MDEV-32299 Segfault when preparing unreferenced select in recursive CTE

midenok · midenok · commit 9f70e0a76ce2 · 2025-12-23T13:42:45.000+03:00
With_element::prepare_unreferenced() contains query from recursive CTE
which is upper owner of unreferenced CTE itself. Such recursive
derived table is resolved into its expression and it tries to resolve
fields or any other data from subqueries which are not yet
prepared. These subqueries are preparing in upper frames of the same
stack after prepare_unreferenced() finishes.

That does not happen when recursion happens in referenced CTE because
in that case there are links between the derived tables defined by the
parser and descending into such recursion descends further into all
the dependency queries. No such link exists in unreferenced query
therefore it misses its upper dependencies.

The fix moves prepare_unreferenced() later after JOIN::prepare() so it
has the chance to access all the prepared data.

There may be another fix of failing unreferenced queries with error as
such kind of queries seem to be not usable.
diff --git a/mysql-test/main/cte_recursive.result b/mysql-test/main/cte_recursive.result
@@ -5975,4 +5975,111 @@ drop table t1;
 #
 SELECT ( WITH RECURSIVE x AS ( WITH x AS ( SELECT 1 FROM t14 ) SELECT x ) , t14 AS ( SELECT 1 UNION SELECT 'x' FROM x ) SELECT x FROM x WHERE ( SELECT x FROM x ) ) ;
 ERROR 42S22: Unknown column 'x' in 'SELECT'
+#
+# MDEV-32299 Segfault when preparing unreferenced select in recursive CTE
+#
+SELECT ( WITH RECURSIVE x AS ( SELECT * FROM ( SELECT UTC_TIMESTAMP FROM ( SELECT ( WITH x AS ( WITH x AS ( SELECT * FROM x ) SELECT 1 ) SELECT 1 ) ) x ) x UNION SELECT NULL ) ( SELECT x FROM x ) ) ;
+ERROR 42S22: Unknown column 'x' in 'SELECT'
+select (
+with recursive x as (
+select * from (
+select utc_timestamp
+from (
+select (
+with x as (
+with x as (
+select * from x
+)
+select 1
+)
+select 1
+) s
+) y
+) z
+union
+select null
+)
+(select x from x)
+);
+ERROR 42S22: Unknown column 'x' in 'SELECT'
+select (
+with recursive r as (
+select * from (
+with a as (
+select * from r
+)
+select 1
+) y
+union
+select 1
+)
+(select * from r)
+);
+(
+with recursive r as (
+select * from (
+with a as (
+select * from r
+)
+select 1
+) y
+union
+select 1
+)
+(select * from r)
+)
+1
+create table t1 (x int);
+with recursive r as (
+select f1 from (
+with a as (
+select x from t1
+)
+select 1 as f1
+) y
+union
+select null
+)
+(select * from r);
+f1
+1
+NULL
+with recursive r as (
+select f1 from (
+with a as (
+select f2 from t1
+)
+select 1 as f1
+) y
+union
+select null
+)
+(select * from r);
+ERROR 42S22: Unknown column 'f2' in 'SELECT'
+drop table t1;
+with recursive r as (
+select 1 as f1
+union
+select f1 from (
+with a as (
+select f1 from r
+)
+select 1 as f1
+) y
+)
+(select f1 from r);
+f1
+1
+with recursive r as (
+select 1 as f1
+union
+select f1 from (
+with a as (
+select f2 from r
+)
+select 1 as f1
+) y
+)
+(select f1 from r);
+ERROR 42S22: Unknown column 'f2' in 'SELECT'
 # End of 10.6 tests
diff --git a/mysql-test/main/cte_recursive.test b/mysql-test/main/cte_recursive.test
@@ -3,6 +3,8 @@
 --source include/no_msan_without_big.inc
 --source include/not_valgrind.inc
 --source include/have_innodb.inc
+# --view-protocol fails due to MDEV-37119 for MDEV-32299
+--source include/no_view_protocol.inc
 
 create table t1 (a int, b varchar(32));
 insert into t1 values
@@ -4064,4 +4066,121 @@ drop table t1;
 --error ER_BAD_FIELD_ERROR
 SELECT ( WITH RECURSIVE x AS ( WITH x AS ( SELECT 1 FROM t14 ) SELECT x ) , t14 AS ( SELECT 1 UNION SELECT 'x' FROM x ) SELECT x FROM x WHERE ( SELECT x FROM x ) ) ;
 
+--echo #
+--echo # MDEV-32299 Segfault when preparing unreferenced select in recursive CTE
+--echo #
+
+# As in bug report
+--error ER_BAD_FIELD_ERROR
+SELECT ( WITH RECURSIVE x AS ( SELECT * FROM ( SELECT UTC_TIMESTAMP FROM ( SELECT ( WITH x AS ( WITH x AS ( SELECT * FROM x ) SELECT 1 ) SELECT 1 ) ) x ) x UNION SELECT NULL ) ( SELECT x FROM x ) ) ;
+
+#0  0x00005555569dff7b in TABLE_LIST::reset_const_table (this=0x7fffe0019938) at ../src/sql/table.cc:9615
+#1  0x00005555569dffd4 in TABLE_LIST::reset_const_table (this=0x7fffe001a8c0) at ../src/sql/table.cc:9622
+--error ER_BAD_FIELD_ERROR
+select (
+  with recursive x as (
+    select * from (
+      select utc_timestamp
+      from (
+        select (
+          with x as (
+            with x as (
+              select * from x
+            )
+            select 1
+          )
+          select 1
+        ) s
+      ) y
+    ) z
+
+    union
+
+    select null
+  )
+  (select x from x)
+);
+
+#6  0x00007ffff7639206 in __assert_fail (assertion=0x555555e121b6 "table_ref->table || table_ref->view", file=0x555555cdf138 "../src/sql/table.cc", line=7305, function=0x555555e30e24 "void Field_iterator_table_ref::set_field_iterator()") at ./assert/assert.c:101
+#7  0x00005555569da013 in Field_iterator_table_ref::set_field_iterator (this=0x7ffff0a9afc0) at ../src/sql/table.cc:7305
+select (
+  with recursive r as (
+    select * from (
+      with a as (
+          select * from r
+      )
+      select 1
+    ) y
+
+    union
+
+    select 1
+  )
+  (select * from r)
+);
+
+# Field resolution in unreferenced:
+create table t1 (x int);
+
+with recursive r as (
+  select f1 from (
+    with a as (
+        select x from t1
+    )
+    select 1 as f1
+  ) y
+
+  union
+
+  select null
+)
+(select * from r);
+
+--error ER_BAD_FIELD_ERROR
+with recursive r as (
+  select f1 from (
+    with a as (
+        select f2 from t1
+    )
+    select 1 as f1
+  ) y
+
+  union
+
+  select null
+)
+(select * from r);
+
+drop table t1;
+
+with recursive r as (
+  select 1 as f1
+
+  union
+
+  select f1 from (
+    with a as (
+        select f1 from r
+    )
+    select 1 as f1
+  ) y
+)
+(select f1 from r);
+
+--error ER_BAD_FIELD_ERROR
+with recursive r as (
+  select 1 as f1
+
+  union
+
+  select f1 from (
+    with a as (
+        select f2 from r
+    )
+    select 1 as f1
+  ) y
+)
+(select f1 from r);
+
+
 --echo # End of 10.6 tests
diff --git a/sql/sql_cte.cc b/sql/sql_cte.cc
@@ -100,6 +100,19 @@ bool LEX::check_dependencies_in_with_clauses()
 }
 
 
+bool LEX::prepare_unreferenced_in_with_clauses()
+{
+  for (With_clause *with_clause= with_clauses_list;
+       with_clause;
+       with_clause= with_clause->next_with_clause)
+  {
+    if (with_clause->prepare_unreferenced_elements(thd))
+      return true;
+  }
+  return false;
+}
+
+
 /**
   @brief
     Resolve table references to CTE from a sub-chain of table references
diff --git a/sql/sql_cte.h b/sql/sql_cte.h
@@ -438,9 +438,7 @@ class With_clause : public Sql_alloc
   void print(THD *thd, String *str, enum_query_type query_type);
 
   friend class With_element;
-
-  friend
-  bool LEX::check_dependencies_in_with_clauses();
+  friend struct LEX;
 };
 
 inline
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
@@ -4954,6 +4954,7 @@ struct LEX: public Query_tables_list
                               DDL_options ddl_options);
 
   bool check_dependencies_in_with_clauses();
+  bool prepare_unreferenced_in_with_clauses();
   bool check_cte_dependencies_and_resolve_references();
   bool resolve_references_to_cte(TABLE_LIST *tables,
                                  TABLE_LIST **tables_last,
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
@@ -1628,6 +1628,10 @@ static int mysql_test_select(Prepared_statement *stmt,
   */
   if (unit->prepare(unit->derived, 0, 0))
     goto error;
+
+  if (thd->lex->prepare_unreferenced_in_with_clauses())
+    goto error;
+
   if (!lex->describe && !thd->lex->analyze_stmt && !stmt->is_sql_prepare())
   {
     /* Make copy of item list, as change_columns may change it */
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
@@ -1645,10 +1645,6 @@ JOIN::prepare(TABLE_LIST *tables_init, COND *conds_init, uint og_num,
     }
   }
 
-  With_clause *with_clause=select_lex->get_with_clause();
-  if (with_clause && with_clause->prepare_unreferenced_elements(thd))
-    DBUG_RETURN(1);
-
   With_element *with_elem= select_lex->get_with_element();
   if (with_elem &&
       select_lex->check_unrestricted_recursive(
@@ -5265,6 +5261,10 @@ mysql_select(THD *thd, TABLE_LIST *tables, List<Item> &fields, COND *conds,
   }
 
   thd->get_stmt_da()->reset_current_row_for_warning(1);
+
+  if (thd->lex->prepare_unreferenced_in_with_clauses())
+    goto err;
+
   /* Look for a table owned by an engine with the select_handler interface */
   select_lex->pushdown_select= find_select_handler(thd, select_lex);
 

Original file line number	Diff line number	Diff line change
`@@ -1645,10 +1645,6 @@ JOIN::prepare(TABLE_LIST tables_init, COND conds_init, uint og_num,`
`1645`	`1645`	`}`
`1646`	`1646`	`}`
`1647`	`1647`
`1648`		`- With_clause *with_clause=select_lex->get_with_clause();`
`1649`		`- if (with_clause && with_clause->prepare_unreferenced_elements(thd))`
`1650`		`- DBUG_RETURN(1);`
`1651`		`-`
`1652`	`1648`	`With_element *with_elem= select_lex->get_with_element();`
`1653`	`1649`	`if (with_elem &&`
`1654`	`1650`	`select_lex->check_unrestricted_recursive(`
`@@ -5265,6 +5261,10 @@ mysql_select(THD thd, TABLE_LIST tables, List<Item> &fields, COND *conds,`
`5265`	`5261`	`}`
`5266`	`5262`
`5267`	`5263`	`thd->get_stmt_da()->reset_current_row_for_warning(1);`
	`5264`	`+`
	`5265`	`+ if (thd->lex->prepare_unreferenced_in_with_clauses())`
	`5266`	`+ goto err;`
	`5267`	`+`
`5268`	`5268`	`/* Look for a table owned by an engine with the select_handler interface */`
`5269`	`5269`	`select_lex->pushdown_select= find_select_handler(thd, select_lex);`
`5270`	`5270`