diff options
| author | Martin Hansson <martin.hansson@sun.com> | 2010-01-12 15:16:26 +0100 |
|---|---|---|
| committer | Martin Hansson <martin.hansson@sun.com> | 2010-01-12 15:16:26 +0100 |
| commit | c8b5804f295ea109f56f29de8c350133f9070a6a (patch) | |
| tree | d747918bfcaba3b8bcd77aab0438cb1ba26c6a42 /sql | |
| parent | 3c9322e73f5b994b7ec13ed73e99ce4bc94694b8 (diff) | |
| download | mariadb-git-c8b5804f295ea109f56f29de8c350133f9070a6a.tar.gz | |
Bug#48157: crash in Item_field::used_tables
MySQL handles the join syntax "JOIN ... USING( field1,
... )" and natural joins by building the same parse tree as
a corresponding join with an "ON t1.field1 = t2.field1 ..."
expression would produce. This parse tree was not cleaned up
properly in the following scenario. If a thread tries to
lock some tables and finds that the tables were dropped and
re-created while waiting for the lock, it cleans up column
references in the statement by means a per-statement free
list. But if the statement was part of a stored procedure,
column references on the stored procedure's free list weren't
cleaned up and thus contained pointers to freed objects.
Fixed by adding a call to clean up the current prepared
statement's free list.
mysql-test/r/sp_sync.result:
Bug#48157: Test case
mysql-test/t/sp_sync.test:
Bug#48157: Test result
sql/item.h:
Bug#48157: Commented field.
sql/sql_parse.cc:
Bug#48157: Commented function.
sql/sql_update.cc:
Bug#48157: fix
Diffstat (limited to 'sql')
| -rw-r--r-- | sql/item.h | 7 | ||||
| -rw-r--r-- | sql/sql_parse.cc | 6 | ||||
| -rw-r--r-- | sql/sql_update.cc | 6 |
3 files changed, 16 insertions, 3 deletions
diff --git a/sql/item.h b/sql/item.h index 8f0e5874f3f..88e90924fcc 100644 --- a/sql/item.h +++ b/sql/item.h @@ -506,6 +506,13 @@ public: char * name; /* Name from select */ /* Original item name (if it was renamed)*/ char * orig_name; + /** + Intrusive list pointer for free list. If not null, points to the next + Item on some Query_arena's free list. For instance, stored procedures + have their own Query_arena's. + + @see Query_arena::free_list + */ Item *next; uint32 max_length; uint name_length; /* Length of name */ diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 69c9ddc7806..48743a2d48f 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -615,8 +615,10 @@ void free_items(Item *item) DBUG_VOID_RETURN; } -/* This works because items are allocated with sql_alloc() */ - +/** + This works because items are allocated with sql_alloc(). + @note The function also handles null pointers (empty list). +*/ void cleanup_items(Item *item) { DBUG_ENTER("cleanup_items"); diff --git a/sql/sql_update.cc b/sql/sql_update.cc index c988d746500..26f40c7fa9f 100644 --- a/sql/sql_update.cc +++ b/sql/sql_update.cc @@ -23,6 +23,7 @@ #include "sql_select.h" #include "sp_head.h" #include "sql_trigger.h" +#include "debug_sync.h" /* Return 0 if row hasn't changed */ @@ -1143,8 +1144,11 @@ reopen_tables: items from 'fields' list, so the cleanup above is necessary to. */ cleanup_items(thd->free_list); - + cleanup_items(thd->stmt_arena->free_list); close_tables_for_reopen(thd, &table_list); + + DEBUG_SYNC(thd, "multi_update_reopen_tables"); + goto reopen_tables; } |