Commit 27ac666f authored by Martin Hansson's avatar Martin Hansson

Bug#48157: crash in Item_field::used_tables

MySQL handles the join syntax "JOIN ... USING( field1,
... )" and natural joins by building the same parse tree as
a corresponding join with an "ON t1.field1 = t2.field1 ..."
expression would produce. This parse tree was not cleaned up
properly in the following scenario. If a thread tries to
lock some tables and finds that the tables were dropped and
re-created while waiting for the lock, it cleans up column
references in the statement by means of a per-statement free
list. But if the statement was part of a stored procedure,
column references on the stored procedure's free list
weren't cleaned up and thus contained pointers to freed
objects.
      
Fixed by adding a call to clean up the current prepared
statement's free list.

This is a backport from MySQL 5.1
parent 4e75f7c0
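To make the mechanism in the commit message concrete, here is a small constructed model (added here, not MySQL code) of the two intrusive free lists: a per-statement arena and the enclosing stored procedure's arena both hold Items that reference a table about to be dropped and re-created. Cleaning only the statement's list leaves the procedure's Item pointing at the old table; cleaning both, as the patch does, leaves nothing dangling. Names such as `Query_arena`, `field_table` and `dangling_after_reopen` are assumptions of this model.

```c
/* Constructed model of the bug, not MySQL source: two arenas, each with an
   intrusive free list of Items that may hold a column reference into a TABLE. */
#include <stddef.h>
#include <stdlib.h>

typedef struct Table { int id; } Table;

/* Mirrors Item::next from the patch: intrusive pointer to the next Item
   on some arena's free list. field_table stands in for a column reference. */
typedef struct Item {
    struct Item *next;
    Table *field_table;
} Item;

typedef struct Query_arena { Item *free_list; } Query_arena;

/* Mirrors cleanup_items(): walk the list via next and drop each item's
   column reference. A null pointer means an empty list and is accepted. */
static void cleanup_items(Item *item) {
    for (; item != NULL; item = item->next)
        item->field_table = NULL;
}

/* Allocate an Item referencing t and push it onto the arena's free list. */
static Item *new_item(Query_arena *arena, Table *t) {
    Item *it = calloc(1, sizeof *it);
    it->field_table = t;
    it->next = arena->free_list;
    arena->free_list = it;
    return it;
}

static size_t count_refs(const Item *item, const Table *t) {
    size_t n = 0;
    for (; item != NULL; item = item->next)
        if (item->field_table == t) n++;
    return n;
}

/* Simulate "tables dropped and re-created while waiting for the lock".
   Returns how many Items would still point at the old table after cleanup.
   with_fix selects whether the stored procedure's list is cleaned as well. */
size_t dangling_after_reopen(int with_fix) {
    Query_arena stmt = {NULL}, sp = {NULL};
    Table *old = malloc(sizeof *old);
    new_item(&stmt, old);                       /* reference made by the statement */
    new_item(&sp, old);                         /* reference held by the procedure */
    cleanup_items(stmt.free_list);              /* the cleanup that already existed */
    if (with_fix) cleanup_items(sp.free_list);  /* the call the patch adds */
    size_t n = count_refs(stmt.free_list, old) + count_refs(sp.free_list, old);
    free(old);                                  /* counted before the table is freed */
    return n;
}
```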
...@@ -470,6 +470,13 @@ class Item { ...@@ -470,6 +470,13 @@ class Item {
my_string name; /* Name from select */ my_string name; /* Name from select */
/* Original item name (if it was renamed)*/ /* Original item name (if it was renamed)*/
my_string orig_name; my_string orig_name;
/**
Intrusive list pointer for free list. If not null, points to the next
Item on some Query_arena's free list. For instance, stored procedures
have their own Query_arena's.
@see Query_arena::free_list
*/
Item *next; Item *next;
uint32 max_length; uint32 max_length;
uint name_length; /* Length of name */ uint name_length; /* Length of name */
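Review bot: Documentation nit in the new comment on `Item *next`: "Query_arena's" is a plural here and should read "Query_arenas". It would also help a reader to say in the same comment that the list is the one walked by cleanup_items() and that an Item may sit on a different arena's list than the current statement's (which is exactly the stored procedure case this fix addresses), so that anyone adding a new cleanup path knows both lists may need attention.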
...@@ -1411,8 +1411,10 @@ pthread_handler_t handle_bootstrap(void *arg) ...@@ -1411,8 +1411,10 @@ pthread_handler_t handle_bootstrap(void *arg)
} }
/* This works because items are allocated with sql_alloc() */ /**
This works because items are allocated with sql_alloc().
@note The function also handles null pointers (empty list).
*/
void cleanup_items(Item *item) void cleanup_items(Item *item)
{ {
DBUG_ENTER("cleanup_items"); DBUG_ENTER("cleanup_items");
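Review bot: The converted doc comment still does not say what cleanup_items() does; "This works because items are allocated with sql_alloc()" explains a precondition without naming the behaviour. Suggest a first line such as "Walk the intrusive list via Item::next and clean each item; memory is not freed here, it belongs to the arena (sql_alloc())." The new @note about null pointers is worth keeping, since the added caller in mysql_multi_update_prepare() passes `thd->stmt_arena->free_list`, which may be empty.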
...@@ -908,8 +908,9 @@ int mysql_multi_update_prepare(THD *thd) ...@@ -908,8 +908,9 @@ int mysql_multi_update_prepare(THD *thd)
items from 'fields' list, so the cleanup above is necessary to. items from 'fields' list, so the cleanup above is necessary to.
*/ */
cleanup_items(thd->free_list); cleanup_items(thd->free_list);
cleanup_items(thd->stmt_arena->free_list);
close_tables_for_reopen(thd, &table_list); close_tables_for_reopen(thd, &table_list);
goto reopen_tables; goto reopen_tables;
} }
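Review bot: The comment immediately above the new call still only justifies cleaning `thd->free_list` ("so the cleanup above is necessary to", which should read "too"); it should be extended to state why `thd->stmt_arena->free_list` must be cleaned as well, i.e. that when the statement runs inside a stored procedure its column references live on the procedure's arena list and would otherwise keep pointers to the dropped tables. One question for the author: if `thd->stmt_arena` can be the THD itself for a plain (non-procedure) statement, the two lists are the same and cleanup_items() runs over it twice; either note why that is harmless or guard the second call with `if (thd->stmt_arena != thd)`.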