[Commits] 7a0b026c629: MDEV-17781: Server crashes in next_linear_tab

17 Dec 2018

revision-id: 7a0b026c6295604fd5c5e26d47e5de4e085041dd (mariadb-10.2.19-64-g7a0b026c629)
parent(s): 32eeed21297f0e5a2836daca058e38dbe3a82bc4
author: Varun Gupta
committer: Varun Gupta
timestamp: 2018-12-17 23:45:46 +0530
message:

MDEV-17781: Server crashes in next_linear_tab

For degenerate joins we may have JOIN::table_list as NULL, so instead
of using JOIN::top_join_tab_count use the function JOIN::exec_join_tab_cnt
to get the number of tables joined at the top level.

---
 mysql-test/r/win.result | 18 ++++++++++++++++++
 mysql-test/t/win.test   | 14 ++++++++++++++
 sql/sql_select.cc       |  2 +-
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/win.result b/mysql-test/r/win.result
index e902d62326e..874fb6b2def 100644
--- a/mysql-test/r/win.result
+++ b/mysql-test/r/win.result
@@ -3470,3 +3470,21 @@ SELECT DISTINCT MIN(b1) OVER () FROM t1;
 MIN(b1) OVER ()
 1
 drop table t1;
+#
+# MDEV-17781: Server crashes in next_linear_tab
+#
+CREATE TABLE t1 (i1 int);
+explain
+(SELECT AVG(0) OVER (), MAX('2') FROM t1)
+UNION ALL
+(SELECT AVG(0) OVER (), MAX('2') FROM t1);
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	No tables used
+2	UNION	NULL	NULL	NULL	NULL	NULL	NULL	NULL	No tables used
+(SELECT AVG(0) OVER (), MAX('2') FROM t1)
+UNION ALL
+(SELECT AVG(0) OVER (), MAX('2') FROM t1);
+AVG(0) OVER ()	MAX('2')
+0.0000	NULL
+0.0000	NULL
+drop table t1;
diff --git a/mysql-test/t/win.test b/mysql-test/t/win.test
index b0e1a16fae6..0cb70747b26 100644
--- a/mysql-test/t/win.test
+++ b/mysql-test/t/win.test
@@ -2227,3 +2227,17 @@ EXPLAIN
 SELECT DISTINCT MIN(b1) OVER () FROM t1;
 SELECT DISTINCT MIN(b1) OVER () FROM t1;
 drop table t1;
+
+--echo #
+--echo # MDEV-17781: Server crashes in next_linear_tab
+--echo #
+
+CREATE TABLE t1 (i1 int);
+explain
+(SELECT AVG(0) OVER (), MAX('2') FROM t1)
+UNION ALL
+(SELECT AVG(0) OVER (), MAX('2') FROM t1);
+(SELECT AVG(0) OVER (), MAX('2') FROM t1)
+UNION ALL
+(SELECT AVG(0) OVER (), MAX('2') FROM t1);
+drop table t1;
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index dc948ff676a..0ff80838a74 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -8864,7 +8864,7 @@ JOIN_TAB *next_linear_tab(JOIN* join, JOIN_TAB* tab,
   }
 
   /* If no more JOIN_TAB's on the top level */
-  if (++tab == join->join_tab + join->top_join_tab_count + join->aggr_tables)
+  if (++tab >= join->join_tab + join->exec_join_tab_cnt() + join->aggr_tables)
     return NULL;
 
   if (include_bush_roots == WITHOUT_BUSH_ROOTS && tab->bush_children)

    