Bug#27660560 RECENT REGRESSION: CRASH IN CHECK_COVERING_PREFIX_KEYS.

Sergey Glukhov · dahlerlend · commit f4152e601332 · 2018-03-28T13:42:37.000+02:00
There are three problems in Item_func_like::check_covering_prefix_keys:

-Missing check for null value after val_str() call, added.

-Missing chech for THD::error after val_str() call, added.

-Calculation of the const part length of the wild pattern.
 It was calculated using prefix_length * wild_str-&gt;charset()-&gt;mbmaxlen,
 where prefix_length is number of characters. Then it compared with
 KEY_PART_INF::length mesured in bytes. It does not work properly
 for BLOB fields if wild_str-&gt;charset()-&gt;mbmaxlen is bigger than 1.
 Now prefix_length is passed to TABLE::update_covering_prefix_keys()
 and KEY_PART_INF::length is divided by mbmaxlen of the Field chararcter
 set.
diff --git a/mysql-test/r/func_prefix_key.result b/mysql-test/r/func_prefix_key.result
@@ -776,3 +776,32 @@ id	select_type	table	partitions	type	possible_keys	key	key_len	ref	rows	filtered
 Warnings:
 Note	1003	/* select#1 */ select count(0) AS `COUNT(*)` from `test`.`t1` where (`test`.`t1`.`b` like 'aaaa')
 DROP TABLE t1;
+#
+# Bug#27660560 RECENT REGRESSION: CRASH IN CHECK_COVERING_PREFIX_KEYS.
+#
+CREATE TABLE t1(f1 BLOB, KEY(f1(1))) ENGINE=INNODB;
+INSERT INTO t1 VALUES ('ccc'), ('aa');
+ANALYZE TABLE t1;
+Table	Op	Msg_type	Msg_text
+test.t1	analyze	status	OK
+SELECT (f1 LIKE null) from t1;
+(f1 LIKE null)
+NULL
+NULL
+SELECT 1 FROM t1 WHERE f1 NOT LIKE json_merge('' ,'+' );
+ERROR 22032: Invalid JSON text in argument 1 to function json_merge_preserve: "The document is empty." at position 0.
+SELECT 1 FROM t1 WHERE f1 LIKE json_contains('key2' ,'key4' );
+ERROR 22032: Invalid JSON text in argument 1 to function json_contains: "Invalid value." at position 0.
+SELECT 1 FROM t1 WHERE f1 LIKE json_depth(null);
+1
+EXPLAIN SELECT (f1 LIKE null) from t1;
+id	select_type	table	partitions	type	possible_keys	key	key_len	ref	rows	filtered	Extra
+1	SIMPLE	t1	NULL	index	NULL	f1	4	NULL	2	100.00	Using index
+Warnings:
+Note	1003	/* select#1 */ select (`test`.`t1`.`f1` like NULL) AS `(f1 LIKE null)` from `test`.`t1`
+EXPLAIN SELECT (f1 LIKE null) from t1 WHERE f1 LIKE 'a%';
+id	select_type	table	partitions	type	possible_keys	key	key_len	ref	rows	filtered	Extra
+1	SIMPLE	t1	NULL	range	f1	f1	4	NULL	1	100.00	Using where; Using index
+Warnings:
+Note	1003	/* select#1 */ select (`test`.`t1`.`f1` like NULL) AS `(f1 LIKE null)` from `test`.`t1` where (`test`.`t1`.`f1` like 'a%')
+DROP TABLE t1;
diff --git a/mysql-test/t/func_prefix_key.test b/mysql-test/t/func_prefix_key.test
@@ -90,3 +90,24 @@ ANALYZE TABLE t1;
 --echo # Index access is used since key is covering.
 EXPLAIN SELECT COUNT(*) FROM t1 WHERE b like 'aaaa';
 DROP TABLE t1;
+
+--echo #
+--echo # Bug#27660560 RECENT REGRESSION: CRASH IN CHECK_COVERING_PREFIX_KEYS.
+--echo #
+
+CREATE TABLE t1(f1 BLOB, KEY(f1(1))) ENGINE=INNODB;
+INSERT INTO t1 VALUES ('ccc'), ('aa');
+ANALYZE TABLE t1;
+
+SELECT (f1 LIKE null) from t1;
+--error ER_INVALID_JSON_TEXT_IN_PARAM
+SELECT 1 FROM t1 WHERE f1 NOT LIKE json_merge('' ,'+' );
+--error ER_INVALID_JSON_TEXT_IN_PARAM
+SELECT 1 FROM t1 WHERE f1 LIKE json_contains('key2' ,'key4' );
+SELECT 1 FROM t1 WHERE f1 LIKE json_depth(null);
+
+# Tests below should use index access.
+EXPLAIN SELECT (f1 LIKE null) from t1;
+EXPLAIN SELECT (f1 LIKE null) from t1 WHERE f1 LIKE 'a%';
+
+DROP TABLE t1;
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
@@ -5374,34 +5374,31 @@ Item_func::optimize_type Item_func_like::select_optimize() const {
                                                    : OPTIMIZE_OP;
 }
 
-/**
-  The method updates covering keys depending on the
-  length of wild string prefix.
-*/
-
-void Item_func_like::check_covering_prefix_keys() {
+bool Item_func_like::check_covering_prefix_keys(THD *thd) {
   Item *first_arg = args[0]->real_item();
   Item *second_arg = args[1]->real_item();
   if (first_arg->type() == Item::FIELD_ITEM) {
     Field *field = down_cast<Item_field *>(first_arg)->field;
     Key_map covering_keys = field->get_covering_prefix_keys();
-    if (covering_keys.is_clear_all()) return;
+    if (covering_keys.is_clear_all()) return false;
     if (second_arg->const_item()) {
       size_t prefix_length = 0;
       String *wild_str = second_arg->val_str(&cmp.value2);
+      if (thd->is_error()) return true;
+      if (second_arg->is_null()) return false;
       if (my_is_prefixidx_cand(wild_str->charset(), wild_str->ptr(),
                                wild_str->ptr() + wild_str->length(), escape,
                                wild_many, &prefix_length))
-        field->table->update_covering_prefix_keys(
-            field, prefix_length * wild_str->charset()->mbmaxlen,
-            &covering_keys);
+        field->table->update_covering_prefix_keys(field, prefix_length,
+                                                  &covering_keys);
       else
         // Not comparing to a prefix, remove all prefix indexes
         field->table->covering_keys.subtract(field->part_of_prefixkey);
     } else
       // Second argument is not a const
       field->table->covering_keys.subtract(field->part_of_prefixkey);
   }
+  return false;
 }
 
 bool Item_func_like::fix_fields(THD *thd, Item **ref) {
@@ -5435,9 +5432,7 @@ bool Item_func_like::fix_fields(THD *thd, Item **ref) {
     if (eval_escape_clause(thd)) return true;
   }
 
-  check_covering_prefix_keys();
-
-  return false;
+  return check_covering_prefix_keys(thd);
 }
 
 void Item_func_like::cleanup() {
diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
@@ -1863,7 +1863,16 @@ class Item_func_like final : public Item_bool_func2 {
                              double rows_in_table) override;
 
  private:
-  void check_covering_prefix_keys();
+  /**
+    The method updates covering keys depending on the
+    length of wild string prefix.
+
+    @param thd Pointer to THD object.
+
+    @retval true if error happens during wild string prefix claculation,
+            false otherwise.
+  */
+  bool check_covering_prefix_keys(THD *thd);
 };
 
 class Item_cond : public Item_bool_func {
diff --git a/sql/table.cc b/sql/table.cc
@@ -7517,9 +7517,10 @@ void TABLE::update_covering_prefix_keys(Field *field, uint16 key_read_length,
       for (KEY_PART_INFO *part = key_info->key_part,
                          *part_end = part + actual_key_parts(key_info);
            part != part_end; ++part)
-        if ((part->key_part_flag & HA_PART_KEY_SEG) && field->eq(part->field) &&
-            part->length < key_read_length)
-          covering_keys.clear_bit(keyno);
+        if ((part->key_part_flag & HA_PART_KEY_SEG) && field->eq(part->field)) {
+          uint16 key_part_length = part->length / field->charset()->mbmaxlen;
+          if (key_part_length < key_read_length) covering_keys.clear_bit(keyno);
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -7517,9 +7517,10 @@ void TABLE::update_covering_prefix_keys(Field *field, uint16 key_read_length,`
`7517`	`7517`	`for (KEY_PART_INFO *part = key_info->key_part,`
`7518`	`7518`	`*part_end = part + actual_key_parts(key_info);`
`7519`	`7519`	`part != part_end; ++part)`
`7520`		`- if ((part->key_part_flag & HA_PART_KEY_SEG) && field->eq(part->field) &&`
`7521`		`- part->length < key_read_length)`
`7522`		`- covering_keys.clear_bit(keyno);`
	`7520`	`+ if ((part->key_part_flag & HA_PART_KEY_SEG) && field->eq(part->field)) {`
	`7521`	`+ uint16 key_part_length = part->length / field->charset()->mbmaxlen;`
	`7522`	`+ if (key_part_length < key_read_length) covering_keys.clear_bit(keyno);`
	`7523`	`+ }`
`7523`	`7524`	`}`
`7524`	`7525`	`}`
`7525`	`7526`