Bug#36226080: wl16142-Mysqld failure-String::c_ptr_safe

roylyseng · roylyseng · commit 3a8974c64129 · 2024-02-06T14:50:30.000+01:00
Step 2: Add ROUTINE_FIELD_ITEM type code.

Add this new type code and let class Item_splocal return it.

Also eliminated local variables m_type and m_result_type,
the latter can be derived at runtime from data_type().

This also made it possible to remove the redundant functions
sp_map_result_type() and sp_map_item_type().

Added some extra regression tests for use of LIMIT, NTILE, LEAD and LAG
with stored procedures, since there is now a different type code for
procedure variables and parameters that must be of integer type.

Change-Id: I1206c889407ac88982325ab508cbedb89b27e707
diff --git a/mysql-test/r/sp.result b/mysql-test/r/sp.result
@@ -7344,6 +7344,17 @@ set a = (select count(*) from t1 limit a, b);
 return a;
 end|
 ERROR 42000: Undeclared variable: b
+# Variables used in LIMIT and OFFSET must be of integer type
+create function f1() returns integer
+begin
+declare a integer;
+declare b, c real;
+set a = (select count(*) from t1 limit a, b);
+return a;
+end|
+ERROR 42000: The variable "b" has a non-integer based type near 'b);
+return a;
+end' at line 5
 create function f1()
 returns int
 begin
diff --git a/mysql-test/r/window_functions.result b/mysql-test/r/window_functions.result
@@ -9461,10 +9461,89 @@ DO LEAD(1, 18446744073709551615) OVER();
 ERROR HY000: Incorrect arguments to lead
 DO NTILE(18446744073709551615) OVER();
 ERROR HY000: Incorrect arguments to ntile
-CREATE PROCEDURE p1(n INT) DO NTILE(n) OVER();
+CREATE PROCEDURE p1(n INTEGER) DO NTILE(n) OVER();
 CALL p1(NULL);
 ERROR HY000: Incorrect arguments to ntile
 DROP PROCEDURE p1;
+CREATE PROCEDURE p1(n INTEGER) DO LEAD('x', n) OVER();
+CALL p1(NULL);
+ERROR HY000: Incorrect arguments to lead
+CALL p1(0);
+CALL p1(-1);
+ERROR HY000: Incorrect arguments to lead
+DROP PROCEDURE p1;
+CREATE PROCEDURE p1(n INTEGER) DO LAG('x', n) OVER();
+CALL p1(NULL);
+ERROR HY000: Incorrect arguments to lag
+CALL p1(0);
+CALL p1(-1);
+ERROR HY000: Incorrect arguments to lag
+DROP PROCEDURE p1;
+CREATE PROCEDURE p1(n DATE) DO NTILE(n) OVER();
+ERROR 42000: The variable "n" has a non-integer based type near 'n) OVER()' at line 1
+CREATE PROCEDURE p1()
+BEGIN
+DECLARE d DATE;
+DO NTILE(d) OVER();
+END
+//
+ERROR 42000: The variable "d" has a non-integer based type near 'd) OVER();
+END' at line 4
+CREATE PROCEDURE p2()
+BEGIN
+DECLARE d DATE;
+DO LEAD('x', d) OVER();
+END
+//
+ERROR 42000: The variable "d" has a non-integer based type near 'd) OVER();
+END' at line 4
+CREATE PROCEDURE p3()
+BEGIN
+DECLARE d DATE;
+DO LAG('x', d) OVER();
+END
+//
+ERROR 42000: The variable "d" has a non-integer based type near 'd) OVER();
+END' at line 4
+CREATE PROCEDURE p1(n INTEGER)
+BEGIN
+DECLARE i INTEGER;
+SET i = n;
+DO NTILE(i) OVER();
+END
+//
+CREATE PROCEDURE p2(n INTEGER)
+BEGIN
+DECLARE i INTEGER;
+SET i = n;
+DO LEAD('x', i) OVER();
+END
+//
+CREATE PROCEDURE p3(n INTEGER)
+BEGIN
+DECLARE i INTEGER;
+SET i = n;
+DO LAG('x', i) OVER();
+END
+//
+CALL p1(NULL);
+ERROR HY000: Incorrect arguments to ntile
+CALL p1(0);
+ERROR HY000: Incorrect arguments to ntile
+CALL p1(1);
+CALL p2(NULL);
+ERROR HY000: Incorrect arguments to lead
+CALL p2(0);
+CALL p2(-1);
+ERROR HY000: Incorrect arguments to lead
+CALL p3(NULL);
+ERROR HY000: Incorrect arguments to lag
+CALL p3(0);
+CALL p3(-1);
+ERROR HY000: Incorrect arguments to lag
+DROP PROCEDURE p1;
+DROP PROCEDURE p2;
+DROP PROCEDURE p3;
 SET @v = NULL;
 PREPARE stmt FROM 'DO NTILE(?) OVER()';
 EXECUTE stmt USING @v;
diff --git a/mysql-test/t/sp.test b/mysql-test/t/sp.test
@@ -8461,6 +8461,16 @@ begin
   return a;
 end|
 
+--echo # Variables used in LIMIT and OFFSET must be of integer type
+--error ER_PARSE_ERROR
+create function f1() returns integer
+begin
+  declare a integer;
+  declare b, c real;
+  set a = (select count(*) from t1 limit a, b);
+  return a;
+end|
+
 create function f1()
   returns int
 begin
diff --git a/mysql-test/t/window_functions.test b/mysql-test/t/window_functions.test
@@ -4231,11 +4231,103 @@ DO NTILE(18446744073709551615) OVER();
 
 # Negative coverage tests for some non-literal arguments:
 
-CREATE PROCEDURE p1(n INT) DO NTILE(n) OVER();
+CREATE PROCEDURE p1(n INTEGER) DO NTILE(n) OVER();
 --error ER_WRONG_ARGUMENTS
 CALL p1(NULL);
 DROP PROCEDURE p1;
 
+CREATE PROCEDURE p1(n INTEGER) DO LEAD('x', n) OVER();
+--error ER_WRONG_ARGUMENTS
+CALL p1(NULL);
+CALL p1(0);
+--error ER_WRONG_ARGUMENTS
+CALL p1(-1);
+DROP PROCEDURE p1;
+
+CREATE PROCEDURE p1(n INTEGER) DO LAG('x', n) OVER();
+--error ER_WRONG_ARGUMENTS
+CALL p1(NULL);
+CALL p1(0);
+--error ER_WRONG_ARGUMENTS
+CALL p1(-1);
+DROP PROCEDURE p1;
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE p1(n DATE) DO NTILE(n) OVER();
+
+delimiter //;
+--error ER_PARSE_ERROR
+CREATE PROCEDURE p1()
+BEGIN
+  DECLARE d DATE;
+  DO NTILE(d) OVER();
+END
+//
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE p2()
+BEGIN
+  DECLARE d DATE;
+  DO LEAD('x', d) OVER();
+END
+//
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE p3()
+BEGIN
+  DECLARE d DATE;
+  DO LAG('x', d) OVER();
+END
+//
+
+CREATE PROCEDURE p1(n INTEGER)
+BEGIN
+  DECLARE i INTEGER;
+  SET i = n;
+  DO NTILE(i) OVER();
+END
+//
+
+CREATE PROCEDURE p2(n INTEGER)
+BEGIN
+  DECLARE i INTEGER;
+  SET i = n;
+  DO LEAD('x', i) OVER();
+END
+//
+
+CREATE PROCEDURE p3(n INTEGER)
+BEGIN
+  DECLARE i INTEGER;
+  SET i = n;
+  DO LAG('x', i) OVER();
+END
+//
+
+delimiter ;//
+
+--error ER_WRONG_ARGUMENTS
+CALL p1(NULL);
+--error ER_WRONG_ARGUMENTS
+CALL p1(0);
+CALL p1(1);
+
+--error ER_WRONG_ARGUMENTS
+CALL p2(NULL);
+CALL p2(0);
+--error ER_WRONG_ARGUMENTS
+CALL p2(-1);
+
+--error ER_WRONG_ARGUMENTS
+CALL p3(NULL);
+CALL p3(0);
+--error ER_WRONG_ARGUMENTS
+CALL p3(-1);
+
+DROP PROCEDURE p1;
+DROP PROCEDURE p2;
+DROP PROCEDURE p3;
+
 SET @v = NULL;
 
 PREPARE stmt FROM 'DO NTILE(?) OVER()';
diff --git a/sql/item.cc b/sql/item.cc
@@ -76,7 +76,7 @@
 #include "sql/protocol.h"
 #include "sql/query_options.h"
 #include "sql/select_lex_visitor.h"
-#include "sql/sp.h"           // sp_map_item_type
+#include "sql/sp.h"           // sp_prepare_func_item
 #include "sql/sp_rcontext.h"  // sp_rcontext
 #include "sql/sql_base.h"     // view_ref_found
 #include "sql/sql_bitmap.h"
@@ -1961,10 +1961,7 @@ Item_splocal::Item_splocal(const Name_string sp_var_name, uint sp_var_idx,
       len_in_query(len_in_q) {
   set_nullable(true);
 
-  sp_var_type = real_type_to_type(sp_var_type);
-  m_type = sp_map_item_type(sp_var_type);
-  set_data_type(sp_var_type);
-  m_result_type = sp_map_result_type(sp_var_type);
+  set_data_type(real_type_to_type(sp_var_type));
 }
 
 Item *Item_splocal::this_item() {
diff --git a/sql/item.h b/sql/item.h
@@ -986,6 +986,7 @@ class Item : public Parse_tree_node {
     CACHE_ITEM,          ///< An internal item used to cache values.
     TYPE_HOLDER_ITEM,    ///< An internal item used to help aggregate a type.
     PARAM_ITEM,          ///< A dynamic parameter used in a prepared statement.
+    ROUTINE_FIELD_ITEM,  ///< A variable inside a routine (proc, func, trigger)
     TRIGGER_FIELD_ITEM,  ///< An OLD or NEW field, used in trigger definitions.
     XPATH_NODESET_ITEM,  ///< Used in XPATH expressions.
     VALUES_COLUMN_ITEM   ///< A value from a VALUES clause.
@@ -3896,9 +3897,6 @@ class Item_splocal final : public Item_sp_variable,
                            private Settable_routine_parameter {
   uint m_var_idx;
 
-  Type m_type;
-  Item_result m_result_type;
-
  public:
   /*
     If this variable is a parameter in LIMIT clause.
@@ -3941,10 +3939,12 @@ class Item_splocal final : public Item_sp_variable,
              enum_query_type query_type) const override;
 
  public:
-  inline uint get_var_idx() const { return m_var_idx; }
+  uint get_var_idx() const { return m_var_idx; }
 
-  inline enum Type type() const override { return m_type; }
-  inline Item_result result_type() const override { return m_result_type; }
+  Type type() const override { return ROUTINE_FIELD_ITEM; }
+  Item_result result_type() const override {
+    return type_to_result(data_type());
+  }
   bool val_json(Json_wrapper *result) override;
 
  private:
diff --git a/sql/item_func.h b/sql/item_func.h
@@ -3206,6 +3206,7 @@ class user_var_entry {
   /* Routines to access the value and its type */
   const char *ptr() const { return m_ptr; }
   size_t length() const { return m_length; }
+  /// The data type of this variable.
   Item_result type() const { return m_type; }
   /* Item-alike routines to access the value */
   double val_real(bool *null_value) const;
diff --git a/sql/parse_tree_items.cc b/sql/parse_tree_items.cc
@@ -693,7 +693,9 @@ bool PTI_int_splocal::do_itemize(Parse_context *pc, Item **res) {
   if (v == nullptr) {
     return true;  // undefined variable or OOM
   }
-  if (v->type() != Item::INT_ITEM) {
+  // Data type for a routine field is resolved during parsing, so this is OK:
+  if (v->type() == Item::ROUTINE_FIELD_ITEM &&
+      !is_integer_type(v->data_type())) {
     pc->thd->syntax_error_at(m_location, ER_SPVAR_NONINTEGER_TYPE, m_name.str);
     return true;
   }
diff --git a/sql/sp.cc b/sql/sp.cc
@@ -2279,50 +2279,6 @@ void sp_finish_parsing(THD *thd) {
   sp->m_parser_data.finish_parsing_sp_body(thd);
 }
 
-/// @return Item_result code corresponding to the RETURN-field type code.
-Item_result sp_map_result_type(enum enum_field_types type) {
-  switch (type) {
-    case MYSQL_TYPE_BIT:
-    case MYSQL_TYPE_BOOL:
-    case MYSQL_TYPE_TINY:
-    case MYSQL_TYPE_SHORT:
-    case MYSQL_TYPE_LONG:
-    case MYSQL_TYPE_LONGLONG:
-    case MYSQL_TYPE_INT24:
-      return INT_RESULT;
-    case MYSQL_TYPE_DECIMAL:
-    case MYSQL_TYPE_NEWDECIMAL:
-      return DECIMAL_RESULT;
-    case MYSQL_TYPE_FLOAT:
-    case MYSQL_TYPE_DOUBLE:
-      return REAL_RESULT;
-    default:
-      return STRING_RESULT;
-  }
-}
-
-/// @return Item::Type code corresponding to the RETURN-field type code.
-Item::Type sp_map_item_type(enum enum_field_types type) {
-  switch (type) {
-    case MYSQL_TYPE_BIT:
-    case MYSQL_TYPE_BOOL:
-    case MYSQL_TYPE_TINY:
-    case MYSQL_TYPE_SHORT:
-    case MYSQL_TYPE_LONG:
-    case MYSQL_TYPE_LONGLONG:
-    case MYSQL_TYPE_INT24:
-      return Item::INT_ITEM;
-    case MYSQL_TYPE_DECIMAL:
-    case MYSQL_TYPE_NEWDECIMAL:
-      return Item::DECIMAL_ITEM;
-    case MYSQL_TYPE_FLOAT:
-    case MYSQL_TYPE_DOUBLE:
-      return Item::REAL_ITEM;
-    default:
-      return Item::STRING_ITEM;
-  }
-}
-
 /**
   @param lex LEX-object, representing an SQL-statement inside SP.
 
diff --git a/sql/sp.h b/sql/sp.h
@@ -399,8 +399,6 @@ void sp_finish_parsing(THD *thd);
 
 ///////////////////////////////////////////////////////////////////////////
 
-Item_result sp_map_result_type(enum enum_field_types type);
-Item::Type sp_map_item_type(enum enum_field_types type);
 uint sp_get_flags_for_command(LEX *lex);
 
 bool sp_check_name(LEX_STRING *ident);
diff --git a/sql/sql_tmp_table.cc b/sql/sql_tmp_table.cc
@@ -472,6 +472,7 @@ Field *create_tmp_field(THD *thd, TABLE *table, Item *item, Item::Type type,
     case Item::NULL_ITEM:
     case Item::HEX_BIN_ITEM:
     case Item::PARAM_ITEM:
+    case Item::ROUTINE_FIELD_ITEM:
     case Item::SUM_FUNC_ITEM:
       if (type == Item::SUM_FUNC_ITEM && !is_wf) {
         Item_sum *item_sum = down_cast<Item_sum *>(item);

Original file line number	Diff line number	Diff line change
`@@ -693,7 +693,9 @@ bool PTI_int_splocal::do_itemize(Parse_context pc, Item *res) {`
`693`	`693`	`if (v == nullptr) {`
`694`	`694`	`return true; // undefined variable or OOM`
`695`	`695`	`}`
`696`		`- if (v->type() != Item::INT_ITEM) {`
	`696`	`+ // Data type for a routine field is resolved during parsing, so this is OK:`
	`697`	`+ if (v->type() == Item::ROUTINE_FIELD_ITEM &&`
	`698`	`+ !is_integer_type(v->data_type())) {`
`697`	`699`	`pc->thd->syntax_error_at(m_location, ER_SPVAR_NONINTEGER_TYPE, m_name.str);`
`698`	`700`	`return true;`
`699`	`701`	`}`