diff options
author | Alexander Barkov <bar@mariadb.com> | 2020-09-03 11:31:06 +0400 |
---|---|---|
committer | Alexander Barkov <bar@mariadb.com> | 2020-09-03 11:31:06 +0400 |
commit | 1e17055936871e00fde3c5b3e4b137cf2f89beba (patch) | |
tree | 4e11460941c358fed505f696ab36653b0f8a5d43 | |
parent | 94a520ddbe39ae97de1135d98699cf2674e6b77e (diff) | |
download | mariadb-git-bb-10.1-bar.tar.gz |
MDEV-23535 SIGSEGV, SIGABRT and SIGILL in typeinfo for Item_func_set_collation (on optimized builds)bb-10.1-bar
This piece of the code in Item_func_or_sum::agg_item_set_converter:
if (!conv && ((*arg)->collation.repertoire == MY_REPERTOIRE_ASCII))
conv= new (thd->mem_root) Item_func_conv_charset(thd, *arg, coll.collation, 1);
was wrong because:
1. It could change Item_cache to Item_func_conv_charset
(with Item_cache in args[0]). Such Item type change is not supported:
The code in Item_singlerow_subselect::reset() expects only Item_cache,
to be able to call Item_cache::set_null(). So it erroneously
reinterpreted Item_func_conv_charset to Item_cache and calleds
a non-existing method set_null().
2. The 1 in the last parameter to Item_func_conv_charset() was also
a problem. In MariaDB versions where the reported query did not crash,
it erroneously returned "empty set" instead of one row, because
the 1 made subselects execute too earlier and return NULL.
Fix:
1. Removing the above two lines from Item_func_or_sum::agg_item_set_converter()
2. Adding the repertoire test inside the constructor of Item_func_conv_charset,
so it now detects itself as "safe" in more cases than before.
This is needed to avoid new "Illegal mix of collations" after
removing the wrong code in various scenarios when conversion
from pure ASCII happens, including in the reported scenario.
So now this sequence:
Item_cache(Item_func_concat)
is converted to this compatible sequence (the top Item is still Item_cache):
NEW_Item_cache(Item_func_conv_charset(Item_func_concat)))
Before the fix it was replaced to this incompatible sequence:
Item_func_conv_charset(OLD_Item_cache(Item_func_concat)))
-rw-r--r-- | mysql-test/r/ctype_utf8.result | 12 | ||||
-rw-r--r-- | mysql-test/r/subselect_innodb.result | 14 | ||||
-rw-r--r-- | mysql-test/t/ctype_utf8.test | 12 | ||||
-rw-r--r-- | mysql-test/t/subselect_innodb.test | 16 | ||||
-rw-r--r-- | sql/item.cc | 2 | ||||
-rw-r--r-- | sql/item_strfunc.h | 10 |
6 files changed, 63 insertions, 3 deletions
diff --git a/mysql-test/r/ctype_utf8.result b/mysql-test/r/ctype_utf8.result index 8b35305a79b..b614444fd2a 100644 --- a/mysql-test/r/ctype_utf8.result +++ b/mysql-test/r/ctype_utf8.result @@ -10583,5 +10583,17 @@ SELECT CONVERT(1, CHAR) IN ('100', '10', '1'); CONVERT(1, CHAR) IN ('100', '10', '1') 1 # +# MDEV-23535 SIGSEGV, SIGABRT and SIGILL in typeinfo for Item_func_set_collation (on optimized builds) +# +SET NAMES utf8; +CREATE OR REPLACE TABLE t1(a DATETIME) ENGINE=MYISAM; +INSERT INTO t1 VALUES ('2019-03-10 02:55:05'); +CREATE OR REPLACE TABLE t2(a VARCHAR(50) CHARACTER SET latin1) ENGINE=MYISAM; +INSERT INTO t2 VALUES ('2019-03-10 02:55:05'); +SELECT * FROM t1 WHERE (SELECT 1,CONCAT(a) FROM t1) = (SELECT 1,CONCAT(a) FROM t2); +a +2019-03-10 02:55:05 +DROP TABLE t1, t2; +# # End of 10.1 tests # diff --git a/mysql-test/r/subselect_innodb.result b/mysql-test/r/subselect_innodb.result index 240a6ab47e4..bfdf5525cad 100644 --- a/mysql-test/r/subselect_innodb.result +++ b/mysql-test/r/subselect_innodb.result @@ -615,3 +615,17 @@ id select_type table type possible_keys key key_len ref rows filtered Extra Warnings: Note 1003 select `test`.`t1`.`f1` AS `f1`,`test`.`t2`.`f2` AS `f2`,`test`.`t3`.`f3` AS `f3` from `test`.`t1` join `test`.`t2` semi join (`test`.`t4`) join `test`.`t3` where ((`test`.`t4`.`f4` = 1) and (`test`.`t1`.`f1` >= `test`.`t2`.`f2`)) DROP TABLE t1,t2,t3,t4; +# +# MDEV-23535: SIGSEGV, SIGABRT and SIGILL in typeinfo for Item_func_set_collation (on optimized builds) +# +set @save_character_set_connection=@@character_set_connection; +set character_set_connection='utf8'; +CREATE TABLE t1(a DATETIME, b VARCHAR(50)) ENGINE=INNODB; +INSERT INTO t1 VALUES ('2019-03-10 02:55:05', '2019-03-10 02:55:05'); +CREATE TABLE t2(a VARCHAR(50)) ENGINE=INNODB; +INSERT INTO t2 VALUES ('2019-03-10 02:55:05'); +SELECT * FROM t1 WHERE (SELECT 1,CONCAT(a) FROM t1) = (SELECT 1,CONCAT(a) FROM t2); +a b +2019-03-10 02:55:05 2019-03-10 02:55:05 +DROP TABLE t1,t2; +set character_set_connection=@save_character_set_connection; diff --git a/mysql-test/t/ctype_utf8.test b/mysql-test/t/ctype_utf8.test index 7abcc693926..90f7b0fb75c 100644 --- a/mysql-test/t/ctype_utf8.test +++ b/mysql-test/t/ctype_utf8.test @@ -2040,6 +2040,18 @@ SELECT CONVERT(1, CHAR) IN ('100', 10, '101'); SELECT CONVERT(1, CHAR) IN ('100', 10, '1'); SELECT CONVERT(1, CHAR) IN ('100', '10', '1'); +--echo # +--echo # MDEV-23535 SIGSEGV, SIGABRT and SIGILL in typeinfo for Item_func_set_collation (on optimized builds) +--echo # + +SET NAMES utf8; +CREATE OR REPLACE TABLE t1(a DATETIME) ENGINE=MYISAM; +INSERT INTO t1 VALUES ('2019-03-10 02:55:05'); +CREATE OR REPLACE TABLE t2(a VARCHAR(50) CHARACTER SET latin1) ENGINE=MYISAM; +INSERT INTO t2 VALUES ('2019-03-10 02:55:05'); +SELECT * FROM t1 WHERE (SELECT 1,CONCAT(a) FROM t1) = (SELECT 1,CONCAT(a) FROM t2); +DROP TABLE t1, t2; + --echo # --echo # End of 10.1 tests diff --git a/mysql-test/t/subselect_innodb.test b/mysql-test/t/subselect_innodb.test index 544bcd994ed..2c117fe00d6 100644 --- a/mysql-test/t/subselect_innodb.test +++ b/mysql-test/t/subselect_innodb.test @@ -611,3 +611,19 @@ FROM t1 DROP TABLE t1,t2,t3,t4; + +--echo # +--echo # MDEV-23535: SIGSEGV, SIGABRT and SIGILL in typeinfo for Item_func_set_collation (on optimized builds) +--echo # + +set @save_character_set_connection=@@character_set_connection; +set character_set_connection='utf8'; + +CREATE TABLE t1(a DATETIME, b VARCHAR(50)) ENGINE=INNODB; +INSERT INTO t1 VALUES ('2019-03-10 02:55:05', '2019-03-10 02:55:05'); +CREATE TABLE t2(a VARCHAR(50)) ENGINE=INNODB; +INSERT INTO t2 VALUES ('2019-03-10 02:55:05'); +SELECT * FROM t1 WHERE (SELECT 1,CONCAT(a) FROM t1) = (SELECT 1,CONCAT(a) FROM t2); +DROP TABLE t1,t2; + +set character_set_connection=@save_character_set_connection; diff --git a/sql/item.cc b/sql/item.cc index 2e12b8d8b64..8792b1c3f32 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -2188,8 +2188,6 @@ bool Item_func_or_sum::agg_item_set_converter(const DTCollation &coll, Item* conv= (*arg)->safe_charset_converter(thd, coll.collation); if (conv == *arg) continue; - if (!conv && ((*arg)->collation.repertoire == MY_REPERTOIRE_ASCII)) - conv= new (thd->mem_root) Item_func_conv_charset(thd, *arg, coll.collation, 1); if (!conv) { diff --git a/sql/item_strfunc.h b/sql/item_strfunc.h index 9ea9ff97016..6989639ae67 100644 --- a/sql/item_strfunc.h +++ b/sql/item_strfunc.h @@ -1053,11 +1053,19 @@ public: /* Conversion from and to "binary" is safe. Conversion to Unicode is safe. + Conversion from an expression with the ASCII repertoire + to any character set that can store characters U+0000..U+007F + is safe: + - All supported multibyte character sets can store U+0000..U+007F + - All supported 7bit character sets can store U+0000..U+007F + except those marked with MY_CS_NONASCII (e.g. swe7). Other kind of conversions are potentially lossy. */ safe= (args[0]->collation.collation == &my_charset_bin || cs == &my_charset_bin || - (cs->state & MY_CS_UNICODE)); + (cs->state & MY_CS_UNICODE) || + (args[0]->collation.repertoire == MY_REPERTOIRE_ASCII && + (cs->mbmaxlen > 1 || !(cs->state & MY_CS_NONASCII)))); } } String *val_str(String *); |