revno: 4591.1.70
|
committer: Guilhem Bichot <guilhem.bichot@oracle.com>
|
branch nick: 5.6-3
|
timestamp: Sat 2012-11-24 15:45:56 +0100
|
message:
|
fix for Bug#13996639 CRASH IN ITEM_REF::FIX_FIELDS ON EXEC OF STORED
|
FUNCTION WITH ONLY_FULL_GROUP_BY. See per-file comments.
|
|
mysql-test/r/ps_ddl1.result:
|
side affect of the bugfix; this is a good change, as the removed comment says.
|
sql/sql_lex.cc:
|
LEX starts clean
|
sql/sql_optimizer.cc:
|
If optimize () fails, tag the Lex as "broken"
|
sql/sql_parse.cc:
|
At first execution of:
|
SELECT stored_func()
|
this happens:
|
1) body of stored_func is read from mysql.proc
|
2) body is parsed (sp_compile()) (for each substatement a LEX and some
|
Items are created)
|
3) parsing went ok so parse trees are cached (sp_cache_insert())
|
4) substatement starts executing (SELECT with a NOT IN (subq))
|
4.1) Item_in_subselect::fix_fields():
|
if (!(res= engine->prepare()))
|
{
|
(*ref)= substitution;
|
engine->prepare() calls JOIN::prepare() on subq, which calls
|
resolve_subquery() which starts IN2EXISTS transformation: adds
|
conditions (using some new Item_ref) to the subquery's WHERE, creates
|
Item_in_optimizer and puts it in 'substitution'. After
|
resolve_subquery(), JOIN::prepare() of subq fails in:
|
|
my_message(ER_MIX_OF_GROUP_FUNC_AND_FIELDS,
|
ER(ER_MIX_OF_GROUP_FUNC_AND_FIELDS), MYF(0));
|
DBUG_RETURN(-1);
|
|
So far, so good.
|
Thus engine->prepare() fails. Thus we don't do:
|
(*ref)= substitution;
|
i.e. the parent of the subquery continues to have its WHERE point to
|
Item_in_subselect. At this stage we have a broken parse tree, because
|
subq has been transformed but parent query points to pre-transform
|
subq. This mess is not rolled back (IN2EXISTS is a complex transform
|
which does not use change_item_tree()).
|
ER_MIX_OF_GROUP_FUNC_AND_FIELDS is sent to client.
|
So far, so good.
|
|
At 2nd execution of:
|
SELECT stored_func()
|
this happens:
|
1) cached parse trees of stored_func is read from cache
|
2) but this is the broken parse tree!
|
3) as the Item_ref depends on Item_in_optimizer::fix_fields() to set
|
its '*ref', and as Item_in_optimizer was not stored in parent query,
|
Item_in_optimizer::fix_fields() is not called, so
|
Item_ref::fix_fields() crashes.
|
|
Summary: first execution broke Item_in_subselect/LEX, 2nd execution reused it.
|
|
Solution: first execution marks the fact that it
|
broke LEX; 2nd execution sees the mark and asks for a
|
reprepare, which creates new parse trees, and thus works as the first
|
execution.
|
A new member m_broken is added to class LEX. It is set to "true" when
|
JOIN:: prepare () or JOIN:: optimize () fail, because it is possible
|
that those functions were doing transformations. It is set to "false"
|
when the Lex is initialized.
|
sql/sql_resolver.cc:
|
If prepare () fails, tag the Lex as "broken"
|