
Re: [Commits] 2430d1d: MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd

 

Hi!

On 30.07.15 16:59, Sergey Vojtovich wrote:
revision-id: 2430d1d7ccfcf429e45dbfe655a24d57a79ebf6c (mariadb-5.5.44-14-g2430d1d)
parent(s): 392df76bc3a40a5dd1956b12628dd6489a37be36
committer: Sergey Vojtovich
timestamp: 2015-07-30 18:51:44 +0400
message:

MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
             execution of PS

GROUP_CONCAT() with ORDER BY column position may crash the server on PS re-execution.

The problem was that the arguments array of GROUP_CONCAT() was adjusted to point to
temporary elements (resolved ORDER BY fields) during the first execution.

This patch expands rev. 08763096cb to restore the original arguments array as well.

OK to push!


---
  mysql-test/r/func_gconcat.result | 16 ++++++++++++++++
  mysql-test/t/func_gconcat.test   | 11 +++++++++++
  sql/item_sum.cc                  |  3 +++
  3 files changed, 30 insertions(+)

diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result
index f12a0c1..0bc31a5 100644
--- a/mysql-test/r/func_gconcat.result
+++ b/mysql-test/r/func_gconcat.result
@@ -1103,3 +1103,19 @@ ORDER BY field;
  field
  c,c
  drop table t3, t2, t1;
+#
+# MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
+#             execution of PS
+#
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(1),(2);
+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a";
+EXECUTE stmt;
+GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0)
+1,1
+2,2
+EXECUTE stmt;
+GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0)
+1,1
+2,2
+DROP TABLE t1;
diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test
index 42a3076..5550eeb 100644
--- a/mysql-test/t/func_gconcat.test
+++ b/mysql-test/t/func_gconcat.test
@@ -821,3 +821,14 @@ FROM ( SELECT * FROM t2 ) AS sq2, t3
  ORDER BY field;
drop table t3, t2, t1;
+
+--echo #
+--echo # MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
+--echo #             execution of PS
+--echo #
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(1),(2);
+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a";
+EXECUTE stmt;
+EXECUTE stmt;
+DROP TABLE t1;
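Review bot: The new test case never releases the prepared statement: after the second `EXECUTE stmt;` it goes straight to `DROP TABLE t1;`. Adding `DEALLOCATE PREPARE stmt;` before the drop would keep the case self-contained, and presumably also runs the statement's final teardown after the re-execution that used to crash. The recorded output in func_gconcat.result would need the same line.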
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index d8970ca..a24307b 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -3300,6 +3300,8 @@ void Item_func_group_concat::cleanup()
      from Item_func_group_concat::setup() to point to runtime
      created objects, we need to reset them back to the original
      arguments of the function.
+
+    The very same applies to args array.
    */
    ORDER **order_ptr= order;
    for (uint i= 0; i < arg_count_order; i++)
@@ -3307,6 +3309,7 @@ void Item_func_group_concat::cleanup()
      (*order_ptr)->item= &args[arg_count_field + i];
      order_ptr++;
    }
+  memcpy(args, orig_args, sizeof(Item *) * arg_count);
    DBUG_VOID_RETURN;
  }
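Review bot: The added `memcpy(args, orig_args, sizeof(Item *) * arg_count);` relies on `orig_args` being a separate, non-overlapping array of at least `arg_count` pointers captured before setup() rewrote `args`, and nothing visible in this hunk establishes that. If the two arrays are always distinct, a `DBUG_ASSERT(orig_args != args);` just before the copy would document it, since memcpy over overlapping ranges is undefined. The remark "The very same applies to args array" sits in the comment above the ORDER loop, several lines from the copy. I would put a comment directly on the memcpy instead, e.g. `/* args[] may point to items created during execution; restore the parse-time pointers so PS re-execution never dereferences stale ones */`. The loop above stores addresses of `args` slots rather than their contents, so restoring the contents afterwards looks order-independent, but cleanup() begins outside the hunk and the rest of it should be checked.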