Re: [Maria-developers] 47bb2dcbcc8: MDEV-14786: Server crashes in Item_cond::transform on 2nd execution of SP querying from a view
Hi, Oleksandr! On Jan 21, Oleksandr Byelkin wrote:
revision-id: 47bb2dcbcc8c3cdca43baf6259f2434a746c7b03 (mariadb-5.5.58-42-g47bb2dcbcc8)
parent(s): c0e964dcf1787a101f6e9c115751c0d02b0fac1b
author: Oleksandr Byelkin
committer: Oleksandr Byelkin
timestamp: 2018-01-21 23:48:32 +0100
message:
MDEV-14786: Server crashes in Item_cond::transform on 2nd execution of SP querying from a view
MDEV-14957: JOIN::prepare gets unusable "conds" as argument
Do not touch merged derived (it is irreversible)
Fix first argument of in_optimizer for calls possible before fix_fields()
diff --git a/sql/item.cc b/sql/item.cc index 332e027adf1..562c0bec78d 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -10010,7 +10010,7 @@ const char *dbug_print_item(Item *item) if (!item) return "(Item*)NULL"; item->print(&str ,QT_ORDINARY); - if (str.c_ptr() == buf) + if (str.ptr() == buf)
c_ptr_safe() here. It's MDEV-14981.
return buf; else return "Couldn't fit into buffer"; diff --git a/sql/item.h b/sql/item.h index 4d0860af547..add408602fc 100644 --- a/sql/item.h +++ b/sql/item.h @@ -4478,4 +4478,11 @@ class Item_iterator_row: public Item_iterator void close() {} };
+#ifdef DBUG_OFF +static inline const char *dbug_print_item(Item *item) { return NULL; } +#else +extern const char *dbug_print_item(Item *item); +#endif
Put it not at the end, but at the beginning - above 'class Protocol;' That's where someone had it in 10.2, it'll be easier to merge if you add it in the same place. And no 'extern' in the #else branch, just as in 10.2.
#endif /* SQL_ITEM_INCLUDED */ diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc index 62e76922c0e..a40340baae9 100644 --- a/sql/item_cmpfunc.cc +++ b/sql/item_cmpfunc.cc @@ -1443,6 +1443,33 @@ bool Item_in_optimizer::eval_not_null_tables(uchar *opt_arg) }
+void Item_in_optimizer::print(String *str, enum_query_type query_type) +{ + restore_first_argumet(); + Item_func::print(str, query_type); +} + + +/** + "Restore" first argument before fix_fields() call (after it is harmless). + + @Note: Main pointer to left part of IN/ALL/ANY subselect is subselect's + lest_expr (see Item_in_optimizer::fix_left) so changes made during + fix_fields will be rolled back there which can make + Item_in_optimizer::args[0] unusable on second execution before fix_left() + call. This call fix the pointer. +*/ + +void Item_in_optimizer::restore_first_argumet() +{ + if (args[1]->type() == Item::SUBSELECT_ITEM && + ((Item_subselect *)args[1])->is_in_predicate()) + { + args[0]= ((Item_in_subselect *)args[1])->left_expr; + } +}
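Review bot: in the sql/item.cc hunk, replacing `str.c_ptr()` with `str.ptr()` in the `if (str.ptr() == buf)` comparison removes the only call that NUL-terminated the string, so the `return buf;` branch can now hand back a buffer with no terminator when the printed item fills it exactly. The `c_ptr_safe()` already suggested above addresses this: it terminates in place when there is room, so the pointer comparison still works and the returned text is always terminated.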
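Review bot: in the sql/item.h hunk, the `#ifdef DBUG_OFF` stub `static inline const char *dbug_print_item(Item *item) { return NULL; }` leaves `item` unused (a -Wunused-parameter warning in builds that enable it) and returns NULL where the debug build returns printable text, so a caller that passes the result straight to a `%s` format behaves differently between release and debug builds. Drop the parameter name (`Item *`) and return an empty or fixed literal instead of NULL; the `extern` on the `#else` prototype is redundant and, as noted above, not what 10.2 has.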
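Review bot: in the sql/item_cmpfunc.cc hunk, `restore_first_argumet` is misspelled (missing the `n`) in both the definition and the call from `Item_in_optimizer::print`; rename it to `restore_first_argument` before other callers pick it up, and fix `lest_expr` -> `left_expr` and "This call fix the pointer" -> "This call fixes the pointer" in the doc comment. `print()` now rewrites `args[0]` as a side effect, which is surprising for a method that reads as an observer; the commit message says this is needed because `print()` can run before `fix_fields()` on re-execution, so say that in the comment on `print()` itself rather than only on the helper. The cast to `Item_in_subselect *` is correctly guarded by `is_in_predicate()`.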
Any way to trigger the bug without dbug_print_item()?

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org