[Commits] 11fa88ef67b: MDEV-17362: SIGSEGV in JOIN::optimize_inner or Assertion `fixed == 0' failed in Item_equal::fix_fields, server crashes after 2nd execution of PS

2 Apr 2019

revision-id: 11fa88ef67bea74bd13ad688938a03d5b266db64 (mariadb-10.4.3-107-g11fa88ef67b)
parent(s): a90622644c11568c2bf982492d2f47bc164ddfef
author: Oleksandr Byelkin
committer: Oleksandr Byelkin
timestamp: 2019-04-02 15:04:45 +0200
message:

MDEV-17362: SIGSEGV in JOIN::optimize_inner or Assertion `fixed == 0' failed in  Item_equal::fix_fields, server crashes after 2nd execution of PS

Move reinitialisation of pushdown variables for every query, because it used now not only for derived tables.

---
 mysql-test/main/subselect_innodb.result | 20 ++++++++++++++++++++
 mysql-test/main/subselect_innodb.test   | 24 ++++++++++++++++++++++++
 sql/sql_derived.cc                      |  5 -----
 sql/sql_prepare.cc                      |  4 ++++
 sql/sql_select.cc                       |  6 ++++--
 5 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/mysql-test/main/subselect_innodb.result b/mysql-test/main/subselect_innodb.result
index 0eb40c9be00..518158e3a04 100644
--- a/mysql-test/main/subselect_innodb.result
+++ b/mysql-test/main/subselect_innodb.result
@@ -616,3 +616,23 @@ id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
 Warnings:
 Note	1003	select `test`.`t1`.`f1` AS `f1`,`test`.`t2`.`f2` AS `f2`,`test`.`t3`.`f3` AS `f3` from `test`.`t1` join `test`.`t2` semi join (`test`.`t4`) join `test`.`t3` where `test`.`t4`.`f4` = 1 and `test`.`t1`.`f1` >= `test`.`t2`.`f2`
 DROP TABLE t1,t2,t3,t4;
+# 
+# MDEV-17362: SIGSEGV in JOIN::optimize_inner or Assertion `fixed == 0'
+# failed in  Item_equal::fix_fields, server crashes after 2nd execution
+# of PS
+# 
+CREATE TABLE t1 (pk int primary key, i1 int, i2 int, v1 varchar(1), v2 varchar(1), KEY i1 (i1), KEY v2 (v2,i1)) ENGINE=InnoDB ;
+INSERT INTO t1 VALUES (12,1,1,'r','r');
+CREATE TABLE t2 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;
+CREATE TABLE t3 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;
+INSERT INTO t3 VALUES (19,1,9,NULL,NULL),(20,5,6,'r','r');
+prepare stmt from "
+SELECT 1 FROM t1
+WHERE t1.pk = t1.i1 
+	AND ((t1.pk,t1.i1) IN (SELECT t3.pk, COUNT(t3.pk) FROM t3
+          WHERE EXISTS (SELECT 1 FROM (t1 JOIN t3 ON (t3.i2 = t1.i1)) WHERE t3.v1 = t1.v1)));";
+execute stmt;
+1
+execute stmt;
+1
+drop table t1,t2,t3;
diff --git a/mysql-test/main/subselect_innodb.test b/mysql-test/main/subselect_innodb.test
index 544bcd994ed..214d692e793 100644
--- a/mysql-test/main/subselect_innodb.test
+++ b/mysql-test/main/subselect_innodb.test
@@ -611,3 +611,27 @@ FROM t1
 
 DROP TABLE t1,t2,t3,t4;
 
+--echo # 
+--echo # MDEV-17362: SIGSEGV in JOIN::optimize_inner or Assertion `fixed == 0'
+--echo # failed in  Item_equal::fix_fields, server crashes after 2nd execution
+--echo # of PS
+--echo # 
+
+CREATE TABLE t1 (pk int primary key, i1 int, i2 int, v1 varchar(1), v2 varchar(1), KEY i1 (i1), KEY v2 (v2,i1)) ENGINE=InnoDB ;
+INSERT INTO t1 VALUES (12,1,1,'r','r');
+ 
+CREATE TABLE t2 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;
+ 
+CREATE TABLE t3 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;
+INSERT INTO t3 VALUES (19,1,9,NULL,NULL),(20,5,6,'r','r');
+ 
+prepare stmt from "
+SELECT 1 FROM t1
+WHERE t1.pk = t1.i1 
+	AND ((t1.pk,t1.i1) IN (SELECT t3.pk, COUNT(t3.pk) FROM t3
+          WHERE EXISTS (SELECT 1 FROM (t1 JOIN t3 ON (t3.i2 = t1.i1)) WHERE t3.v1 = t1.v1)));";
+ 
+execute stmt;
+execute stmt;
+
+drop table t1,t2,t3;
diff --git a/sql/sql_derived.cc b/sql/sql_derived.cc
index 1ad97e4244d..f694707578c 100644
--- a/sql/sql_derived.cc
+++ b/sql/sql_derived.cc
@@ -1294,11 +1294,6 @@ bool mysql_derived_reinit(THD *thd, LEX *lex, TABLE_LIST *derived)
   unit->types.empty();
   /* for derived tables & PS (which can't be reset by Item_subselect) */
   unit->reinit_exec_mechanism();
-  for (st_select_lex *sl= unit->first_select(); sl; sl= sl->next_select())
-  {
-    sl->cond_pushed_into_where= NULL;
-    sl->cond_pushed_into_having= NULL;
-  }
   unit->set_thd(thd);
   DBUG_RETURN(FALSE);
 }
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 8a722ad3952..c15f3a8c143 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -3026,6 +3026,10 @@ void reinit_stmt_before_use(THD *thd, LEX *lex)
         for (order= win_spec->order_list->first; order; order= order->next)
           order->item= &order->item_ptr;
       }
+
+      // Reinit Pushdown
+      sl->cond_pushed_into_where= NULL;
+      sl->cond_pushed_into_having= NULL;
     }
     if (sl->changed_elements & TOUCHED_SEL_DERIVED)
     {
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index e8b092b1b23..197ead809eb 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -13445,8 +13445,10 @@ void JOIN::join_free()
 void JOIN::cleanup(bool full)
 {
   DBUG_ENTER("JOIN::cleanup");
-  DBUG_PRINT("enter", ("full %u", (uint) full));
-  
+  DBUG_PRINT("enter", ("select: %d (%p)  join: %p  full: %u",
+                       select_lex->select_number, select_lex, this,
+                       (uint) full));
+
   if (full)
     have_query_plan= QEP_DELETED;

    