Commit 13e217b8 authored by Igor Babaev

MDEV-17027 server crashes in Bitmap<64u>::merge

The function and_new_conditions_to_optimized_cond() incorrectly handled
the WHERE conditions with one multiple equality and one IN subquery predicate
that could be converted into a jtbm semi-join. This could cause crashes.

The fix code was prepared by Galina Shalygina.
parent 6eae037c
...@@ -3868,3 +3868,22 @@ WHERE dt1.id1 IN (SELECT t2.id2 FROM t2 ...@@ -3868,3 +3868,22 @@ WHERE dt1.id1 IN (SELECT t2.id2 FROM t2
HAVING t2.id2 >= 1)); HAVING t2.id2 >= 1));
r r
DROP TABLE t1,t2; DROP TABLE t1,t2;
#
# MDEV-17027: IN subquery predicate with outer reference in the left part
# conjuncted with equality predicate
#
CREATE TABLE t1 (pk int, i1 int, v1 varchar(1));
INSERT INTO t1 VALUES (3,2,'x'), (1,1,'y'), (4,2,'z');
CREATE TABLE t2 (pk int, i1 int, v1 varchar(1));
INSERT INTO t2 VALUES (5,2,'x'), (7,1,'x');
CREATE TABLE t3 (pk int, i1 int, v1 varchar(1));
INSERT INTO t3 VALUES (8,2,'x'), (7,1,'z');
SELECT t3.i1 FROM t3
WHERE EXISTS ( SELECT t2.v1 FROM t1,t2
WHERE t1.v1 = t2.v1 AND
t3.i1 IN (SELECT t.i1 FROM t1 as t
GROUP BY i1 HAVING t.i1 < 3));
i1
2
1
DROP TABLE t1,t2,t3;
...@@ -838,3 +838,25 @@ SELECT 1 AS r FROM t2,t1,(SELECT * FROM t1) dt1 ...@@ -838,3 +838,25 @@ SELECT 1 AS r FROM t2,t1,(SELECT * FROM t1) dt1
HAVING t2.id2 >= 1)); HAVING t2.id2 >= 1));
DROP TABLE t1,t2; DROP TABLE t1,t2;
--echo #
--echo # MDEV-17027: IN subquery predicate with outer reference in the left part
--echo # conjuncted with equality predicate
--echo #
CREATE TABLE t1 (pk int, i1 int, v1 varchar(1));
INSERT INTO t1 VALUES (3,2,'x'), (1,1,'y'), (4,2,'z');
CREATE TABLE t2 (pk int, i1 int, v1 varchar(1));
INSERT INTO t2 VALUES (5,2,'x'), (7,1,'x');
CREATE TABLE t3 (pk int, i1 int, v1 varchar(1));
INSERT INTO t3 VALUES (8,2,'x'), (7,1,'z');
SELECT t3.i1 FROM t3
WHERE EXISTS ( SELECT t2.v1 FROM t1,t2
WHERE t1.v1 = t2.v1 AND
t3.i1 IN (SELECT t.i1 FROM t1 as t
GROUP BY i1 HAVING t.i1 < 3));
DROP TABLE t1,t2,t3;
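Review bot: The SELECT in the new MDEV-17027 case has no ORDER BY, so the recorded rows `2` then `1` depend on the order in which t3 happens to be scanned. A `--sorted_result` line directly before the query would keep the expected output stable across storage engines and plan changes without touching the query shape the test is meant to exercise. Because this query crashed the server from an ordinary SELECT, a comment such as `# crashed in Bitmap<64u>::merge before the fix; keep the EXISTS + IN/HAVING shape` would warn later editors not to simplify it.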
...@@ -5667,8 +5667,6 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond, ...@@ -5667,8 +5667,6 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond,
} }
} }
if (new_cond_equal.current_level.elements > 0)
{
if (is_mult_eq) if (is_mult_eq)
{ {
Item_equal *eq_cond= (Item_equal *)cond; Item_equal *eq_cond= (Item_equal *)cond;
...@@ -5681,7 +5679,11 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond, ...@@ -5681,7 +5679,11 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond,
if (equality->const_item() && !equality->val_int()) if (equality->const_item() && !equality->val_int())
is_simplified_cond= true; is_simplified_cond= true;
} }
(*cond_eq)->copy(new_cond_equal);
}
if (new_cond_equal.current_level.elements > 0)
{
if (new_cond_equal.current_level.elements + if (new_cond_equal.current_level.elements +
new_conds_list.elements == 1) new_conds_list.elements == 1)
{ {
...@@ -5691,8 +5693,6 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond, ...@@ -5691,8 +5693,6 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond,
if (equality->fix_fields(thd, NULL)) if (equality->fix_fields(thd, NULL))
return NULL; return NULL;
} }
(*cond_eq)->copy(new_cond_equal);
}
new_conds_list.append((List<Item> *)&new_cond_equal.current_level); new_conds_list.append((List<Item> *)&new_cond_equal.current_level);
} }
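Review bot: After the reordering, `(*cond_eq)->copy(new_cond_equal);` runs whenever `is_mult_eq` is true, apparently also when `new_cond_equal.current_level` is empty, and nothing in the visible lines checks `cond_eq` or `*cond_eq` before the dereference. If callers guarantee both are set in the multiple-equality case (the parameter list and call sites are outside these hunks), a `DBUG_ASSERT(cond_eq && *cond_eq);` just above the copy would state that invariant, though it only fires in debug builds. If running the block for an empty `new_cond_equal` is the intent, a short comment on it, for example `/* cond is itself a multiple equality: merge into it and refresh *cond_eq regardless of how many new equalities were built */`, would record why it no longer sits under the `elements > 0` test. The function body begins and ends outside the visible hunks.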
......