From 4ab4631b068587756e247652d000e87bdb460d1a Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 5 May 2006 11:21:21 +0300 Subject: [PATCH 1/2] Bug#19136: Crashing log-bin and uninitialized user variables in a derived table The reason of the bug is in that `get_var_with_binlog' performs missed assingment of the variables as side-effect. Doing that it eventually calls `free_underlaid_joins' to pass as an argument `thd->lex->select_lex' of the lex which belongs to the user query, not to one which is emulated i.e SET @var1:=NULL. `get_var_with_binlog' is refined to supply a temporary lex to sql_set_variables's stack. mysql-test/r/rpl_user_variables.result: results changed mysql-test/t/rpl_user_variables.test: a problematic query to be binlogged is added sql/item_func.cc: BUG#19136: Crashing log-bin and uninitialized user variables The reason of the bug is in that how `get_var_with_binlog' performs missed assingment of the variables: `free_underlaid_joins' gets as an argument `thd->lex->select_lex' which belongs to the user query, not to one which is emulated i.e SET @var1:=NULL. `get_var_with_binlog' is refined to supply a temporary lex to sql_set_variables's stack. --- mysql-test/r/rpl_user_variables.result | 1 + mysql-test/t/rpl_user_variables.test | 6 ++++++ sql/item_func.cc | 10 ++++++++++ 3 files changed, 17 insertions(+) diff --git a/mysql-test/r/rpl_user_variables.result b/mysql-test/r/rpl_user_variables.result index 85768270ba3..8af2c3e0b22 100644 --- a/mysql-test/r/rpl_user_variables.result +++ b/mysql-test/r/rpl_user_variables.result @@ -105,5 +105,6 @@ slave-bin.000001 1370 User var 2 1370 @`a`=5 slave-bin.000001 1412 Query 1 1412 use `test`; insert into t1 values (@a),(@a) slave-bin.000001 1478 User var 2 1478 @`a`=NULL slave-bin.000001 1503 Query 1 1503 use `test`; insert into t1 values (@a),(@a),(@a*5) +insert into t1 select * FROM (select @var1 union select @var2) AS t2; drop table t1; stop slave; 
diff --git a/mysql-test/t/rpl_user_variables.test b/mysql-test/t/rpl_user_variables.test index 5cf502e05bd..6597413c22e 100644 --- a/mysql-test/t/rpl_user_variables.test +++ b/mysql-test/t/rpl_user_variables.test @@ -47,9 +47,15 @@ connection slave; sync_with_master; select * from t1; show binlog events from 141; + +# +# BUG19136: Crashing log-bin and uninitialized user variables in a derived table +# just to check nothing bad happens anymore connection master; +insert into t1 select * FROM (select @var1 union select @var2) AS t2; drop table t1; save_master_pos; + connection slave; sync_with_master; stop slave; diff --git a/sql/item_func.cc b/sql/item_func.cc index 174a8c55d01..15e272cdef8 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2733,14 +2733,24 @@ int get_var_with_binlog(THD *thd, LEX_STRING &name, sql_set_variables(), we could instead manually call check() and update(); this would save memory and time; but calling sql_set_variables() makes one unique place to maintain (sql_set_variables()). + + Manipulation with lex is necessary since free_underlaid_joins + is going to release memory belonging to the main query. */ List tmp_var_list; + LEX *sav_lex= thd->lex, lex_tmp; + thd->lex= &lex_tmp; + lex_start(thd, NULL, 0); tmp_var_list.push_back(new set_var_user(new Item_func_set_user_var(name, new Item_null()))); /* Create the variable */ if (sql_set_variables(thd, &tmp_var_list)) + { + thd->lex= sav_lex; goto err; + } + thd->lex= sav_lex; if (!(var_entry= get_variable(&thd->user_vars, name, 0))) goto err; } From c13144722aaf7892a64d6fdeffc130dcda041ab3 Mon Sep 17 00:00:00 2001 
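Review bot: The statement added to mysql-test/t/rpl_user_variables.test is followed directly by `drop table t1`, so nothing checks the rows that reached t1 or the events written to the binary log. The test passes as long as the master does not crash and the slave manages to sync. Since the bug concerns how unset user variables are logged, a `show binlog events` on the master, or a `select * from t1` on the slave after `sync_with_master`, placed before the drop, would pin the intended result rather than only the absence of a crash. The comment `# just to check nothing bad happens anymore` could then say what output is expected.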
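Review bot: In the sql/item_func.cc hunk, `thd->lex` points at the stack-local `lex_tmp` for the whole `sql_set_variables()` call and is restored by two separate assignments, one in the new error branch and one after it. Any exit path added later between the swap and those assignments would leave the session's `thd->lex` dangling into a dead stack frame. Restoring once, directly after the call, removes that risk: `int rc= sql_set_variables(thd, &tmp_var_list);`, `thd->lex= sav_lex;`, `if (rc) goto err;`. The hunk also shows no teardown of `lex_tmp` after `lex_start()`; if LEX in this tree owns anything that needs releasing, that is missing on both paths and should be confirmed. get_var_with_binlog begins and ends outside the hunk.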
From: unknown Date: Sat, 6 May 2006 13:15:00 +0400 Subject: [PATCH 2/2] BUG#16798: Inapplicable ref_or_null query plan and bad query result on random occasions The bug was as follows: When merge_key_fields() encounters "t.key=X OR t.key=Y" it will try to join them into ref_or_null access via "t.key=X OR NULL". In order to make this inference it checks if Y<=>NULL, ignoring the fact that value of Y may be not yet known. The fix is that the check if Y<=>NULL is made only if value of Y is known (i.e. it is a constant). TODO: When merging to 5.0, replace used_tables() with const_item() everywhere in merge_key_fields(). mysql-test/r/innodb_mysql.result: Testcase for BUG16798 mysql-test/t/innodb_mysql.test: Testcase for BUG16798 sql/sql_select.cc: BUG#16798: Inapplicable ref_or_null query plan and bad query result on random occasions In merge_key_fields() don't call val->is_null() if the value of val is not known. --- mysql-test/r/innodb_mysql.result | 57 +++++++++++++++++++++++++++++++- mysql-test/t/innodb_mysql.test | 56 ++++++++++++++++++++++++++++++- sql/sql_select.cc | 3 +- 3 files changed, 113 insertions(+), 3 deletions(-) diff --git a/mysql-test/r/innodb_mysql.result b/mysql-test/r/innodb_mysql.result index 878c5cb5451..2a4e3555e3b 100644 --- a/mysql-test/r/innodb_mysql.result +++ b/mysql-test/r/innodb_mysql.result 
@@ -1 +1,56 @@
-drop table if exists t1;
+drop table if exists t1,t2;
+create table t1 (
+c_id int(11) not null default '0',
+org_id int(11) default null,
+unique key contacts$c_id (c_id),
+key contacts$org_id (org_id)
+) engine=innodb;
+insert into t1 values
+(2,null),(120,null),(141,null),(218,7), (128,1),
+(151,2),(234,2),(236,2),(243,2),(255,2),(259,2),(232,3),(235,3),(238,3),
+(246,3),(253,3),(269,3),(285,3),(291,3),(293,3),(131,4),(230,4),(231,4);
+create table t2 (
+slai_id int(11) not null default '0',
+owner_tbl int(11) default null,
+owner_id int(11) default null,
+sla_id int(11) default null,
+inc_web int(11) default null,
+inc_email int(11) default null,
+inc_chat int(11) default null,
+inc_csr int(11) default null,
+inc_total int(11) default null,
+time_billed int(11) default null,
+activedate timestamp null default null,
+expiredate timestamp null default null,
+state int(11) default null,
+sla_set int(11) default null,
+unique key t2$slai_id (slai_id),
+key t2$owner_id (owner_id),
+key t2$sla_id (sla_id)
+) engine=innodb;
+insert into t2(slai_id, owner_tbl, owner_id, sla_id) values
+(1,3,1,1), (3,3,10,2), (4,3,3,6), (5,3,2,5), (6,3,8,3), (7,3,9,7),
+(8,3,6,8), (9,3,4,9), (10,3,5,10), (11,3,11,11), (12,3,7,12);
+flush tables;
+select si.slai_id
+from t1 c join t2 si on
+((si.owner_tbl = 3 and si.owner_id = c.org_id) or
+( si.owner_tbl = 2 and si.owner_id = c.c_id))
+where
+c.c_id = 218 and expiredate is null;
+slai_id
+12
+select * from t1 where org_id is null;
+c_id org_id
+2 NULL
+120 NULL
+141 NULL
+select si.slai_id
+from t1 c join t2 si on
+((si.owner_tbl = 3 and si.owner_id = c.org_id) or
+( si.owner_tbl = 2 and si.owner_id = c.c_id))
+where
+c.c_id = 218 and expiredate is null;
+slai_id
+12
+drop table t1, t2;
diff --git a/mysql-test/t/innodb_mysql.test b/mysql-test/t/innodb_mysql.test
index b942b9fbc0d..f31e4d64789 100644
--- a/mysql-test/t/innodb_mysql.test
+++ b/mysql-test/t/innodb_mysql.test
@@ -1,5 +1,59 @@ -- source include/have_innodb.inc --disable_warnings -drop table if exists t1; +drop table if exists t1,t2; --enable_warnings + +# BUG#16798: Uninitialized row buffer reads in ref-or-null optimizer +# (repeatable only w/innodb). +create table t1 ( + c_id int(11) not null default '0', + org_id int(11) default null, + unique key contacts$c_id (c_id), + key contacts$org_id (org_id) +) engine=innodb; +insert into t1 values + (2,null),(120,null),(141,null),(218,7), (128,1), + (151,2),(234,2),(236,2),(243,2),(255,2),(259,2),(232,3),(235,3),(238,3), + (246,3),(253,3),(269,3),(285,3),(291,3),(293,3),(131,4),(230,4),(231,4); + +create table t2 ( + slai_id int(11) not null default '0', + owner_tbl int(11) default null, + owner_id int(11) default null, + sla_id int(11) default null, + inc_web int(11) default null, + inc_email int(11) default null, + inc_chat int(11) default null, + inc_csr int(11) default null, + inc_total int(11) default null, + time_billed int(11) default null, + activedate timestamp null default null, + expiredate timestamp null default null, + state int(11) default null, + sla_set int(11) default null, + unique key t2$slai_id (slai_id), + key t2$owner_id (owner_id), + key t2$sla_id (sla_id) +) engine=innodb; +insert into t2(slai_id, owner_tbl, owner_id, sla_id) values + (1,3,1,1), (3,3,10,2), (4,3,3,6), (5,3,2,5), (6,3,8,3), (7,3,9,7), + (8,3,6,8), (9,3,4,9), (10,3,5,10), (11,3,11,11), (12,3,7,12); + +flush tables; +select si.slai_id +from t1 c join t2 si on + ((si.owner_tbl = 3 and si.owner_id = c.org_id) or + ( si.owner_tbl = 2 and si.owner_id = c.c_id)) +where + c.c_id = 218 and expiredate is null; + +select * from t1 where org_id is null; +select si.slai_id +from t1 c join t2 si on + ((si.owner_tbl = 3 and si.owner_id = c.org_id) or + ( si.owner_tbl = 2 and si.owner_id = c.c_id)) +where + c.c_id = 218 and expiredate is null; + +drop table t1, t2; diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 46dba61cfc5..4995a164226 100644 
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -2090,7 +2090,8 @@ merge_key_fields(KEY_FIELD *start,KEY_FIELD *new_fields,KEY_FIELD *end,
 new_fields->null_rejecting);
 }
 else if (old->eq_func && new_fields->eq_func &&
- (old->val->is_null() || new_fields->val->is_null()))
+ ((!old->val->used_tables() && old->val->is_null()) ||
+ new_fields->val->is_null()))
 {
 /* field = expression OR field IS NULL */
 old->level= and_level;
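Review bot: Only the `old->val` side of the condition is guarded; `new_fields->val->is_null()` on the second added line is still called unconditionally. The commit message says the NULL check is valid only when the value is already known, and the test comment describes the failure as uninitialized row buffer reads, so the same reasoning appears to apply to `new_fields->val` unless callers guarantee it is constant at this point. Either guard it the same way, `(!new_fields->val->used_tables() && new_fields->val->is_null())`, or add a comment stating why that operand cannot depend on a table whose row has not been read yet. The body of this branch continues past the end of the hunk, so any further `is_null()` calls inside it are not visible here and deserve the same check.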