database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00
Code Activity

MDEV-17024 Crash on large query

Browse Source 
This problem manifested itself when a join query used two or more
materialized CTE such that each of them employed the same recursive CTE.
The bug caused a crash. The crash happened because the cleanup()
function was performed premature for recursive CTE. This clean up was
induced by the cleanup of the first CTE referenced the recusrsive CTE.
This cleanup destroyed the structures that would allow to read from the
temporary table containing the rows of the recursive CTE and an attempt to read
these rows for the second CTE referencing the recursive CTE triggered a
crash.
The clean up for a recursive CTE R should be performed after the cleanup
of the last materialized CTE that uses R.
This commit is contained in:
Igor Babaev
2018-09-07 20:10:04 -07:00
parent 59950df533
commit 4d991abd4f
7 changed files with 222 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
sql/sql_derived.cc
View File

@ -1083,6 +1083,7 @@ bool mysql_derived_fill(THD *thd, LEX *lex, TABLE_LIST *derived)
DBUG_ASSERT(derived->table && derived->table->is_created());
select_union *derived_result= derived->derived_result;
SELECT_LEX *save_current_select= lex->current_select;
bool derived_recursive_is_filled= false;
if (derived_is_recursive)
{
@ -1095,6 +1096,7 @@ bool mysql_derived_fill(THD *thd, LEX *lex, TABLE_LIST *derived)
{
/* In this case all iteration are performed */
res= derived->fill_recursive(thd);
derived_recursive_is_filled= true;
}
}
else if (unit->is_union())
@ -1150,7 +1152,9 @@ bool mysql_derived_fill(THD *thd, LEX *lex, TABLE_LIST *derived)
}
}
if (res || (!lex->describe && !derived_is_recursive))
if (res || (!lex->describe &&
(!derived_is_recursive ||
derived_recursive_is_filled)))
unit->cleanup();
lex->current_select= save_current_select;