Bug #34830 Item_ref & Item_direct_ref constructor call: mixed table & field names.
Submitted: 26 Feb 2008 12:20 Modified: 10 Apr 2008 13:54
Reporter: Gleb Shchepa
Status: Closed
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0+ OS:Any
Assigned to: Gleb Shchepa CPU Architecture:Any
Triage: D2 (Serious)

[26 Feb 2008 12:20] Gleb Shchepa
Description:
sql/sql_select.cc:
------------------
bool
fix_inner_refs(THD *thd, List<Item> &all_fields, SELECT_LEX *select,
                 Item **ref_pointer_array)
{
...
    new_ref= direct_ref ?
              new Item_direct_ref(ref->context, item_ref, ref->field_name,
                                                          ^^^^^^^^^^^^^^^^
                          ref->table_name, ref->alias_name_used) :
                          ^^^^^^^^^^^^^^^^
              new Item_ref(ref->context, item_ref, ref->field_name,
                                                   ^^^^^^^^^^^^^^^^
                          ref->table_name, ref->alias_name_used);
                          ^^^^^^^^^^^^^^^^
...

The order of the ref->field_name and ref->table_name arguments should be changed, because of the definition of the Item_ref and Item_direct_ref constructors (sql/item.h):

  Item_ref(Name_resolution_context *context_arg, Item **item,
           const char *table_name_arg, const char *field_name_arg,
                       ^^^^^^^^^^^^^^              ^^^^^^^^^^^^^^
           bool alias_name_used_arg= FALSE);

and

  Item_direct_ref(Name_resolution_context *context_arg, Item **item,
                  const char *table_name_arg,
                              ^^^^^^^^^^^^^^
                  const char *field_name_arg,
                              ^^^^^^^^^^^^^^
                  bool alias_name_used_arg= FALSE)

How to repeat:
No good idea at this moment, but the bug is visible in the debugger when I trace such queries as:

CREATE TABLE t1 (a INT, b INT);
SELECT ROW(1, a) IN (SELECT SUM(b), 2) FROM t1 GROUP BY a;

and place a breakpoint at 'Item_direct_ref::Item_direct_ref(Name_resolution_context*, Item**, char const*, char const*, bool)'

(gdb) p table_name_arg
$1 = 0x86da393 "b"        # Should be "t1"
(gdb) p field_name_arg
$2 = 0x871dfa0 "t1"       # Should be "b"

Suggested fix:
===== sql_select.cc 1.558 vs edited =====
--- 1.558/sql/sql_select.cc	2008-01-27 09:45:30 +04:00
+++ edited/sql/sql_select.cc	2008-02-26 16:12:25 +04:00
@@ -360,10 +360,10 @@ fix_inner_refs(THD *thd, List<Item> &all
       }
     }
     new_ref= direct_ref ?
-              new Item_direct_ref(ref->context, item_ref, ref->field_name,
-                          ref->table_name, ref->alias_name_used) :
-              new Item_ref(ref->context, item_ref, ref->field_name,
-                          ref->table_name, ref->alias_name_used);
+              new Item_direct_ref(ref->context, item_ref, ref->table_name,
+                          ref->field_name, ref->alias_name_used) :
+              new Item_ref(ref->context, item_ref, ref->table_name,
+                          ref->field_name, ref->alias_name_used);
     if (!new_ref)
       return TRUE;
     ref->outer_ref= new_ref;
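Review bot: The reordering in both branches of the ternary now matches the (table_name_arg, field_name_arg) order declared for Item_ref and Item_direct_ref in sql/item.h, but nothing in the hunk would catch the same inversion being reintroduced, since both parameters are plain `const char*` and the compiler accepts either order. Consider adding a regression test built on the query from "How to repeat" (`SELECT ROW(1, a) IN (SELECT SUM(b), 2) FROM t1 GROUP BY a`) that checks the resolved outer reference carries table "t1" and field "b", or at least a debug-build assertion at the constructor that the two names are in their expected slots.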
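The defect class in this report, two adjacent same-typed pointer parameters whose order the compiler cannot check, is easy to reproduce and easy to prevent structurally. The following is an added illustration, not MySQL code: `LooseRef`, `StrictRef`, `TableName`, `FieldName` and the helper functions are hypothetical stand-ins for the `Item_ref` constructor signature discussed above. The first half reproduces the swap (the call site compiles, the data is crossed, exactly what the gdb session shows); the second half wraps the two names in distinct types so the same mistake becomes a compile error.

```cpp
#include <cstdio>
#include <cstring>

// Stand-in for an Item_ref-style constructor that takes (table_name, field_name)
// as two adjacent const char* parameters. Because both parameters have the same
// type, a call site that passes them in the wrong order compiles without any
// diagnostic; only the data is wrong. (Hypothetical class, not MySQL's Item_ref.)
struct LooseRef {
    const char *table_name;
    const char *field_name;
    LooseRef(const char *table_name_arg, const char *field_name_arg)
        : table_name(table_name_arg), field_name(field_name_arg) {}
};

// Call site written the way fix_inner_refs was before the patch: field first,
// then table. The compiler is happy; the object ends up with the names crossed.
LooseRef make_loose_ref_swapped(const char *table, const char *field) {
    return LooseRef(field, table);  // wrong order, no compile-time complaint
}

// Strong wrapper types: same underlying pointer, distinct C++ types. The
// 'explicit' constructors stop a bare const char* from converting implicitly,
// so the caller must spell out which name is which.
struct TableName {
    const char *value;
    explicit TableName(const char *v) : value(v) {}
};
struct FieldName {
    const char *value;
    explicit FieldName(const char *v) : value(v) {}
};

// Same constructor, but the parameter pair is now (TableName, FieldName).
struct StrictRef {
    const char *table_name;
    const char *field_name;
    StrictRef(TableName t, FieldName f) : table_name(t.value), field_name(f.value) {}
};

StrictRef make_strict_ref(const char *table, const char *field) {
    // StrictRef(FieldName(field), TableName(table)) would be a compile error:
    // there is no conversion from FieldName to TableName or back.
    return StrictRef(TableName(table), FieldName(field));
}

// Debug-time consistency check of the kind the gdb session in the report does
// by hand: given the names a reference is known to carry, report whether the
// stored values are in the expected slots.
bool ref_names_in_expected_slots(const char *stored_table, const char *stored_field,
                                 const char *expected_table, const char *expected_field) {
    return std::strcmp(stored_table, expected_table) == 0 &&
           std::strcmp(stored_field, expected_field) == 0;
}

int main() {
    // Constructed sample matching the report: table "t1", field "b".
    LooseRef loose = make_loose_ref_swapped("t1", "b");
    StrictRef strict = make_strict_ref("t1", "b");
    std::printf("loose : table=%s field=%s consistent=%d\n", loose.table_name,
                loose.field_name,
                ref_names_in_expected_slots(loose.table_name, loose.field_name, "t1", "b"));
    std::printf("strict: table=%s field=%s consistent=%d\n", strict.table_name,
                strict.field_name,
                ref_names_in_expected_slots(strict.table_name, strict.field_name, "t1", "b"));
    return 0;
}
```

The wrapper-type approach costs nothing at runtime (each wrapper is a single pointer) and moves the check from a debugger session to the compiler, which is where a defect that produces no warning and no crash is best caught.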
[28 Feb 2008 22:34] Miguel Solorzano
Thank you for the bug report. Verified as described in the feedback.
[29 Feb 2008 11:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/43212

ChangeSet@1.2592, 2008-02-29 15:11:11+04:00, gshchepa@host.loc +1 -0
  Fixed bug #34830: mixed table and field names in Item_ref
                    and Item_direct_ref constructor calls.
  
  The order of the ref->field_name and ref->table_name arguments
  of Item_ref and Item_direct_ref in the fix_inner_refs
  function is inverted.
[13 Mar 2008 19:27] Bugs System
Pushed into 6.0.5-alpha
[13 Mar 2008 19:35] Bugs System
Pushed into 5.1.24-rc
[13 Mar 2008 19:42] Bugs System
Pushed into 5.0.60
[3 Apr 2008 14:59] Jon Stephens
Pushed into 5.1.23-ndb-6.3.11.
[10 Apr 2008 13:54] Paul Dubois
Noted in 5.0.60, 5.1.24, 5.1.24-ndb-6.3.13, 6.0.5 changelogs.

Table and database names were mixed up in some places of the subquery
transformation procedure. This could affect debugging trace output
and further extensions of that procedure.