diff options
| author | Sergey Vojtovich <svoj@mariadb.org> | 2015-07-30 18:51:44 +0400 |
|---|---|---|
| committer | Sergey Vojtovich <svoj@mariadb.org> | 2015-07-31 13:05:10 +0400 |
| commit | 1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5 (patch) | |
| tree | 290968af678809c0b1702efa731ea78ae44654cb | |
| parent | fa765a45250176d1168ce5a61dee484c997604b6 (diff) | |
| download | mariadb-git-1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5.tar.gz | |
MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
execution of PS
GROUP_CONCAT() with ORDER BY column position may crash server on PS reexecution.
The problem was that arguments array of GROUP_CONCAT() was adjusted to point to
temporary elements (resolved ORDER BY fields) during first execution.
This patch expands rev. 08763096cb to restore original arguments array as well.
| -rw-r--r-- | mysql-test/r/func_gconcat.result | 16 | ||||
| -rw-r--r-- | mysql-test/t/func_gconcat.test | 11 | ||||
| -rw-r--r-- | sql/item_sum.cc | 3 |
3 files changed, 30 insertions, 0 deletions
diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result index f12a0c1127a..0bc31a5e85b 100644 --- a/mysql-test/r/func_gconcat.result +++ b/mysql-test/r/func_gconcat.result @@ -1103,3 +1103,19 @@ ORDER BY field; field c,c drop table t3, t2, t1; +# +# MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd +# execution of PS +# +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES(1),(2); +PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a"; +EXECUTE stmt; +GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) +1,1 +2,2 +EXECUTE stmt; +GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) +1,1 +2,2 +DROP TABLE t1; diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test index 42a30760a86..5550eebf1a3 100644 --- a/mysql-test/t/func_gconcat.test +++ b/mysql-test/t/func_gconcat.test @@ -821,3 +821,14 @@ FROM ( SELECT * FROM t2 ) AS sq2, t3 ORDER BY field; drop table t3, t2, t1; + +--echo # +--echo # MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd +--echo # execution of PS +--echo # +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES(1),(2); +PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a"; +EXECUTE stmt; +EXECUTE stmt; +DROP TABLE t1; diff --git a/sql/item_sum.cc b/sql/item_sum.cc index d8970ca26b5..a24307b131b 100644 --- a/sql/item_sum.cc +++ b/sql/item_sum.cc @@ -3300,6 +3300,8 @@ void Item_func_group_concat::cleanup() from Item_func_group_concat::setup() to point to runtime created objects, we need to reset them back to the original arguments of the function. + + The very same applies to args array. */ ORDER **order_ptr= order; for (uint i= 0; i < arg_count_order; i++) @@ -3307,6 +3309,7 @@ void Item_func_group_concat::cleanup() (*order_ptr)->item= &args[arg_count_field + i]; order_ptr++; } + memcpy(args, orig_args, sizeof(Item *) * arg_count); DBUG_VOID_RETURN; } |