diff options
-rw-r--r-- | mysql-test/main/subselect.result | 11 | ||||
-rw-r--r-- | mysql-test/main/subselect.test | 14 | ||||
-rw-r--r-- | mysql-test/main/subselect_no_exists_to_in.result | 11 | ||||
-rw-r--r-- | mysql-test/main/subselect_no_mat.result | 11 | ||||
-rw-r--r-- | mysql-test/main/subselect_no_opts.result | 11 | ||||
-rw-r--r-- | mysql-test/main/subselect_no_scache.result | 11 | ||||
-rw-r--r-- | mysql-test/main/subselect_no_semijoin.result | 11 | ||||
-rw-r--r-- | sql/sql_select.cc | 10 |
8 files changed, 89 insertions, 1 deletions
diff --git a/mysql-test/main/subselect.result b/mysql-test/main/subselect.result index 1d49e178c68..281ac022318 100644 --- a/mysql-test/main/subselect.result +++ b/mysql-test/main/subselect.result @@ -7369,3 +7369,14 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# diff --git a/mysql-test/main/subselect.test b/mysql-test/main/subselect.test index 20358ed5d60..27092a60ca6 100644 --- a/mysql-test/main/subselect.test +++ b/mysql-test/main/subselect.test @@ -6308,3 +6308,17 @@ select a from t3 drop table t1,t2,t3; --echo # End of 10.2 tests + +--echo # +--echo # MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +--echo # + +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; + +# Cleanup +DROP TABLE t; + +--echo # +--echo # End of 10.3 tests +--echo # diff --git a/mysql-test/main/subselect_no_exists_to_in.result b/mysql-test/main/subselect_no_exists_to_in.result index 737636359ba..7e694b52c85 100644 --- a/mysql-test/main/subselect_no_exists_to_in.result +++ b/mysql-test/main/subselect_no_exists_to_in.result @@ -7369,6 +7369,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%exists_to_in=off%'; @@optimizer_switch like '%exists_to_in=off%' diff --git a/mysql-test/main/subselect_no_mat.result b/mysql-test/main/subselect_no_mat.result index 66586cf5f3a..fd3f234b4e0 100644 --- a/mysql-test/main/subselect_no_mat.result +++ b/mysql-test/main/subselect_no_mat.result @@ -7362,6 +7362,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%materialization=on%'; @@optimizer_switch like '%materialization=on%' diff --git a/mysql-test/main/subselect_no_opts.result b/mysql-test/main/subselect_no_opts.result index f55978a591c..dc0e690b957 100644 --- a/mysql-test/main/subselect_no_opts.result +++ b/mysql-test/main/subselect_no_opts.result @@ -7360,4 +7360,15 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set @optimizer_switch_for_subselect_test=null; diff --git a/mysql-test/main/subselect_no_scache.result b/mysql-test/main/subselect_no_scache.result index 895a68338d8..6c8dbc40c3b 100644 --- a/mysql-test/main/subselect_no_scache.result +++ b/mysql-test/main/subselect_no_scache.result @@ -7375,6 +7375,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%subquery_cache=on%'; @@optimizer_switch like '%subquery_cache=on%' diff --git a/mysql-test/main/subselect_no_semijoin.result b/mysql-test/main/subselect_no_semijoin.result index 8a0e6a6c325..1731e934c6c 100644 --- a/mysql-test/main/subselect_no_semijoin.result +++ b/mysql-test/main/subselect_no_semijoin.result @@ -7361,6 +7361,17 @@ a drop table t1,t2,t3; # End of 10.2 tests # +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# +# # MDEV-19714: JOIN::pseudo_bits_cond is not visible in EXPLAIN FORMAT=JSON # CREATE TABLE t1 ( a INT ); diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 70c0a80ba2a..0b330528452 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -1078,6 +1078,15 @@ JOIN::prepare(TABLE_LIST *tables_init, // simple check that we got usable conds dbug_print_item(conds); + /* + It is hack which force creating EXPLAIN object always on runt-time arena + (because very top JOIN::prepare executes always with runtime arena, but + constant subquery like (SELECT 'x') can be called with statement arena + during prepare phase of top SELECT). + */ + if (!(thd->lex->context_analysis_only & CONTEXT_ANALYSIS_ONLY_PREPARE)) + create_explain_query_if_not_exists(thd->lex, thd->mem_root); + if (select_lex->handle_derived(thd->lex, DT_PREPARE)) DBUG_RETURN(-1); @@ -1521,7 +1530,6 @@ bool JOIN::build_explain() int JOIN::optimize() { int res= 0; - create_explain_query_if_not_exists(thd->lex, thd->mem_root); join_optimization_state init_state= optimization_state; if (optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE) res= optimize_stage2(); |