[MDEV-3725] LP:675248 - select->prep_where references on freed memory Created: 2010-11-14  Updated: 2015-02-02  Resolved: 2012-10-04

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Oleksandr Byelkin Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: Launchpad

Attachments: XML File LPexportBug675248.xml

Description

The query with --ps-protocol crashes the server because select->prep_where references freed memory (it was Item_outer_ref):

CREATE TABLE `t1` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_varchar_key` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t1` VALUES (10,'v');
INSERT INTO `t1` VALUES (11,'r');
CREATE TABLE `t2` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_varchar_key` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t2` VALUES (1,'r');
INSERT INTO `t2` VALUES (2,'c');
CREATE TABLE `t3` (
`pk` int(11) NOT NULL AUTO_INCREMENT,
`col_varchar_key` varchar(1) DEFAULT NULL,
PRIMARY KEY (`pk`),
KEY `col_varchar_key` (`col_varchar_key`)
) DEFAULT CHARSET=latin1;
INSERT INTO `t3` VALUES (1,'w');

SELECT SUM( DISTINCT table2 . `pk` ) AS field2 ,
(SELECT SUM( SUBQUERY1_t2 . `pk` ) AS SUBQUERY1_field1
FROM t2 AS SUBQUERY1_t2 STRAIGHT_JOIN
t3 AS SUBQUERY1_t3 ON (SUBQUERY1_t3 . `pk` = SUBQUERY1_t2 . `pk` )
WHERE table1 . `col_varchar_key` ) AS field3
FROM ( t1 AS table1 LEFT JOIN
( t2 AS table2 STRAIGHT_JOIN
t3 AS table3 ON (table3 . `pk` = table2 . `pk` ) )
ON (table3 . `col_varchar_key` = table1 . `col_varchar_key` ) )
WHERE ( table1 . `pk` < 5 ) OR ( table1 . `col_varchar_key` IS NOT NULL)
GROUP BY field3
HAVING (field3 <= 'h' AND field2 != 4) ;
drop tables t1, t2, t3;
Comments
Comment by Oleksandr Byelkin [ 2010-11-15 ]

Re: select->prep_where references on freed memory
Here is a simpler test case:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

select sum(a),(select sum(c) from t2 where table1.b) as sub
from t1 as table1 group by sub;

Comment by Oleksandr Byelkin [ 2010-11-15 ]

Re: select->prep_where references on freed memory
Test suite for usual execution:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

prepare stmt1 from "select sum(a),(select sum(c) from t2 where table1.b) as sub
from t1 as table1 group by sub";

execute stmt1;

drop table t1,t2;

Comment by Oleksandr Byelkin [ 2010-11-15 ]

Re: select->prep_where references on freed memory
Here is an example of the bug during the conversion of Item_ref to Item_field:

CREATE TABLE t1 (a int, b int);
insert into t1 values (1,1),(0,0);

CREATE TABLE t2 (c int);
insert into t2 values (1),(2);

prepare stmt1 from "select sum(a),(select sum(c) from t2 having table1.b) as sub
from t1 as table1";

execute stmt1;

drop table t1,t2;

Comment by Rasmus Johansson (Inactive) [ 2011-12-13 ]

Launchpad bug id: 675248

Generated at Thu Feb 08 06:50:45 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.