mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2026-04-28 11:15:33 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fixed bug lp:825018

Browse source 
Analysis:
During the first execution of the query through the stored
procedure, the optimization phase calls
substitute_for_best_equal_field(), which calls
Item_in_optimizer::transform(). The latter replaces
Item_in_subselect::left_expr with args[0] via assignment.
In this test case args[0] is an Item_outer_ref which is
created/deallocated for each re-execution. As a result,
during the second execution Item_in_subselect::left_expr
pointed to freed memory, which resulted in a crash.

Solution:
The solution is to use change_item_tree(), so that the
origianal left expression is restored after each execution.
This commit is contained in:
unknown 2011-08-23 15:39:15 +03:00
commit c1a6dbe5b2
3 changed files with 75 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
sql/item_cmpfunc.cc
View file

@ -1804,7 +1804,7 @@ Item *Item_in_optimizer::transform(Item_transformer transformer, uchar *argument
Item_subselect::ANY_SUBS));
Item_in_subselect *in_arg= (Item_in_subselect*)args[1];
in_arg->left_expr= args[0];
current_thd->change_item_tree(&in_arg->left_expr, args[0]);
}
return (this->*transformer)(argument);
}