MDEV-26115 Crash when calling stored function in FOR loop argument

The 11.8 version with support for SPs returning ROWs.

Author: abarkov

mysql-test/main/sp-bugs2.result

@@ -59,4 +59,75 @@ call p2('2');
 drop table t1;
 drop procedure p1;
 drop procedure p2;
+#
+# MDEV-26115: Crash when calling stored function in FOR loop argument
+#
+CREATE OR REPLACE FUNCTION cnt()
+RETURNS INTEGER NO SQL
+BEGIN
+RETURN 3;
+END;
+$
+CREATE OR REPLACE PROCEDURE p1()
+NO SQL
+BEGIN
+DECLARE i INTEGER;
+FOR i IN 1..cnt() DO
+SELECT 1;
+END FOR;
+END;
+$
+CALL p1();
+1
+1
+1
+1
+1
+1
+CALL p1();
+1
+1
+1
+1
+1
+1
+# Clean up
+DROP FUNCTION cnt;
+DROP PROCEDURE p1;
 # End of 10.11 tests
+#
+# MDEV-26115: Crash when calling stored function in FOR loop argument
+#
+CREATE FUNCTION sp_returns_row() RETURNS ROW(a INT, b VARCHAR(32))
+NO SQL
+BEGIN
+RETURN ROW(1,'b1');
+END;
+$$
+CREATE FUNCTION sp_returns_int(r ROW(a INT, b VARCHAR(32))) RETURNS INT
+NO SQL
+RETURN r.a
+$$
+CREATE PROCEDURE p1()
+NO SQL
+BEGIN
+DECLARE i INTEGER;
+FOR i IN 0..sp_returns_int(sp_returns_row()) DO
+SELECT i;
+END FOR;
+END;
+$$
+CALL p1;
+i
+0
+i
+1
+CALL p1;
+i
+0
+i
+1
+DROP PROCEDURE p1;
+DROP FUNCTION sp_returns_int;
+DROP FUNCTION sp_returns_row;
+# End of 11.8 tests

mysql-test/main/sp-bugs2.test

@@ -67,4 +67,74 @@ drop table t1;
 drop procedure p1;
 drop procedure p2;
 
+--echo #
+--echo # MDEV-26115: Crash when calling stored function in FOR loop argument
+--echo #
+--delimiter $
+CREATE OR REPLACE FUNCTION cnt()
+RETURNS INTEGER NO SQL
+BEGIN
+   RETURN 3;
+END;
+$
+
+CREATE OR REPLACE PROCEDURE p1()
+NO SQL
+BEGIN
+   DECLARE i INTEGER;
+   FOR i IN 1..cnt() DO
+      SELECT 1;
+   END FOR;
+END;
+$
+
+--delimiter ;
+
+CALL p1();
+CALL p1();
+
+--echo # Clean up
+DROP FUNCTION cnt;
+DROP PROCEDURE p1;
+
+
 --echo # End of 10.11 tests
+
+--echo #
+--echo # MDEV-26115: Crash when calling stored function in FOR loop argument
+--echo #
+
+DELIMITER $$;
+
+CREATE FUNCTION sp_returns_row() RETURNS ROW(a INT, b VARCHAR(32))
+NO SQL
+BEGIN
+   RETURN ROW(1,'b1');
+END;
+$$
+
+CREATE FUNCTION sp_returns_int(r ROW(a INT, b VARCHAR(32))) RETURNS INT
+NO SQL
+RETURN r.a
+$$
+
+CREATE PROCEDURE p1()
+NO SQL
+BEGIN
+   DECLARE i INTEGER;
+   FOR i IN 0..sp_returns_int(sp_returns_row()) DO
+      SELECT i;
+   END FOR;
+END;
+$$
+
+DELIMITER ;$$
+
+CALL p1;
+CALL p1;
+
+DROP PROCEDURE p1;
+DROP FUNCTION sp_returns_int;
+DROP FUNCTION sp_returns_row;
+
+--echo # End of 11.8 tests

sql/item.cc

@@ -2932,9 +2932,6 @@ Item_sp::func_name_cstring(THD *thd, bool is_package_function) const
 void
 Item_sp::cleanup()
 {
-  delete sp_result_field;
-  sp_result_field= NULL;
-  sp_result_field_items= Item_args();
   m_sp= NULL;
   delete func_ctx;
   func_ctx= NULL;
@@ -3106,7 +3103,6 @@ Item_sp::init_result_field(THD *thd, uint max_length, uint maybe_null,
   DBUG_ENTER("Item_sp::init_result_field");
 
   DBUG_ASSERT(m_sp != NULL);
-  DBUG_ASSERT(sp_result_field == NULL);
 
   /*
      A Field needs to be attached to a Table.
@@ -3120,6 +3116,30 @@ Item_sp::init_result_field(THD *thd, uint max_length, uint maybe_null,
   dummy_table->s->table_name= Lex_ident_table(empty_clex_str);
   dummy_table->maybe_null= maybe_null;
 
+  if (sp_result_field) // Non-first execution
+  {
+    if (Field_row *field_row= dynamic_cast<Field_row*>(sp_result_field))
+    {
+      /*
+        At the end of the previous execution cleanup() was called for
+        all Item_field instances in sp_result_field_items, which set their
+        Item_field::field to nullptr. We need to restore them to pointers
+        to the Fields in the virtual table.
+      */
+      Virtual_tmp_table *tbl= field_row->virtual_tmp_table();
+      DBUG_ASSERT(tbl->s->fields == sp_result_field_items.argument_count());
+      for (uint i= 0; i < tbl->s->fields; i++)
+      {
+        Item *item= sp_result_field_items.arguments()[i];
+        Item_field *item_field= dynamic_cast<Item_field*>(item);
+        DBUG_ASSERT(item_field);
+        item_field->reset_field(tbl->field[i]);
+      }
+    }
+    DBUG_RETURN(FALSE);
+  }
+
+
   if (m_sp->m_return_field_def.is_column_type_ref())
   {
     // RETURNS TYPE OF t1.col1

sql/item.h

@@ -5891,6 +5891,11 @@ class Item_sp
 
   Item_sp(THD *thd, Name_resolution_context *context_arg, sp_name *name_arg);
   Item_sp(THD *thd, Item_sp *item);
+  virtual ~Item_sp()
+  {
+    delete sp_result_field;
+    sp_result_field= NULL;
+  }
   LEX_CSTRING func_name_cstring(THD *thd, bool is_package_function) const;
   void cleanup();
   bool sp_check_access(THD *thd);

sql/item_func.cc

@@ -6839,12 +6839,29 @@ Item_func_sp::fix_fields(THD *thd, Item **ref)
     DBUG_RETURN(TRUE);
   }
 
+  Query_arena *arena, backup;
+  /*
+    Allocation an instance of Item_func_sp used for initialization of
+    sp_result_field taken place inside the method init_result_field() is done
+    on sp_head's mem_root since Item_sp also allocated on this memory root.
+
+    Switching to SP/PS memory root is done explicitly before calling the method
+    init_result_field() instead doing that inside init_result_field()
+    since for the case when rollup aggregate function is handled
+    (@see Item_sum_sp::copy_or_same, @see JOIN::rollup_make_fields)
+    the runtime arena used for operations, so switching to SP/PS arena for this
+    case would result in assertion failure on second execution of the same
+    prepared statement because the memory root be already marked as read only.
+  */
+  arena= thd->activate_stmt_arena_if_needed(&backup);
   /*
     We must call init_result_field before Item_func::fix_fields()
     to make m_sp and result_field members available to fix_length_and_dec(),
     which is called from Item_func::fix_fields().
   */
   res= init_result_field(thd, max_length, maybe_null(), &null_value, &name);
+  if (arena)
+    thd->restore_active_arena(arena, &backup);
 
   if (res)
     DBUG_RETURN(TRUE);

sql/item_sum.cc

@@ -1362,8 +1362,16 @@ Item_sum_sp::fix_fields(THD *thd, Item **ref)
     return TRUE;
   }
 
-  if (init_result_field(thd, max_length, maybe_null(), &null_value, &name))
-    return TRUE;
+  Query_arena *arena, backup;
+  arena= thd->activate_stmt_arena_if_needed(&backup);
+
+  bool ret= init_result_field(thd, max_length, maybe_null(),
+                              &null_value, &name);
+  if (arena)
+    thd->restore_active_arena(arena, &backup);
+
+  if(ret)
+    return true;
 
   for (uint i= 0 ; i < arg_count ; i++)
   {