Fixed bug #30396.

The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition. The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates. mysql-test/r/select.result: Added a test case for bug #30396. mysql-test/t/select.test: Added a test case for bug #30396. sql/item_cmpfunc.h: Removed max_members from the COND_EQUAL class as not useful anymore. sql/sql_base.cc: Added the max_equal_elems field to the st_select_lex structure. sql/sql_lex.cc: Added the max_equal_elems field to the st_select_lex structure. sql/sql_lex.h: Added the max_equal_elems field to the st_select_lex structure. The field contains the maximal number of elements in multiple equalities built for the query conditions. sql/sql_select.cc: Fixed bug #30396. The bug caused memory corruption for some queries with top OR level in the WHERE condition if they contained equality predicates and other sargable predicates in disjunctive parts of the condition. The corruption happened because the upper bound of the memory allocated for KEY_FIELD and SARGABLE_PARAM internal structures containing info about potential lookup keys was calculated incorrectly in some cases. In particular it was calculated incorrectly when the WHERE condition was an OR formula with disjuncts being AND formulas including equalities and other sargable predicates. The max_equal_elems field to the st_select_lex structure is used now to calculate the above mentioned upper bound. The field contains the maximal number of elements in multiple equalities built for the query conditions.
2026-05-15 11:27:39 +02:00 · 2007-08-15 10:24:18 -07:00 · 2007-08-15 10:24:18 -07:00 · a8f8e5483e
commit a8f8e5483e
parent 83fdcb2b7b
7 changed files with 133 additions and 28 deletions
--- a/mysql-test/t/select.test
+++ b/mysql-test/t/select.test
@ -3400,4 +3400,64 @@ eval EXPLAIN SELECT c1 FROM t1 WHERE $q > 0;

 DROP TABLE t1;

+#
+# Bug #30396: crash for a join with equalities and sargable predicates
+#             in disjunctive parts of the WHERE condition 
+#
+
+CREATE TABLE t1 (
+  c1 int(11) NOT NULL AUTO_INCREMENT,
+  c2 varchar(1000) DEFAULT NULL,
+  c3 bigint(20) DEFAULT NULL,
+  c4 bigint(20) DEFAULT NULL,
+  PRIMARY KEY (c1)
+);
+
+EXPLAIN EXTENDED 
+SELECT  join_2.c1  
+FROM 
+	t1 AS join_0, 
+	t1 AS join_1, 
+	t1 AS join_2, 
+	t1 AS join_3, 
+	t1 AS join_4, 
+	t1 AS join_5, 
+	t1 AS join_6, 
+	t1 AS join_7
+WHERE 
+	join_0.c1=join_1.c1  AND 
+	join_1.c1=join_2.c1  AND 
+	join_2.c1=join_3.c1  AND 
+	join_3.c1=join_4.c1  AND 
+	join_4.c1=join_5.c1  AND 
+	join_5.c1=join_6.c1  AND 
+	join_6.c1=join_7.c1 
+         OR 
+	join_0.c2 < '?'  AND 
+	join_1.c2 < '?'  AND
+	join_2.c2 > '?'  AND
+	join_2.c2 < '!'  AND
+	join_3.c2 > '?'  AND 
+	join_4.c2 = '?'  AND 
+	join_5.c2 <> '?' AND
+	join_6.c2 <> '?' AND 
+	join_7.c2 >= '?' AND
+        join_0.c1=join_1.c1  AND 
+	join_1.c1=join_2.c1  AND 
+        join_2.c1=join_3.c1  AND
+	join_3.c1=join_4.c1  AND 
+	join_4.c1=join_5.c1  AND 
+	join_5.c1=join_6.c1  AND 
+	join_6.c1=join_7.c1
+GROUP BY 
+	join_3.c1,
+	join_2.c1,
+	join_7.c1,
+	join_1.c1,
+	join_0.c1;
+	
+SHOW WARNINGS;
+
+DROP TABLE t1;
+
 --echo End of 5.0 tests