From 4bc4d834fd194c9008c7abfb4e49972b416194ea Mon Sep 17 00:00:00 2001 From: "evgen@moonbone.local" <> Date: Tue, 14 Aug 2007 17:28:51 +0400 Subject: [PATCH 1/2] Bug#29948: Unchecked NULL pointer caused server crash. The cli_read_binary_rows function is used to fetch data from the server after a prepared statement execution. It accepts a statement handler and gets the connection handler from it. But when the auto-reconnect option is set the connection handler is reset to NULL after reconnection because the prepared statement is lost and the handler became useless. This case wasn't checked in the cli_read_binary_rows function and caused server crash. Now the cli_read_binary_rows function checks the connection handler to be not NULL and returns an error if it is. --- libmysql/libmysql.c | 10 +++++- tests/mysql_client_test.c | 75 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 1 deletion(-) diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index 1a0aae414ed..85c56a7ea40 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -4679,9 +4679,17 @@ int cli_read_binary_rows(MYSQL_STMT *stmt) MYSQL *mysql= stmt->mysql; MYSQL_DATA *result= &stmt->result; MYSQL_ROWS *cur, **prev_ptr= &result->data; - NET *net = &mysql->net; + NET *net; + + if (!mysql) + { + set_stmt_error(stmt, CR_SERVER_LOST, unknown_sqlstate); + return 1; + } + DBUG_ENTER("cli_read_binary_rows"); + net = &mysql->net; mysql= mysql->last_used_con; while ((pkt_len= cli_safe_read(mysql)) != packet_error) diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 75c86902972..ca76270d8b8 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -15735,6 +15735,80 @@ static void test_bug27592() } +static void test_bug29948() +{ + MYSQL *dbc=NULL; + MYSQL_STMT *stmt=NULL; + MYSQL_BIND bind; + + int res=0; + my_bool auto_reconnect=1, error=0, is_null=0; + char kill_buf[20]; + const char *query; + int buf; + unsigned long length; + + dbc = mysql_init(NULL); + DIE_UNLESS(dbc); + + mysql_options(dbc, MYSQL_OPT_RECONNECT, (char*)&auto_reconnect); + if (!mysql_real_connect(dbc, opt_host, opt_user, + opt_password, current_db, opt_port, + opt_unix_socket, + (CLIENT_FOUND_ROWS | CLIENT_MULTI_STATEMENTS | + CLIENT_MULTI_RESULTS))) + { + printf("connection failed: %s (%d)", mysql_error(dbc), + mysql_errno(dbc)); + exit(1); + } + + bind.buffer_type= MYSQL_TYPE_LONG; + bind.buffer= (char *)&buf; + bind.is_null= &is_null; + bind.error= &error; + bind.length= &length; + + res= mysql_query(dbc, "DROP TABLE IF EXISTS t1"); + myquery(res); + res= mysql_query(dbc, "CREATE TABLE t1 (a INT)"); + myquery(res); + res= mysql_query(dbc, "INSERT INTO t1 VALUES(1)"); + myquery(res); + + stmt= mysql_stmt_init(dbc); + check_stmt(stmt); + + buf= CURSOR_TYPE_READ_ONLY; + res= mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void *)&buf); + myquery(res); + + query= "SELECT * from t1 where a=?"; + res= mysql_stmt_prepare(stmt, query, strlen(query)); + myquery(res); + + res= mysql_stmt_bind_param(stmt, &bind); + myquery(res); + + res= mysql_stmt_execute(stmt); + check_execute(stmt, res); + + res= mysql_stmt_bind_result(stmt,&bind); + check_execute(stmt, res); + + sprintf(kill_buf, "kill %ld", dbc->thread_id); + mysql_query(dbc, kill_buf); + + res= mysql_stmt_store_result(stmt); + DIE_UNLESS(res); + + mysql_stmt_free_result(stmt); + mysql_stmt_close(stmt); + mysql_query(dbc, "DROP TABLE t1"); + mysql_close(dbc); +} + + /* Read and parse arguments and MySQL options from my.cnf */ @@ -16019,6 +16093,7 @@ static struct my_tests_st my_tests[]= { { "test_bug28505", test_bug28505 }, { "test_bug28934", test_bug28934 }, { "test_bug27592", test_bug27592 }, + { "test_bug29948", test_bug29948 }, { 0, 0 } }; From d790ec42e1de68d93e4c6c19580aa88f4d06dedb Mon Sep 17 00:00:00 2001 From: "igor@olga.mysql.com" <> Date: Wed, 15 Aug 2007 10:24:18 -0700 Subject: [PATCH 2/2] Fixed bug #30396. The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition. The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates. --- mysql-test/r/select.result | 57 ++++++++++++++++++++++++++++++++++++ mysql-test/t/select.test | 60 ++++++++++++++++++++++++++++++++++++++ sql/item_cmpfunc.h | 1 - sql/sql_base.cc | 1 + sql/sql_lex.cc | 1 + sql/sql_lex.h | 3 +- sql/sql_select.cc | 38 ++++++++---------------- 7 files changed, 133 insertions(+), 28 deletions(-) diff --git a/mysql-test/r/select.result b/mysql-test/r/select.result index 5930c36029f..2cf1316bb47 100644 --- a/mysql-test/r/select.result +++ b/mysql-test/r/select.result @@ -4005,4 +4005,61 @@ id select_type table type possible_keys key key_len ref rows Extra EXPLAIN SELECT c1 FROM t1 WHERE (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT (SELECT COUNT(c2))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) > 0; ERROR HY000: Too high level of nesting for select DROP TABLE t1; +CREATE TABLE t1 ( +c1 int(11) NOT NULL AUTO_INCREMENT, +c2 varchar(1000) DEFAULT NULL, +c3 bigint(20) DEFAULT NULL, +c4 bigint(20) DEFAULT NULL, +PRIMARY KEY (c1) +); +EXPLAIN EXTENDED +SELECT join_2.c1 +FROM +t1 AS join_0, +t1 AS join_1, +t1 AS join_2, +t1 AS join_3, +t1 AS join_4, +t1 AS join_5, +t1 AS join_6, +t1 AS join_7 +WHERE +join_0.c1=join_1.c1 AND +join_1.c1=join_2.c1 AND +join_2.c1=join_3.c1 AND +join_3.c1=join_4.c1 AND +join_4.c1=join_5.c1 AND +join_5.c1=join_6.c1 AND +join_6.c1=join_7.c1 +OR +join_0.c2 < '?' AND +join_1.c2 < '?' AND +join_2.c2 > '?' AND +join_2.c2 < '!' AND +join_3.c2 > '?' AND +join_4.c2 = '?' AND +join_5.c2 <> '?' AND +join_6.c2 <> '?' AND +join_7.c2 >= '?' AND +join_0.c1=join_1.c1 AND +join_1.c1=join_2.c1 AND +join_2.c1=join_3.c1 AND +join_3.c1=join_4.c1 AND +join_4.c1=join_5.c1 AND +join_5.c1=join_6.c1 AND +join_6.c1=join_7.c1 +GROUP BY +join_3.c1, +join_2.c1, +join_7.c1, +join_1.c1, +join_0.c1; +id select_type table type possible_keys key key_len ref rows Extra +1 SIMPLE NULL NULL NULL NULL NULL NULL NULL Impossible WHERE noticed after reading const tables +Warnings: +Note 1003 select '0' AS `c1` from `test`.`t1` `join_0` join `test`.`t1` `join_1` join `test`.`t1` `join_2` join `test`.`t1` `join_3` join `test`.`t1` `join_4` join `test`.`t1` `join_5` join `test`.`t1` `join_6` join `test`.`t1` `join_7` where 0 group by '0','0','0','0','0' +SHOW WARNINGS; +Level Code Message +Note 1003 select '0' AS `c1` from `test`.`t1` `join_0` join `test`.`t1` `join_1` join `test`.`t1` `join_2` join `test`.`t1` `join_3` join `test`.`t1` `join_4` join `test`.`t1` `join_5` join `test`.`t1` `join_6` join `test`.`t1` `join_7` where 0 group by '0','0','0','0','0' +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/select.test b/mysql-test/t/select.test index 8bfa12539fa..abf55745080 100644 --- a/mysql-test/t/select.test +++ b/mysql-test/t/select.test @@ -3400,4 +3400,64 @@ eval EXPLAIN SELECT c1 FROM t1 WHERE $q > 0; DROP TABLE t1; +# +# Bug #30396: crash for a join with equalities and sargable predicates +# in disjunctive parts of the WHERE condition +# + +CREATE TABLE t1 ( + c1 int(11) NOT NULL AUTO_INCREMENT, + c2 varchar(1000) DEFAULT NULL, + c3 bigint(20) DEFAULT NULL, + c4 bigint(20) DEFAULT NULL, + PRIMARY KEY (c1) +); + +EXPLAIN EXTENDED +SELECT join_2.c1 +FROM + t1 AS join_0, + t1 AS join_1, + t1 AS join_2, + t1 AS join_3, + t1 AS join_4, + t1 AS join_5, + t1 AS join_6, + t1 AS join_7 +WHERE + join_0.c1=join_1.c1 AND + join_1.c1=join_2.c1 AND + join_2.c1=join_3.c1 AND + join_3.c1=join_4.c1 AND + join_4.c1=join_5.c1 AND + join_5.c1=join_6.c1 AND + join_6.c1=join_7.c1 + OR + join_0.c2 < '?' AND + join_1.c2 < '?' AND + join_2.c2 > '?' AND + join_2.c2 < '!' AND + join_3.c2 > '?' AND + join_4.c2 = '?' AND + join_5.c2 <> '?' AND + join_6.c2 <> '?' AND + join_7.c2 >= '?' AND + join_0.c1=join_1.c1 AND + join_1.c1=join_2.c1 AND + join_2.c1=join_3.c1 AND + join_3.c1=join_4.c1 AND + join_4.c1=join_5.c1 AND + join_5.c1=join_6.c1 AND + join_6.c1=join_7.c1 +GROUP BY + join_3.c1, + join_2.c1, + join_7.c1, + join_1.c1, + join_0.c1; + +SHOW WARNINGS; + +DROP TABLE t1; + --echo End of 5.0 tests diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h index 9afc0507817..7b6eaef08ec 100644 --- a/sql/item_cmpfunc.h +++ b/sql/item_cmpfunc.h @@ -1506,7 +1506,6 @@ public: the current and level */ COND_EQUAL() { - max_members= 0; upper_levels= 0; } }; diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 1c01248c283..e8562cdffbd 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -5611,6 +5611,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, TABLE_LIST *leaves, thd->set_query_id=1; select_lex->cond_count= 0; select_lex->between_count= 0; + select_lex->max_equal_elems= 0; for (table= tables; table; table= table->next_local) { diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index 7911da69862..d11c2b21635 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -1183,6 +1183,7 @@ void st_select_lex::init_query() */ parent_lex->push_context(&context); cond_count= between_count= with_wild= 0; + max_equal_elems= 0; conds_processed_with_permanent_arena= 0; ref_pointer_array= 0; select_n_where_fields= 0; diff --git a/sql/sql_lex.h b/sql/sql_lex.h index b9c6abd2b06..94015a9fe07 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h @@ -533,7 +533,8 @@ public: */ uint select_n_having_items; uint cond_count; /* number of arguments of and/or/xor in where/having/on */ - uint between_count; /* number of between predicates in where/having/on */ + uint between_count; /* number of between predicates in where/having/on */ + uint max_equal_elems; /* maximal number of elements in multiple equalities */ /* Number of fields used in select list or where clause of current select and all inner subselects. diff --git a/sql/sql_select.cc b/sql/sql_select.cc index ac8dc84f118..b7846a7433d 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -3524,10 +3524,7 @@ update_ref_and_keys(THD *thd, DYNAMIC_ARRAY *keyuse,JOIN_TAB *join_tab, uint and_level,i,found_eq_constant; KEY_FIELD *key_fields, *end, *field; uint sz; - uint m= 1; - - if (cond_equal && cond_equal->max_members) - m= cond_equal->max_members; + uint m= max(select_lex->max_equal_elems,1); /* We use the same piece of memory to store both KEY_FIELD @@ -3547,7 +3544,8 @@ update_ref_and_keys(THD *thd, DYNAMIC_ARRAY *keyuse,JOIN_TAB *join_tab, it is considered as sargable only for its first argument. Multiple equality can add elements that are filled after substitution of field arguments by equal fields. There - can be not more than cond_equal->max_members such substitutions. + can be not more than select_lex->max_equal_elems such + substitutions. */ sz= max(sizeof(KEY_FIELD),sizeof(SARGABLE_PARAM))* (((thd->lex->current_select->cond_count+1)*2 + @@ -7189,8 +7187,7 @@ static bool check_equality(THD *thd, Item *item, COND_EQUAL *cond_equal, just an argument of a comparison predicate. The function also determines the maximum number of members in equality lists of each Item_cond_and object assigning it to - cond_equal->max_members of this object and updating accordingly - the upper levels COND_EQUAL structures. + thd->lex->current_select->max_equal_elems. NOTES Multiple equality predicate =(f1,..fn) is equivalent to the conjuction of @@ -7235,7 +7232,6 @@ static COND *build_equal_items_for_cond(THD *thd, COND *cond, COND_EQUAL *inherited) { Item_equal *item_equal; - uint members; COND_EQUAL cond_equal; cond_equal.upper_levels= inherited; @@ -7273,19 +7269,8 @@ static COND *build_equal_items_for_cond(THD *thd, COND *cond, { item_equal->fix_length_and_dec(); item_equal->update_used_tables(); - members= item_equal->members(); - if (cond_equal.max_members < members) - cond_equal.max_members= members; - } - members= cond_equal.max_members; - if (inherited && inherited->max_members < members) - { - do - { - inherited->max_members= members; - inherited= inherited->upper_levels; - } - while (inherited); + set_if_bigger(thd->lex->current_select->max_equal_elems, + item_equal->members()); } ((Item_cond_and*)cond)->cond_equal= cond_equal; @@ -7340,10 +7325,12 @@ static COND *build_equal_items_for_cond(THD *thd, COND *cond, { item_equal->fix_length_and_dec(); item_equal->update_used_tables(); - return item_equal; } else - return eq_list.pop(); + item_equal= (Item_equal *) eq_list.pop(); + set_if_bigger(thd->lex->current_select->max_equal_elems, + item_equal->members()); + return item_equal; } else { @@ -7359,9 +7346,8 @@ static COND *build_equal_items_for_cond(THD *thd, COND *cond, { item_equal->fix_length_and_dec(); item_equal->update_used_tables(); - members= item_equal->members(); - if (cond_equal.max_members < members) - cond_equal.max_members= members; + set_if_bigger(thd->lex->current_select->max_equal_elems, + item_equal->members()); } and_cond->cond_equal= cond_equal; args->concat((List *)&cond_equal.current_level);