MDEV-32397, MDEV-32403 Crashes during join processing.

DaveGosselin-MariaDB · DaveGosselin-MariaDB · commit 9f64b2913fbb · 2025-10-20T10:08:19.000-04:00
Queries having the following form may cause a crash
  SELECT t1.a FROM ( SELECT a AS a1 FROM t1 ) dt
  JOIN t1 ON a1 LIKE EXISTS ( SELECT a + RAND () FROM t1 UNION SELECT a FROM t1);
because the table t1 has some JOIN cleanup operations performed prematurely
during the subselect.

In this particular case, the presence of RAND() makes the subquery
uncacheable, necessitating the need to execute the subquery multiple
times during join record evaluation.  Each time the subquery runs, it
creates its own JOIN structure which has references to the table t1.
When the subquery completes, JOIN::cleanup and functions called by it
result in ha_end_keyread() being called on table t1.  However, we are
not done with table t1 because the upper level `select t1.a from...`
query requires table t1 to be open.  To solve this, we make the executor
aware of when we're in subqueries like this and delay JOIN cleanup
until the end of the query.
diff --git a/mysql-test/main/subselect_union_rand.result b/mysql-test/main/subselect_union_rand.result
@@ -0,0 +1,13 @@
+CREATE TABLE t1 ( a double, key (a)) ;
+INSERT INTO t1 VALUES (1),(2),(-3);
+SELECT t1.a FROM ( SELECT a AS a1 FROM t1 ) dt
+JOIN t1 ON a1  LIKE EXISTS ( SELECT a + RAND () FROM t1 UNION SELECT a FROM t1) ;
+DROP TABLE t1;
+CREATE TABLE t1 ( a VARCHAR(100), b bool) ;
+INSERT INTO t1 VALUES ('-101',-87),('-95',59),(NULL,48);
+SELECT
+(SELECT 1 FROM  (SELECT 1 HAVING rand() ) dt1
+UNION
+SELECT a FROM t1  WHERE b IN  (SELECT a FROM t1) LIMIT 1)
+FROM t1;
+DROP TABLE t1;
diff --git a/mysql-test/main/subselect_union_rand.test b/mysql-test/main/subselect_union_rand.test
@@ -0,0 +1,28 @@
+#
+# MDEV-32397 join_read_first, keyread SEGV crash
+#
+CREATE TABLE t1 ( a double, key (a)) ;
+INSERT INTO t1 VALUES (1),(2),(-3);
+# We disable the result log because RAND() is unpredictable and seeding RAND
+# doesn't make it stable when using the PS protocol.
+--disable_result_log
+SELECT t1.a FROM ( SELECT a AS a1 FROM t1 ) dt
+JOIN t1 ON a1  LIKE EXISTS ( SELECT a + RAND () FROM t1 UNION SELECT a FROM t1) ;
+--enable_result_log
+DROP TABLE t1;
+
+#
+# MDEV-32403 test_if_quick_select: Segv
+#
+CREATE TABLE t1 ( a VARCHAR(100), b bool) ;
+INSERT INTO t1 VALUES ('-101',-87),('-95',59),(NULL,48);
+# We disable the result log because RAND() is unpredictable and seeding RAND
+# doesn't make it stable when using the PS protocol.
+--disable_result_log
+SELECT
+       (SELECT 1 FROM  (SELECT 1 HAVING rand() ) dt1
+	UNION
+	SELECT a FROM t1  WHERE b IN  (SELECT a FROM t1) LIMIT 1)
+FROM t1;
+--enable_result_log
+DROP TABLE t1;
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -5071,6 +5071,20 @@ bool st_select_lex::optimize_unflattened_subqueries(bool const_only)
       if (empty_union_result)
         subquery_predicate->no_rows_in_result();
 
+      /*
+        If any one SELECT in the subquery has UNCACHEABLE_RAND, then all
+        SELECTs should be marked as uncacheable.
+      */
+      bool has_rand= false;
+      for (SELECT_LEX *sl= un->first_select(); sl && !has_rand;
+           sl= sl->next_select())
+        has_rand= sl->uncacheable & UNCACHEABLE_RAND;
+      if (has_rand)
+      {
+        for (SELECT_LEX *sl= un->first_select(); sl; sl= sl->next_select())
+          sl->uncacheable |= UNCACHEABLE_UNITED;
+      }
+
       if (is_correlated_unit)
       {
         /*
