Fix for bug #18306: MySQL crashes and restarts using subquery (abffce9c) · Commits · Software / OSDI20 Artifacts / mariadb

mysql-test/r/subselect.result

+6 −0

Original line number	Diff line number	Diff line
		@@ -3163,3 +3163,9 @@ t
		crash1
		crash1
		drop table t1;
		create table t1 (c int, key(c));
		insert into t1 values (1142477582), (1142455969);
		create table t2 (a int, b int);
		insert into t2 values (2, 1), (1, 0);
		delete from t1 where c <= 1140006215 and (select b from t2 where a = 2) = 1;
		drop table t1, t2;

+11 −0

Original line number	Diff line number	Diff line
		@@ -2074,3 +2074,14 @@ create table t1( f1 int,f2 int);
		insert into t1 values (1,1),(2,2);
		select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
		drop table t1;

		#
		# Bug #18306: server crash on delete using subquery.
		#

		create table t1 (c int, key(c));
		insert into t1 values (1142477582), (1142455969);
		create table t2 (a int, b int);
		insert into t2 values (2, 1), (1, 0);
		delete from t1 where c <= 1140006215 and (select b from t2 where a = 2) = 1;
		drop table t1, t2;

+12 −3

Original line number	Diff line number	Diff line
		@@ -3604,9 +3604,18 @@ static SEL_TREE get_mm_tree(PARAM param,COND *cond)
		/* Here when simple cond */
		if (cond->const_item())
		{
		if (cond->val_int())
		DBUG_RETURN(new SEL_TREE(SEL_TREE::ALWAYS));
		DBUG_RETURN(new SEL_TREE(SEL_TREE::IMPOSSIBLE));
		/*
		During the cond->val_int() evaluation we can come across a subselect
		item which may allocate memory on the thd->mem_root and assumes
		all the memory allocated has the same life span as the subselect
		item itself. So we have to restore the thread's mem_root here.
		*/
		MEM_ROOT *tmp_root= param->mem_root;
		param->thd->mem_root= param->old_root;
		tree= cond->val_int() ? new(tmp_root) SEL_TREE(SEL_TREE::ALWAYS) :
		new(tmp_root) SEL_TREE(SEL_TREE::IMPOSSIBLE);
		param->thd->mem_root= tmp_root;
		DBUG_RETURN(tree);
		}

		table_map ref_tables= 0;