Bug#35476172: MySQL server fails when executing query

The problem here is when a partition clause in a CREATE TABLE statement
contains a subquery.
This is not valid syntax, however our problem here is that the subquery
is attached to the main query expression of the SQL command.
If this CREATE TABLE statement also contains a source query expression
for initial population of the table, this query expression will be
resolved before the table is created. But the mentioned subquery is an
incomplete structure and the resolving may thus fail.

The fix for the problem is to disallow subqueries in partition
expressions by clearing the member LEX::expr_allows_subselect while
contextualizing the partition expression. This means that such invalid
expressions will cause a syntax error.

Also renamed the expr_allows_subselect member to the more standard
looking expr_allows_subquery.

Change-Id: I40796351e37561404d372a10cd8e960c18535512

Author: roylyseng

mysql-test/r/partition_error.result

@@ -1476,7 +1476,8 @@ ERROR HY000: This partition function is not allowed
 create table t1 (a int)
 partition by range (a + (select count(*) from t1))
 (partition p1 values less than (1));
-ERROR HY000: This partition function is not allowed
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(select count(*) from t1))
+(partition p1 values less than (1))' at line 2
 create table t1 (a char(10))
 partition by hash (extractvalue(a,'a'));
 ERROR HY000: This partition function is not allowed
@@ -1938,3 +1939,30 @@ Warning	4095	Delimiter ':' in position 2 in datetime value '00:00:00' at row 1 i
 Warning	1441	Datetime function: from_days field overflow
 DROP TABLE t1;
 SET sql_mode=default;
+# Bug#35476172: MySQL server fails when executing query
+CREATE TABLE t0(c1 INTEGER);
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY HASH ((SELECT c1 FROM t0));
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0))' at line 2
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY HASH ((SELECT c1 FROM t0))
+AS TABLE t0;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0))
+AS TABLE t0' at line 2
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY RANGE ((SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1));
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1))' at line 2
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY RANGE ((SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1))
+AS TABLE t0;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1))
+AS TABLE t0' at line 2
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY LIST ((SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0));
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0))' at line 2
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY LIST ((SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0))
+AS TABLE t0;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0))
+AS TABLE t0' at line 2
+DROP TABLE t0;

mysql-test/t/partition_error.test

@@ -1648,7 +1648,7 @@ partition by hash (NOW()+a);
 -- error ER_PARTITION_FUNCTION_IS_NOT_ALLOWED
 create table t1 (a int)
 partition by hash (extract(hour from convert_tz(a, '+00:00', '+00:00')));
--- error ER_PARTITION_FUNCTION_IS_NOT_ALLOWED
+-- error ER_PARSE_ERROR
 create table t1 (a int)
 partition by range (a + (select count(*) from t1))
 (partition p1 values less than (1));
@@ -2132,3 +2132,36 @@ SELECT FROM_DAYS(4294967660), FROM_DAYS(4294967661), FROM_DAYS(4294967663);
 INSERT t1 VALUES(ADDTIME(0,0)), (FROM_DAYS(3652499));
 DROP TABLE t1;
 SET sql_mode=default;
+
+--echo # Bug#35476172: MySQL server fails when executing query
+
+CREATE TABLE t0(c1 INTEGER);
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY HASH ((SELECT c1 FROM t0));
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY HASH ((SELECT c1 FROM t0))
+AS TABLE t0;
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY RANGE ((SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1));
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY RANGE ((SELECT c1 FROM t0)) (PARTITION a1 VALUES LESS THAN (1))
+AS TABLE t0;
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY LIST ((SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0));
+
+--error ER_PARSE_ERROR
+CREATE TABLE t1(c3 INTEGER)
+PARTITION BY LIST ((SELECT c1 FROM t0)) (PARTITION p0 VALUES IN (0))
+AS TABLE t0;
+
+DROP TABLE t0;

sql/parse_tree_handler.cc

@@ -85,7 +85,7 @@ bool PT_handler_read_base::do_contextualize(Parse_context *pc) {
   }
 
   // ban subqueries in WHERE and LIMIT clauses
-  lex->expr_allows_subselect = false;
+  lex->expr_allows_subquery = false;
 
   Item *one = new (thd->mem_root) Item_int(1);
   if (one == nullptr) return true;  // OOM
@@ -107,7 +107,7 @@ bool PT_handler_read_base::do_contextualize(Parse_context *pc) {
   if (m_opt_limit_clause != nullptr && m_opt_limit_clause->contextualize(pc))
     return true;
 
-  lex->expr_allows_subselect = true;
+  lex->expr_allows_subquery = true;
 
   /* Stored functions are not supported for HANDLER READ. */
   if (lex->uses_stored_routines()) {
@@ -142,11 +142,11 @@ Sql_cmd *PT_handler_index_scan::make_cmd(THD *thd) {
 Sql_cmd *PT_handler_index_range_scan::make_cmd(THD *thd) {
   thd->lex->sql_command = SQLCOM_HA_READ;
 
-  thd->lex->expr_allows_subselect = false;
+  thd->lex->expr_allows_subquery = false;
   Parse_context pc(thd, thd->lex->current_query_block());
   if (m_keypart_values->contextualize(&pc) || super::do_contextualize(&pc))
     return nullptr;
-  thd->lex->expr_allows_subselect = true;
+  thd->lex->expr_allows_subquery = true;
 
   return new (thd->mem_root)
       Sql_cmd_handler_read(enum_ha_read_modes::RKEY, m_index,

sql/parse_tree_nodes.cc

@@ -4373,7 +4373,7 @@ bool PT_subquery::do_contextualize(Parse_context *pc) {
   if (super::do_contextualize(pc)) return true;
 
   LEX *lex = pc->thd->lex;
-  if (!lex->expr_allows_subselect || lex->sql_command == SQLCOM_PURGE) {
+  if (!lex->expr_allows_subquery || lex->sql_command == SQLCOM_PURGE) {
     error(pc, m_pos);
     return true;
   }

sql/parse_tree_partitions.cc

@@ -387,8 +387,11 @@ bool PT_part_type_def::itemize_part_expr(Partition_parse_context *pc,
                                          const POS &pos, Item **item) {
   LEX *const lex = pc->thd->lex;
   lex->safe_to_cache_query = true;
+  lex->expr_allows_subquery = false;
   if ((*item)->itemize(pc, item)) return true;
 
+  lex->expr_allows_subquery = true;
+
   if (!lex->safe_to_cache_query) {
     error(pc, pos, ER_THD(pc->thd, ER_WRONG_EXPR_IN_PARTITION_FUNC_ERROR));
     return true;

sql/sql_lex.cc

@@ -442,7 +442,7 @@ void LEX::reset() {
   m_sql_cmd = nullptr;
   query_tables = nullptr;
   reset_query_tables_list(false);
-  expr_allows_subselect = true;
+  expr_allows_subquery = true;
   use_only_table_context = false;
   contains_plaintext_password = false;
   keep_diagnostics = DA_KEEP_NOTHING;

sql/sql_lex.h

@@ -4057,7 +4057,7 @@ struct LEX : public Query_tables_list {
     KILL, HA_READ, CREATE/ALTER EVENT etc. Set this to `false` to get
     syntax error back.
   */
-  bool expr_allows_subselect;
+  bool expr_allows_subquery{true};
   /**
     If currently re-parsing a CTE's definition, this is the offset in bytes
     of that definition in the original statement which had the WITH

sql/table.cc

@@ -2614,8 +2614,8 @@ bool unpack_value_generator(THD *thd, TABLE *table,
   const CHARSET_INFO *save_character_set_client =
       thd->variables.character_set_client;
   // Subquery is not allowed in generated expression
-  const bool save_allow_subselects = thd->lex->expr_allows_subselect;
-  thd->lex->expr_allows_subselect = false;
+  const bool save_allows_subquery = thd->lex->expr_allows_subquery;
+  thd->lex->expr_allows_subquery = false;
   // allow_sum_func is also 0, banning group aggregates and window functions.
   assert(thd->lex->allow_sum_func == 0);
 
@@ -2650,7 +2650,7 @@ bool unpack_value_generator(THD *thd, TABLE *table,
     thd->swap_query_arena(save_arena, &val_generator_arena);
     thd->variables.character_set_client = save_character_set_client;
     thd->want_privilege = save_old_privilege;
-    thd->lex->expr_allows_subselect = save_allow_subselects;
+    thd->lex->expr_allows_subquery = save_allows_subquery;
   };
 
   // Properties that need to be restored before leaving the scope if an
@@ -2675,7 +2675,7 @@ bool unpack_value_generator(THD *thd, TABLE *table,
   assert((*val_generator)->expr_item != nullptr &&
          (*val_generator)->expr_str.str == nullptr);
 
-  thd->lex->expr_allows_subselect = save_allow_subselects;
+  thd->lex->expr_allows_subquery = save_allows_subquery;
 
   // Set the stored_in_db attribute of the column it depends on (if any)
   if (field != nullptr) (*val_generator)->set_field_stored(field->stored_in_db);