author | Sergei Golubchik <serg@mariadb.org> | 2022-11-17 19:23:08 +0100 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2023-01-09 18:06:06 +0100 |
commit | 6cb84346e1bde63ec79dd5e3a7d80f69bb106ead (patch) | |
tree | f11ecc392600892e8d8fe7132f838831a72b5737 /sql/sql_select.cc | |
parent | df82d68421699f5d51df15f0e5c1a6aa78bced63 (diff) | |
MDEV-17869 AddressSanitizer: use-after-poison in Item_change_list::rollback_item_tree_changes
it's incorrect to use change_item_tree() to replace arguments
of top-level AND/OR, because they (arguments) are stored in a List,
so a pointer to an argument is in the list_node, and individual
list_node's of top-level AND/OR can be deleted in Item_cond::build_equal_items().
In that case rollback_item_tree_changes() will modify the deleted object.
Luckily, it's not needed to use change_item_tree() for top-level
AND/OR, because the whole top-level item is copied and preserved
in prep_where and prep_on, and restored from there.
So, just don't.
In addition to the test case in the commit, it fixes
* ASAN failure of main.opt_tvc --ps
* ASAN failure of main.having_cond_pushdown --ps
Diffstat (limited to 'sql/sql_select.cc')
-rw-r--r-- | sql/sql_select.cc | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index d9922fddb8f..eb54484fa51 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -28295,11 +28295,11 @@ void JOIN::cache_const_exprs()
 return;
 if (conds)
- conds->compile(thd, &Item::cache_const_expr_analyzer, &analyzer_arg,
+ conds->top_level_compile(thd, &Item::cache_const_expr_analyzer, &analyzer_arg,
 &Item::cache_const_expr_transformer, &cache_flag);
 cache_flag= FALSE;
 if (having)
- having->compile(thd, &Item::cache_const_expr_analyzer,
+ having->top_level_compile(thd, &Item::cache_const_expr_analyzer,
 &analyzer_arg, &Item::cache_const_expr_transformer, &cache_flag);
 for (JOIN_TAB *tab= first_depth_first_tab(this); tab;
@@ -28308,7 +28308,7 @@ void JOIN::cache_const_exprs()
 if (*tab->on_expr_ref)
 {
 cache_flag= FALSE;
- (*tab->on_expr_ref)->compile(thd, &Item::cache_const_expr_analyzer,
+ (*tab->on_expr_ref)->top_level_compile(thd, &Item::cache_const_expr_analyzer,
 &analyzer_arg, &Item::cache_const_expr_transformer, &cache_flag);
 }
 }
@@ -29365,7 +29365,6 @@ select_handler *SELECT_LEX::find_select_handler(THD *thd)
 } - /** @} (end of group Query_Optimizer) */ |
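Review bot: The three switched calls in JOIN::cache_const_exprs() (conds and having in the first hunk, (*tab->on_expr_ref) in the second) carry no comment saying why `top_level_compile()` is required, so a later cleanup could revert them to `compile()` and bring back the use-after-poison from MDEV-17869. I would add above `if (conds)`: `/* top_level_compile(): args of a top-level AND/OR live in list_nodes that build_equal_items() may delete, so they must not be registered via change_item_tree() */`. The description names only prep_where and prep_on as the saved copies, while `having` is switched as well; it is worth confirming that HAVING is restored from a saved copy in the same way, since top_level_compile() itself is defined outside this diff. The function body starts and ends outside both hunks.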