mirror of
https://github.com/MariaDB/server.git
synced 2025-07-29 05:21:33 +03:00
MDEV-10466 Server crashed in SEL_ARG::store_min() with extended_keys=on
This bug could manifest itself in very rare cases when the optimizer chose an execution plan by which a joined table was accessed by a table scan and the optimizer was checking whether ranges checked for each record could improve this plan. In such cases the optimizer evaluates range conditions over a table that depend on other tables. For such conditions the constructed SEL_ARG trees are marked as MAYBE_KEY. If a SEL_ARG object constructed for a sargable condition marked as RANGE_KEY had the same first key part as a MAYBE_KEY SEL_ARG object and the key_and() function was called for this pair of SEL_ARG objects, then an invalid SEL_ARG object could be constructed that ultimately could lead to a crash before the execution phase.
@ -8837,7 +8837,7 @@ key_and(RANGE_OPT_PARAM *param, SEL_ARG *key1, SEL_ARG *key2, uint clone_flag)
|
||||
if (key2->next_key_part)
|
||||
{
|
||||
key1->use_count--; // Incremented in and_all_keys
|
||||
return and_all_keys(param, key1, key2, clone_flag);
|
||||
return and_all_keys(param, key1, key2->next_key_part, clone_flag);
|
||||
}
|
||||
key2->use_count--; // Key2 doesn't have a tree
|
||||
}
|
||||
|
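Review bot: In the `if (key2->next_key_part)` branch of key_and(), the return statement now hands `key2->next_key_part` to and_all_keys() instead of `key2`, but nothing in the code says why, and the reference counting around it is unchanged. The branch still decrements only `key1->use_count` ("Incremented in and_all_keys"), while the fall-through path decrements `key2->use_count` because "Key2 doesn't have a tree". Since `key2` itself is no longer passed on in this branch, please confirm whether its use_count needs adjusting here too, and add a short comment at the return stating that only the next-key-part tree of key2 is being ANDed with key1. No regression test for the MDEV-10466 crash is visible alongside this hunk; one that reaches this branch with a MAYBE_KEY and a RANGE_KEY SEL_ARG sharing the first key part, as the commit message describes, would keep the fix from regressing.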