From 5f55d52113e383df4e786b9f1ebaf0217c463376 Mon Sep 17 00:00:00 2001 From: Gleb Shchepa <gshchepa@mysql.com> Date: Mon, 8 Jun 2009 01:40:53 +0500 Subject: [PATCH] Bug #44886: SIGSEGV in test_if_skip_sort_order() - uninitialized variable used as subscript Grouping select from a "constant" InnoDB table (a table of a single row) joined with other tables caused a crash. mysql-test/r/innodb_mysql.result: Added test case for bug bug #44886. mysql-test/t/innodb_mysql.test: Added test case for bug bug #44886. sql/sql_select.cc: Bug #44886: SIGSEGV in test_if_skip_sort_order() - uninitialized variable used as subscript 1. The test_if_order_by_key function returned unitialized used_key_parts parameter in case of a "constant" InnoDB table. Calling function uses this parameter values as an array index, thus sometimes it caused a crash. The test_if_order_by_key function has been modified to set used_key_parts to 0 (no need for ordering). 2. The test_if_skip_sort_order function has been modified to accept zero used_key_parts value and to prevent an array access by negative index. --- mysql-test/r/innodb_mysql.result | 17 +++++++++++++++++ mysql-test/t/innodb_mysql.test | 21 +++++++++++++++++++++ sql/sql_select.cc | 6 +++++- 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/innodb_mysql.result b/mysql-test/r/innodb_mysql.result index 7e4359e1f92..272782f6647 100644 --- a/mysql-test/r/innodb_mysql.result +++ b/mysql-test/r/innodb_mysql.result @@ -2120,4 +2120,21 @@ a b 4 14 5 5 DROP TABLE t1, t2, t3, t4; +# +# Bug#44886: SIGSEGV in test_if_skip_sort_order() - +# uninitialized variable used as subscript +# +CREATE TABLE t1 (a INT, b INT, c INT, d INT, PRIMARY KEY (b), KEY (a,c)) +ENGINE=InnoDB; +INSERT INTO t1 VALUES (1,1,1,0); +CREATE TABLE t2 (a INT, b INT, e INT, KEY (e)) ENGINE=InnoDB; +INSERT INTO t2 VALUES (1,1,2); +CREATE TABLE t3 (a INT, b INT) ENGINE=MyISAM; +INSERT INTO t3 VALUES (1, 1); +SELECT * FROM t1, t2, t3 +WHERE t1.a = t3.a AND (t1.b = t3.b OR t1.d) AND t2.b = t1.b AND t2.e = 2 +GROUP BY t1.b; +a b c d a b e a b +1 1 1 0 1 1 2 1 1 +DROP TABLE t1, t2, t3; End of 5.1 tests diff --git a/mysql-test/t/innodb_mysql.test b/mysql-test/t/innodb_mysql.test index 1b2b861dffb..3e1968b8007 100644 --- a/mysql-test/t/innodb_mysql.test +++ b/mysql-test/t/innodb_mysql.test @@ -359,4 +359,25 @@ SELECT * FROM t4; DROP TABLE t1, t2, t3, t4; +--echo # +--echo # Bug#44886: SIGSEGV in test_if_skip_sort_order() - +--echo # uninitialized variable used as subscript +--echo # + +CREATE TABLE t1 (a INT, b INT, c INT, d INT, PRIMARY KEY (b), KEY (a,c)) + ENGINE=InnoDB; +INSERT INTO t1 VALUES (1,1,1,0); + +CREATE TABLE t2 (a INT, b INT, e INT, KEY (e)) ENGINE=InnoDB; +INSERT INTO t2 VALUES (1,1,2); + +CREATE TABLE t3 (a INT, b INT) ENGINE=MyISAM; +INSERT INTO t3 VALUES (1, 1); + +SELECT * FROM t1, t2, t3 + WHERE t1.a = t3.a AND (t1.b = t3.b OR t1.d) AND t2.b = t1.b AND t2.e = 2 + GROUP BY t1.b; + +DROP TABLE t1, t2, t3; + --echo End of 5.1 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 06776f5f7b3..526b926d66d 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -12658,7 +12658,10 @@ static int test_if_order_by_key(ORDER *order, TABLE *table, uint idx, one row). The sorting doesn't matter. */ if (key_part == key_part_end && reverse == 0) + { + *used_key_parts= 0; DBUG_RETURN(1); + } } else DBUG_RETURN(0); @@ -13155,7 +13158,8 @@ test_if_skip_sort_order(JOIN_TAB *tab,ORDER *order,ha_rows select_limit, select_limit= table_records; if (group) { - rec_per_key= keyinfo->rec_per_key[used_key_parts-1]; + rec_per_key= used_key_parts ? keyinfo->rec_per_key[used_key_parts-1] + : 1; set_if_bigger(rec_per_key, 1); /* With a grouping query each group containing on average -- 2.30.9