maria-developers team mailing list archive
Message #11073
Re: 47bb2dcbcc8: MDEV-14786: Server crashes in Item_cond::transform on 2nd execution of SP querying from a view
Hi, Oleksandr!
On Jan 21, Oleksandr Byelkin wrote:
> revision-id: 47bb2dcbcc8c3cdca43baf6259f2434a746c7b03 (mariadb-5.5.58-42-g47bb2dcbcc8)
> parent(s): c0e964dcf1787a101f6e9c115751c0d02b0fac1b
> author: Oleksandr Byelkin
> committer: Oleksandr Byelkin
> timestamp: 2018-01-21 23:48:32 +0100
> message:
>
> MDEV-14786: Server crashes in Item_cond::transform on 2nd execution of SP querying from a view
>
> MDEV-14957: JOIN::prepare gets unusable "conds" as argument
>
> Do not touch merged derived (it is irreversible)
>
> Fix first argument of in_optimizer for calls possible before fix_fields()
>
> diff --git a/sql/item.cc b/sql/item.cc
> index 332e027adf1..562c0bec78d 100644
> --- a/sql/item.cc
> +++ b/sql/item.cc
> @@ -10010,7 +10010,7 @@ const char *dbug_print_item(Item *item)
> if (!item)
> return "(Item*)NULL";
> item->print(&str ,QT_ORDINARY);
> - if (str.c_ptr() == buf)
> + if (str.ptr() == buf)
c_ptr_safe() here.
It's MDEV-14981.
> return buf;
> else
> return "Couldn't fit into buffer";
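Review bot: switching the comparison to `str.ptr()` avoids the reallocation that could make `c_ptr()` differ from `buf`, but `ptr()` does not append a terminating NUL, so when the printed item fills `buf` exactly the `return buf` on the next line hands back an unterminated C string; terminate in place before comparing (the `c_ptr_safe()` suggested in the reply above does that), and note that the "Couldn't fit into buffer" branch is only reached when the String actually moved to a new allocation.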
> diff --git a/sql/item.h b/sql/item.h
> index 4d0860af547..add408602fc 100644
> --- a/sql/item.h
> +++ b/sql/item.h
> @@ -4478,4 +4478,11 @@ class Item_iterator_row: public Item_iterator
> void close() {}
> };
>
> +#ifdef DBUG_OFF
> +static inline const char *dbug_print_item(Item *item) { return NULL; }
> +#else
> +extern const char *dbug_print_item(Item *item);
> +#endif
Put it not at the end, but at the beginning - above 'class Protocol;'
That's where someone had it in 10.2, it'll be easier to merge if you add
it in the same place. And no 'extern' in the #else branch, just as in
10.2.
> #endif /* SQL_ITEM_INCLUDED */
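Review bot: the `#ifdef DBUG_OFF` stub returns NULL while the debug build returns a printable C string, and nothing in the declaration documents that difference; either return an empty string literal so a caller that passes the result to a `%s` format never dereferences NULL, or add a comment above the `#ifdef` stating that the release-build stub returns NULL and that the debug result is only valid until the next call.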
> diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
> index 62e76922c0e..a40340baae9 100644
> --- a/sql/item_cmpfunc.cc
> +++ b/sql/item_cmpfunc.cc
> @@ -1443,6 +1443,33 @@ bool Item_in_optimizer::eval_not_null_tables(uchar *opt_arg)
> }
>
>
> +void Item_in_optimizer::print(String *str, enum_query_type query_type)
> +{
> + restore_first_argumet();
> + Item_func::print(str, query_type);
> +}
> +
> +
> +/**
> + "Restore" first argument before fix_fields() call (after it is harmless).
> +
> + @Note: Main pointer to left part of IN/ALL/ANY subselect is subselect's
> + lest_expr (see Item_in_optimizer::fix_left) so changes made during
> + fix_fields will be rolled back there which can make
> + Item_in_optimizer::args[0] unusable on second execution before fix_left()
> + call. This call fix the pointer.
> +*/
> +
> +void Item_in_optimizer::restore_first_argumet()
> +{
> + if (args[1]->type() == Item::SUBSELECT_ITEM &&
> + ((Item_subselect *)args[1])->is_in_predicate())
> + {
> + args[0]= ((Item_in_subselect *)args[1])->left_expr;
> + }
> +}
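Review bot: the new method name `restore_first_argumet` is misspelled (`argument`), and so is `lest_expr` in its doc comment (`left_expr`, the member actually assigned at `args[0]= ((Item_in_subselect *)args[1])->left_expr;`); since the name will also appear in the header declaration and at every call site, rename it before merging. The comment should also be reworded: "(after it is harmless)" is ambiguous about whether calling it after fix_fields() is safe or pointless, and "This call fix the pointer" should read "fixes".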
Any way to trigger the bug without dbug_print_item()?
Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx