mirror of
https://github.com/MariaDB/server.git
synced 2025-01-18 04:53:01 +01:00
6df6c8ee95
crashes server!
The problem affects the scenario when index merge is followed by a filesort
and the sort buffer is not big enough for all the sort keys.
In this case the filesort function will read the data to the end through the
index merge quick access method (and thus closing the cursor etc),
but will leave the pointer to the quick select method in place.
It will then create a temporary file to hold the results of the filesort and
will add it as a sort output file (in sort.io_cache).
Note that filesort will copy the original 'sort' structure in an automatic
variable and restore it after it's done.
As a result at exiting filesort() we have a sort.io_cache filled in and
nothing else (as a result of close of the cursors at end of reading data
through index merge).
Now create_sort_index() will note that there is a select and will clean it up
(as it's been used already by filesort() reading the data in). While doing that
a special case in the index merge destructor will clean up the sort.io_cache,
assuming it's an output of the index merge method and is not needed anymore.
As a result the code that tries to read the data back from the filesort output
will get no data in both memory and disk and will crash.
Fixed similarly to how filesort() does it : by copying the sort.io_cache structure
to a local variable, removing the pointer to the io_cache (so that it's not freed
by QUICK_INDEX_MERGE_SELECT::~QUICK_INDEX_MERGE_SELECT) and restoring the original
structure (together with the valid pointer) after the cleanup is done.
This is a safe thing to do because all the structures are already cleaned up by
hitting the end of the index merge's read method (QUICK_INDEX_MERGE_SELECT::get_next())
and the cleanup code being written in a way that tolerates repeating cleanups.
mysql-test/r/index_merge.result:
Bug #44810: test case
mysql-test/t/index_merge.test:
Bug #44810: test case
sql/sql_select.cc:
Bug #44810: preserve the io_cache produced by filesort while cleaning up
the index merge quick access method (QUICK_INDEX_MERGE_SELECT).
|
||
|---|---|---|
| .. | ||
| examples | ||
| share | ||
| .cvsignore | ||
| add_errmsg | ||
| client_settings.h | ||
| CMakeLists.txt | ||
| custom_conf.h | ||
| derror.cc | ||
| des_key_file.cc | ||
| discover.cc | ||
| field.cc | ||
| field.h | ||
| field_conv.cc | ||
| filesort.cc | ||
| frm_crypt.cc | ||
| gen_lex_hash.cc | ||
| gstream.cc | ||
| gstream.h | ||
| ha_archive.cc | ||
| ha_archive.h | ||
| ha_berkeley.cc | ||
| ha_berkeley.h | ||
| ha_blackhole.cc | ||
| ha_blackhole.h | ||
| ha_federated.cc | ||
| ha_federated.h | ||
| ha_heap.cc | ||
| ha_heap.h | ||
| ha_innodb.cc | ||
| ha_innodb.h | ||
| ha_myisam.cc | ||
| ha_myisam.h | ||
| ha_myisammrg.cc | ||
| ha_myisammrg.h | ||
| ha_ndbcluster.cc | ||
| ha_ndbcluster.h | ||
| ha_ndbcluster_cond.cc | ||
| ha_ndbcluster_cond.h | ||
| handler.cc | ||
| handler.h | ||
| hash_filo.cc | ||
| hash_filo.h | ||
| hostname.cc | ||
| init.cc | ||
| item.cc | ||
| item.h | ||
| item_buff.cc | ||
| item_cmpfunc.cc | ||
| item_cmpfunc.h | ||
| item_create.cc | ||
| item_create.h | ||
| item_func.cc | ||
| item_func.h | ||
| item_geofunc.cc | ||
| item_geofunc.h | ||
| item_row.cc | ||
| item_row.h | ||
| item_strfunc.cc | ||
| item_strfunc.h | ||
| item_subselect.cc | ||
| item_subselect.h | ||
| item_sum.cc | ||
| item_sum.h | ||
| item_timefunc.cc | ||
| item_timefunc.h | ||
| item_uniq.cc | ||
| item_uniq.h | ||
| key.cc | ||
| lex.h | ||
| lex_symbol.h | ||
| lock.cc | ||
| log.cc | ||
| log_event.cc | ||
| log_event.h | ||
| Makefile.am | ||
| matherr.c | ||
| message.h | ||
| message.mc | ||
| message.rc | ||
| mf_iocache.cc | ||
| MSG00001.bin | ||
| my_decimal.cc | ||
| my_decimal.h | ||
| my_lock.c | ||
| mysql_priv.h | ||
| mysqld.cc | ||
| mysqld_suffix.h | ||
| net_serv.cc | ||
| nt_servc.cc | ||
| nt_servc.h | ||
| opt_range.cc | ||
| opt_range.h | ||
| opt_sum.cc | ||
| parse_file.cc | ||
| parse_file.h | ||
| password.c | ||
| procedure.cc | ||
| procedure.h | ||
| protocol.cc | ||
| protocol.h | ||
| records.cc | ||
| repl_failsafe.cc | ||
| repl_failsafe.h | ||
| set_var.cc | ||
| set_var.h | ||
| slave.cc | ||
| slave.h | ||
| sp.cc | ||
| sp.h | ||
| sp_cache.cc | ||
| sp_cache.h | ||
| sp_head.cc | ||
| sp_head.h | ||
| sp_pcontext.cc | ||
| sp_pcontext.h | ||
| sp_rcontext.cc | ||
| sp_rcontext.h | ||
| spatial.cc | ||
| spatial.h | ||
| sql_acl.cc | ||
| sql_acl.h | ||
| sql_analyse.cc | ||
| sql_analyse.h | ||
| sql_array.h | ||
| sql_base.cc | ||
| sql_bitmap.h | ||
| sql_cache.cc | ||
| sql_cache.h | ||
| sql_class.cc | ||
| sql_class.h | ||
| sql_client.cc | ||
| sql_crypt.cc | ||
| sql_crypt.h | ||
| sql_cursor.cc | ||
| sql_cursor.h | ||
| sql_db.cc | ||
| sql_delete.cc | ||
| sql_derived.cc | ||
| sql_do.cc | ||
| sql_error.cc | ||
| sql_error.h | ||
| sql_handler.cc | ||
| sql_help.cc | ||
| sql_insert.cc | ||
| sql_lex.cc | ||
| sql_lex.h | ||
| sql_list.cc | ||
| sql_list.h | ||
| sql_load.cc | ||
| sql_locale.cc | ||
| sql_manager.cc | ||
| sql_manager.h | ||
| sql_map.cc | ||
| sql_map.h | ||
| sql_olap.cc | ||
| sql_parse.cc | ||
| sql_prepare.cc | ||
| sql_profile.cc | ||
| sql_profile.h | ||
| sql_rename.cc | ||
| sql_repl.cc | ||
| sql_repl.h | ||
| sql_select.cc | ||
| sql_select.h | ||
| sql_show.cc | ||
| sql_sort.h | ||
| sql_state.c | ||
| sql_string.cc | ||
| sql_string.h | ||
| sql_table.cc | ||
| sql_test.cc | ||
| sql_trigger.cc | ||
| sql_trigger.h | ||
| sql_udf.cc | ||
| sql_udf.h | ||
| sql_union.cc | ||
| sql_update.cc | ||
| sql_view.cc | ||
| sql_view.h | ||
| sql_yacc.yy | ||
| stacktrace.c | ||
| stacktrace.h | ||
| strfunc.cc | ||
| structs.h | ||
| table.cc | ||
| table.h | ||
| thr_malloc.cc | ||
| time.cc | ||
| tzfile.h | ||
| tztime.cc | ||
| tztime.h | ||
| udf_example.c | ||
| udf_example.def | ||
| uniques.cc | ||
| unireg.cc | ||
| unireg.h | ||
| watchdog_mysqld | ||