MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_querymariadb-10.3.37

Make sure that EXPLAIN object allocated on runtime arena.
author: Oleksandr Byelkin <sanja@mariadb.com> 2022-11-02 12:49:24 +0100
committer: Oleksandr Byelkin <sanja@mariadb.com> 2022-11-02 12:49:24 +0100
commit: 3303748fd13399ba39ce4d646153d086c5a09445 (patch)
tree: 276e1310dc75571400089496e41aee62ceae169e /sql/sql_select.cc
parent: 278fbe61d847337712c0f802cc8e0db85bf58bd7 (diff)
download: mariadb-git-mariadb-10.3.37.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 70c0a80ba2a..0b330528452 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -1078,6 +1078,15 @@ JOIN::prepare(TABLE_LIST *tables_init,
   // simple check that we got usable conds
   dbug_print_item(conds);
 
+  /*
+    It is hack which force creating EXPLAIN object always on runt-time arena
+    (because very top JOIN::prepare executes always with runtime arena, but
+    constant subquery like (SELECT 'x') can be called with statement arena
+    during prepare phase of top SELECT).
+  */
+  if (!(thd->lex->context_analysis_only & CONTEXT_ANALYSIS_ONLY_PREPARE))
+      create_explain_query_if_not_exists(thd->lex, thd->mem_root);
+
   if (select_lex->handle_derived(thd->lex, DT_PREPARE))
     DBUG_RETURN(-1);
 
@@ -1521,7 +1530,6 @@ bool JOIN::build_explain()
 int JOIN::optimize()
 {
   int res= 0;
-  create_explain_query_if_not_exists(thd->lex, thd->mem_root);
   join_optimization_state init_state= optimization_state;
   if (optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE)
     res= optimize_stage2();
author	Oleksandr Byelkin <sanja@mariadb.com>	2022-11-02 12:49:24 +0100
committer	Oleksandr Byelkin <sanja@mariadb.com>	2022-11-02 12:49:24 +0100
commit	3303748fd13399ba39ce4d646153d086c5a09445 (patch)
tree	276e1310dc75571400089496e41aee62ceae169e /sql/sql_select.cc
parent	278fbe61d847337712c0f802cc8e0db85bf58bd7 (diff)
download	mariadb-git-mariadb-10.3.37.tar.gz