author | unknown <evgen@sunlight.local> | 2006-03-13 21:11:15 +0300 |
---|---|---|
committer | unknown <evgen@sunlight.local> | 2006-03-13 21:11:15 +0300 |
commit | 8ba5a687ed1604b2e08e113b489200117f48d446 (patch) | |
tree | 589678303b93995393da51781e0e153663b64360 /mysql-test/r/subselect.result | |
parent | 19ed1c4b31e7cc22e4d59ebba68c827af4be7a47 (diff) | |
download | mariadb-git-8ba5a687ed1604b2e08e113b489200117f48d446.tar.gz |
Fixed bug#17366: Unchecked Item_int results in server crash
When there is conjunction of conds, the substitute_for_best_equal_field()
will call the eliminate_item_equal() function in loop to build final
expression. But if eliminate_item_equal() finds that some cond will always
evaluate to 0, then that cond will be substituted by Item_int with value ==
0. In this case on the next iteration eliminate_item_equal() will get that
Item_int and treat it as Item_cond. This leads to memory corruption and
server crash on cleanup phase.
To the eliminate_item_equal() function was added DBUG_ASSERT for checking
that all items treated as Item_cond are really Item_cond.
The substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns Item_int and its value is 0 then this
value is returned as the result of whole conjunction.
mysql-test/t/subselect.test:
Added test for bug#17366: Unchecked Item_int results in server crash
mysql-test/r/subselect.result:
Added test for bug#17366: Unchecked Item_int results in server crash
sql/sql_select.cc:
Fixed bug#17366: Unchecked Item_int results in server crash
To the eliminate_item_equal() function was added DBUG_ASSERT for checking
that all items treated as Item_cond are really Item_cond.
The substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns something other than Item_cond and if it is
then this value is returned as the result of whole conjunction.
Diffstat (limited to 'mysql-test/r/subselect.result')
-rw-r--r-- | mysql-test/r/subselect.result | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/mysql-test/r/subselect.result b/mysql-test/r/subselect.result index 33b12c05f98..52b6be063b8 100644 --- a/mysql-test/r/subselect.result +++ b/mysql-test/r/subselect.result @@ -3157,3 +3157,10 @@ id select_type table type possible_keys key key_len ref rows Extra 1 PRIMARY t1 ALL NULL NULL NULL NULL 9 Using where 2 DEPENDENT SUBQUERY t1 index NULL a 8 NULL 9 Using filesort DROP TABLE t1; +create table t1( f1 int,f2 int); +insert into t1 values (1,1),(2,2); +select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1'; +t +crash1 +crash1 +drop table t1; |
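Review bot: The added query selects only `tt.t`, so the expected result (two `crash1` rows) shows that the server no longer crashes but does not check that the always-false ON condition (`tt.t = 'crash2'` against `where tt.t = 'crash1'`) still produces NULL-extended rows from `t1`. Consider selecting `t1.f2` as well, so the result file records NULL for both rows and a wrong rewrite of the conjunction to a constant would show up as a result mismatch rather than passing silently. The commit message says the new guard in eliminate_item_equal() is a DBUG_ASSERT, which is compiled out of non-debug builds, so this result file is the only regression check that runs everywhere and is worth making as strict as possible. The result file also carries no marker for bug#17366 next to the new statements; reusing the table name `t1` directly after the preceding `DROP TABLE t1;` makes it hard to see where the previous test ends, so an echoed comment or a distinct table name would help.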