• Alexey Kopytov's avatar
    Bug #55568: user variable assignments crash server when used · cd4ca4b7
    Alexey Kopytov authored
                within query
    
    The server could crash after materializing a derived table
    which requires a temporary table for grouping.
    
    When destroying the temporary table used to execute a query for
    a derived table, JOIN::destroy() did not clean up Item_fields
    pointing to fields in the temporary table. This led to
    dereferencing a dangling pointer when printing out the items
    tree later in the outer SELECT.
    
    The solution is an addendum to the patch for bug37362: in
    addition to cleaning up items in tmp_all_fields3, do the same
    for items in tmp_all_fields1, since now we have an example
    where this is necessary.
    
    
    mysql-test/r/join.result:
      Added test cases for bug#55568 and a duplicate bug #54468.
    mysql-test/t/join.test:
      Added test cases for bug#55568 and a duplicate bug #54468.
    sql/field.cc:
      Make sure field->table_name is not set to NULL in
      Field::make_field() to avoid assertion failure in 
      Item_field::make_field() after cleaning up items
      (the assertion fired in udf.test when running
      the test suite with the patch applied).
    sql/sql_select.cc:
      In addition to cleaning up items in tmp_all_fields3, do the
      same for items in tmp_all_fields1.
      Introduce a new helper function to avoid code duplication.
    sql/sql_select.h:
      Introduce a new helper function to avoid code duplication in
      JOIN::destroy().
    cd4ca4b7
sql_select.cc 548 KB