From 6cb84346e1bde63ec79dd5e3a7d80f69bb106ead Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Thu, 17 Nov 2022 19:23:08 +0100 Subject: MDEV-17869 AddressSanitizer: use-after-poison in Item_change_list::rollback_item_tree_changes it's incorrect to use change_item_tree() to replace arguments of top-level AND/OR, because they (arguments) are stored in a List, so a pointer to an argument is in the list_node, and individual list_node's of top-level AND/OR can be deleted in Item_cond::build_equal_items(). In that case rollback_item_tree_changes() will modify the deleted object. Luckily, it's not needed to use change_item_tree() for top-level AND/OR, because the whole top-level item is copied and preserved in prep_where and prep_on, and restored from there. So, just don't. Additionally to the test case in the commit it fixes * ASAN failure of main.opt_tvc --ps * ASAN failure of main.having_cond_pushdown --ps --- sql/sql_lex.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'sql/sql_lex.cc')
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index f31a128832b..ac570be78aa 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -10042,9 +10042,8 @@ st_select_lex::build_pushable_cond_for_having_pushdown(THD *thd, Item *cond)
 */
 if (cond->get_extraction_flag() == FULL_EXTRACTION_FL)
 {
- Item *result= cond->transform(thd,
- &Item::multiple_equality_transformer,
- (uchar *)this);
+ Item *result= cond->top_level_transform(thd,
+ &Item::multiple_equality_transformer, (uchar *)this);
 if (!result)
 return true;
 if (result->type() == Item::COND_ITEM &&
-- cgit v1.2.1
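Review bot: The new `cond->top_level_transform(...)` call in build_pushable_cond_for_having_pushdown() has no comment saying why plain `transform()` must not be used here, so the memory-safety reason survives only in the commit message. Per that message, arguments of a top-level AND/OR sit in list_nodes that Item_cond::build_equal_items() can delete, and a change registered through change_item_tree() would later be rolled back into the deleted node. I would add above the call: `/* top_level_transform(): args of a top-level AND/OR must not go through change_item_tree(), their list_nodes may be deleted by build_equal_items() (MDEV-17869) */`. Whether `cond` on this path is always a top-level item that is copied and restored elsewhere, as the message assumes for prep_where and prep_on, cannot be confirmed from this hunk; the function body starts and ends outside it.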