mirror of https://github.com/MariaDB/server.git synced 2025-10-22 19:52:58 +03:00
mariadb/mysql-test/r
Gleb Shchepa 086130e3c0 backport of bug #54476 fix from 5.1-bugteam to 5.0-bugteam.
Original revid: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l

 > Bug #54476: crash when group_concat and 'with rollup' in
 >                      prepared statements
 >
 > Using GROUP_CONCAT() together with the WITH ROLLUP modifier
 > could crash the server.
 >
 > The reason was a combination of several facts:
 >
 > 1. The Item_func_group_concat class stores pointers to ORDER
 > objects representing the columns in the ORDER BY clause of
 > GROUP_CONCAT().
 >
 > 2. find_order_in_list() called from
 > Item_func_group_concat::setup() modifies the ORDER objects so
 > that their 'item' member points to the arguments list
 > allocated in the Item_func_group_concat constructor.
 >
 > 3. In some cases (e.g. in JOIN::rollup_make_fields) a copy of
 > the original Item_func_group_concat object could be created by
 > using the Item_func_group_concat::Item_func_group_concat(THD
 > *thd, Item_func_group_concat *item) copy constructor. The
 > latter essentially creates a shallow copy of the source
 > object. Memory for the arguments array is allocated on
 > thd->mem_root, but the pointers for arguments and ORDER are
 > copied verbatim.
 >
 > What happens in the test case is that when executing the query
 > for the first time, after a copy of the original
 > Item_func_group_concat object has been created by
 > JOIN::rollup_make_fields(), find_order_in_list() is called for
 > this new object. It then resolves ORDER BY by modifying the
 > ORDER objects so that they point to elements of the arguments
 > array which is local to the cloned object. When thd->mem_root
 > is freed upon completing the execution, pointers in the ORDER
 > objects become invalid. Those ORDER objects, however, are also
 > shared with the original Item_func_group_concat object which is
 > preserved between executions of a prepared statement. So the
 > first call to find_order_in_list() for the original object on
 > the second execution tries to dereference an invalid pointer.
 >
 > The solution is to create copies of the ORDER objects when
 > copying Item_func_group_concat to not leave any stale pointers
 > in other instances with different lifecycles.


mysql-test/r/func_gconcat.result:
  Test case for bug #54476.
mysql-test/t/func_gconcat.test:
  Test case for bug #54476.
sql/item_sum.cc:
  Copy the ORDER objects pointed to by the elements of the
  'order' array in the copy constructor of
  Item_func_group_concat.
sql/table.h:
  Removed the unused 'item_copy' member of the ORDER class.
2010-12-14 23:52:53 +03:00
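
The lifetime problem described in the commit message above, as an added C++ example that is not part of the commit or of MariaDB's code. `GroupConcat`, `Order`, `resolve_order`, `copy_item` and `original_survives` are hypothetical, simplified stand-ins for `Item_func_group_concat`, `ORDER`, `find_order_in_list()` and the copy constructor; pointer identity is checked instead of freeing memory, so nothing dangling is ever dereferenced.

```cpp
// Added illustration, not MariaDB code: all types and functions here are
// hypothetical stand-ins for the server classes named in the commit message.
#include <cstddef>
#include <memory>
#include <vector>

struct Item { int id; };
struct Order { Item **item = nullptr; };  // like ORDER::item: a slot in an args array

struct GroupConcat {
    std::vector<Item *> args;                   // per-object arguments array
    std::vector<Order *> order;                 // ORDER BY entries (possibly shared)
    std::vector<std::unique_ptr<Order>> owned;  // ORDER objects this instance owns
};

// Stand-in for find_order_in_list(): repoint each ORDER at gc's own args slots.
void resolve_order(GroupConcat &gc) {
    for (std::size_t i = 0; i < gc.order.size(); ++i)
        gc.order[i]->item = &gc.args[i];
}

// Stand-in for the copy constructor, before (false) and after (true) the fix.
GroupConcat copy_item(const GroupConcat &src, bool copy_orders) {
    GroupConcat c;
    c.args = src.args;                    // fresh arguments array in both variants
    if (!copy_orders) { c.order = src.order; return c; }  // pre-fix: ORDER shared
    for (const Order *o : src.order) {    // post-fix: private ORDER copies
        c.owned.emplace_back(new Order(*o));
        c.order.push_back(c.owned.back().get());
    }
    return c;
}

// One "execution": clone the long-lived object, resolve ORDER BY on the clone,
// then report whether the original's ORDERs still point into its own args.
bool original_survives(bool copy_orders) {
    static Item a{1}, b{2};
    GroupConcat orig;                     // lives across executions
    orig.args = {&a, &b};
    for (int i = 0; i < 2; ++i) {
        orig.owned.emplace_back(new Order());
        orig.order.push_back(orig.owned.back().get());
    }
    resolve_order(orig);
    GroupConcat clone = copy_item(orig, copy_orders);  // short-lived rollup copy
    resolve_order(clone);                 // pre-fix: rewrites the shared ORDERs
    for (std::size_t i = 0; i < orig.order.size(); ++i)
        if (orig.order[i]->item != &orig.args[i]) return false;
    return true;
}

int main() { return (!original_survives(false) && original_survives(true)) ? 0 : 1; }
```

A `false` result means the original's ORDER entries point into the clone's array, which in the server sits on `thd->mem_root` and is gone by the next execution of the prepared statement.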