Bug#19855522 ASSERTION `N < M_SIZE' FAILED. | ABORT IN BOUNDS_CHECKED_ARRAY

Tor Didriksen · Tor Didriksen · commit 7826e013f08b · 2014-11-03T14:30:00.000+01:00
create_distinct_group() may need some extra space, so do a similar counting
in setup_ref_array() to have enough space in st_select_lex::ref_pointer_array

Also: shrinking an existing ref_pointer_array, as introduced by 
WL#5953 - Optimize away useless subquery clauses
has to be reversed. The '*' wildcards are fixed in the prepare phase,
but not in the execute phase.
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -2521,6 +2521,28 @@ bool st_select_lex::setup_ref_array(THD *thd)
   // find_order_in_list() may need some extra space, so multiply by two.
   order_group_num*= 2;
 
+  // create_distinct_group() may need some extra space
+  const bool select_distinct= MY_TEST(options & SELECT_DISTINCT);
+  if (select_distinct)
+  {
+    uint bitcount= 0;
+    Item *item;
+    List_iterator<Item> li(item_list);
+    while ((item= li++))
+    {
+      /*
+        Same test as in create_distinct_group, when it pushes new items to the
+        end of ref_pointer_array. An extra test for 'fixed' which, at this
+        stage, will be true only for columns inserted for a '*' wildcard.
+      */
+      if (item->fixed &&
+          item->type() == Item::FIELD_ITEM &&
+          item->field_type() == MYSQL_TYPE_BIT)
+        ++bitcount;
+    }
+    order_group_num+= bitcount;
+  }
+
   /*
     We have to create array in prepared statement memory if it is
     prepared statement
@@ -2543,23 +2565,14 @@ bool st_select_lex::setup_ref_array(THD *thd)
                       order_group_num));
   if (!ref_pointer_array.is_null() && ref_pointer_array.size() >= n_elems)
   {
-    /*
-      The Query may have been permanently transformed by removal of
-      ORDER BY or GROUP BY. Memory has already been allocated, but by
-      reducing the size of ref_pointer_array a tight bound is
-      maintained by Bounds_checked_array
-    */
-    if (ref_pointer_array.size() > n_elems)
-      ref_pointer_array.resize(n_elems);
-
     /*
       We need to take 'n_sum_items' into account when allocating the array,
       and this may actually increase during the optimization phase due to
       MIN/MAX rewrite in Item_in_subselect::single_value_transformer.
       In the usual case we can reuse the array from the prepare phase.
       If we need a bigger array, we must allocate a new one.
      */
-    if (ref_pointer_array.size() == n_elems)
+    if (ref_pointer_array.size() >= n_elems)
       return false;
   }
   /*
diff --git a/sql/sql_optimizer.cc b/sql/sql_optimizer.cc
@@ -10054,6 +10054,7 @@ create_distinct_group(THD *thd, Ref_ptr_array ref_pointer_array,
           additional hidden field for grouping because later it will be
           converted to a LONG field. Original field will remain of the
           BIT type and will be returned to a client.
+          @note setup_ref_array() needs to account for the extra space.
         */
         Item_field *new_item= new Item_field(thd, (Item_field*)item);
         int el= all_fields.elements;
