authorMartin Hansson <martin.hansson@sun.com>2010-05-11 16:21:05 +0200
committerMartin Hansson <martin.hansson@sun.com>2010-05-11 16:21:05 +0200
commit79e60f0a40d525fd1bdf924b4fef830e2aacb858 (patch)
treef6fd3c01794fb11fc8ed4461e930af80f7ee8e13
parent1eada91053287af3d46da93b88d5feb30ed4ba27 (diff)
downloadmariadb-git-79e60f0a40d525fd1bdf924b4fef830e2aacb858.tar.gz
Bug#48157: crash in Item_field::used_tables
MySQL handles the join syntax "JOIN ... USING( field1, ... )" and natural joins by building the same parse tree as a corresponding join with an "ON t1.field1 = t2.field1 ..." expression would produce. This parse tree was not cleaned up properly in the following scenario. If a thread tries to lock some tables and finds that the tables were dropped and re-created while waiting for the lock, it cleans up column references in the statement by means of a per-statement free list. But if the statement was part of a stored procedure, column references on the stored procedure's free list weren't cleaned up and thus contained pointers to freed objects. Fixed by adding a call to clean up the current prepared statement's free list. This is a backport from MySQL 5.1
-rw-r--r--sql/item.h7
-rw-r--r--sql/sql_parse.cc6
-rw-r--r--sql/sql_update.cc3
3 files changed, 13 insertions, 3 deletions
diff --git a/sql/item.h b/sql/item.h
index 22eb0c08e2d..31d501dc5c3 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -470,6 +470,13 @@ public:
my_string name; /* Name from select */
/* Original item name (if it was renamed)*/
my_string orig_name;
+ /**
+ Intrusive list pointer for free list. If not null, points to the next
+ Item on some Query_arena's free list. For instance, stored procedures
+ have their own Query_arena's.
+
+ @see Query_arena::free_list
+ */
Item *next;
uint32 max_length;
uint name_length; /* Length of name */
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 807d6c09a46..d0a4fff442f 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -1411,8 +1411,10 @@ end:
}
- /* This works because items are allocated with sql_alloc() */
-
+/**
+ This works because items are allocated with sql_alloc().
+ @note The function also handles null pointers (empty list).
+*/
void cleanup_items(Item *item)
{
DBUG_ENTER("cleanup_items");
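Review bot: The new @note on cleanup_items asserts that a null pointer (empty list) is handled, but the loop that would establish this lies outside the hunk, which ends at DBUG_ENTER; the claim should be checked against the body, since the new caller in sql_update.cc passes thd->stmt_arena->free_list, which may well be NULL. The rewritten doc block also lacks a parameter description; suggest adding `@param item Head of an intrusive free list linked through Item::next; may be NULL.` The body of cleanup_items continues outside the hunk.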
diff --git a/sql/sql_update.cc b/sql/sql_update.cc
index 35ae0febcec..8d666c771ec 100644
--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@@ -908,8 +908,9 @@ reopen_tables:
items from 'fields' list, so the cleanup above is necessary to.
*/
cleanup_items(thd->free_list);
-
+ cleanup_items(thd->stmt_arena->free_list);
close_tables_for_reopen(thd, &table_list);
+
goto reopen_tables;
}
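Review bot: The new cleanup_items(thd->stmt_arena->free_list) call is not covered by the comment block that ends just above it, which only justifies cleaning thd->free_list, so a reader will not know why the statement arena's list must also be walked; suggest extending that comment with `/* Items allocated on a stored routine's (or prepared statement's) arena live on thd->stmt_arena->free_list, not thd->free_list, and hold column references into the tables we are about to reopen, so they must be cleaned up too. */`. When the statement is not inside a stored routine, thd->stmt_arena presumably aliases thd's own arena, in which case the same list is walked twice; this is harmless only if the per-item cleanup is idempotent, which is worth confirming or guarding with `if (thd->stmt_arena != thd)`. The enclosing function starts and ends outside the hunk.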