From 1a3859fff09986a8ffc7b1b466ef565ce2b0bf42 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Tue, 1 Nov 2022 13:22:34 +0100 Subject: MDEV-29924 Assertion `(((nr) % (1LL << 24)) % (int) log_10_int[6 - dec]) == 0' failed in my_time_packed_to_binary on SELECT when using TIME field when assigning the cached item to the Item_cache for the first time make sure to use Item_cache::setup(), not Item_cache::store(). Because the former copies the metadata (and allocates memory, in case of Item_cache_row), and Item_cache::decimal must be set for comparisons to work correctly. --- mysql-test/main/type_time_hires.result | 13 ++++++++++++- mysql-test/main/type_time_hires.test | 15 +++++++++++++-- sql/sql_class.cc | 4 +++- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/mysql-test/main/type_time_hires.result b/mysql-test/main/type_time_hires.result index 5fa9d11591a..cf7dce59f1f 100644 --- a/mysql-test/main/type_time_hires.result +++ b/mysql-test/main/type_time_hires.result @@ -360,7 +360,7 @@ select cast(1e-6 as time(6)); cast(1e-6 as time(6)) 00:00:00.000001 # -# Start of 10.4 tests +# End of 5.5 tests # # # MDEV-20397 Support TIMESTAMP, DATETIME, TIME in ROUND() and TRUNCATE() @@ -907,3 +907,14 @@ a CEILING(a) CEILING_SP(a) CEILING(a)=CEILING_SP(a) DROP FUNCTION FLOOR_SP; DROP FUNCTION CEILING_SP; DROP TABLE t1; +# +# MDEV-29924 Assertion `(((nr) % (1LL << 24)) % (int) log_10_int[6 - dec]) == 0' failed in my_time_packed_to_binary on SELECT when using TIME field +# +create table t1 (c decimal(3,1),d time(6)); +insert into t1 values (null,0.1),(null,0.1), (0.1,0.2); +select c from t1 where c &items) { cache= val_item->get_cache(thd); set_op(val_item->type_handler()); + cache->setup(thd, val_item); } - cache->store(val_item); + else + cache->store(val_item); it->store(0, cache); } it->assigned(1); -- cgit v1.2.1 From 3303748fd13399ba39ce4d646153d086c5a09445 Mon Sep 17 00:00:00 2001 From: Oleksandr Byelkin Date: Wed, 2 Nov 2022 12:49:24 +0100 Subject: MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query Make sure that EXPLAIN object allocated on runtime arena. --- mysql-test/main/subselect.result | 11 +++++++++++ mysql-test/main/subselect.test | 14 ++++++++++++++ mysql-test/main/subselect_no_exists_to_in.result | 11 +++++++++++ mysql-test/main/subselect_no_mat.result | 11 +++++++++++ mysql-test/main/subselect_no_opts.result | 11 +++++++++++ mysql-test/main/subselect_no_scache.result | 11 +++++++++++ mysql-test/main/subselect_no_semijoin.result | 11 +++++++++++ sql/sql_select.cc | 10 +++++++++- 8 files changed, 89 insertions(+), 1 deletion(-) diff --git a/mysql-test/main/subselect.result b/mysql-test/main/subselect.result index 1d49e178c68..281ac022318 100644 --- a/mysql-test/main/subselect.result +++ b/mysql-test/main/subselect.result @@ -7369,3 +7369,14 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# diff --git a/mysql-test/main/subselect.test b/mysql-test/main/subselect.test index 20358ed5d60..27092a60ca6 100644 --- a/mysql-test/main/subselect.test +++ b/mysql-test/main/subselect.test @@ -6308,3 +6308,17 @@ select a from t3 drop table t1,t2,t3; --echo # End of 10.2 tests + +--echo # +--echo # MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +--echo # + +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; + +# Cleanup +DROP TABLE t; + +--echo # +--echo # End of 10.3 tests +--echo # diff --git a/mysql-test/main/subselect_no_exists_to_in.result b/mysql-test/main/subselect_no_exists_to_in.result index 737636359ba..7e694b52c85 100644 --- a/mysql-test/main/subselect_no_exists_to_in.result +++ b/mysql-test/main/subselect_no_exists_to_in.result @@ -7369,6 +7369,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%exists_to_in=off%'; @@optimizer_switch like '%exists_to_in=off%' diff --git a/mysql-test/main/subselect_no_mat.result b/mysql-test/main/subselect_no_mat.result index 66586cf5f3a..fd3f234b4e0 100644 --- a/mysql-test/main/subselect_no_mat.result +++ b/mysql-test/main/subselect_no_mat.result @@ -7362,6 +7362,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%materialization=on%'; @@optimizer_switch like '%materialization=on%' diff --git a/mysql-test/main/subselect_no_opts.result b/mysql-test/main/subselect_no_opts.result index f55978a591c..dc0e690b957 100644 --- a/mysql-test/main/subselect_no_opts.result +++ b/mysql-test/main/subselect_no_opts.result @@ -7360,4 +7360,15 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set @optimizer_switch_for_subselect_test=null; diff --git a/mysql-test/main/subselect_no_scache.result b/mysql-test/main/subselect_no_scache.result index 895a68338d8..6c8dbc40c3b 100644 --- a/mysql-test/main/subselect_no_scache.result +++ b/mysql-test/main/subselect_no_scache.result @@ -7375,6 +7375,17 @@ a 1 drop table t1,t2,t3; # End of 10.2 tests +# +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# set optimizer_switch=default; select @@optimizer_switch like '%subquery_cache=on%'; @@optimizer_switch like '%subquery_cache=on%' diff --git a/mysql-test/main/subselect_no_semijoin.result b/mysql-test/main/subselect_no_semijoin.result index 8a0e6a6c325..1731e934c6c 100644 --- a/mysql-test/main/subselect_no_semijoin.result +++ b/mysql-test/main/subselect_no_semijoin.result @@ -7361,6 +7361,17 @@ a drop table t1,t2,t3; # End of 10.2 tests # +# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query +# +CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3; +EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')"; +COUNT(*) +0 +DROP TABLE t; +# +# End of 10.3 tests +# +# # MDEV-19714: JOIN::pseudo_bits_cond is not visible in EXPLAIN FORMAT=JSON # CREATE TABLE t1 ( a INT ); diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 70c0a80ba2a..0b330528452 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -1078,6 +1078,15 @@ JOIN::prepare(TABLE_LIST *tables_init, // simple check that we got usable conds dbug_print_item(conds); + /* + It is hack which force creating EXPLAIN object always on runt-time arena + (because very top JOIN::prepare executes always with runtime arena, but + constant subquery like (SELECT 'x') can be called with statement arena + during prepare phase of top SELECT). + */ + if (!(thd->lex->context_analysis_only & CONTEXT_ANALYSIS_ONLY_PREPARE)) + create_explain_query_if_not_exists(thd->lex, thd->mem_root); + if (select_lex->handle_derived(thd->lex, DT_PREPARE)) DBUG_RETURN(-1); @@ -1521,7 +1530,6 @@ bool JOIN::build_explain() int JOIN::optimize() { int res= 0; - create_explain_query_if_not_exists(thd->lex, thd->mem_root); join_optimization_state init_state= optimization_state; if (optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE) res= optimize_stage2(); -- cgit v1.2.1