MDEV-15755 Query crashing MariaDB in cleanup_after_query

set the pointer to NULL to avoid double-free when the item is cleaned up many times (once in JOIN_TAB::cleanup(): tmp->jtbm_subselect->cleanup() and once at the end of the query, with all other items)

MDEV-15755 Query crashing MariaDB in cleanup_after_query
set the pointer to NULL to avoid double-free when the item is cleaned up many times (once in JOIN_TAB::cleanup(): tmp->jtbm_subselect->cleanup() and once at the end of the query, with all other items)
445ac662 · Sergei Golubchik · 93efa48a · 445ac662 · 445ac662 · 445ac662
Commit 445ac662 authored May 14, 2018 by Sergei Golubchik
3 changed files
--- a/mysql-test/r/subselect-crash_15755.result
+++ b/mysql-test/r/subselect-crash_15755.result
--- a/mysql-test/t/subselect-crash_15755.test
+++ b/mysql-test/t/subselect-crash_15755.test
+--source include/have_innodb.inc
+set global innodb_stats_persistent= 1;
+drop table if exists t1;
+create table t1 (
+  f1 bigint(20) default 0,
+  f2 varchar(50) default '',
+  f3 int(10) default 0,
+  f4 bigint(20) default 0,
+  f5 bigint(20) default 0,
+  f6 varchar(50) default '',
+  f7 varchar(64) default '',
+  f8 varchar(30) default '',
+  f9 varchar(30) default '',
+  f10 bigint(20) default 0,
+  f11 bigint(20) default 0,
+  f12 bigint(20) default 0,
+  f13 bigint(20) default 0,
+  f14 varchar(50) default '',
+  f15 varchar(100) default '',
+  f16 varchar(30) default '',
+  f17 varchar(40) default '',
+  f18 varchar(30) default '',
+  f19 varchar(10) default '',
+  f20 varchar(30) default '',
+  f21 int(10) default 0,
+  f22 int(10) default 0,
+  f23 int(10) default 0,
+  f24 int(10) default 0,
+  f25 varchar(20) default '',
+  f26 varchar(20) default '',
+  f27 varchar(100) default '',
+  f28 varchar(55) default '',
+  f29 varchar(20) default '',
+  f30 varchar(100) default '',
+  f31 varchar(30) default '',
+  f32 varchar(20) default '',
+  f33 int(10) default 0,
+  f34 int(10) default 0,
+  f35 varchar(30) default '',
+  f36 varchar(30) default '',
+  f37 varchar(30) default '',
+  f38 varchar(20) default '',
+  f39 tinyint(4) default 0,
+  f40 tinyint(4) default 0,
+  f41 bigint(20) default 0,
+  f42 varchar(50) default '',
+  f43 varchar(50) default '',
+  f44 varchar(50) default '',
+  f45 int(10) default 0,
+  f46 tinyint(1) default 0
+) engine=innodb row_format=dynamic;
+ 
+insert into t1 () values (),(),(),(),(),(),(),(),(),(),(),(),(),(),(),();
+insert into t1 select * from t1;
+insert into t1 select * from t1;
+insert into t1 select * from t1;
+insert into t1 select * from t1;
+select * from t1 where f2 in (select f2 from t1 group by f2 having count(distinct f3) = 1);
+drop table t1;
+set global innodb_stats_persistent= 0;
--- a/sql/item_subselect.cc
+++ b/sql/item_subselect.cc
@@ -156,6 +156,7 @@ void Item_subselect::cleanup()
  reset();
  filesort_buffer.free_sort_buffer();
  my_free(sortbuffer.str);
+  sortbuffer= null_lex_str;

  value_assigned= 0;
  expr_cache= 0;