Bug#16095534 CRASH: PREPARED STATEMENT CRASHES IN ITEM_BOOL_FUNC2::FIX_LENGTH_AND_DEC

The problem happened due to broken left expression in Item_in_optimizer object. In case of the bug left expression is runtime created Item_outer_ref item which is deleted at the end of the statement and one of Item_in_optimizer arguments becomes bad when re-executed. The fix is to use real_item() instead of original left expression. Note: It feels a bit weird that after preparing, the field is directly part of the generated Item_func_eq, whereas in execution it is replaced with an Item_outer_ref wrapper object.

Bug#16095534 CRASH: PREPARED STATEMENT CRASHES IN ITEM_BOOL_FUNC2::FIX_LENGTH_AND_DEC
The problem happened due to broken left expression in Item_in_optimizer object. In case of the bug left expression is runtime created Item_outer_ref item which is deleted at the end of the statement and one of Item_in_optimizer arguments becomes bad when re-executed. The fix is to use real_item() instead of original left expression. Note: It feels a bit weird that after preparing, the field is directly part of the generated Item_func_eq, whereas in execution it is replaced with an Item_outer_ref wrapper object.
a2503315 · Sergey Glukhov · 068e6673 · a2503315
Commit a2503315 authored May 07, 2013 by Sergey Glukhov
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 4 deletions

sql/item_subselect.cc sql/item_subselect.cc +19 -4

No files found.
--- a/sql/item_subselect.cc
+++ b/sql/item_subselect.cc
@@ -1054,8 +1054,15 @@ Item_in_subselect::single_value_transformer(JOIN *join,
      if (upper_item)
        upper_item->set_sub_test(item);
    }
-    /* fix fields is already called for  left expression */
+    /*
-    substitution= func->create(left_expr, subs);
+      fix fields is already called for  left expression.
+      Note that real_item() should be used instead of
+      original left expression because left_expr can be
+      runtime created Ref item which is deleted at the end
+      of the statement. Thus one of 'substitution' arguments
+      can be broken in case of PS.
+    */ 
+    substitution= func->create(left_expr->real_item(), subs);
    DBUG_RETURN(RES_OK);
  }
@@ -1249,8 +1256,16 @@ Item_in_subselect::single_value_transformer(JOIN *join,
        // select and is not outer anymore.
        item->walk(&Item::remove_dependence_processor, 0,
                           (uchar *) select_lex->outer_select());
-	item= func->create(left_expr, item);
+        item= func->create(left_expr->real_item(), item);
-	// fix_field of item will be done in time of substituting
+        /*
+          fix_field of substitution item will be done in time of
+          substituting.
+          Note that real_item() should be used instead of
+          original left expression because left_expr can be
+          runtime created Ref item which is deleted at the end
+          of the statement. Thus one of 'substitution' arguments
+          can be broken in case of PS.
+        */ 
 	substitution= item;
 	have_to_be_excluded= 1;
 	if (thd->lex->describe)