author | Sergey Glukhov <sergey.glukhov@oracle.com> | 2013-05-07 13:10:58 +0400 |
---|---|---|
committer | Sergey Glukhov <sergey.glukhov@oracle.com> | 2013-05-07 13:10:58 +0400 |
commit | a250331593873e1a737dd572ad91fdbde66718e7 (patch) | |
tree | 15f9df0079fc15fc240aad39a4399ffce06b4cd7 /sql/item_subselect.cc | |
parent | 068e6673a018f1bbf4ac4031ccda12f018c45485 (diff) | |
Bug#16095534 CRASH: PREPARED STATEMENT CRASHES IN ITEM_BOOL_FUNC2::FIX_LENGTH_AND_DEC
The problem happened due to broken left expression in Item_in_optimizer object.
In case of the bug left expression is runtime created Item_outer_ref item which
is deleted at the end of the statement and one of Item_in_optimizer arguments
becomes bad when re-executed. The fix is to use real_item() instead of original
left expression. Note: It feels a bit weird that after preparing, the field is
directly part of the generated Item_func_eq, whereas in execution it is replaced
with an Item_outer_ref wrapper object.
Diffstat (limited to 'sql/item_subselect.cc')
-rw-r--r-- | sql/item_subselect.cc | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc index 10be7abb589..d2c3f0db230 100644 --- a/sql/item_subselect.cc +++ b/sql/item_subselect.cc @@ -1054,8 +1054,15 @@ Item_in_subselect::single_value_transformer(JOIN *join, if (upper_item) upper_item->set_sub_test(item); } - /* fix fields is already called for left expression */ - substitution= func->create(left_expr, subs); + /* + fix fields is already called for left expression. + Note that real_item() should be used instead of + original left expression because left_expr can be + runtime created Ref item which is deleted at the end + of the statement. Thus one of 'substitution' arguments + can be broken in case of PS. + */ + substitution= func->create(left_expr->real_item(), subs); DBUG_RETURN(RES_OK); } @@ -1249,8 +1256,16 @@ Item_in_subselect::single_value_transformer(JOIN *join, // select and is not outer anymore. item->walk(&Item::remove_dependence_processor, 0, (uchar *) select_lex->outer_select()); - item= func->create(left_expr, item); - // fix_field of item will be done in time of substituting + item= func->create(left_expr->real_item(), item); + /* + fix_field of substitution item will be done in time of + substituting. + Note that real_item() should be used instead of + original left expression because left_expr can be + runtime created Ref item which is deleted at the end + of the statement. Thus one of 'substitution' arguments + can be broken in case of PS. + */ substitution= item; have_to_be_excluded= 1; if (thd->lex->describe) |
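Review bot: In the first hunk (@@ -1054), the new comment justifies `real_item()` only for the case where `left_expr` is a runtime-created Ref item, but `substitution= func->create(left_expr->real_item(), subs);` unwraps unconditionally, so any reference wrapper around the left expression is dropped on every path, prepared statement or not. Either say in the comment why losing the wrapper is safe when `left_expr` is a reference that was not created at runtime, or limit the unwrap to the runtime-created case. The phrase "can be broken in case of PS" would also be clearer if it named the failure the commit message describes: on re-execution the argument refers to an item that was deleted at the end of the previous statement.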
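Review bot: In the second hunk (@@ -1249), the block comment is placed after `item= func->create(left_expr->real_item(), item);`, so the explanation of `real_item()` follows the line it describes and reads as documentation for `substitution= item;` instead. Move the `real_item()` paragraph above the `create()` call and leave only the fix_fields remark next to the assignment. The paragraph is also a verbatim copy of the one in the first hunk and speaks of 'substitution' arguments while the object being built here is `item`; a short pointer to the first comment, worded for this call site, would keep the two from drifting apart.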