From 8db9aa496c59e48238ed5718d683fb6bf2ae2445 Mon Sep 17 00:00:00 2001 From: Sergei Petrunia Date: Tue, 26 Apr 2022 23:29:29 +0300 Subject: MDEV-28268: Server crashes in Expression_cache_tracker::fetch_current_stats (cherry-pick into preview-10.9-MDEV-27021-explain tree) Expression_cache_tmptable object uses an Expression_cache_tracker object to report the statistics. In the common scenario, Expression_cache_tmptable destructor sets tracker->cache=NULL. The tracker object survives after the expression cache is deleted and one may call cache_tracker->fetch_current_stats() for it with no harm. However a degenerate cache with no parameters does not set tracker->cache=NULL in Expression_cache_tmptable destructor which results in an attempt to use freed data in the cache_tracker->fetch_current_stats() call. Fixed by setting tracker->cache to NULL and wrapping the assignment into a function. --- mysql-test/main/subselect4.result | 90 +++++++++++++++++++++++++++++++++++++++ mysql-test/main/subselect4.test | 16 +++++++ 2 files changed, 106 insertions(+) (limited to 'mysql-test') diff --git a/mysql-test/main/subselect4.result b/mysql-test/main/subselect4.result index 2eba69149e3..c23352c6767 100644 --- a/mysql-test/main/subselect4.result +++ b/mysql-test/main/subselect4.result @@ -2906,6 +2906,96 @@ id select_type table type possible_keys key key_len ref rows Extra 2 DEPENDENT SUBQUERY tn eq_ref PRIMARY PRIMARY 32 test.tms.key1 1 Using where set optimizer_switch=@tmp_os; drop table t1, t10, t11; +# +# MDEV-28268: Server crashes in Expression_cache_tracker::fetch_current_stats +# +CREATE TABLE t1 (a INT, b INT); +INSERT INTO t1 VALUES (1,2),(3,4); +ANALYZE FORMAT=JSON +SELECT DISTINCT +(SELECT MIN(a) FROM t1 WHERE b <= ANY (SELECT a FROM t1)) AS f +FROM t1; +ANALYZE +{ + "query_block": { + "select_id": 1, + "r_loops": 1, + "r_total_time_ms": "REPLACED", + "duplicate_removal": { + "temporary_table": { + "nested_loop": [ + { + "table": { + "table_name": "t1", + "access_type": "ALL", + "r_loops": 1, + "rows": 2, + "r_rows": 2, + "r_table_time_ms": "REPLACED", + "r_other_time_ms": "REPLACED", + "filtered": 100, + "r_filtered": 100 + } + } + ], + "subqueries": [ + { + "expression_cache": { + "state": "disabled", + "r_loops": 0, + "query_block": { + "select_id": 2, + "r_loops": 1, + "r_total_time_ms": "REPLACED", + "nested_loop": [ + { + "table": { + "table_name": "t1", + "access_type": "ALL", + "r_loops": 1, + "rows": 2, + "r_rows": 2, + "r_table_time_ms": "REPLACED", + "r_other_time_ms": "REPLACED", + "filtered": 100, + "r_filtered": 50, + "attached_condition": "((t1.b,(subquery#3) >= 4))" + } + } + ], + "subqueries": [ + { + "query_block": { + "select_id": 3, + "r_loops": 1, + "r_total_time_ms": "REPLACED", + "nested_loop": [ + { + "table": { + "table_name": "t1", + "access_type": "ALL", + "r_loops": 1, + "rows": 2, + "r_rows": 2, + "r_table_time_ms": "REPLACED", + "r_other_time_ms": "REPLACED", + "filtered": 100, + "r_filtered": 100 + } + } + ] + } + } + ] + } + } + } + ] + } + } + } +} +DROP TABLE t1; # End of 10.2 tests # End of 10.3 tests # diff --git a/mysql-test/main/subselect4.test b/mysql-test/main/subselect4.test index cde9b4c25c3..95e73755226 100644 --- a/mysql-test/main/subselect4.test +++ b/mysql-test/main/subselect4.test @@ -2425,6 +2425,21 @@ set optimizer_switch=@tmp_os; drop table t1, t10, t11; +--echo # +--echo # MDEV-28268: Server crashes in Expression_cache_tracker::fetch_current_stats +--echo # +CREATE TABLE t1 (a INT, b INT); +INSERT INTO t1 VALUES (1,2),(3,4); + +--source include/analyze-format.inc +ANALYZE FORMAT=JSON +SELECT DISTINCT + (SELECT MIN(a) FROM t1 WHERE b <= ANY (SELECT a FROM t1)) AS f +FROM t1; + +# Cleanup +DROP TABLE t1; + --echo # End of 10.2 tests --echo # End of 10.3 tests @@ -2470,3 +2485,4 @@ select * from t1 where t1.a in (select t2.a from t2 order by t2.b); drop table t0, t1, t2; --echo # End of 10.4 tests + -- cgit v1.2.1