Fixed bug#20746926: GENERATED COLUMNS: INVALID READ OF THD WHEN WARNINGS

Benny Wang · Benny Wang · commit 0214d2c072fe · 2015-05-19T09:37:46.000+02:00
This bug is caused by cached THD pointer of some Item objects.

There are several kinds of Item objects which cache the THD pointer to try to
lessen the impact of current_thd. However, generated column expression is only
parsed and fixed once during open table first time. Moreover, the table is
cached and shared by all sessions. If the Items which cache THD pointer as
part of generated expression, obviously, such an generated expression can't be
shared by all sessions. If they were, it would result in invalid read and
memory leak.

Because there are only 3 Item objects which have effect on generated
expression. The solution is to remove to cache THD but use current_thd
instead.
diff --git a/mysql-test/suite/gcol/r/gcol_bug20746926.result b/mysql-test/suite/gcol/r/gcol_bug20746926.result
@@ -0,0 +1,27 @@
+#Bug #20746926: GENERATED COLUMNS: INVALID READ OF THD WHEN WARNINGS
+#
+# Testing cmp_item_datetime
+set sql_mode='';
+create table t1 (
+a date not null,
+b mediumtext generated always as ((a not in (a,a))) virtual,
+c timestamp generated always as ((a not in (b,b))) stored not null
+);
+insert t1(a) values(7777777777);
+Warnings:
+Warning	1265	Data truncated for column 'a' at row 1
+Warning	1292	Incorrect date value: '0' for column 'a' at row 1
+show warnings;
+Level	Code	Message
+Warning	1265	Data truncated for column 'a' at row 1
+Warning	1292	Incorrect date value: '0' for column 'a' at row 1
+set sql_mode='';
+insert t1(a) values(6666666666);
+Warnings:
+Warning	1265	Data truncated for column 'a' at row 1
+Warning	1292	Incorrect date value: '0' for column 'a' at row 1
+show warnings;
+Level	Code	Message
+Warning	1265	Data truncated for column 'a' at row 1
+Warning	1292	Incorrect date value: '0' for column 'a' at row 1
+drop table t1;
diff --git a/mysql-test/suite/gcol/t/gcol_bug20746926.test b/mysql-test/suite/gcol/t/gcol_bug20746926.test
@@ -0,0 +1,28 @@
+--echo #Bug #20746926: GENERATED COLUMNS: INVALID READ OF THD WHEN WARNINGS
+--echo #
+--echo # Testing cmp_item_datetime
+connect(con1,localhost,root,,);
+--disable_warnings
+set sql_mode='';
+--enable_warnings
+create table t1 (
+a date not null,
+b mediumtext generated always as ((a not in (a,a))) virtual,
+c timestamp generated always as ((a not in (b,b))) stored not null
+);
+insert t1(a) values(7777777777);
+show warnings;
+disconnect con1;
+--source include/wait_until_disconnected.inc
+
+connect(con2,localhost,root,,);
+--disable_warnings
+set sql_mode='';
+--enable_warnings
+insert t1(a) values(6666666666);
+show warnings;
+
+drop table t1;
+disconnect con2;
+--source include/wait_until_disconnected.inc
+connection default;
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
@@ -1103,7 +1103,6 @@ int Arg_comparator::set_cmp_func(Item_result_field *owner_arg,
                                  Item_result type)
 {
   ulonglong const_value= (ulonglong)-1;
-  thd= current_thd;
   owner= owner_arg;
   set_null= set_null && owner_arg;
   a= a1;
@@ -1189,6 +1188,7 @@ int Arg_comparator::set_cmp_func(Item_result_field *owner_arg,
     type= DECIMAL_RESULT;
   }
 
+  THD *thd= current_thd;
   a= cache_converted_constant(thd, a, &a_cache, type);
   b= cache_converted_constant(thd, b, &b_cache, type);
   return set_compare_func(owner_arg, type);
@@ -1267,7 +1267,7 @@ Item** Arg_comparator::cache_converted_constant(THD *thd_arg, Item **value,
                                                 Item_result type)
 {
   /* Don't need cache if doing context analysis only. */
-  if (!thd->lex->is_ps_or_view_context_analysis() &&
+  if (!thd_arg->lex->is_ps_or_view_context_analysis() &&
       (*value)->const_item() && type != (*value)->result_type())
   {
     Item_cache *cache= Item_cache::get_cache(*value, type);
@@ -1282,7 +1282,6 @@ Item** Arg_comparator::cache_converted_constant(THD *thd_arg, Item **value,
 void Arg_comparator::set_datetime_cmp_func(Item_result_field *owner_arg,
                                            Item **a1, Item **b1)
 {
-  thd= current_thd;
   owner= owner_arg;
   a= a1;
   b= b1;
@@ -1456,6 +1455,7 @@ int Arg_comparator::compare_datetime()
 {
   bool a_is_null, b_is_null;
   longlong a_value, b_value;
+  THD *thd= current_thd;
 
   /* Get DATE/DATETIME/TIME value of the 'a' item. */
   a_value= (*get_value_a_func)(thd, &a, &a_cache, *b, &a_is_null);
@@ -4451,7 +4451,7 @@ void in_datetime::set(uint pos,Item *item)
   bool is_null;
   struct packed_longlong *buff= &base[pos];
 
-  buff->val= get_datetime_value(thd, &tmp_item, 0, warn_item, &is_null);
+  buff->val= get_datetime_value(current_thd, &tmp_item, 0, warn_item, &is_null);
   buff->unsigned_flag= 1L;
 }
 
@@ -4460,7 +4460,7 @@ uchar *in_datetime::get_value(Item *item)
 {
   bool is_null;
   Item **tmp_item= lval_cache ? &lval_cache : &item;
-  tmp.val= get_datetime_value(thd, &tmp_item, &lval_cache, warn_item, &is_null);
+  tmp.val= get_datetime_value(current_thd, &tmp_item, &lval_cache, warn_item, &is_null);
   if (item->null_value)
     return 0;
   tmp.unsigned_flag= 1L;
@@ -4755,7 +4755,7 @@ void cmp_item_datetime::store_value(Item *item)
 {
   bool is_null;
   Item **tmp_item= lval_cache ? &lval_cache : &item;
-  value= get_datetime_value(thd, &tmp_item, &lval_cache, warn_item, &is_null);
+  value= get_datetime_value(current_thd, &tmp_item, &lval_cache, warn_item, &is_null);
   set_null_value(item->null_value);
 }
 
@@ -4765,7 +4765,7 @@ int cmp_item_datetime::cmp(Item *arg)
   bool is_null;
   Item **tmp_item= &arg;
   const bool rc= value !=
-    get_datetime_value(thd, &tmp_item, 0, warn_item, &is_null);
+    get_datetime_value(current_thd, &tmp_item, 0, warn_item, &is_null);
   return (m_null_value || arg->null_value) ? UNKNOWN : rc;
 }
 
diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
@@ -41,7 +41,6 @@ class Arg_comparator: public Sql_alloc
   Arg_comparator *comparators;   // used only for compare_row()
   double precision;
   /* Fields used in DATE/DATETIME comparison. */
-  THD *thd;
   enum_field_types a_type, b_type; // Types of a and b items
   Item *a_cache, *b_cache;         // Cached values of a and b items
   bool is_nulls_eq;                // TRUE <=> compare for the EQUAL_FUNC
@@ -59,9 +58,9 @@ class Arg_comparator: public Sql_alloc
   /* Allow owner function to use string buffers. */
   String value1, value2;
 
-  Arg_comparator(): comparators(0), thd(0), a_cache(0), b_cache(0), set_null(TRUE),
+  Arg_comparator(): comparators(0), a_cache(0), b_cache(0), set_null(TRUE),
     get_value_a_func(0), get_value_b_func(0) {};
-  Arg_comparator(Item **a1, Item **a2): a(a1), b(a2), comparators(0), thd(0),
+  Arg_comparator(Item **a1, Item **a2): a(a1), b(a2), comparators(0),
     a_cache(0), b_cache(0), set_null(TRUE),
     get_value_a_func(0), get_value_b_func(0) {};
 
@@ -1279,14 +1278,13 @@ class in_time_as_longlong :public in_longlong
 class in_datetime :public in_longlong
 {
 public:
-  THD *thd;
   /* An item used to issue warnings. */
   Item *warn_item;
   /* Cache for the left item. */
   Item *lval_cache;
 
   in_datetime(THD *thd_arg, Item *warn_item_arg, uint elements)
-    : in_longlong(thd_arg, elements), thd(thd_arg), warn_item(warn_item_arg),
+    : in_longlong(thd_arg, elements), warn_item(warn_item_arg),
       lval_cache(0)
   {};
   void set(uint pos,Item *item);
@@ -1467,14 +1465,13 @@ class cmp_item_datetime : public cmp_item_scalar
 {
   longlong value;
 public:
-  THD *thd;
   /* Item used for issuing warnings. */
   Item *warn_item;
   /* Cache for the left item. */
   Item *lval_cache;
 
   cmp_item_datetime(Item *warn_item_arg)
-    :thd(current_thd), warn_item(warn_item_arg), lval_cache(0) {}
+    :warn_item(warn_item_arg), lval_cache(0) {}
   void store_value(Item *item);
   int cmp(Item *arg);
   int compare(const cmp_item *ci) const;
diff --git a/sql/item_func.cc b/sql/item_func.cc
@@ -3265,7 +3265,6 @@ void Item_func_min_max::fix_length_and_dec()
                                                        args, arg_count);
     if (datetime_found)
     {
-      thd= current_thd;
       compare_as_dates= TRUE;
       /*
         We should not do this:
@@ -3318,6 +3317,7 @@ uint Item_func_min_max::cmp_datetimes(longlong *value)
   {
     Item **arg= args + i;
     bool is_null;
+    THD *thd= current_thd;
     longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null);
 
     /* Check if we need to stop (because of error or KILL)  and stop the loop */
diff --git a/sql/item_func.h b/sql/item_func.h
@@ -1291,7 +1291,6 @@ class Item_func_min_max :public Item_func
   bool compare_as_dates;
   /* An item used for issuing warnings while string to DATETIME conversion. */
   Item *datetime_item;
-  THD *thd;
 protected:
   enum_field_types cached_field_type;
   uint cmp_datetimes(longlong *value);

Original file line number	Diff line number	Diff line change
`@@ -3265,7 +3265,6 @@ void Item_func_min_max::fix_length_and_dec()`
`3265`	`3265`	`args, arg_count);`
`3266`	`3266`	`if (datetime_found)`
`3267`	`3267`	`{`
`3268`		`- thd= current_thd;`
`3269`	`3268`	`compare_as_dates= TRUE;`
`3270`	`3269`	`/*`
`3271`	`3270`	`We should not do this:`
`@@ -3318,6 +3317,7 @@ uint Item_func_min_max::cmp_datetimes(longlong *value)`
`3318`	`3317`	`{`
`3319`	`3318`	`Item **arg= args + i;`
`3320`	`3319`	`bool is_null;`
	`3320`	`+ THD *thd= current_thd;`
`3321`	`3321`	`longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null);`
`3322`	`3322`
`3323`	`3323`	`/* Check if we need to stop (because of error or KILL) and stop the loop */`