revision-id: 25870f48cf66c5984332120d1cb11db79ca1b5f6 (mariadb-10.3.6-172-g25870f4) parent(s): 31deef0953a5cf7259e1d064ae7f2e0dde922436 author: Igor Babaev committer: Igor Babaev timestamp: 2019-02-24 02:02:07 -0800 message: MDEV-18668 Server crash or ASAN use-after-poison in Item_equal_iterator / st_select_lex::pushdown_from_having_into_where upon query with impossible WHERE condition Do not push from HAVING into impossible WHERE --- mysql-test/main/having_cond_pushdown.result | 12 ++++++++++++ mysql-test/main/having_cond_pushdown.test | 13 +++++++++++++ sql/sql_select.cc | 6 +++++- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/mysql-test/main/having_cond_pushdown.result b/mysql-test/main/having_cond_pushdown.result index 9d2fbce..ef7368b 100644 --- a/mysql-test/main/having_cond_pushdown.result +++ b/mysql-test/main/having_cond_pushdown.result @@ -1906,3 +1906,15 @@ EXPLAIN DROP TABLE t1,t2; DROP VIEW v1; DROP FUNCTION f1; +# +# MDEV-18668: pushdown from HAVING into impossible WHERE +# +CREATE TABLE t1 (a INT, b INT); +INSERT INTO t1 VALUES (1,1),(2,2); +SELECT a FROM t1 WHERE b = 1 AND b = 2 GROUP BY a HAVING a <= 3; +a +EXPLAIN +SELECT a FROM t1 WHERE b = 1 AND b = 2 GROUP BY a HAVING a <= 3; +id select_type table type possible_keys key key_len ref rows Extra +1 SIMPLE NULL NULL NULL NULL NULL NULL NULL Impossible WHERE +DROP TABLE t1; diff --git a/mysql-test/main/having_cond_pushdown.test b/mysql-test/main/having_cond_pushdown.test index 2af9d58..2fbb570 100644 --- a/mysql-test/main/having_cond_pushdown.test +++ b/mysql-test/main/having_cond_pushdown.test @@ -473,3 +473,16 @@ eval $no_pushdown explain format=json $query; DROP TABLE t1,t2; DROP VIEW v1; DROP FUNCTION f1; + +--echo # +--echo # MDEV-18668: pushdown from HAVING into impossible WHERE +--echo # + +CREATE TABLE t1 (a INT, b INT); +INSERT INTO t1 VALUES (1,1),(2,2); + +SELECT a FROM t1 WHERE b = 1 AND b = 2 GROUP BY a HAVING a <= 3; +EXPLAIN +SELECT a FROM t1 WHERE b = 1 AND b = 2 GROUP BY a HAVING a <= 3; + +DROP TABLE t1; diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 5faadb1..4f98153 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -1929,8 +1929,11 @@ JOIN::optimize_inner() DBUG_RETURN(1); } + /* Do not push into WHERE from HAVING if cond_value == Item::COND_FALSE */ + if (thd->lex->sql_command == SQLCOM_SELECT && - optimizer_flag(thd, OPTIMIZER_SWITCH_COND_PUSHDOWN_FROM_HAVING)) + optimizer_flag(thd, OPTIMIZER_SWITCH_COND_PUSHDOWN_FROM_HAVING) && + cond_value != Item::COND_FALSE) { having= select_lex->pushdown_from_having_into_where(thd, having); @@ -15380,6 +15383,7 @@ Item *eliminate_item_equal(THD *thd, COND *cond, COND_EQUAL *upper_levels, @param cond condition to process @param cond_equal multiple equalities to take into consideration @param table_join_idx index to tables determining field preference + @param do_substitution if false: do not do any field substitution @note At the first glance full sort of fields in multiple equality