database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-07 00:04:31 +03:00
Code Activity

MDEV-31432 tmp_table field accessed after free

Browse Source 
Before this patch, the code in Item_field::print() used
this convention (described in sql_explain.h:ExplainDataStructureLifetime):

- By default, the table that Item_field refers to is accessible.
- ANALYZE and SHOW {EXPLAIN|ANALYZE} may print Items after some
  temporary tables have been dropped. They use
  QT_DONT_ACCESS_TMP_TABLES flag. When it is ON, Item_field::print
  will not access the table it refers to, if it is a temp.table

The bug was that EXPLAIN statement also may compute subqueries (depending
on subquery context and @@expensive_subquery_limit setting). After the
computation, the subquery calls JOIN::cleanup(true) which drops some of
its temporary tables. Calling Item_field::print() that refer to such table
will cause an access to free'd memory.

In this patch, we take into account that query optimization can compute
a subquery and discard its temporary tables. Item_field::print() now
assumes that any temporary table might have already been dropped.
This means QT_DONT_ACCESS_TMP_TABLES flag is not needed - we imply it is
always present.

But we also make one exception: derived tables are not freed in
JOIN::cleanup() call. They are freed later in close_thread_tables(),
at the same time when regular tables are closed.
Because of that, Item_field::print may assume that temp.tables
representing derived tables are available.

Initial patch by: Rex Jonston
Reviewed by: Monty <monty@mariadb.org>
This commit is contained in:
Sergei Petrunia
2023-08-14 11:09:51 +03:00
parent 9cd2989589
commit 8aaacb5509
15 changed files with 199 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
sql/sql_explain.cc
View File

@@ -39,8 +39,8 @@ const char *unit_operation_text[4]=
const char *pushed_derived_text= "PUSHED DERIVED";
const char *pushed_select_text= "PUSHED SELECT";
static void write_item(Json_writer *writer, Item *item, bool no_tmp_tbl);
static void append_item_to_str(String *out, Item *item, bool no_tmp_tbl);
static void write_item(Json_writer *writer, Item *item);
static void append_item_to_str(String *out, Item *item);
Explain_query::Explain_query(THD *thd_arg, MEM_ROOT *root) :
mem_root(root), upd_del_plan(nullptr), insert_plan(nullptr),
@@ -196,7 +196,7 @@ int Explain_query::send_explain(THD *thd, bool extended)
int res= 0;
if (thd->lex->explain_json)
print_explain_json(result, thd->lex->analyze_stmt, false /*is_show_cmd*/);
print_explain_json(result, thd->lex->analyze_stmt);
else
{
res= print_explain(result, lex->describe, thd->lex->analyze_stmt);
@@ -252,16 +252,8 @@ int Explain_query::print_explain(select_result_sink *output,
}
/*
@param is_show_cmd TRUE<=> This is a SHOW EXPLAIN|ANALYZE command.
(These commands may be called at late stage in
the query processing, we need to pass no_tmp_tbl=true
to other print functions)
*/
int Explain_query::print_explain_json(select_result_sink *output,
bool is_analyze,
bool is_show_cmd,
ulonglong query_time_in_progress_ms)
{
Json_writer writer;
@@ -275,25 +267,17 @@ int Explain_query::print_explain_json(select_result_sink *output,
writer.add_member("r_query_time_in_progress_ms").
add_ull(query_time_in_progress_ms);
/*
If we are printing ANALYZE FORMAT=JSON output, take into account that
query's temporary tables have already been freed. See sql_explain.h,
sql_explain.h:ExplainDataStructureLifetime for details.
*/
if (is_analyze)
is_show_cmd= true;
if (upd_del_plan)
upd_del_plan->print_explain_json(this, &writer, is_analyze, is_show_cmd);
upd_del_plan->print_explain_json(this, &writer, is_analyze);
else if (insert_plan)
insert_plan->print_explain_json(this, &writer, is_analyze, is_show_cmd);
insert_plan->print_explain_json(this, &writer, is_analyze);
else
{
/* Start printing from node with id=1 */
Explain_node *node= get_node(1);
if (!node)
return 1; /* No query plan */
node->print_explain_json(this, &writer, is_analyze, is_show_cmd);
node->print_explain_json(this, &writer, is_analyze);
}
writer.end_object();
@@ -656,8 +640,7 @@ int Explain_union::print_explain(Explain_query *query,
void Explain_union::print_explain_json(Explain_query *query,
Json_writer *writer, bool is_analyze,
bool no_tmp_tbl)
Json_writer *writer, bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
char table_name_buffer[SAFE_NAME_LEN];
@@ -702,12 +685,12 @@ void Explain_union::print_explain_json(Explain_query *query,
//writer->add_member("dependent").add_str("TODO");
//writer->add_member("cacheable").add_str("TODO");
Explain_select *sel= query->get_select(union_members.at(i));
sel->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
sel->print_explain_json(query, writer, is_analyze);
writer->end_object();
}
writer->end_array();
print_explain_json_for_children(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_for_children(query, writer, is_analyze);
writer->end_object(); // union_result
writer->end_object(); // query_block
@@ -769,8 +752,7 @@ bool is_connection_printable_in_json(enum Explain_node::explain_connection_type
void Explain_node::print_explain_json_for_children(Explain_query *query,
Json_writer *writer,
bool is_analyze,
bool no_tmp_tbl)
bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
@@ -797,7 +779,7 @@ void Explain_node::print_explain_json_for_children(Explain_query *query,
}
writer->start_object();
node->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
node->print_explain_json(query, writer, is_analyze);
writer->end_object();
}
@@ -977,8 +959,7 @@ void Explain_select::add_linkage(Json_writer *writer)
}
void Explain_select::print_explain_json(Explain_query *query,
Json_writer *writer, bool is_analyze,
bool no_tmp_tbl)
Json_writer *writer, bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
@@ -1000,7 +981,7 @@ void Explain_select::print_explain_json(Explain_query *query,
message);
writer->end_object();
print_explain_json_for_children(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_for_children(query, writer, is_analyze);
writer->end_object();
}
else
@@ -1022,17 +1003,17 @@ void Explain_select::print_explain_json(Explain_query *query,
if (exec_const_cond)
{
writer->add_member("const_condition");
write_item(writer, exec_const_cond, no_tmp_tbl);
write_item(writer, exec_const_cond);
}
if (outer_ref_cond)
{
writer->add_member("outer_ref_condition");
write_item(writer, outer_ref_cond, no_tmp_tbl);
write_item(writer, outer_ref_cond);
}
if (pseudo_bits_cond)
{
writer->add_member("pseudo_bits_condition");
write_item(writer, pseudo_bits_cond, no_tmp_tbl);
write_item(writer, pseudo_bits_cond);
}
/* we do not print HAVING which always evaluates to TRUE */
@@ -1040,7 +1021,7 @@ void Explain_select::print_explain_json(Explain_query *query,
{
writer->add_member("having_condition");
if (likely(having))
write_item(writer, having, no_tmp_tbl);
write_item(writer, having);
else
{
/* Normally we should not go this branch, left just for safety */
@@ -1064,7 +1045,7 @@ void Explain_select::print_explain_json(Explain_query *query,
{
writer->add_member("filesort").start_object();
auto aggr_node= (Explain_aggr_filesort*)node;
aggr_node->print_json_members(writer, is_analyze, no_tmp_tbl);
aggr_node->print_json_members(writer, is_analyze);
break;
}
case AGGR_OP_REMOVE_DUPLICATES:
@@ -1075,7 +1056,7 @@ void Explain_select::print_explain_json(Explain_query *query,
//TODO: make print_json_members virtual?
writer->add_member("window_functions_computation").start_object();
auto aggr_node= (Explain_aggr_window_funcs*)node;
aggr_node->print_json_members(writer, is_analyze, no_tmp_tbl);
aggr_node->print_json_members(writer, is_analyze);
break;
}
default:
@@ -1084,8 +1065,7 @@ void Explain_select::print_explain_json(Explain_query *query,
started_objects++;
}
Explain_basic_join::print_explain_json_interns(query, writer, is_analyze,
no_tmp_tbl);
Explain_basic_join::print_explain_json_interns(query, writer, is_analyze);
for (;started_objects; started_objects--)
writer->end_object();
@@ -1114,8 +1094,7 @@ Explain_aggr_filesort::Explain_aggr_filesort(MEM_ROOT *mem_root,
void Explain_aggr_filesort::print_json_members(Json_writer *writer,
bool is_analyze,
bool no_tmp_tbl)
bool is_analyze)
{
char item_buf[256];
String str(item_buf, sizeof(item_buf), &my_charset_bin);
@@ -1135,7 +1114,7 @@ void Explain_aggr_filesort::print_json_members(Json_writer *writer,
{
str.append(STRING_WITH_LEN(", "));
}
append_item_to_str(&str, item, no_tmp_tbl);
append_item_to_str(&str, item);
if (*direction == ORDER::ORDER_DESC)
str.append(STRING_WITH_LEN(" desc"));
}
@@ -1148,8 +1127,7 @@ void Explain_aggr_filesort::print_json_members(Json_writer *writer,
void Explain_aggr_window_funcs::print_json_members(Json_writer *writer,
bool is_analyze,
bool no_tmp_tbl)
bool is_analyze)
{
Explain_aggr_filesort *srt;
List_iterator<Explain_aggr_filesort> it(sorts);
@@ -1158,19 +1136,19 @@ void Explain_aggr_window_funcs::print_json_members(Json_writer *writer,
{
Json_writer_object sort(writer);
Json_writer_object filesort(writer, "filesort");
srt->print_json_members(writer, is_analyze, no_tmp_tbl);
srt->print_json_members(writer, is_analyze);
}
}
void Explain_basic_join::print_explain_json(Explain_query *query,
Json_writer *writer,
bool is_analyze, bool no_tmp_tbl)
bool is_analyze)
{
writer->add_member("query_block").start_object();
writer->add_member("select_id").add_ll(select_id);
print_explain_json_interns(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_interns(query, writer, is_analyze);
writer->end_object();
}
@@ -1179,7 +1157,7 @@ void Explain_basic_join::print_explain_json(Explain_query *query,
void Explain_basic_join::
print_explain_json_interns(Explain_query *query,
Json_writer *writer,
bool is_analyze, bool no_tmp_tbl)
bool is_analyze)
{
{
Json_writer_array loop(writer, "nested_loop");
@@ -1192,7 +1170,7 @@ print_explain_json_interns(Explain_query *query,
writer->start_array();
}
join_tabs[i]->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
join_tabs[i]->print_explain_json(query, writer, is_analyze);
if (join_tabs[i]->end_dups_weedout)
{
@@ -1201,7 +1179,7 @@ print_explain_json_interns(Explain_query *query,
}
}
} // "nested_loop"
print_explain_json_for_children(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_for_children(query, writer, is_analyze);
}
@@ -1601,7 +1579,7 @@ const char *String_list::append_str(MEM_ROOT *mem_root, const char *str)
}
static void write_item(Json_writer *writer, Item *item, bool no_tmp_tbl)
static void write_item(Json_writer *writer, Item *item)
{
THD *thd= current_thd;
char item_buf[256];
@@ -1611,27 +1589,25 @@ static void write_item(Json_writer *writer, Item *item, bool no_tmp_tbl)
ulonglong save_option_bits= thd->variables.option_bits;
thd->variables.option_bits &= ~OPTION_QUOTE_SHOW_CREATE;
auto qtype= QT_EXPLAIN | (no_tmp_tbl? QT_DONT_ACCESS_TMP_TABLES : 0);
item->print(&str, (enum_query_type)qtype);
item->print(&str, QT_EXPLAIN);
thd->variables.option_bits= save_option_bits;
writer->add_str(str.c_ptr_safe());
}
static void append_item_to_str(String *out, Item *item, bool no_tmp_tbl)
static void append_item_to_str(String *out, Item *item)
{
THD *thd= current_thd;
ulonglong save_option_bits= thd->variables.option_bits;
thd->variables.option_bits &= ~OPTION_QUOTE_SHOW_CREATE;
auto qtype= QT_EXPLAIN | (no_tmp_tbl? QT_DONT_ACCESS_TMP_TABLES : 0);
item->print(out, (enum_query_type)qtype);
item->print(out, QT_EXPLAIN);
thd->variables.option_bits= save_option_bits;
}
void Explain_table_access::tag_to_json(Json_writer *writer,
enum explain_extra_tag tag,
bool no_tmp_tbl)
enum explain_extra_tag tag)
{
switch (tag)
{
@@ -1655,11 +1631,11 @@ void Explain_table_access::tag_to_json(Json_writer *writer,
break;
case ET_USING_INDEX_CONDITION:
writer->add_member("index_condition");
write_item(writer, pushed_index_cond, no_tmp_tbl);
write_item(writer, pushed_index_cond);
break;
case ET_USING_INDEX_CONDITION_BKA:
writer->add_member("index_condition_bka");
write_item(writer, pushed_index_cond, no_tmp_tbl);
write_item(writer, pushed_index_cond);
break;
case ET_USING_WHERE:
{
@@ -1673,7 +1649,7 @@ void Explain_table_access::tag_to_json(Json_writer *writer,
if (item)
{
writer->add_member("attached_condition");
write_item(writer, item, no_tmp_tbl);
write_item(writer, item);
}
}
break;
@@ -1807,7 +1783,7 @@ static void trace_engine_stats(handler *file, Json_writer *writer)
void Explain_table_access::print_explain_json(Explain_query *query,
Json_writer *writer,
bool is_analyze, bool no_tmp_tbl)
bool is_analyze)
{
Json_writer_object jsobj(writer);
@@ -1838,7 +1814,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
}
}
writer->add_member("filesort").start_object();
pre_join_sort->print_json_members(writer, is_analyze, no_tmp_tbl);
pre_join_sort->print_json_members(writer, is_analyze);
}
if (bka_type.is_using_jbuf())
@@ -1976,7 +1952,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
for (int i=0; i < (int)extra_tags.elements(); i++)
{
tag_to_json(writer, extra_tags.at(i), no_tmp_tbl);
tag_to_json(writer, extra_tags.at(i));
}
if (full_scan_on_null_key)
@@ -1997,7 +1973,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
if (where_cond)
{
writer->add_member("attached_condition");
write_item(writer, where_cond, no_tmp_tbl);
write_item(writer, where_cond);
}
if (is_analyze)
@@ -2044,7 +2020,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
{
writer->add_member("lateral").add_ll(1);
}
node->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
node->print_explain_json(query, writer, is_analyze);
writer->end_object();
}
if (non_merged_sjm_number)
@@ -2054,7 +2030,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
writer->add_member("unique").add_ll(1);
Explain_node *node= query->get_node(non_merged_sjm_number);
node->connection_type= Explain_node::EXPLAIN_NODE_NON_MERGED_SJ;
node->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
node->print_explain_json(query, writer, is_analyze);
writer->end_object();
}
if (sjm_nest)
@@ -2062,7 +2038,7 @@ void Explain_table_access::print_explain_json(Explain_query *query,
/* This is a non-merged semi-join table. Print its contents here */
writer->add_member("materialized").start_object();
writer->add_member("unique").add_ll(1);
sjm_nest->print_explain_json(query, writer, is_analyze, no_tmp_tbl);
sjm_nest->print_explain_json(query, writer, is_analyze);
writer->end_object();
}
@@ -2368,8 +2344,7 @@ int Explain_delete::print_explain(Explain_query *query,
void Explain_delete::print_explain_json(Explain_query *query,
Json_writer *writer,
bool is_analyze,
bool no_tmp_tbl)
bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
@@ -2384,7 +2359,7 @@ void Explain_delete::print_explain_json(Explain_query *query,
writer->end_object(); // query_block
return;
}
Explain_update::print_explain_json(query, writer, is_analyze, no_tmp_tbl);
Explain_update::print_explain_json(query, writer, is_analyze);
}
@@ -2487,8 +2462,7 @@ int Explain_update::print_explain(Explain_query *query,
void Explain_update::print_explain_json(Explain_query *query,
Json_writer *writer,
bool is_analyze,
bool no_tmp_tbl)
bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
@@ -2655,7 +2629,7 @@ void Explain_update::print_explain_json(Explain_query *query,
if (where_cond)
{
writer->add_member("attached_condition");
write_item(writer, where_cond, no_tmp_tbl);
write_item(writer, where_cond);
}
/*** The part of plan that is before the buffering/sorting ends here ***/
@@ -2667,7 +2641,7 @@ void Explain_update::print_explain_json(Explain_query *query,
writer->end_object(); // table
print_explain_json_for_children(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_for_children(query, writer, is_analyze);
writer->end_object(); // query_block
}
@@ -2697,8 +2671,7 @@ int Explain_insert::print_explain(Explain_query *query,
}
void Explain_insert::print_explain_json(Explain_query *query,
Json_writer *writer, bool is_analyze,
bool no_tmp_tbl)
Json_writer *writer, bool is_analyze)
{
Json_writer_nesting_guard guard(writer);
@@ -2707,7 +2680,7 @@ void Explain_insert::print_explain_json(Explain_query *query,
writer->add_member("table").start_object();
writer->add_member("table_name").add_str(table_name.c_ptr());
writer->end_object(); // table
print_explain_json_for_children(query, writer, is_analyze, no_tmp_tbl);
print_explain_json_for_children(query, writer, is_analyze);
writer->end_object(); // query_block
}