MDEV-27212 Crash in Item_equal::sort on second execution of stored procedurebb-10.2-igor

This bug could cause a crash of the server at the second call of a stored procedure when it executed a query containing a mergeable derived table / view whose specification used another mergeable derived_table or view and a subquery with outer reference in the select list of the specification. Such queries could cause the same problem when they were executed for the second time in a prepared mode. The problem appeared due to a typo mistake in the legacy code of the function create_view_field() that prevented building Item_direct_view_ref wrapper for the mentioned outer reference at the second execution of the query and setting the depended_from field for the outer reference. Approved by Oleksandr Byelkin <sanja@mariadb.com>
author: Igor Babaev <igor@askmonty.org> 2022-04-22 07:53:16 -0700
committer: Igor Babaev <igor@askmonty.org> 2022-04-25 09:30:42 -0700
commit: c5e68b6dcddbb6325c7684bfb4fba28e1c13e1ae (patch)
tree: 9113a7895af8769e327c57ba101bbd0a05d4d07e
parent: 1bcdc3e9eb1a393fd07403c874ac7d7edc6d8a0a (diff)
download: mariadb-git-bb-10.2-igor.tar.gz
3 files changed, 113 insertions, 1 deletions
diff --git a/mysql-test/r/derived_view.result b/mysql-test/r/derived_view.result
index 0c045e39271..31a92207442 100644
--- a/mysql-test/r/derived_view.result
+++ b/mysql-test/r/derived_view.result
@@ -3586,4 +3586,64 @@ f2	f3
 DROP PROCEDURE p1;
 DROP VIEW v1,v2,v3;
 DROP TABLE t1;
+#
+# MDEV-27212: 2-nd execution of PS for select with embedded derived tables
+#             and correlated subquery in select list of outer derived
+#
+create table t1 ( id int, id2 int ) engine=myisam;
+create table t2 ( x3 int , x1 int , x2 int, a1 int) engine=myisam;
+insert into t1 values (3, 2), (4, 2), (3, 4);
+insert into t2 values (1, 2, 2, 1), (1, 3, 3, 2), (2, 3, 3, 1);
+prepare stmt from "select id from t1
+join
+( select dt2.x1,
+( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+from ( select x1 from t2 u where  x3 = 1 ) dt2
+) dt
+on t1.id = dt.x1
+where t1.id2 < dt.m";
+execute stmt;
+id
+3
+execute stmt;
+id
+3
+deallocate prepare stmt;
+create procedure sp1() select id from t1
+join
+( select dt2.x1,
+( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+from ( select x1 from t2 u where  x3 = 1 ) dt2
+) dt
+on t1.id = dt.x1
+where t1.id2 < dt.m;
+call sp1();
+id
+3
+call sp1();
+id
+3
+create view v2 as select x1 from t2 u where  x3 = 1;
+create view v as
+select v2.x1,
+( select sum(a1) from t2 where t2.x1 = v2.x1 ) m from v2;
+prepare stmt from "select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m";
+execute stmt;
+id
+3
+execute stmt;
+id
+3
+deallocate prepare stmt;
+create procedure sp2() select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m;
+call sp2();
+id
+3
+call sp2();
+id
+3
+drop procedure sp1;
+drop procedure sp2;
+drop view v, v2;
+drop table t1,t2;
 # End of 10.2 tests
diff --git a/mysql-test/t/derived_view.test b/mysql-test/t/derived_view.test
index 0f3d9b224ba..f36401271cc 100644
--- a/mysql-test/t/derived_view.test
+++ b/mysql-test/t/derived_view.test
@@ -2376,4 +2376,56 @@ DROP PROCEDURE p1;
 DROP VIEW v1,v2,v3;
 DROP TABLE t1;
 
+--echo #
+--echo # MDEV-27212: 2-nd execution of PS for select with embedded derived tables
+--echo #             and correlated subquery in select list of outer derived
+--echo #
+create table t1 ( id int, id2 int ) engine=myisam;
+create table t2 ( x3 int , x1 int , x2 int, a1 int) engine=myisam;
+insert into t1 values (3, 2), (4, 2), (3, 4);
+insert into t2 values (1, 2, 2, 1), (1, 3, 3, 2), (2, 3, 3, 1);
+
+let $q=
+select id from t1
+               join
+               ( select dt2.x1,
+                        ( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+                 from ( select x1 from t2 u where  x3 = 1 ) dt2
+               ) dt
+               on t1.id = dt.x1
+where t1.id2 < dt.m;
+
+eval prepare stmt from "$q";
+execute stmt;
+execute stmt;
+deallocate prepare stmt;
+
+eval create procedure sp1() $q;
+call sp1();
+call sp1();
+
+create view v2 as select x1 from t2 u where  x3 = 1;
+create view v as
+select v2.x1,
+       ( select sum(a1) from t2 where t2.x1 = v2.x1 ) m from v2;
+
+let $q=
+select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m;
+
+eval prepare stmt from "$q";
+execute stmt;
+execute stmt;
+deallocate prepare stmt;
+
+eval create procedure sp2() $q;
+call sp2();
+call sp2();
+
+drop procedure sp1;
+drop procedure sp2;
+
+drop view v, v2;
+
+drop table t1,t2;
+
 --echo # End of 10.2 tests
diff --git a/sql/table.cc b/sql/table.cc
index a5f1a5d96cf..605a2e0ddbf 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -5984,7 +5984,7 @@ Item *Field_iterator_view::create_item(THD *thd)
 Item *create_view_field(THD *thd, TABLE_LIST *view, Item **field_ref,
                         const char *name)
 {
-  bool save_wrapper= thd->lex->select_lex.no_wrap_view_item;
+  bool save_wrapper= thd->lex->current_select->no_wrap_view_item;
   Item *field= *field_ref;
   DBUG_ENTER("create_view_field");
author	Igor Babaev <igor@askmonty.org>	2022-04-22 07:53:16 -0700
committer	Igor Babaev <igor@askmonty.org>	2022-04-25 09:30:42 -0700
commit	c5e68b6dcddbb6325c7684bfb4fba28e1c13e1ae (patch)
tree	9113a7895af8769e327c57ba101bbd0a05d4d07e
parent	1bcdc3e9eb1a393fd07403c874ac7d7edc6d8a0a (diff)
download	mariadb-git-bb-10.2-igor.tar.gz