Skip to content

M
MariaDB
Switch branch/tag
Find file BlameHistoryPermalink
  • unknown's avatar
    A fix and test case for Bug#5987 "subselect in bool function · bcc6f615
    unknown authored 
    crashes server (prepared statements)": the bug was that all boolean
items always recovered its original arguments at statement cleanup 
stage.
This collided with Item_subselect::select_transformer, which tries to 
permanently change the item tree to use a transformed subselect instead of
original one.
So we had this call sequence for prepare:
mysql_stmt_prepare -> JOIN::prepare -> 
Item_subselect::fix_fields -> the item tree gets transformed ->
Item_bool_rowready_func2::cleanup, item tree is recovered to original
state, while it shouldn't have been;
mysql_stmt_execute -> attempts to execute a broken tree -> crash.
Now instead of bluntly recovering all arguments of bool functions in 
Item_bool_rowready_func2::cleanup, we recover only those
which were changed, and do it in one place.
There still would exist a possibility for a collision with subselect
tranformation, if permanent and temporary changes were performed at the 
same stage.
But fortunately subselect transformation is always done first, so it 
doesn't conflict with the optimization done by propogate_cond_constants.
Now we have: 
mysql_stmt_prepare -> JOIN::prepare -> subselect transformation 
permanently changes the tree -> cleanup doesn't recover anything, 
because nothing was registered for recovery.
mysql_stmt_execute -> JOIN::prepare (the tree is already transformed, 
so it doesn't change), JOIN::optimize -> 
propogate_cond_constants -> temporary changes the item tree 
with constants -> JOIN::execute -> cleanup -> 
the changes done by propogate_cond_constants are recovered, as
they were registered for recovery.


mysql-test/r/ps.result:
  Bug#5987: test results fixed.
mysql-test/t/ps.test:
  A test for bug#5987 "subselect in bool function crashes server 
  (prepared statements)"
sql/item.cc:
  resolve_const_item is now responsible to register all changes of the 
  item tree for recovery
sql/item.h:
  resolve_const_item signagture changed
sql/item_cmpfunc.h:
  Arguments of boolean functions are now recovered using the 
  centralized registry of THD.
sql/sql_class.cc:
  It's crucial to add new items to the beginning of the recovery list,
  so that the recovery is performed in LIFO mode: otherwise if we 
  change one node of a tree twice, it will be recovered to some intermediate
  state.
sql/sql_select.cc:
  change_cond_ref_to_const and propogate_cond_constants are now responsible
  to register all changes of the item tree for recovery.
  The recovery is done using the centralized THD registry of
  changed tree items.
    bcc6f615
ps.result 10.6 KB
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7