Commit e57ea46d authored by Martin Hansson's avatar Martin Hansson

Bug#48157: crash in Item_field::used_tables

MySQL handles the join syntax "JOIN ... USING( field1,
... )" and natural joins by building the same parse tree as
a corresponding join with an "ON t1.field1 = t2.field1 ..."
expression would produce. This parse tree was not cleaned up
properly in the following scenario. If a thread tries to
lock some tables and finds that the tables were dropped and
re-created while waiting for the lock, it cleans up column
references in the statement by means of a per-statement free
list. But if the statement was part of a stored procedure,
column references on the stored procedure's free list weren't
cleaned up and thus contained pointers to freed objects.

Fixed by adding a call to clean up the current prepared
statement's free list.
parent 684405a5
Tests of syncronization of stored procedure execution.
#
# Bug#48157: crash in Item_field::used_tables
#
CREATE TABLE t1 AS SELECT 1 AS a, 1 AS b;
CREATE TABLE t2 AS SELECT 1 AS a, 1 AS b;
CREATE PROCEDURE p1()
BEGIN
UPDATE t1 JOIN t2 USING( a, b ) SET t1.b = 1, t2.b = 1;
END|
LOCK TABLES t1 WRITE, t2 WRITE;
SET DEBUG_SYNC = 'multi_update_reopen_tables SIGNAL parked WAIT_FOR go';
CALL p1();
DROP TABLE t1, t2;
SET DEBUG_SYNC = 'now WAIT_FOR parked';
CREATE TABLE t1 AS SELECT 1 AS a, 1 AS b;
CREATE TABLE t2 AS SELECT 1 AS a, 1 AS b;
SET DEBUG_SYNC = 'now SIGNAL go';
# Without the DEBUG_SYNC supplied in the same patch as this test in the
# code, this test statement will hang.
DROP TABLE t1, t2;
DROP PROCEDURE p1;
SET DEBUG_SYNC = 'RESET';
--echo Tests of syncronization of stored procedure execution.
--source include/have_debug_sync.inc
--echo #
--echo # Bug#48157: crash in Item_field::used_tables
--echo #
CREATE TABLE t1 AS SELECT 1 AS a, 1 AS b;
CREATE TABLE t2 AS SELECT 1 AS a, 1 AS b;
DELIMITER |;
CREATE PROCEDURE p1()
BEGIN
UPDATE t1 JOIN t2 USING( a, b ) SET t1.b = 1, t2.b = 1;
END|
DELIMITER ;|
connect (con1,localhost,root,,);
connect (con2,localhost,root,,);
connection con1;
LOCK TABLES t1 WRITE, t2 WRITE;
connection con2;
LET $ID= `select connection_id()`;
SET DEBUG_SYNC = 'multi_update_reopen_tables SIGNAL parked WAIT_FOR go';
--send CALL p1()
connection con1;
let $wait_condition= SELECT 1 FROM information_schema.processlist WHERE ID = $ID AND
state = "Locked";
--source include/wait_condition.inc
DROP TABLE t1, t2;
SET DEBUG_SYNC = 'now WAIT_FOR parked';
CREATE TABLE t1 AS SELECT 1 AS a, 1 AS b;
CREATE TABLE t2 AS SELECT 1 AS a, 1 AS b;
SET DEBUG_SYNC = 'now SIGNAL go';
connection con2;
--reap
disconnect con1;
disconnect con2;
connection default;
--echo # Without the DEBUG_SYNC supplied in the same patch as this test in the
--echo # code, this test statement will hang.
DROP TABLE t1, t2;
DROP PROCEDURE p1;
SET DEBUG_SYNC = 'RESET';
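Review bot: The wait condition on lines 65–66 (`state = "Locked"`) keys on an exact processlist state string, so if a server build reports the table-lock wait under a different state name, `wait_condition.inc` times out instead of failing with a clear message; a comment stating the assumption would help the next maintainer, e.g. `# con2 is blocked on con1's LOCK TABLES; wait until the server reports it as "Locked"`. The `--echo` banner on line 43 misspells `synchronization` as `syncronization`, and the generated result file repeats it, so both must be changed together. `LET $ID=` on line 61 is uppercase while `let $wait_condition=` on line 65 is lowercase; pick one case for mysqltest commands within the file.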
...@@ -506,6 +506,13 @@ public: ...@@ -506,6 +506,13 @@ public:
char * name; /* Name from select */ char * name; /* Name from select */
/* Original item name (if it was renamed)*/ /* Original item name (if it was renamed)*/
char * orig_name; char * orig_name;
/**
Intrusive list pointer for free list. If not null, points to the next
Item on some Query_arena's free list. For instance, stored procedures
have their own Query_arena's.
@see Query_arena::free_list
*/
Item *next; Item *next;
uint32 max_length; uint32 max_length;
uint name_length; /* Length of name */ uint name_length; /* Length of name */
......
...@@ -615,8 +615,10 @@ void free_items(Item *item) ...@@ -615,8 +615,10 @@ void free_items(Item *item)
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
/* This works because items are allocated with sql_alloc() */ /**
This works because items are allocated with sql_alloc().
@note The function also handles null pointers (empty list).
*/
void cleanup_items(Item *item) void cleanup_items(Item *item)
{ {
DBUG_ENTER("cleanup_items"); DBUG_ENTER("cleanup_items");
......
...@@ -23,6 +23,7 @@ ...@@ -23,6 +23,7 @@
#include "sql_select.h" #include "sql_select.h"
#include "sp_head.h" #include "sp_head.h"
#include "sql_trigger.h" #include "sql_trigger.h"
#include "debug_sync.h"
/* Return 0 if row hasn't changed */ /* Return 0 if row hasn't changed */
...@@ -1143,8 +1144,11 @@ reopen_tables: ...@@ -1143,8 +1144,11 @@ reopen_tables:
items from 'fields' list, so the cleanup above is necessary to. items from 'fields' list, so the cleanup above is necessary to.
*/ */
cleanup_items(thd->free_list); cleanup_items(thd->free_list);
cleanup_items(thd->stmt_arena->free_list);
close_tables_for_reopen(thd, &table_list); close_tables_for_reopen(thd, &table_list);
DEBUG_SYNC(thd, "multi_update_reopen_tables");
goto reopen_tables; goto reopen_tables;
} }
......
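Review bot: The added `cleanup_items(thd->stmt_arena->free_list);` is not covered by the comment directly above it, which still explains only the cleanup of `thd->free_list`; the reason for the second call (items owned by the stored procedure's arena would otherwise keep pointing at the dropped tables) exists only in the commit message. Suggest extending that comment with `Items on the statement arena's free list (e.g. a stored procedure's) also refer to the old tables; clean them up too (Bug#48157).`. If `thd->stmt_arena` can alias `thd` itself for a plain top-level statement, the same list is walked twice here; that is presumably harmless since cleanup is per-item, but it is worth a sentence confirming it, which I cannot verify from the hunk. The enclosing function (the `reopen_tables:` path) starts and ends outside the hunk.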