From adaa891ae7113069e402b40637dd9ddbd96d27bc Mon Sep 17 00:00:00 2001 From: Oleksandr Byelkin Date: Thu, 12 Apr 2018 14:55:43 +0200 Subject: MDEV-13699: Assertion `!new_field->field_name.str || strlen(new_field->field_name.str) == new_field->field_name.length' failed in create_tmp_table on 2nd execution of PS with semijoin The problem was that SJ (semi-join) used secondary list (array) of subquery select list. The items there was prepared once then cleaned up (but not really freed from memory because it was made in statement memory). Original list was not prepared after first execution because select was removed by conversion to SJ. The solution is to use original list but prepare it first. --- mysql-test/t/subselect_sj.test | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'mysql-test/t') diff --git a/mysql-test/t/subselect_sj.test b/mysql-test/t/subselect_sj.test index acee1a67d63..0a35a61ecd3 100644 --- a/mysql-test/t/subselect_sj.test +++ b/mysql-test/t/subselect_sj.test @@ -2841,5 +2841,35 @@ eval EXPLAIN EXTENDED $q2; DROP TABLE t1,t2,t3,t4; +--echo # +--echo # MDEV-13699: Assertion `!new_field->field_name.str || +--echo # strlen(new_field->field_name.str) == new_field->field_name.length' +--echo # failed in create_tmp_table on 2nd execution of PS with semijoin +--echo # + +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (1),(2); + +CREATE TABLE t2 (b INT); +INSERT INTO t2 VALUES (3),(4); + +CREATE TABLE t3 (c INT); +CREATE ALGORITHM=MERGE VIEW v3 AS SELECT * FROM t3; +INSERT INTO t3 VALUES (5),(6); + +PREPARE stmt FROM + "SELECT * FROM t1 + WHERE EXISTS ( + SELECT * FROM t2 WHERE t1.a IN ( SELECT c AS fld FROM v3 ) + )"; +EXECUTE stmt; +EXECUTE stmt; +EXECUTE stmt; + +drop view v3; +drop table t1,t2,t3; + +--echo # End of 5.5 test + # The following command must be the last one the file set optimizer_switch=@subselect_sj_tmp; -- cgit v1.2.1 From eb057dce2027b673b7b140bae42963774027e0a5 Mon Sep 17 00:00:00 2001 From: Igor Babaev Date: Tue, 24 Apr 2018 15:51:49 -0700 Subject: MDEV-15035 Wrong results when calling a stored procedure multiple times with different arguments. If the ON expression of an outer join is an OR formula with one of the disjunct being a constant formula then the expression cannot be null-rejected if the constant formula is true. Otherwise it can be null-rejected and if so the outer join can be converted into inner join. This optimization was added in the patch for mdev-4817. Yet the code had a defect: if the query was used in a stored procedure with parameters and the constant item contained some of them then the value of this constant item depended on the values of the parameters. With some parameters it may be true, for others not. The validity of conversion to inner join is checked only once and it happens only for the first call of procedure. So if the parameters in the first call allowed the conversion it was done and next calls used the transformed query though there could be calls whose parameters made the conversion invalid. Fixed by cheking whether the constant disjunct in the ON expression originally contained an SP parameter. If so the expression is not considered as null-rejected. For this check a new item's attribute was intruduced: Item::with_param. It is calculated for each item by fix fields() functions. Also moved the call of optimize_constant_subqueries() in JOIN::optimize after the call of simplify_joins(). The reason for this is that after the optimization introduced by the patch for mdev-4817 simplify_joins() can use the results of execution of non-expensive constant subqueries and this is not valid. --- mysql-test/t/sp-innodb.test | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'mysql-test/t') diff --git a/mysql-test/t/sp-innodb.test b/mysql-test/t/sp-innodb.test index 23715166a02..e44a853e713 100644 --- a/mysql-test/t/sp-innodb.test +++ b/mysql-test/t/sp-innodb.test @@ -158,5 +158,47 @@ SET @@innodb_lock_wait_timeout= @innodb_lock_wait_timeout_saved; --echo # BUG 16041903: End of test case --echo # +--echo # +--echo # MDEV-15035: SP using query with outer join and a parameter +--echo # in ON expression +--echo # + +CREATE TABLE t1 ( + id int NOT NULL, + PRIMARY KEY (id) +) ENGINE=InnoDB; + +INSERT INTO t1 VALUES (1), (2); + +CREATE TABLE t2 ( + id int NOT NULL, + id_foo int NOT NULL, + PRIMARY KEY (id) +) ENGINE=InnoDB; + +INSERT INTO t2 VALUES (1, 1); + +--disable_warnings +DROP PROCEDURE IF EXISTS test_proc; +--enable_warnings + +DELIMITER |; +CREATE PROCEDURE test_proc(IN param int) +LANGUAGE SQL +READS SQL DATA +BEGIN + SELECT DISTINCT f.id + FROM t1 f + LEFT OUTER JOIN t2 b ON b.id_foo = f.id + WHERE (param <> 0 OR b.id IS NOT NULL); +END| +DELIMITER ;| + +CALL test_proc(0); +CALL test_proc(1); + +DROP PROCEDURE IF EXISTS test_proc; +DROP TABLE t1, t2; + # Wait till we reached the initial number of concurrent sessions --source include/wait_until_count_sessions.inc -- cgit v1.2.1 From fab383aac0a713b48765d0464428199470ae8c0a Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 30 Apr 2018 23:06:09 +0200 Subject: Use after free in authentication --- mysql-test/t/connect_debug.test | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 mysql-test/t/connect_debug.test (limited to 'mysql-test/t') diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test new file mode 100644 index 00000000000..299b605b2cd --- /dev/null +++ b/mysql-test/t/connect_debug.test @@ -0,0 +1,12 @@ +source include/have_debug.inc; +set @old_dbug=@@global.debug_dbug; + +# +# use after free if need plugin change and auth aborted +# +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +--error 1 +--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse +set global debug_dbug=@old_dbug; +drop user bad; -- cgit v1.2.1