MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon …

…execution of SP Running some statements that use IN subqueries outside context of a regular query could result in server abnormal termination. The reason for failure is that internal structures SELECT_LEX/SELECT_LEX_UNIT created on behalf of parsed query were initialized incorrectly. Incorrect initialization of the structures SELECT_LEX/SELECT_LEX_UNIT was introduced by the commit de745ec (MDEV-11953: support of brackets in UNION/EXCEPT/INTERSECT operations) pushed into 10.4, that is the reason this bug report is not reproduced in 10.3. To fix the issue the method SLECTE_LEX::register_unit is used for proper initialization of the data structures SELECT_LEX/SELECT_LEX_UNIT. Additionally, the method SELECT_LEX::get_slave() was removed from the source code base since for those use cases where it is used it can be replaced by the method first_inner_unit().
MariaDB · Jul 12, 2022 · f439cfd · f439cfd
1 parent 9a0cbd3
commit f439cfd
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 6 deletions.
diff --git a/mysql-test/main/sp-bugs.result b/mysql-test/main/sp-bugs.result
@@ -353,3 +353,13 @@ drop table _t1;
 #
 # End of 10.3 tests
 #
+#
+#  MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP
+#
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR 2 ; END $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR (SELECT 2) ; END $
+KILL  (('x' IN ( SELECT 1)) MOD 44);
+ERROR HY000: Unknown thread id: 0
+#
+# End of 10.4 tests
+#
diff --git a/mysql-test/main/sp-bugs.test b/mysql-test/main/sp-bugs.test
@@ -371,3 +371,18 @@ drop table _t1;
 --echo #
 --echo # End of 10.3 tests
 --echo #
+
+--echo #
+--echo #  MDEV-22001: Server crashes in st_select_lex_unit::exclude_level upon execution of SP
+--echo #
+--delimiter $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR 2 ; END $
+BEGIN NOT ATOMIC DECLARE a INT DEFAULT 0 IN ( SELECT 1 ) OR (SELECT 2) ; END $
+--delimiter ;
+
+--error ER_NO_SUCH_THREAD
+KILL  (('x' IN ( SELECT 1)) MOD 44);
+
+--echo #
+--echo # End of 10.4 tests
+--echo #
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -9684,11 +9684,13 @@ void LEX::relink_hack(st_select_lex *select_lex)
 {
   if (!select_stack_top) // Statements of the second type
   {
-    if (!select_lex->get_master()->get_master())
-      ((st_select_lex *) select_lex->get_master())->
-        set_master(&builtin_select);
-    if (!builtin_select.get_slave())
-      builtin_select.set_slave(select_lex->get_master());
+    if (!select_lex->outer_select() &&
+        !builtin_select.first_inner_unit())
+    {
+      builtin_select.register_unit(select_lex->master_unit(),
+                                   &builtin_select.context);
+      builtin_select.add_statistics(select_lex->master_unit());
+    }
   }
 }
 

diff --git a/sql/sql_lex.h b/sql/sql_lex.h
@@ -738,7 +738,6 @@ class st_select_lex_node {
   }
 
   inline st_select_lex_node* get_master() { return master; }
-  inline st_select_lex_node* get_slave() { return slave; }
   void include_down(st_select_lex_node *upper);
   void add_slave(st_select_lex_node *slave_arg);
   void include_neighbour(st_select_lex_node *before);