author | Sergei Golubchik <serg@mariadb.org> | 2018-05-18 19:12:35 +0200 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2018-05-19 22:12:39 +0200 |
commit | 1cc67e090ebca36f04fdd6fa91e27a9c10d764d2 (patch) | |
tree | d63b02ea30ca8af0f3ed9eea1af4946bbdbf92c0 /mysql-test/t | |
parent | 207e5ba3167f4d5d4d2e522ed7e2231204f4420f (diff) | |
download | mariadb-git-1cc67e090ebca36f04fdd6fa91e27a9c10d764d2.tar.gz |
MDEV-16153 Server crashes in Apc_target::disable, ASAN heap-use-after-free in Explain_query::~Explain_query upon/after EXECUTE IMMEDIATE
Explain_query must be created in the execution arena.
But JOIN::optimize_inner temporarily switches to the statement arena
under `if (sel->first_cond_optimization)`. This might cause
Explain_query to be allocated in the statement arena. Usually it is
harmless (although technically incorrect and a waste of memory), but
in case of EXECUTE IMMEDIATE, Prepared_statement object and its
statement arena are destroyed before log_slow_statement() call,
which uses Explain_query.
Fix:
1. Create Explain_query before switching arenas.
2. Before filling earlier-created Explain_query with data, set
thd->mem_root from the Explain_query::mem_root
Diffstat (limited to 'mysql-test/t')
-rw-r--r-- | mysql-test/t/explain_slowquerylog.test | 6 |
1 file changed, 6 insertions, 0 deletions
diff --git a/mysql-test/t/explain_slowquerylog.test b/mysql-test/t/explain_slowquerylog.test index 6503a326eb8..ee90fbac4e6 100644 --- a/mysql-test/t/explain_slowquerylog.test +++ b/mysql-test/t/explain_slowquerylog.test @@ -61,3 +61,9 @@ SELECT 1; SET log_slow_rate_limit=@save1; SET long_query_time=@save2; +# +# MDEV-16153 Server crashes in Apc_target::disable, ASAN heap-use-after-free in Explain_query::~Explain_query upon/after EXECUTE IMMEDIATE +# +create table t1 (a int); +execute immediate "select * from t1 join t1 t2 on (t1.a>5) where exists (select 1)"; +drop table t1; |
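Review bot: the new repro is appended after `SET log_slow_rate_limit=@save1;` and `SET long_query_time=@save2;`, so the `execute immediate` runs with the slow-log settings already restored rather than with the ones the rest of this file exercises; if the use-after-free in log_slow_statement() is only reached when the statement is actually logged, the test would pass without the fix. Either move the three new statements above the two `SET ... @save` lines, or extend the `# MDEV-16153` comment to state that the crash reproduces regardless of the slow-log variables, so a later edit does not silently neutralise the case.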