[MDEV-8833] Crash of server on prepared statement with conversion to semi-join Created: 2015-09-23  Updated: 2016-09-02  Resolved: 2016-09-02

Status: Closed
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 5.5.45, 10.0.21, 10.1.7
Fix Version/s: 5.5.52, 10.1.18, 10.0.28, 10.2.2

Type: Bug Priority: Major
Reporter: Oleksandr Byelkin Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-7691 Assertion `outer_context || !*from_fi... Closed
relates to MDEV-7846 Server crashes in Item_subselect::fix... Closed
Sprint: 10.1.8-3, 10.1.8-4, 10.1.9-2, 10.1.9-3, 5.5.47-1, 10.0.23, 5.5.50

Description

-- The opening statements of the test case are missing from this page. The two
-- CREATE TABLE statements below are reconstructed from the column names used in
-- the query (table1.column1, table2.column2), following the pattern of t3 and t4;
-- they are not part of the original report.
CREATE TABLE t1 (column1 INT) ENGINE=MyISAM;
CREATE TABLE t2 (column2 INT) ENGINE=MyISAM;
INSERT INTO t2 VALUES (1),(4);

CREATE TABLE t3 (column3 INT) ENGINE=MyISAM;
INSERT INTO t3 VALUES (6),(8);

CREATE TABLE t4 (column4 INT) ENGINE=MyISAM;
INSERT INTO t4 VALUES (2),(5);

-- The scalar subquery in the select list references table3 from the outer
-- query, and its own IN subquery is a candidate for semi-join conversion.
PREPARE stmt FROM "
SELECT (
SELECT MAX( table1.column1 ) AS field1
FROM t1 AS table1
WHERE table3.column3 IN ( SELECT table2.column2 AS field2 FROM t2 AS table2 )
) AS sq
FROM t3 AS table3, t4 AS table4";

-- Executing the prepared statement twice reproduces the server crash on the
-- affected versions (5.5.45, 10.0.21, 10.1.7).
EXECUTE stmt;
EXECUTE stmt;

DEALLOCATE PREPARE stmt;
DROP TABLE t1,t2,t3,t4;



Comments
Comment by Oleksandr Byelkin [ 2015-10-01 ]

The problem is that the artificially created context, created in the hope of an automatic 'fix_field' by the cache, has a different select_lex, which triggers a fix_outer_field call, which causes problems because the context is artificial.

Comment by Oleksandr Byelkin [ 2015-10-05 ]

The problem is that the Item (left expr) which we "pull out" from the inner subquery is actually an external reference.
The artificial context created for it during pullout can't be processed by fix_outer_field(), which will be called because the field is outer.

MySQL has no such problem because they do not create a new name resolution context but 'fix' the existing one.

Comment by Oleksandr Byelkin [ 2015-11-04 ]

I see 2 ways:
1) use the MySQL way (a lot of rewriting)
2) somehow cache and restore outer field/dependency information

Comment by Oleksandr Byelkin [ 2015-11-09 ]

226a5d281a2498f0066cfee2ed4307b425f536e0 looks like the fix in MySQL.

Comment by Oleksandr Byelkin [ 2015-11-10 ]

revision-id: 517e206b8d9855aea64f044b48f740a0df3a48c7 (mariadb-5.5.46-6-g517e206)
parent(s): 7e4da9b370d032db9015adb47ad2ff585aeaea5d
committer: Oleksandr Byelkin
timestamp: 2015-11-10 12:41:26 +0100
message:

MDEV-8833 Crash of server on prepared statement with conversion to semi-join

Correct context chain made to allow outer fields pullout.

Comment by Sergei Petrunia [ 2016-09-02 ]

Discussed with sanja: this addon to the patch looks like it won't hurt:
https://gist.github.com/spetrunia/3c9b5d5c7bb22db5661274b77702eb58

We're not sure when exactly context->select_lex==NULL. Here's one example: https://gist.github.com/spetrunia/cc93df028313406b238f10c7c482afd9

Comment by Sergei Petrunia [ 2016-09-02 ]

Ok to push the patch with addon.

Generated at Thu Feb 08 07:30:08 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.