From 55852670ccc6f8173fef7b26b544213ac0829dc0 Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Wed, 31 Mar 2010 17:00:56 +0400 Subject: [PATCH] Fix for bug#52397: another crash with explain extended and group_concat Problem: EXPLAIN EXTENDED was trying to resolve references to freed temporary table fields for GROUP_CONCAT()'s ORDER BY arguments. Fix: use stored original GROUP_CONCAT()'s arguments in such a case. mysql-test/r/func_gconcat.result: Fix for bug#52397: another crash with explain extended and group_concat - test result. mysql-test/t/func_gconcat.test: Fix for bug#52397: another crash with explain extended and group_concat - test case. sql/item_sum.cc: Fix for bug#52397: another crash with explain extended and group_concat - use "pargs", printing ORDER BY arguments in the Item_func_group_concat::print() instead of "order" to avoid possible reference resolving to (freed) temporary table fields. --- mysql-test/r/func_gconcat.result | 15 +++++++++++++++ mysql-test/t/func_gconcat.test | 12 ++++++++++++ sql/item_sum.cc | 2 +- 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result index 8d1fcade88d..766f3b6bfaa 100644 --- a/mysql-test/r/func_gconcat.result +++ b/mysql-test/r/func_gconcat.result 
@@ -995,4 +995,19 @@ SELECT 1 FROM 1 1 DROP TABLE t1; +# +# Bug #52397: another crash with explain extended and group_concat +# +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (0), (0); +EXPLAIN EXTENDED SELECT 1 FROM +(SELECT GROUP_CONCAT(t1.a ORDER BY t1.a ASC) FROM +t1 t2, t1 GROUP BY t1.a) AS d; +id select_type table type possible_keys key key_len ref rows filtered Extra +1 PRIMARY system NULL NULL NULL NULL 1 100.00 +2 DERIVED t2 ALL NULL NULL NULL NULL 2 100.00 Using temporary; Using filesort +2 DERIVED t1 ALL NULL NULL NULL NULL 2 100.00 Using join buffer +Warnings: +Note 1003 select 1 AS `1` from (select group_concat(`test`.`t1`.`a` order by `test`.`t1`.`a` ASC separator ',') AS `GROUP_CONCAT(t1.a ORDER BY t1.a ASC)` from `test`.`t1` `t2` join `test`.`t1` group by `test`.`t1`.`a`) `d` +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test index cfb4cdc9ecd..e832ea316eb 100644 --- a/mysql-test/t/func_gconcat.test +++ b/mysql-test/t/func_gconcat.test @@ -708,4 +708,16 @@ SELECT 1 FROM DROP TABLE t1; + +--echo # +--echo # Bug #52397: another crash with explain extended and group_concat +--echo # +CREATE TABLE t1 (a INT); +INSERT INTO t1 VALUES (0), (0); +EXPLAIN EXTENDED SELECT 1 FROM + (SELECT GROUP_CONCAT(t1.a ORDER BY t1.a ASC) FROM + t1 t2, t1 GROUP BY t1.a) AS d; +DROP TABLE t1; + + --echo End of 5.0 tests diff --git a/sql/item_sum.cc b/sql/item_sum.cc index c36fb8b8d64..8c1e5501a1b 100644 --- a/sql/item_sum.cc +++ b/sql/item_sum.cc @@ -3420,7 +3420,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type) { if (i) str->append(','); - (*order[i]->item)->print(str, query_type); + pargs[i + arg_count_field]->print(str, query_type); if (order[i]->asc) str->append(STRING_WITH_LEN(" ASC")); else
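Review bot: The test case added to mysql-test/t/func_gconcat.test only exercises the trivial offset, because GROUP_CONCAT has one field argument and one ORDER BY expression, so the fixed print() path runs only with `i` equal to 0. A second statement with several arguments and sort keys, for example `GROUP_CONCAT(t1.a, t2.a ORDER BY t1.a ASC, t2.a DESC)` in the same derived-table query, would check that each ORDER BY item is printed from the right saved argument and that DESC is preserved. The matching expected output would have to be recorded in func_gconcat.result as well.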
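Review bot: The new `pargs[i + arg_count_field]` lookup in sql/item_sum.cc relies on an invariant the hunk does not state: that the saved ORDER BY items sit in `pargs` directly after the field arguments and in the same order as `order[]`. If that layout ever changes, this line prints the wrong item or indexes past the array. A short comment on the line would record why `order[i]->item` must not be used, e.g. `/* order[i]->item may refer to freed temp-table fields (EXPLAIN EXTENDED); print the saved original argument */`. The next line still reads `order[i]->asc`, which looks safe since only the item pointer is resolved against the temporary table, but that is inferred from the commit message and worth confirming. The loop header and the rest of print() lie outside the hunk, so the bound on `i` cannot be checked from here.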