MDEV-28509 Dereferenced null pointer of type 'struct JOIN_TAB' in add_key_field #2821
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
spetrunia
reviewed
Nov 9, 2023
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
from
acd5099
to
a5bda76
Compare
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
from
a5bda76
to
e0517ee
Compare
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
2 times, most recently
from
e03e3d2
to
d1dfc95
Compare
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
from
d1dfc95
to
7cefbe5
Compare
DaveGosselin-MariaDB
requested review from
vuvova
and removed request for
spetrunia
vuvova
reviewed
Feb 23, 2024
sql/sql_select.cc
Outdated
| _work(); | ||
| } | ||
| }; | ||
|
|
There was a problem hiding this comment.
No, don't do that. You can use SCOPE_EXIT from include/scope.h
There was a problem hiding this comment.
I missed scope_exit, thank you; it does exactly what I need 👍
There was a problem hiding this comment.
uppercase. Like
SCOPE_EXIT([order] () {
...
});
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
from
7cefbe5
to
552a005
Compare
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
4 times, most recently
from
e8bb18d
to
a4a4699
Compare
…_key_field This patch fixes a crash when calculating join statistics during query optimization for queries with dangling WINDOW references. Put another way, the system may crash when a query defines a WINDOW but doesn't then refer to it. Item::marker is overloaded for different uses, the most typical refer to it as a bit field. However, the setup_group function uses it to mark that a field was found when traversing a GROUP BY. Originally, this marking set the Item::marker field to 1 to indicate that it was found. Later on in setup_group (and only when SQL mode ONLY_FULL_GROUP_BY is enabled), we would skip any such marked fields when checking that fields only referenced those found in the GROUP BY; otherwise, it would be silly to find fields of the GROUP BY within the GROUP BY field itself. Setting Item::marker to 1 seemed mostly harmless at that point in time. But later, in git sha 4d143a6, we introduced several changes: (1) the value of marker in setup_group was changed from 1 to UNDEF_POS, (2) Item::marker was changed from uint8 to int8 (which has since been changed to an int), and (3) UNDEF_POS which is defined to be -1 was also added. Queries that define WINDOWs internally will setup groups and orders as part of query processing via the setup_group function. Consequently because of the behavior described earlier above, such queries may have items with markers as UNDEF_POS (-1, or 0xffffffff) which is the same as marking all of the flag bits as set. This is disastrous for those users of Item::marker which refer to it as a bit field as some of those bits are mutually exclusive in meaning, and in many places we don't mask the bits we're interested in, we just compare the value of the field as a whole to some flag value with direct comparison. In particular, the method Item_direct_view_ref::grouping_field_transformer_for_where would incorrectly see that the ref's marker was set for substitution when it was actually -1, all bits set, taking the wrong execution path leading to the crash. Upon return from the setup_group function, we set the value of the marker flag to zero if we set it to -1. This preserves the marker behavior for 'full group by' (if configured) while not otherwise allowing the marker flag state to leak outside of this function.
DaveGosselin-MariaDB
force-pushed
the
bb-10.4-mdev-28509
branch
from
a4a4699
to
777ba7f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch fixes a crash when calculating join statistics during query
optimization for queries with dangling WINDOW references. Put another way,
the system may crash when a query defines a WINDOW but doesn't then refer to
it.
Item::marker is overloaded for different uses, the most typical refer to it as
a bit field. However, the setup_group function uses it to mark that a field
was found when traversing a GROUP BY. Originally, this marking set the
Item::marker field to 1 to indicate that it was found. Later on in setup_group
(and only when SQL mode ONLY_FULL_GROUP_BY is enabled), we would skip any such
marked fields when checking that fields only referenced those found in the
GROUP BY; otherwise, it would be silly to find fields of the GROUP BY within
the GROUP BY field itself. Setting Item::marker to 1 seemed mostly harmless
at that point in time. But later, in git sha 4d143a6, we introduced
several changes: (1) the value of marker in setup_group was changed from 1 to
UNDEF_POS, (2) Item::marker was changed from uint8 to int8 (which has since
been changed to an int), and (3) UNDEF_POS which is defined to be -1 was also
added.
Queries that define WINDOWs internally will setup groups and orders as part
of query processing via the setup_group function. Consequently because of
the behavior described earlier above, such queries may have items with markers
as UNDEF_POS (-1, or 0xffffffff) which is the same as marking all of the flag
bits as set. This is disastrous for those users of Item::marker which refer
to it as a bit field as some of those bits are mutually exclusive in meaning,
and in many places we don't mask the bits we're interested in, we just
compare the value of the field as a whole to some flag value with direct
comparison. In particular, the method
Item_direct_view_ref::grouping_field_transformer_for_where would
incorrectly see that the ref's marker was set for substitution when it was
actually -1, all bits set, taking the wrong execution path leading to the
crash.
Upon return from the setup_group function, we set the value of the marker
flag to zero if we set it to -1. This preserves the marker behavior for
'full group by' (if configured) while not otherwise allowing the marker
flag state to leak outside of this function.