diff options
| author | Tor Didriksen <tor.didriksen@oracle.com> | 2011-07-11 11:20:19 +0200 |
|---|---|---|
| committer | Tor Didriksen <tor.didriksen@oracle.com> | 2011-07-11 11:20:19 +0200 |
| commit | 9827d4aa638c706041966efc49a3ac5a5726b4bf (patch) | |
| tree | 447c4abb8f8fd47c3d9542cb3edbae4195395cdc | |
| parent | 5c65318ceebb9f5b4c4e4116ac5b14b8dd341e2f (diff) | |
| download | mariadb-git-9827d4aa638c706041966efc49a3ac5a5726b4bf.tar.gz | |
Bug#11765255 - 58201: VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS
We must allocate a larger ref_pointer_array. We failed to account for extra
items allocated here:
#0 find_order_in_list
uint el= all_fields.elements;
all_fields.push_front(order_item); /* Add new field to field list. */
ref_pointer_array[el]= order_item;
order->item= ref_pointer_array + el;
#1 setup_order
#2 setup_without_group
#3 JOIN::prepare
| -rw-r--r-- | mysql-test/r/order_by.result | 7 | ||||
| -rw-r--r-- | mysql-test/r/union.result | 57 | ||||
| -rw-r--r-- | mysql-test/t/order_by.test | 7 | ||||
| -rw-r--r-- | mysql-test/t/union.test | 41 | ||||
| -rw-r--r-- | sql/sql_lex.cc | 3 | ||||
| -rw-r--r-- | sql/sql_union.cc | 39 |
6 files changed, 145 insertions, 9 deletions
diff --git a/mysql-test/r/order_by.result b/mysql-test/r/order_by.result index 90b03711191..0c522aef290 100644 --- a/mysql-test/r/order_by.result +++ b/mysql-test/r/order_by.result @@ -1664,4 +1664,11 @@ a 1 3 1 2 1 DROP TABLE t1; +# +# Bug#11765255 58201: +# VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS +# +select 1 order by max(1) + min(1); +1 +1 End of 5.1 tests diff --git a/mysql-test/r/union.result b/mysql-test/r/union.result index 1ee313a2b46..9966cb0f0d0 100644 --- a/mysql-test/r/union.result +++ b/mysql-test/r/union.result @@ -1647,4 +1647,61 @@ b 1 2 DROP TABLE t1,t2; +# +# Bug#11765255 58201: +# VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS +# +select 1 as foo +union +select 2 +union +select 3 +union +select 4 +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +; +foo +1 +prepare stmt1 from 'select 1 as foo +union +select 2 +union +select 3 +union +select 4 +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +'; +execute stmt1; +foo +1 +execute stmt1; +foo +1 +select 1 as foo +union +select 2 +union +select 3 +union +(select 4) +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +; +foo +1 +prepare stmt1 from 'select 1 as foo +union +select 2 +union +select 3 +union +(select 4) +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +'; +execute stmt1; +foo +1 +execute stmt1; +foo +1 +deallocate prepare stmt1; End of 5.1 tests diff --git a/mysql-test/t/order_by.test b/mysql-test/t/order_by.test index e310d960c97..dec64ffc69d 100644 --- a/mysql-test/t/order_by.test +++ b/mysql-test/t/order_by.test @@ -1508,4 +1508,11 @@ SELECT DISTINCT a,1 FROM t1 WHERE a <> 1 ORDER BY a DESC; DROP TABLE t1; +--echo # +--echo # Bug#11765255 58201: +--echo # VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS +--echo # + +select 1 order by max(1) + min(1); + --echo End of 5.1 tests diff --git a/mysql-test/t/union.test b/mysql-test/t/union.test index c8d5ea0f8e5..d61c02be45c 100644 --- a/mysql-test/t/union.test +++ b/mysql-test/t/union.test @@ -1156,4 +1156,45 @@ SELECT * FROM t2 UNION SELECT * FROM t2 DROP TABLE t1,t2; +--echo # +--echo # Bug#11765255 58201: +--echo # VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS +--echo # + +let $my_stmt= +select 1 as foo +union +select 2 +union +select 3 +union +select 4 +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +; + +eval $my_stmt; + +eval prepare stmt1 from '$my_stmt'; +execute stmt1; +execute stmt1; + +let $my_stmt= +select 1 as foo +union +select 2 +union +select 3 +union +(select 4) +order by max(42) + max(1) + max(1) + max(1) + max(1) + max(1) +; + +eval $my_stmt; + +eval prepare stmt1 from '$my_stmt'; +execute stmt1; +execute stmt1; + +deallocate prepare stmt1; + --echo End of 5.1 tests diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index f0289ab86ce..a7b23746155 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -1987,6 +1987,9 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num) if (ref_pointer_array) return 0; + // find_order_in_list() may need some extra space, so multiply by two. + order_group_num*= 2; + /* We have to create array in prepared statement memory if it is prepared statement diff --git a/sql/sql_union.cc b/sql/sql_union.cc index a70de945492..2be47d95a26 100644 --- a/sql/sql_union.cc +++ b/sql/sql_union.cc @@ -1,5 +1,4 @@ -/* - Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -403,15 +402,27 @@ bool st_select_lex_unit::prepare(THD *thd_arg, select_result *sel_result, fake_select_lex->table_list.empty(); DBUG_RETURN(TRUE); } + + /* + Fake st_select_lex should have item list for correct ref_array + allocation. + */ fake_select_lex->item_list= item_list; thd_arg->lex->current_select= fake_select_lex; + + /* + We need to add up n_sum_items in order to make the correct + allocation in setup_ref_array(). + */ + fake_select_lex->n_child_sum_items+= global_parameters->n_sum_items; + saved_error= fake_select_lex->join-> prepare(&fake_select_lex->ref_pointer_array, fake_select_lex->table_list.first, 0, 0, - fake_select_lex->order_list.elements, - fake_select_lex->order_list.first, + global_parameters->order_list.elements, // og_num + global_parameters->order_list.first, // order NULL, NULL, NULL, fake_select_lex, this); fake_select_lex->table_list.empty(); @@ -579,11 +590,21 @@ bool st_select_lex_unit::exec() } fake_select_lex->join->no_const_tables= TRUE; - /* - Fake st_select_lex should have item list for correctref_array - allocation. - */ - fake_select_lex->item_list= item_list; + /* + Fake st_select_lex should have item list for correct ref_array + allocation. + */ + fake_select_lex->item_list= item_list; + + /* + We need to add up n_sum_items in order to make the correct + allocation in setup_ref_array(). + Don't add more sum_items if we have already done JOIN::prepare + for this (with a different join object) + */ + if (!fake_select_lex->ref_pointer_array) + fake_select_lex->n_child_sum_items+= global_parameters->n_sum_items; + saved_error= mysql_select(thd, &fake_select_lex->ref_pointer_array, &result_table_list, 0, item_list, NULL, |