MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP

dmitryshulga · dmitryshulga · commit f439cfdf9369 · 2022-07-12T17:18:48.000+07:00
Running some statements that use IN subqueries outside context of a regular query could result in server abnormal termination. The reason for failure is that internal structures SELECT_LEX/SELECT_LEX_UNIT created on behalf of parsed query were initialized incorrectly. Incorrect initialization of the structures SELECT_LEX/SELECT_LEX_UNIT was introduced by the commit de745ec (MDEV-11953: support of brackets in UNION/EXCEPT/INTERSECT operations) pushed into 10.4, that is the reason this bug report is not reproduced in 10.3. To fix the issue the method SLECTE_LEX::register_unit is used for proper initialization of the data structures SELECT_LEX/SELECT_LEX_UNIT. Additionally, the method SELECT_LEX::get_slave() was removed from the source code base since for those use cases where it is used it can be replaced by the method first_inner_unit().
diff --git a/mysql-test/main/sp-bugs.result b/mysql-test/main/sp-bugs.result
@@ -353,3 +353,13 @@ drop table _t1;
 #
 # End of 10.3 tests
 #
+#
+#  MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP
+#
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR 2 ; END $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR (SELECT 2) ; END $
+KILL  (('x' IN ( SELECT 1)) MOD 44);
+ERROR HY000: Unknown thread id: 0
+#
+# End of 10.4 tests
+#
diff --git a/mysql-test/main/sp-bugs.test b/mysql-test/main/sp-bugs.test
@@ -371,3 +371,18 @@ drop table _t1;
 --echo #
 --echo # End of 10.3 tests
 --echo #
+
+--echo #
+--echo #  MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP
+--echo #
+--delimiter $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR 2 ; END $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR (SELECT 2) ; END $
+--delimiter ;
+
+--error ER_NO_SUCH_THREAD
+KILL  (('x' IN ( SELECT 1)) MOD 44);
+
+--echo #
+--echo # End of 10.4 tests
+--echo #
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -9684,11 +9684,13 @@ void LEX::relink_hack(st_select_lex *select_lex)
 {
   if (!select_stack_top) // Statements of the second type
   {
-    if (!select_lex->get_master()->get_master())
-      ((st_select_lex *) select_lex->get_master())->
-        set_master(&builtin_select);
-    if (!builtin_select.get_slave())
-      builtin_select.set_slave(select_lex->get_master());
+    if (!select_lex->outer_select() &&
+        !builtin_select.first_inner_unit())
+    {
+      builtin_select.register_unit(select_lex->master_unit(),
+                                   &builtin_select.context);
+      builtin_select.add_statistics(select_lex->master_unit());
+    }
   }
 }
 
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
@@ -738,7 +738,6 @@ class st_select_lex_node {
   }
 
   inline st_select_lex_node* get_master() { return master; }
-  inline st_select_lex_node* get_slave() { return slave; }
   void include_down(st_select_lex_node *upper);
   void add_slave(st_select_lex_node *slave_arg);
   void include_neighbour(st_select_lex_node *before);

Original file line number	Diff line number	Diff line change
`@@ -353,3 +353,13 @@ drop table _t1;`
`353`	`353`	`#`
`354`	`354`	`# End of 10.3 tests`
`355`	`355`	`#`
	`356`	`+#`
	`357`	`+# MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP`
	`358`	`+#`
	`359`	`+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR 2 ; END $`
	`360`	`+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR (SELECT 2) ; END $`
	`361`	`+KILL (('x' IN ( SELECT 1)) MOD 44);`
	`362`	`+ERROR HY000: Unknown thread id: 0`
	`363`	`+#`
	`364`	`+# End of 10.4 tests`
	`365`	`+#`
Original file line number	Diff line number	Diff line change
`@@ -9684,11 +9684,13 @@ void LEX::relink_hack(st_select_lex *select_lex)`
`9684`	`9684`	`{`
`9685`	`9685`	`if (!select_stack_top) // Statements of the second type`
`9686`	`9686`	`{`
`9687`		`- if (!select_lex->get_master()->get_master())`
`9688`		`- ((st_select_lex *) select_lex->get_master())->`
`9689`		`- set_master(&builtin_select);`
`9690`		`- if (!builtin_select.get_slave())`
`9691`		`- builtin_select.set_slave(select_lex->get_master());`
	`9687`	`+ if (!select_lex->outer_select() &&`
	`9688`	`+ !builtin_select.first_inner_unit())`
	`9689`	`+ {`
	`9690`	`+ builtin_select.register_unit(select_lex->master_unit(),`
	`9691`	`+ &builtin_select.context);`
	`9692`	`+ builtin_select.add_statistics(select_lex->master_unit());`
	`9693`	`+ }`
`9692`	`9694`	`}`
`9693`	`9695`	`}`
`9694`	`9696`
Original file line number	Diff line number	Diff line change
`@@ -738,7 +738,6 @@ class st_select_lex_node {`
`738`	`738`	`}`
`739`	`739`
`740`	`740`	`inline st_select_lex_node* get_master() { return master; }`
`741`		`- inline st_select_lex_node* get_slave() { return slave; }`
`742`	`741`	`void include_down(st_select_lex_node *upper);`
`743`	`742`	`void add_slave(st_select_lex_node *slave_arg);`
`744`	`743`	`void include_neighbour(st_select_lex_node *before);`