Bug#36313072: mysqld crash in Item_ref::real_item

Chaithra Gopalareddy · Chaithra Gopalareddy · commit db5b9ce91505 · 2024-03-14T12:44:31.000+05:30
While resolving an expression in QUALIFY clause, if the expression is
resolved against a field in a table or a merged view, it is added to
the select expression list as a hidden item. In the case when
the resolver later reduces the QUALIFY clause to an always false or an
always true condition, it removes the expressions present in the
QUALIFY clause and replaces them with a TRUE or FALSE condition.
Care is taken to not remove these expressions when there
are still references to these objects. However, for the case where the
hidden item is added to the select expression list, reference count is
not incremented correctly resulting in removal of the expressions.
This leads to problems later when the added hidden item is looked at.
Solution is to increment the reference count when the hidden item is
added to the select expression list. We already increment the ref count
once, which accounts for the reference from Item_ref object we are
trying to resolve. Now we account for the presence in the select
expression list.

Change-Id: Ife3e51f1f38fe030ab2381c2ef7354d033dff5bf
diff --git a/mysql-test/r/qualify_hypergraph.result b/mysql-test/r/qualify_hypergraph.result
@@ -555,3 +555,10 @@ GROUP BY id, x WITH ROLLUP WINDOW w AS (ORDER BY id) QUALIFY x <> 1;
 id	ROW_NUMBER() OVER w
 5	10
 DROP TABLE t;
+#
+# Bug#36313072: mysqld crash in Item_ref::real_item
+#
+CREATE TABLE t1 (f1 INTEGER);
+SELECT NTILE(1) OVER() FROM (SELECT * FROM t1) as dt QUALIFY f1 AND FALSE;
+NTILE(1) OVER()
+DROP TABLE t1;
diff --git a/mysql-test/t/qualify_hypergraph.test b/mysql-test/t/qualify_hypergraph.test
@@ -377,3 +377,13 @@ SELECT id, ROW_NUMBER() OVER w FROM (SELECT * FROM t) AS dt
 GROUP BY id, x WITH ROLLUP WINDOW w AS (ORDER BY id) QUALIFY x <> 1;
 
 DROP TABLE t;
+
+--echo #
+--echo # Bug#36313072: mysqld crash in Item_ref::real_item
+--echo #
+
+CREATE TABLE t1 (f1 INTEGER);
+
+SELECT NTILE(1) OVER() FROM (SELECT * FROM t1) as dt QUALIFY f1 AND FALSE;
+
+DROP TABLE t1;
diff --git a/sql/item.cc b/sql/item.cc
@@ -8325,12 +8325,17 @@ bool Item_ref::fix_fields(THD *thd, Item **reference) {
           // Add the view reference to the select expression list as hidden
           // item.
           m_ref_item = qb->add_hidden_item(*reference);
+          // Increment the reference count as the expression is now part
+          // of the select list. The call to link_referenced_item()
+          // later will account for the reference from this Item_ref object.
+          (*reference)->increment_ref_count();
           *reference = this;
         } else {
           Item_field *fld = new Item_field(
               thd, context, from_field->table->pos_in_table_list, from_field);
           if (fld == nullptr) return true;
           m_ref_item = qb->add_hidden_item(fld);
+          fld->increment_ref_count();
         }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -8325,12 +8325,17 @@ bool Item_ref::fix_fields(THD thd, Item *reference) {`
`8325`	`8325`	`// Add the view reference to the select expression list as hidden`
`8326`	`8326`	`// item.`
`8327`	`8327`	`m_ref_item = qb->add_hidden_item(*reference);`
	`8328`	`+ // Increment the reference count as the expression is now part`
	`8329`	`+ // of the select list. The call to link_referenced_item()`
	`8330`	`+ // later will account for the reference from this Item_ref object.`
	`8331`	`+ (*reference)->increment_ref_count();`
`8328`	`8332`	`*reference = this;`
`8329`	`8333`	`} else {`
`8330`	`8334`	`Item_field *fld = new Item_field(`
`8331`	`8335`	`thd, context, from_field->table->pos_in_table_list, from_field);`
`8332`	`8336`	`if (fld == nullptr) return true;`
`8333`	`8337`	`m_ref_item = qb->add_hidden_item(fld);`
	`8338`	`+ fld->increment_ref_count();`
`8334`	`8339`	`}`
`8335`	`8340`	`}`
`8336`	`8341`	`}`