revision-id: 645d8a639d9dad265dd2c6da947beaac11969159 (mariadb-10.3.6-146-g645d8a6) parent(s): 55dd0776566000c5ea12e177df0c784b500ab7c1 author: Igor Babaev committer: Igor Babaev timestamp: 2018-10-07 12:16:59 -0700 message: MDEV-17360 Server crashes in optimize_keyuse This was a bug in the code of MDEV-12387 "Push conditions into materialized subqueries". The bug manifested itself in rather rare situations. An affected query must contain IN subquery predicate whose left operand was an outer field of a mergeable derived table or view and right operand was a materialized subquery. The erroneous code in fact stripped off the Item_direct_ref wrapper from the left operand of the IN subquery predicate when building equalities produced by the conversion of the predicate into a semi-join. As a result the left operand was not considered as an outer reference anymore and used_tables() was calculated incorrectly. This caused a crash in the function optimize_keyuse(). --- mysql-test/main/in_subq_cond_pushdown.result | 13 +++++++++++++ mysql-test/main/in_subq_cond_pushdown.test | 17 +++++++++++++++++ sql/opt_subselect.cc | 6 +++--- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/mysql-test/main/in_subq_cond_pushdown.result b/mysql-test/main/in_subq_cond_pushdown.result index c9319a5..077edf7 100644 --- a/mysql-test/main/in_subq_cond_pushdown.result +++ b/mysql-test/main/in_subq_cond_pushdown.result @@ -3855,3 +3855,16 @@ ORDER BY t4.d a b c x x NULL DROP TABLE t1,t2,t3,t4; +# +# MDEV-17360: IN subquery predicate with outer reference in the left part +# that refers to a field of a mergeable derived table +# +CREATE TABLE t1 (id1 int) ENGINE=MYISAM; +INSERT INTO t1 VALUES (1814),(0),(NULL),(1); +CREATE TABLE t2 (id2 int) ENGINE=MYISAM; +SELECT 1 AS r FROM t2,t1,(SELECT * FROM t1) dt1 +WHERE NOT EXISTS (SELECT id2 FROM t2 +WHERE dt1.id1 IN (SELECT t2.id2 FROM t2 +HAVING t2.id2 >= 1)); +r +DROP TABLE t1,t2; diff --git a/mysql-test/main/in_subq_cond_pushdown.test b/mysql-test/main/in_subq_cond_pushdown.test index 3c673fb..4c0dd3d 100644 --- a/mysql-test/main/in_subq_cond_pushdown.test +++ b/mysql-test/main/in_subq_cond_pushdown.test @@ -821,3 +821,20 @@ WHERE (t1.a) IN ); DROP TABLE t1,t2,t3,t4; + +--echo # +--echo # MDEV-17360: IN subquery predicate with outer reference in the left part +--echo # that refers to a field of a mergeable derived table +--echo # + +CREATE TABLE t1 (id1 int) ENGINE=MYISAM; +INSERT INTO t1 VALUES (1814),(0),(NULL),(1); + +CREATE TABLE t2 (id2 int) ENGINE=MYISAM; + +SELECT 1 AS r FROM t2,t1,(SELECT * FROM t1) dt1 + WHERE NOT EXISTS (SELECT id2 FROM t2 + WHERE dt1.id1 IN (SELECT t2.id2 FROM t2 + HAVING t2.id2 >= 1)); + +DROP TABLE t1,t2; diff --git a/sql/opt_subselect.cc b/sql/opt_subselect.cc index d1877c6..4eeaefa 100644 --- a/sql/opt_subselect.cc +++ b/sql/opt_subselect.cc @@ -5512,7 +5512,7 @@ int select_value_catcher::send_data(List<Item> &items) /** @brief - Conjugate conditions after optimize_cond() call + Add new conditions after optimize_cond() call @param thd the thread handle @param cond the condition where to attach new conditions @@ -5561,8 +5561,8 @@ Item *and_new_conditions_to_optimized_cond(THD *thd, Item *cond, Item::Context(Item::ANY_SUBST, ((Item_func_equal *)item)->compare_type_handler(), ((Item_func_equal *)item)->compare_collation()), - ((Item_func *)item)->arguments()[0]->real_item(), - ((Item_func *)item)->arguments()[1]->real_item(), + ((Item_func *)item)->arguments()[0], + ((Item_func *)item)->arguments()[1], &new_cond_equal)) li.remove(); }