Bug #22270139: SERVER CRASH WHEN TRYING TO COUNT THE

Sreeharsha Ramanavarapu · Sreeharsha Ramanavarapu · commit feda5a92ed84 · 2015-12-23T13:43:04.000+05:30
RESULTS OF A SUBQUERY USING FULLTEXT

Issue:
-----
These issues occur under the following conditions:

1) A derived table is merged into the outer query block.
2) The same match function is used in the select-list and
   where clause of the derived table.

The following are the problem areas:
a) When a select count(*) without group-by is used in the
outer-query, opt_sum_query tries to set the hints for the
where condition. This is not allowed since, hints for slave
(i.e., the where condition) are not accessed.

But this where condition already has a master that has been
set by the setup_ftfuncs. The result is an assert.

b) While merging the derived table into the outer query,
the fulltext function list is rebuilt. Only this time, the
order of the functions is flipped. This creates a problem
when deciding who-is-who's master. Since setup_ftfuncs
expects the early expression to be the master of the later
expression.

Because of this, the ft-functions in select and where lists
 are eachother's master. The result is a recursion of the
get_master function.


SOLUTION:
---------
sql/opt_sum.cc:
Since the where condition is supplied to the opt_sum_query
by default, setting hints should be done on the master.

sql/sql_resolver.cc:
Since we want the early-late expression order to be
maintained, use push_back.

sql/item_func.h:
In case of prepare-execute statements, we need to set the
master variable to NULL. This will be reset when the
execute statement will call setup_ftfuncs.
diff --git a/sql/item_func.h b/sql/item_func.h
@@ -2381,6 +2381,7 @@ class Item_func_match :public Item_real_func
     ft_handler= NULL;
     concat_ws= NULL;
     table_ref= NULL;           // required by Item_func_match::eq()
+    master= NULL;
     DBUG_VOID_RETURN;
   }
   virtual Item *key_item() const { return against; }
diff --git a/sql/opt_sum.cc b/sql/opt_sum.cc
@@ -373,7 +373,8 @@ int opt_sum_query(THD *thd,
                  !((Item_sum_count*) item)->get_arg(0)->maybe_null)       // 4
         {
           Item_func_match* fts_item= static_cast<Item_func_match*>(conds); 
-          fts_item->set_hints(NULL, FT_NO_RANKING, HA_POS_ERROR, false);
+          fts_item->get_master()->set_hints(NULL, FT_NO_RANKING,
+                                            HA_POS_ERROR, false);
           if (fts_item->init_search(thd))
             break;
           count= fts_item->get_count();
diff --git a/sql/sql_resolver.cc b/sql/sql_resolver.cc
@@ -2743,7 +2743,7 @@ bool SELECT_LEX::add_ftfunc_list(List<Item_func_match> *ftfuncs)
   List_iterator_fast<Item_func_match> li(*ftfuncs);
   while ((ifm= li++))
   {
-    if (ftfunc_list->push_front(ifm))
+    if (ftfunc_list->push_back(ifm))
       return true;        /* purecov: inspected */
   }
   return false;

Original file line number	Diff line number	Diff line change
`@@ -2381,6 +2381,7 @@ class Item_func_match :public Item_real_func`
`2381`	`2381`	`ft_handler= NULL;`
`2382`	`2382`	`concat_ws= NULL;`
`2383`	`2383`	`table_ref= NULL; // required by Item_func_match::eq()`
	`2384`	`+ master= NULL;`
`2384`	`2385`	`DBUG_VOID_RETURN;`
`2385`	`2386`	`}`
`2386`	`2387`	`virtual Item *key_item() const { return against; }`
Original file line number	Diff line number	Diff line change
`@@ -2743,7 +2743,7 @@ bool SELECT_LEX::add_ftfunc_list(List<Item_func_match> *ftfuncs)`
`2743`	`2743`	`List_iterator_fast<Item_func_match> li(*ftfuncs);`
`2744`	`2744`	`while ((ifm= li++))`
`2745`	`2745`	`{`
`2746`		`- if (ftfunc_list->push_front(ifm))`
	`2746`	`+ if (ftfunc_list->push_back(ifm))`
`2747`	`2747`	`return true; /* purecov: inspected */`
`2748`	`2748`	`}`
`2749`	`2749`	`return false;`