From 8c4ff24b5694ea50a5a665ec24d2dd14f3558158 Mon Sep 17 00:00:00 2001 From: unknown Date: Sat, 2 Jun 2007 11:44:16 -0700 Subject: [PATCH] Fixed bug #28728: a crash when executing EXPLAIN EXTENDED for a query using a derived table over a grouping subselect. This crash happens only when materialization of the derived tables requires creation of auxiliary temporary table, for example when a grouping operation is carried out with usage of a temporary table. The crash happened because EXPLAIN EXTENDED when printing the query expression made an attempt to use the objects created in the mem_root of the temporary table which has been already freed by the moment when printing is called. This bug appeared after the method Item_field::print() had been introduced. mysql-test/r/subselect.result: Added a test case for bug #28728. mysql-test/t/subselect.test: Added a test case for bug #28728. sql/sql_select.cc: Fixed bug #28728: a crash when executing EXPLAIN EXTENDED for a query using a derived table over a grouping subselect. The crash happened because EXPLAIN EXTENDED when printing the query expression made an attempt to use the objects created in the mem_root of the temporary table which has been already freed by the moment when printing is accomplished. The fix in JOIN::exec() ensures using existing objects when printing subselects for a derived tables by EXPLAIN EXTENDED. --- mysql-test/r/subselect.result | 10 ++++++++++ mysql-test/t/subselect.test | 14 ++++++++++++++ sql/sql_select.cc | 11 +++++++++++ 3 files changed, 35 insertions(+) diff --git a/mysql-test/r/subselect.result b/mysql-test/r/subselect.result index 92a4a6f3f5a..ba487cb859d 100644 --- a/mysql-test/r/subselect.result +++ b/mysql-test/r/subselect.result @@ -4071,4 +4071,14 @@ id st 2 GA 4 FL DROP TABLE t1,t2; +CREATE TABLE t1 (a int); +INSERT INTO t1 VALUES (1), (2); +EXPLAIN EXTENDED +SELECT * FROM (SELECT count(*) FROM t1 GROUP BY a) as res; +id select_type table type possible_keys key key_len ref rows Extra +1 PRIMARY ALL NULL NULL NULL NULL 2 +2 DERIVED t1 ALL NULL NULL NULL NULL 2 Using temporary; Using filesort +Warnings: +Note 1003 select `res`.`count(*)` AS `count(*)` from (select count(0) AS `count(*)` from `test`.`t1` group by `test`.`t1`.`a`) `res` +DROP TABLE t1; End of 5.0 tests. diff --git a/mysql-test/t/subselect.test b/mysql-test/t/subselect.test index 5840e434b64..d565070835e 100644 --- a/mysql-test/t/subselect.test +++ b/mysql-test/t/subselect.test @@ -2906,4 +2906,18 @@ SELECT id, st FROM t1 DROP TABLE t1,t2; +# +# Bug #28728: crash with EXPLAIN EXTENDED for a query with a derived table +# over a grouping subselect +# + +CREATE TABLE t1 (a int); + +INSERT INTO t1 VALUES (1), (2); + +EXPLAIN EXTENDED +SELECT * FROM (SELECT count(*) FROM t1 GROUP BY a) as res; + +DROP TABLE t1; + --echo End of 5.0 tests. diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 78d213a45c4..41688794721 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -2075,6 +2075,17 @@ JOIN::exec() thd->examined_row_count+= curr_join->examined_rows; DBUG_PRINT("counts", ("thd->examined_row_count: %lu", (ulong) thd->examined_row_count)); + + /* + With EXPLAIN EXTENDED we have to restore original ref_array + for a derived table which is always materialized. + Otherwise we would not be able to print the query correctly. + */ + if (items0 && + (thd->lex->describe & DESCRIBE_EXTENDED) && + select_lex->linkage == DERIVED_TABLE_TYPE) + set_items_ref_array(items0); + DBUG_VOID_RETURN; }