MDEV-416: Server crashes in SQL_SELECT::cleanup on EXPLAIN with SUM ( DISTINCT )

- When JOIN::cleanup(full==TRUE) is called, the select can be in two states: = Right after the create_sort_index() call, when join->join_tab[0] is used to read data produced by filesort(). = After create_sort_index(), and after JOIN::reinit() calls, when join->join_tab[0] has been reset to read the original data. - We didn't handle the second case correctly, which resulted in an attempt to free the same SQL_SELECT two times. The fix is to make sure we don't double-free.

MDEV-416: Server crashes in SQL_SELECT::cleanup on EXPLAIN with SUM ( DISTINCT )
- When JOIN::cleanup(full==TRUE) is called, the select can be in two states: = Right after the create_sort_index() call, when join->join_tab[0] is used to read data produced by filesort(). = After create_sort_index(), and after JOIN::reinit() calls, when join->join_tab[0] has been reset to read the original data. - We didn't handle the second case correctly, which resulted in an attempt to free the same SQL_SELECT two times. The fix is to make sure we don't double-free.
59e64b6c · Sergey Petrunya · aaa188da · 59e64b6c · 59e64b6c · 59e64b6c
Commit 59e64b6c authored Aug 02, 2012 by Sergey Petrunya
Showing with 40 additions and 3 deletions

mysql-test/r/show_explain.result mysql-test/r/show_explain.result +13 -0

mysql-test/t/show_explain.test mysql-test/t/show_explain.test +14 -0

sql/sql_select.cc sql/sql_select.cc +13 -3

No files found.
--- a/mysql-test/r/show_explain.result
+++ b/mysql-test/r/show_explain.result
@@ -998,5 +998,18 @@ Note	1003	SELECT b AS field1, b AS field2 FROM t1, t2, t3 WHERE d = b ORDER BY f
 field1	field2
 set debug_dbug='';
 DROP TABLE t1,t2,t3;
+#
+# MDEV-416: Server crashes in SQL_SELECT::cleanup on EXPLAIN with SUM ( DISTINCT ) in a non-correlated subquery (5.5-show-explain tree)
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2);
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (8),(9);
+EXPLAIN SELECT * FROM t1 
+WHERE ( 8, 89 ) IN ( SELECT b, SUM( DISTINCT b ) FROM t2 GROUP BY b );
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
+2	SUBQUERY	t2	ALL	NULL	NULL	NULL	NULL	2	Using filesort
+DROP TABLE t1,t2;
 # End
 drop table t0;
--- a/mysql-test/t/show_explain.test
+++ b/mysql-test/t/show_explain.test
@@ -1026,5 +1026,19 @@ set debug_dbug='';

 DROP TABLE t1,t2,t3;

+--echo #
+--echo # MDEV-416: Server crashes in SQL_SELECT::cleanup on EXPLAIN with SUM ( DISTINCT ) in a non-correlated subquery (5.5-show-explain tree)
+--echo #
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2);
+
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (8),(9);
+
+EXPLAIN SELECT * FROM t1 
+WHERE ( 8, 89 ) IN ( SELECT b, SUM( DISTINCT b ) FROM t2 GROUP BY b );
+
+DROP TABLE t1,t2;
+
 --echo # End
 drop table t0;
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -10731,9 +10731,22 @@ void JOIN::cleanup(bool full)

    if (full)
    {
+      JOIN_TAB *sort_tab= first_linear_tab(this, WITHOUT_CONST_TABLES);
+      if (pre_sort_join_tab)
+      {
+        if (sort_tab && sort_tab->select == pre_sort_join_tab->select)
+        {
+          pre_sort_join_tab->select= NULL;
+        }
+        else
+          clean_pre_sort_join_tab();
+      }
+
      for (tab= first_linear_tab(this, WITH_CONST_TABLES); tab; 
           tab= next_linear_tab(this, tab, WITH_BUSH_ROOTS))
+      {
 	tab->cleanup();
+      }
    }
    else
    {
@@ -10755,9 +10768,6 @@ void JOIN::cleanup(bool full)
  */
  if (full)
  {
-    if (pre_sort_join_tab)
-      clean_pre_sort_join_tab();
-
    if (tmp_join)
      tmp_table_param.copy_field= 0;
    group_fields.delete_elements();