diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2017-07-12 08:05:42 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2017-07-12 10:39:02 +0200 |
| commit | c5975eaea174460e774e77717e972a8d32e6c8de (patch) | |
| tree | 2b42a0092094a1b908899e6f474e2623bb242937 | |
| parent | f305a7ce4bccbd56520d874e1d81a4f29bc17a96 (diff) | |
| download | mariadb-git-c5975eaea174460e774e77717e972a8d32e6c8de.tar.gz | |
MDEV-7339 Server crashes in Item_func_trig_cond::val_int
Item_in_subselect::pushed_cond_guards[] array is allocated only when
left_expr->maybe_null. And it is used (for row expressions) when
left_expr->element_index(i)->maybe_null.
For left_expr being a multi-column subquery, its maybe_null is
always false when the subquery doesn't use tables (see
Item_singlerow_subselect::fix_length_and_dec()
and subselect_single_select_engine::fix_length_and_dec()),
otherwise it's always true.
But row elements can be NULL regardless, so let's always allocate
pushed_cond_guards for multi-column subqueries, no matter whether
its maybe_null was forced to true or false.
| -rw-r--r-- | mysql-test/r/subselect_nulls.result | 6 | ||||
| -rw-r--r-- | mysql-test/t/subselect_nulls.test | 6 | ||||
| -rw-r--r-- | sql/item_subselect.cc | 3 |
3 files changed, 14 insertions, 1 deletions
diff --git a/mysql-test/r/subselect_nulls.result b/mysql-test/r/subselect_nulls.result index 584c184870d..08982371269 100644 --- a/mysql-test/r/subselect_nulls.result +++ b/mysql-test/r/subselect_nulls.result @@ -115,3 +115,9 @@ k d1 d2 set optimizer_switch= @tmp_subselect_nulls; drop table x1; drop table x2; +select (select 1, 2) in (select 3, 4); +(select 1, 2) in (select 3, 4) +0 +select (select NULL, NULL) in (select 3, 4); +(select NULL, NULL) in (select 3, 4) +NULL diff --git a/mysql-test/t/subselect_nulls.test b/mysql-test/t/subselect_nulls.test index 4b08e773b17..3e7b2189ed5 100644 --- a/mysql-test/t/subselect_nulls.test +++ b/mysql-test/t/subselect_nulls.test @@ -97,3 +97,9 @@ set optimizer_switch= @tmp_subselect_nulls; drop table x1; drop table x2; + +# +# MDEV-7339 Server crashes in Item_func_trig_cond::val_int +# +select (select 1, 2) in (select 3, 4); +select (select NULL, NULL) in (select 3, 4); diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc index e0da946d190..068f32c99b9 100644 --- a/sql/item_subselect.cc +++ b/sql/item_subselect.cc @@ -2871,7 +2871,8 @@ bool Item_in_subselect::init_cond_guards() { DBUG_ASSERT(thd); uint cols_num= left_expr->cols(); - if (!abort_on_null && left_expr->maybe_null && !pushed_cond_guards) + if (!abort_on_null && !pushed_cond_guards && + (left_expr->maybe_null || cols_num > 1)) { if (!(pushed_cond_guards= (bool*)thd->alloc(sizeof(bool) * cols_num))) return TRUE; |