From abffce9cadb9db491e76f681f8a4c055f5d70958 Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 23 Mar 2006 18:09:35 +0400
Subject: [PATCH] Fix for bug #18306: MySQL crashes and restarts using subquery mysql-test/r/subselect.result: Fix for bug #18306: MySQL crashes and restarts using subquery test case mysql-test/t/subselect.test: Fix for bug #18306: MySQL crashes and restarts using subquery test case sql/opt_range.cc: Fix for bug #18306: MySQL crashes and restarts using subquery Restore thd->mem_root because during the cond->val_int() evaluation we can come across a subselect item which may allocate memory on the thd->mem_root and assumes all the memory allocated has the same life span as the subselect item itself.
---
 mysql-test/r/subselect.result | 6 ++++++
 mysql-test/t/subselect.test | 11 +++++++++++
 sql/opt_range.cc | 15 ++++++++++++---
 3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/mysql-test/r/subselect.result b/mysql-test/r/subselect.result
index d605e81aa93..d8561915564 100644
--- a/mysql-test/r/subselect.result
+++ b/mysql-test/r/subselect.result
@@ -3163,3 +3163,9 @@ t
 crash1
 crash1
 drop table t1;
+create table t1 (c int, key(c));
+insert into t1 values (1142477582), (1142455969);
+create table t2 (a int, b int);
+insert into t2 values (2, 1), (1, 0);
+delete from t1 where c <= 1140006215 and (select b from t2 where a = 2) = 1;
+drop table t1, t2;
diff --git a/mysql-test/t/subselect.test b/mysql-test/t/subselect.test
index 368020dd721..1ef80bdd7ac 100644
--- a/mysql-test/t/subselect.test
+++ b/mysql-test/t/subselect.test
@@ -2074,3 +2074,14 @@ create table t1( f1 int,f2 int);
 insert into t1 values (1,1),(2,2);
 select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
 drop table t1;
+
+#
+# Bug #18306: server crash on delete using subquery.
+#
+
+create table t1 (c int, key(c));
+insert into t1 values (1142477582), (1142455969);
+create table t2 (a int, b int);
+insert into t2 values (2, 1), (1, 0);
+delete from t1 where c <= 1140006215 and (select b from t2 where a = 2) = 1;
+drop table t1, t2;
diff --git a/sql/opt_range.cc b/sql/opt_range.cc
index 04cc0baa0aa..634c9db18a8 100644
--- a/sql/opt_range.cc
+++ b/sql/opt_range.cc
@@ -3604,9 +3604,18 @@ static SEL_TREE *get_mm_tree(PARAM *param,COND *cond)
 /* Here when simple cond */
 if (cond->const_item())
 {
- if (cond->val_int())
- DBUG_RETURN(new SEL_TREE(SEL_TREE::ALWAYS));
- DBUG_RETURN(new SEL_TREE(SEL_TREE::IMPOSSIBLE));
+ /*
+ During the cond->val_int() evaluation we can come across a subselect
+ item which may allocate memory on the thd->mem_root and assumes
+ all the memory allocated has the same life span as the subselect
+ item itself. So we have to restore the thread's mem_root here.
+ */
+ MEM_ROOT *tmp_root= param->mem_root;
+ param->thd->mem_root= param->old_root;
+ tree= cond->val_int() ? new(tmp_root) SEL_TREE(SEL_TREE::ALWAYS) :
+ new(tmp_root) SEL_TREE(SEL_TREE::IMPOSSIBLE);
+ param->thd->mem_root= tmp_root;
+ DBUG_RETURN(tree);
 }
 table_map ref_tables= 0;
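Review bot: The restore at `param->thd->mem_root= tmp_root;` writes back `param->mem_root` rather than the value `thd->mem_root` actually held on entry, so the swap is only correct if the two are always identical when get_mm_tree() runs, which this hunk does not show. Saving the live pointer makes the swap self-contained: `MEM_ROOT *saved_root= param->thd->mem_root;` before the switch and `param->thd->mem_root= saved_root;` after it, while still allocating the SEL_TREE on `param->mem_root`. Alternatively, state the invariant with `DBUG_ASSERT(param->thd->mem_root == param->mem_root);`. Since the underlying defect is subselect memory that outlives the arena it was allocated on, and the regression test reaches it with an ordinary DELETE, it is also worth checking whether other item evaluations in the range optimizer run with the temporary root installed. Only the const_item() branch is covered here, and the rest of get_mm_tree() lies outside the hunk.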