Bug#21466850: Derived I_S based tables + MAX_INDEXES=128 causes crash

When MAX_INDEXES is > 64, Key_map uses a special template implementation.
However, the fields keys_in_use_for_group_by and keys_in_use_for_order_by
were not initialized when used by a temporary table.
This was OK when using a Bitmap<64> template, but causes failure when
using the special template.

The solution is to explicitly initialize the two fields.

In addition, it was detected that argument key_to_save to is_set()
in TABLE::use_index() could be negative, this was corrected.
To prevent further problems like this, more asserts on valid arguments
were added in sql_bitmap.h.

No test case was added to this bugfix: A special configuration is
needed to trigger the problem, and several queries in the test suite
are vulnerable (all queries with materialized derived tables with
equality test on non-indexed columns). However, the problem is not
met in any standard test suite, since none of them use the option
MAX_INDEXES=128.

Author: roylyseng

sql/sql_bitmap.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -130,8 +130,8 @@ template <> class Bitmap<64>
   void init() { clear_all(); }
   void init(uint prefix_to_set) { set_prefix(prefix_to_set); }
   uint length() const { return 64; }
-  void set_bit(uint n) { map|= ((ulonglong)1) << n; }
-  void clear_bit(uint n) { map&= ~(((ulonglong)1) << n); }
+  void set_bit(uint n) { DBUG_ASSERT(n < 64); map|= ((ulonglong)1) << n; }
+  void clear_bit(uint n) { DBUG_ASSERT(n < 64); map&= ~(((ulonglong)1) << n); }
   void set_prefix(uint n)
   {
     if (n >= length())
@@ -146,12 +146,21 @@ template <> class Bitmap<64>
   void intersect_extended(ulonglong map2) { map&= map2; }
   void subtract(const Bitmap<64>& map2) { map&= ~map2.map; }
   void merge(const Bitmap<64>& map2) { map|= map2.map; }
-  my_bool is_set(uint n) const { return MY_TEST(map & (((ulonglong)1) << n)); }
-  my_bool is_prefix(uint n) const { return map == (((ulonglong)1) << n)-1; }
+  my_bool is_set(uint n) const
+  { DBUG_ASSERT(n < 64); return MY_TEST(map & (((ulonglong)1) << n)); }
+  my_bool is_prefix(uint n) const
+  {
+    DBUG_ASSERT(n <= 64);
+    if (n < 64)
+      return map == (((ulonglong)1) << n)-1;
+    else
+      return map == ~(ulonglong)1;
+  }
   my_bool is_clear_all() const { return map == (ulonglong)0; }
   my_bool is_set_all() const { return map == ~(ulonglong)0; }
   my_bool is_subset(const Bitmap<64>& map2) const { return !(map & ~map2.map); }
-  my_bool is_overlapping(const Bitmap<64>& map2) const { return (map & map2.map)!= 0; }
+  my_bool is_overlapping(const Bitmap<64>& map2) const
+  { return (map & map2.map)!= 0; }
   my_bool operator==(const Bitmap<64>& map2) const { return map == map2.map; }
   my_bool operator!=(const Bitmap<64>& map2) const { return !(*this == map2); }
   char *print(char *buf) const { longlong2str(map,buf,16); return buf; }

sql/sql_tmp_table.cc

@@ -818,6 +818,8 @@ create_tmp_table(THD *thd, Temp_table_param *param, List<Item> &fields,
   table->covering_keys.init();
   table->merge_keys.init();
   table->keys_in_use_for_query.init();
+  table->keys_in_use_for_group_by.init();
+  table->keys_in_use_for_order_by.init();
 
   table->s= share;
   init_tmp_table_share(thd, share, "", 0, tmpname, tmpname);

sql/table.cc

@@ -6522,7 +6522,7 @@ void TABLE::use_index(int key_to_save)
    */
   for (reg_field=field ; *reg_field; reg_field++)
   {
-    if(!(*reg_field)->part_of_key.is_set(key_to_save))
+    if (key_to_save < 0 || !(*reg_field)->part_of_key.is_set(key_to_save))
       (*reg_field)->key_start.clear_all();
     (*reg_field)->part_of_key.clear_all();
     (*reg_field)->part_of_sortkey.clear_all();