author | Sergey Glukhov <sergey.glukhov@oracle.com> | 2013-05-07 13:10:58 +0400 |
---|---|---|
committer | Sergey Glukhov <sergey.glukhov@oracle.com> | 2013-05-07 13:10:58 +0400 |
commit | 2ec9dcf6a1a7a0e8e4645ba447955d60a09ef202 (patch) | |
tree | 15f9df0079fc15fc240aad39a4399ffce06b4cd7 /sql | |
parent | bf7325bb6b1efbe5802fa3bf13154a28dbbffd1a (diff) | |
download | mariadb-git-2ec9dcf6a1a7a0e8e4645ba447955d60a09ef202.tar.gz |

Bug#16095534 CRASH: PREPARED STATEMENT CRASHES IN ITEM_BOOL_FUNC2::FIX_LENGTH_AND_DEC

The problem happened due to a broken left expression in the Item_in_optimizer object.
In case of the bug, the left expression is a runtime-created Item_outer_ref item which
is deleted at the end of the statement, and one of the Item_in_optimizer arguments
becomes bad when re-executed. The fix is to use real_item() instead of the original
left expression.

Note: It feels a bit weird that after preparing, the field is
directly part of the generated Item_func_eq, whereas in execution it is replaced
with an Item_outer_ref wrapper object.

sql/item_subselect.cc:
use left_expr->real_item() instead of the original left expression
because left_expr can be a runtime-created Ref item which is deleted
at the end of the statement. Thus one of the 'substitution' arguments
can be broken in case of PS.

Diffstat (limited to 'sql')
-rw-r--r-- | sql/item_subselect.cc | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc index 10be7abb589..d2c3f0db230 100644 --- a/sql/item_subselect.cc +++ b/sql/item_subselect.cc @@ -1054,8 +1054,15 @@ Item_in_subselect::single_value_transformer(JOIN *join, if (upper_item) upper_item->set_sub_test(item); } - /* fix fields is already called for left expression */ - substitution= func->create(left_expr, subs); + /* + fix fields is already called for left expression. + Note that real_item() should be used instead of + original left expression because left_expr can be + runtime created Ref item which is deleted at the end + of the statement. Thus one of 'substitution' arguments + can be broken in case of PS. + */ + substitution= func->create(left_expr->real_item(), subs); DBUG_RETURN(RES_OK); } @@ -1249,8 +1256,16 @@ Item_in_subselect::single_value_transformer(JOIN *join, // select and is not outer anymore. item->walk(&Item::remove_dependence_processor, 0, (uchar *) select_lex->outer_select()); - item= func->create(left_expr, item); - // fix_field of item will be done in time of substituting + item= func->create(left_expr->real_item(), item); + /* + fix_field of substitution item will be done in time of + substituting. + Note that real_item() should be used instead of + original left expression because left_expr can be + runtime created Ref item which is deleted at the end + of the statement. Thus one of 'substitution' arguments + can be broken in case of PS. + */ substitution= item; have_to_be_excluded= 1; if (thd->lex->describe) |
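
Review bot: In the hunk at @@ -1054, `left_expr->real_item()` is called unconditionally, while the new comment only covers the case where left_expr is a runtime-created Ref item. real_item() also unwraps a Ref that is not freed at the end of the statement, so the comment should say whether that is intended, or the unwrap should be limited to the runtime-created case. Because the failure being fixed is a stale pointer kept in `substitution` across re-execution of a prepared statement, the comment would also be stronger if it stated why the item returned by real_item() outlives the statement, so the next reader can see that the stored pointer stays valid.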
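
Review bot: In the hunk at @@ -1249, the real_item() rationale sits below the `item= func->create(left_expr->real_item(), item);` line it explains and directly above `substitution= item;`, where it reads as a comment on the assignment. Move the real_item() sentences above the create call and keep only the fix_fields sentence before `substitution= item;`. The paragraph is also a verbatim copy of the one added in the first hunk; a short reference to that comment would keep the two explanations from drifting apart. The spelling differs between the two as well: "fix fields" in the first hunk, "fix_field" here.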