2 (
  mot varchar(30) character set latin1 NOT NULL default '',
  topic mediumint(8) unsigned NOT NULL default '0',
  date date NOT NULL default '0000-00-00',
  pseudo varchar(35) character set latin1 NOT NULL default '',
  PRIMARY KEY (mot,pseudo,date,topic),
  KEY pseudo (pseudo,date,topic),
  KEY topic (topic)
) ENGINE=MyISAM CHARSET=latin1 ROW_FORMAT=DYNAMIC;

CREATE TABLE t3 (
  numeropost mediumint(8) unsigned NOT NULL auto_increment,
  maxnumrep int(10) unsigned NOT NULL default '0',
  PRIMARY KEY (numeropost),
  UNIQUE KEY maxnumrep (maxnumrep)
) ENGINE=MyISAM CHARSET=latin1;

INSERT INTO t1 VALUES ('joce','1','','joce'),('test','2','','test');

INSERT INTO t2 VALUES ('joce','1','','joce'),('test','2','','test');

INSERT INTO t3 VALUES (1,1);

-- this statement works fine
DELETE FROM t1
WHERE topic IN (SELECT DISTINCT topic FROM t2
                WHERE NOT EXISTS(SELECT * FROM t3 WHERE numeropost=topic));

prepare st1 from "
DELETE FROM t1
WHERE topic IN (SELECT DISTINCT topic FROM t2
                WHERE NOT EXISTS(SELECT * FROM t3 WHERE numeropost=topic));
";

-- this statement results in a failed assert
execute st1;

Changed in maria:
assignee: nobody → Timour Katchaounov (timour)
milestone: none → 5.3
importance: Undecided → Critical
status: New → In Progress
Revision history for this message
Timour Katchaounov (timour) wrote :

Much simpler test case:

create table t1 (c1 int);
create table t2 (c2 int);
insert into t1 values (1),(2);
insert into t2 values (2),(3);

prepare st1 from "DELETE FROM t1 WHERE c1 IN (SELECT c2 FROM t2)";
execute st1;

Timour Katchaounov (timour)
Changed in maria:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.