1
0
mirror of https://github.com/MariaDB/server.git synced 2025-10-24 07:13:33 +03:00
Files
mariadb/mysql-test/r/func_misc.result
Gleb Shchepa 80aa882497 Bug #54461: crash with longblob and union or update with subquery
Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.


******
Bug #54461: crash with longblob and union or update with subquery

Queries may crash, if
  1) the GREATEST or the LEAST function has a mixed list of
     numeric and LONGBLOB arguments and
  2) the result of such a function goes through an intermediate
     temporary table.

An Item that references a LONGBLOB field has max_length of
UINT_MAX32 == (2^32 - 1).

The current implementation of GREATEST/LEAST returns REAL
result for a mixed list of numeric and string arguments (that
contradicts with the current documentation, this contradiction
was discussed and it was decided to update the documentation).

The max_length of such a function call was calculated as a
maximum of argument max_length values (i.e. UINT_MAX32).

That max_length value of UINT_MAX32 was used as a length for
the intermediate temporary table Field_double to hold
GREATEST/LEAST function result.

The Field_double::val_str() method call on that field
allocates a String value.

Since an allocation of String reserves an additional byte
for a zero-termination, the size of String buffer was
set to (UINT_MAX32 + 1), that caused an integer overflow:
actually, an empty buffer of size 0 was allocated.

An initialization of the "first" byte of that zero-size
buffer with '\0' caused a crash.

The Item_func_min_max::fix_length_and_dec() has been
modified to calculate max_length for the REAL result like
we do it for arithmetical operators.



mysql-test/r/func_misc.result:
  Test case for bug #54461.
  
  ******
  Test case for bug #54461.
mysql-test/t/func_misc.test:
  Test case for bug #54461.
  
  ******
  Test case for bug #54461.
sql/item_func.cc:
  Bug #54461: crash with longblob and union or update with subquery
  
  The Item_func_min_max::fix_length_and_dec() has been
  modified to calculate max_length for the REAL result like
  we do it for arithmetical operators.
  
  ******
  Bug #54461: crash with longblob and union or update with subquery
  
  The Item_func_min_max::fix_length_and_dec() has been
  modified to calculate max_length for the REAL result like
  we do it for arithmetical operators.
2010-08-01 22:12:36 +04:00

355 lines
10 KiB
Plaintext

DROP TABLE IF EXISTS t1, t2;
select format(1.5555,0),format(123.5555,1),format(1234.5555,2),format(12345.55555,3),format(123456.5555,4),format(1234567.5555,5),format("12345.2399",2);
format(1.5555,0) format(123.5555,1) format(1234.5555,2) format(12345.55555,3) format(123456.5555,4) format(1234567.5555,5) format("12345.2399",2)
2 123.6 1,234.56 12,345.556 123,456.5555 1,234,567.55550 12,345.24
select inet_ntoa(inet_aton("255.255.255.255.255.255.255.255"));
inet_ntoa(inet_aton("255.255.255.255.255.255.255.255"))
NULL
select inet_aton("255.255.255.255.255"),inet_aton("255.255.1.255"),inet_aton("0.1.255");
inet_aton("255.255.255.255.255") inet_aton("255.255.1.255") inet_aton("0.1.255")
1099511627775 4294902271 65791
select inet_ntoa(1099511627775),inet_ntoa(4294902271),inet_ntoa(511);
inet_ntoa(1099511627775) inet_ntoa(4294902271) inet_ntoa(511)
NULL 255.255.1.255 0.0.1.255
select hex(inet_aton('127'));
hex(inet_aton('127'))
7F
select hex(inet_aton('127.1'));
hex(inet_aton('127.1'))
7F000001
select hex(inet_aton('127.1.1'));
hex(inet_aton('127.1.1'))
7F010001
select length(uuid()), charset(uuid()), length(unhex(replace(uuid(),_utf8'-',_utf8'')));
length(uuid()) charset(uuid()) length(unhex(replace(uuid(),_utf8'-',_utf8'')))
36 utf8 16
set @a= uuid_short();
set @b= uuid_short();
select cast(@a - @b as signed);
cast(@a - @b as signed)
-1
select length(format('nan', 2)) > 0;
length(format('nan', 2)) > 0
1
Warnings:
Warning 1292 Truncated incorrect DOUBLE value: 'nan'
select concat("$",format(2500,2));
concat("$",format(2500,2))
$2,500.00
create table t1 ( a timestamp );
insert into t1 values ( '2004-01-06 12:34' );
select a from t1 where left(a+0,6) in ( left(20040106,6) );
a
2004-01-06 12:34:00
select a from t1 where left(a+0,6) = ( left(20040106,6) );
a
2004-01-06 12:34:00
select a from t1 where right(a+0,6) in ( right(20040106123400,6) );
a
2004-01-06 12:34:00
select a from t1 where right(a+0,6) = ( right(20040106123400,6) );
a
2004-01-06 12:34:00
select a from t1 where mid(a+0,6,3) in ( mid(20040106123400,6,3) );
a
2004-01-06 12:34:00
select a from t1 where mid(a+0,6,3) = ( mid(20040106123400,6,3) );
a
2004-01-06 12:34:00
drop table t1;
CREATE TABLE t1 (conn CHAR(7), connection_id INT);
INSERT INTO t1 VALUES ('default', CONNECTION_ID());
SELECT GET_LOCK('bug16501',600);
GET_LOCK('bug16501',600)
1
INSERT INTO t1 VALUES ('con1', CONNECTION_ID());
SELECT IS_USED_LOCK('bug16501') = connection_id
FROM t1
WHERE conn = 'default';
IS_USED_LOCK('bug16501') = connection_id
1
SELECT GET_LOCK('bug16501',600);
SELECT IS_USED_LOCK('bug16501') = CONNECTION_ID();
IS_USED_LOCK('bug16501') = CONNECTION_ID()
1
SELECT RELEASE_LOCK('bug16501');
RELEASE_LOCK('bug16501')
1
GET_LOCK('bug16501',600)
1
SELECT IS_USED_LOCK('bug16501') = connection_id
FROM t1
WHERE conn = 'con1';
IS_USED_LOCK('bug16501') = connection_id
1
SELECT IS_USED_LOCK('bug16501') = CONNECTION_ID();
IS_USED_LOCK('bug16501') = CONNECTION_ID()
1
SELECT RELEASE_LOCK('bug16501');
RELEASE_LOCK('bug16501')
1
SELECT IS_USED_LOCK('bug16501');
IS_USED_LOCK('bug16501')
NULL
DROP TABLE t1;
select export_set(3, _latin1'foo', _utf8'bar', ',', 4);
export_set(3, _latin1'foo', _utf8'bar', ',', 4)
foo,foo,bar,bar
End of 4.1 tests
create table t1 as select uuid(), length(uuid());
show create table t1;
Table Create Table
t1 CREATE TABLE `t1` (
`uuid()` varchar(36) CHARACTER SET utf8 NOT NULL DEFAULT '',
`length(uuid())` int(10) NOT NULL DEFAULT '0'
) ENGINE=MyISAM DEFAULT CHARSET=latin1
drop table t1;
#------------------------------------------------------------------------
# Tests for Bug#6760 and Bug#12689
SET @row_count = 4;
SET @sleep_time_per_result_row = 1;
SET @max_acceptable_delay = 2;
SET @@global.query_cache_size = 1024 * 64;
DROP TEMPORARY TABLE IF EXISTS t_history;
DROP TABLE IF EXISTS t1;
CREATE TEMPORARY TABLE t_history (attempt SMALLINT,
start_ts DATETIME, end_ts DATETIME,
start_cached INTEGER, end_cached INTEGER);
CREATE TABLE t1 (f1 BIGINT);
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
INSERT INTO t_history
SET attempt = 4 - 4 + 1, start_ts = NOW(),
start_cached = 0;
SELECT *, SLEEP(@sleep_time_per_result_row) FROM t1;
f1 SLEEP(@sleep_time_per_result_row)
1 0
1 0
1 0
1 0
UPDATE t_history SET end_ts = NOW()
WHERE attempt = 4 - 4 + 1;
UPDATE t_history SET end_cached = 0
WHERE attempt = 4 - 4 + 1;
INSERT INTO t_history
SET attempt = 4 - 3 + 1, start_ts = NOW(),
start_cached = 0;
SELECT *, SLEEP(@sleep_time_per_result_row) FROM t1;
f1 SLEEP(@sleep_time_per_result_row)
1 0
1 0
1 0
1 0
UPDATE t_history SET end_ts = NOW()
WHERE attempt = 4 - 3 + 1;
UPDATE t_history SET end_cached = 0
WHERE attempt = 4 - 3 + 1;
INSERT INTO t_history
SET attempt = 4 - 2 + 1, start_ts = NOW(),
start_cached = 0;
SELECT *, SLEEP(@sleep_time_per_result_row) FROM t1;
f1 SLEEP(@sleep_time_per_result_row)
1 0
1 0
1 0
1 0
UPDATE t_history SET end_ts = NOW()
WHERE attempt = 4 - 2 + 1;
UPDATE t_history SET end_cached = 0
WHERE attempt = 4 - 2 + 1;
INSERT INTO t_history
SET attempt = 4 - 1 + 1, start_ts = NOW(),
start_cached = 0;
SELECT *, SLEEP(@sleep_time_per_result_row) FROM t1;
f1 SLEEP(@sleep_time_per_result_row)
1 0
1 0
1 0
1 0
UPDATE t_history SET end_ts = NOW()
WHERE attempt = 4 - 1 + 1;
UPDATE t_history SET end_cached = 0
WHERE attempt = 4 - 1 + 1;
# Test 1: Does the query with SLEEP need a reasonable time?
SELECT COUNT(*) >= 4 - 1 INTO @aux1 FROM t_history
WHERE TIMEDIFF(end_ts,start_ts) - @sleep_time_per_result_row * @row_count
BETWEEN 0 AND @max_acceptable_delay;
SELECT @aux1 AS "Expect 1";
Expect 1
1
# Test 2: Does the query with SLEEP need a reasonable time even in case
# of the non first execution?
SELECT COUNT(*) >= 4 - 1 - 1 INTO @aux2 FROM t_history
WHERE TIMEDIFF(end_ts,start_ts) - @sleep_time_per_result_row * @row_count
BETWEEN 0 AND @max_acceptable_delay
AND attempt > 1;
SELECT @aux2 AS "Expect 1";
Expect 1
1
# Test 3: The query with SLEEP must be not cached.
SELECT COUNT(*) = 4 INTO @aux3 FROM t_history
WHERE end_cached = start_cached;
SELECT @aux3 AS "Expect 1";
Expect 1
1
DROP TABLE t1;
DROP TEMPORARY TABLE t_history;
SET @@global.query_cache_size = default;
create table t1 select INET_ATON('255.255.0.1') as `a`;
show create table t1;
Table Create Table
t1 CREATE TABLE `t1` (
`a` bigint(21) unsigned DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1
drop table t1;
drop table if exists table_26093;
drop function if exists func_26093_a;
drop function if exists func_26093_b;
create table table_26093(a int);
insert into table_26093 values
(1), (2), (3), (4), (5),
(6), (7), (8), (9), (10);
create function func_26093_a(x int) returns int
begin
set @invoked := @invoked + 1;
return x;
end//
create function func_26093_b(x int, y int) returns int
begin
set @invoked := @invoked + 1;
return x;
end//
select avg(a) from table_26093;
avg(a)
5.5000
select benchmark(100, (select avg(a) from table_26093));
benchmark(100, (select avg(a) from table_26093))
0
set @invoked := 0;
select benchmark(100, (select avg(func_26093_a(a)) from table_26093));
benchmark(100, (select avg(func_26093_a(a)) from table_26093))
0
select @invoked;
@invoked
10
set @invoked := 0;
select benchmark(100, (select avg(func_26093_b(a, rand())) from table_26093));
benchmark(100, (select avg(func_26093_b(a, rand())) from table_26093))
0
select @invoked;
@invoked
1000
select benchmark(100, (select (a) from table_26093));
ERROR 21000: Subquery returns more than 1 row
select benchmark(100, (select 1, 1));
ERROR 21000: Operand should contain 1 column(s)
drop table table_26093;
drop function func_26093_a;
drop function func_26093_b;
SELECT NAME_CONST('test', NOW());
ERROR HY000: Incorrect arguments to NAME_CONST
SELECT NAME_CONST('test', UPPER('test'));
ERROR HY000: Incorrect arguments to NAME_CONST
SELECT NAME_CONST('test', NULL);
test
NULL
SELECT NAME_CONST('test', 1);
test
1
SELECT NAME_CONST('test', -1);
test
-1
SELECT NAME_CONST('test', 1.0);
test
1.0
SELECT NAME_CONST('test', -1.0);
test
-1.0
SELECT NAME_CONST('test', 'test');
test
test
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2),(3);
SELECT NAME_CONST('flag',1) * MAX(a) FROM t1;
NAME_CONST('flag',1) * MAX(a)
3
SELECT NAME_CONST('flag',1.5) * MAX(a) FROM t1;
NAME_CONST('flag',1.5) * MAX(a)
4.5
SELECT NAME_CONST('flag',-1) * MAX(a) FROM t1;
NAME_CONST('flag',-1) * MAX(a)
-3
SELECT NAME_CONST('flag',-1.5) * MAX(a) FROM t1;
NAME_CONST('flag',-1.5) * MAX(a)
-4.5
SELECT NAME_CONST('flag', SQRT(4)) * MAX(a) FROM t1;
ERROR HY000: Incorrect arguments to NAME_CONST
SELECT NAME_CONST('flag',-SQRT(4)) * MAX(a) FROM t1;
ERROR HY000: Incorrect arguments to NAME_CONST
DROP TABLE t1;
CREATE TABLE t1 (a int);
INSERT INTO t1 VALUES (5), (2);
SELECT NAME_CONST(x,2) FROM (SELECT a x FROM t1) t;
ERROR HY000: Incorrect arguments to NAME_CONST
DROP TABLE t1;
CREATE TABLE t1(a INT);
INSERT INTO t1 VALUES (), (), ();
SELECT NAME_CONST(a, '1') FROM t1;
ERROR HY000: Incorrect arguments to NAME_CONST
SET INSERT_ID= NAME_CONST(a, a);
ERROR HY000: Incorrect arguments to NAME_CONST
DROP TABLE t1;
create table t1 (a int not null);
insert into t1 values (-1), (-2);
select min(a) from t1 group by inet_ntoa(a);
min(a)
-2
drop table t1;
SELECT NAME_CONST('var', 'value') COLLATE latin1_general_cs;
NAME_CONST('var', 'value') COLLATE latin1_general_cs
value
select @@session.time_zone into @save_tz;
set @@session.time_zone='UTC';
select uuid() into @my_uuid;
select mid(@my_uuid,15,1);
mid(@my_uuid,15,1)
1
select 24 * 60 * 60 * 1000 * 1000 * 10 into @my_uuid_one_day;
select concat('0',mid(@my_uuid,16,3),mid(@my_uuid,10,4),left(@my_uuid,8)) into @my_uuidate;
select floor(conv(@my_uuidate,16,10)/@my_uuid_one_day) into @my_uuid_date;
select 141427 + datediff(curdate(),'1970-01-01') into @my_uuid_synthetic;
select @my_uuid_date - @my_uuid_synthetic;
@my_uuid_date - @my_uuid_synthetic
0
set @@session.time_zone=@save_tz;
CREATE TABLE t1 (a DATE);
SELECT * FROM t1 WHERE a = NAME_CONST('reportDate',
_binary'2009-01-09' COLLATE 'binary');
a
DROP TABLE t1;
select NAME_CONST('_id',1234) as id;
id
1234
End of 5.0 tests
select connection_id() > 0;
connection_id() > 0
1
#
# Bug #54461: crash with longblob and union or update with subquery
#
CREATE TABLE t1 (a INT, b LONGBLOB);
INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2');
SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
LEAST(a, (SELECT b FROM t1 LIMIT 1))
1
2
SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
GREATEST(a, (SELECT b FROM t1 LIMIT 1))
2
3
1
DROP TABLE t1;
End of tests