diff options
| author | Alexey Kopytov <Alexey.Kopytov@Sun.com> | 2010-08-24 14:35:48 +0400 |
|---|---|---|
| committer | Alexey Kopytov <Alexey.Kopytov@Sun.com> | 2010-08-24 14:35:48 +0400 |
| commit | cd4ca4b7a3d8e2971f76858895b36829d27fe845 (patch) | |
| tree | e632c3ba6d403157c6e6c9a0fb13660b8dcd7183 /mysql-test/t/join.test | |
| parent | 9ab59902a96e22e827fc2bb7681a7cf178c6c7f1 (diff) | |
| download | mariadb-git-cd4ca4b7a3d8e2971f76858895b36829d27fe845.tar.gz | |
Bug #55568: user variable assignments crash server when used
within query
The server could crash after materializing a derived table
which requires a temporary table for grouping.
When destroying the temporary table used to execute a query for
a derived table, JOIN::destroy() did not clean up Item_fields
pointing to fields in the temporary table. This led to
dereferencing a dangling pointer when printing out the items
tree later in the outer SELECT.
The solution is an addendum to the patch for bug37362: in
addition to cleaning up items in tmp_all_fields3, do the same
for items in tmp_all_fields1, since now we have an example
where this is necessary.
mysql-test/r/join.result:
Added test cases for bug#55568 and a duplicate bug #54468.
mysql-test/t/join.test:
Added test cases for bug#55568 and a duplicate bug #54468.
sql/field.cc:
Make sure field->table_name is not set to NULL in
Field::make_field() to avoid assertion failure in
Item_field::make_field() after cleaning up items
(the assertion fired in udf.test when running
the test suite with the patch applied).
sql/sql_select.cc:
In addition to cleaning up items in tmp_all_fields3, do the
same for items in tmp_all_fields1.
Introduce a new helper function to avoid code duplication.
sql/sql_select.h:
Introduce a new helper function to avoid code duplication in
JOIN::destroy().
Diffstat (limited to 'mysql-test/t/join.test')
| -rw-r--r-- | mysql-test/t/join.test | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/mysql-test/t/join.test b/mysql-test/t/join.test index 43b373c9703..6969be6fdc4 100644 --- a/mysql-test/t/join.test +++ b/mysql-test/t/join.test @@ -851,4 +851,50 @@ ENGINE=MERGE UNION=(t1,t2); SELECT t1.a FROM mm1,t1; DROP TABLE t1, t2, mm1; +--echo # +--echo # Bug #55568: user variable assignments crash server when used within +--echo # query +--echo # + +CREATE TABLE t1 (a INT); + +INSERT INTO t1 VALUES (0), (1); + +let $i=2; +while ($i) +{ + SELECT MULTIPOINT( + 1, + ( + SELECT MULTIPOINT( + MULTIPOINT( + 1, + (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d) + ) + ) FROM t1 + ) + ) != COUNT(*) q FROM t1 GROUP BY a; + dec $i; +} + +DROP TABLE t1; + +--echo # +--echo # Bug #54468: crash after item's print() function when ordering/grouping +--echo # by subquery +--echo # + +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (), (); + +SELECT 1 FROM t1 +GROUP BY +GREATEST(t1.a, + (SELECT 1 FROM + (SELECT t1.b FROM t1,t1 t2 + ORDER BY t1.a, t1.a LIMIT 1) AS d) + ); + +DROP TABLE t1; + --echo End of 5.1 tests |