Bug#32863713: RECENT REGRESSION: CTE CRASH IN

Chaithra Gopalareddy · dahlerlend · commit 28ec5fd1b435 · 2021-06-21T09:33:38.000+02:00
QUERY_BLOCK::MASTER_QUERY_EXPRESSION

To clone a derived table expression, we re-parse it. To re-parse the
expression, a new query block is created and used temporarily.
However, as part of an earlier fix, the query block to be used for parsing
was set to the query block provided in the context (derived table query
block or in case of a view ref, the merged derived table query block).
But, the query expression to use was still the query expression created
temporarily for parsing. Because of the mismatch between the query block
and the query expression that it belongs to, parser tries to access
an invalid query expression resulting in server exit.

We now set the query expression along with the query block to parse
the derived table expression.

Change-Id: If65b5b2d359d1c35c7e3984f301cb089e54e65d1
diff --git a/mysql-test/r/derived_condition_pushdown.result b/mysql-test/r/derived_condition_pushdown.result
@@ -1157,3 +1157,22 @@ SELECT g, ROW_NUMBER() OVER (PARTITION BY g) AS r FROM t1
 ) w ON w.g=t1.g AND w.r=1 WHERE w.g IS NULL;
 g
 DROP TABLE t1;
+#
+# BUG#32863713: CTE CRASH IN QUERY_BLOCK::MASTER_QUERY_EXPRESSION
+#
+CREATE TABLE t(f1 INTEGER);
+EXPLAIN SELECT a1, a2
+FROM (SELECT MAX(2) AS a1 FROM t) as dt1,
+(SELECT @a AS a2 FROM t) as dt2
+WHERE dt1.a1 <= dt2.a2;
+id	select_type	table	partitions	type	possible_keys	key	key_len	ref	rows	filtered	Extra
+1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	no matching row in const table
+2	DERIVED	t	NULL	ALL	NULL	NULL	NULL	NULL	1	100.00	NULL
+Warnings:
+Note	1003	/* select#1 */ select NULL AS `a1`,(@`a`) AS `a2` from (/* select#2 */ select max(2) AS `a1` from `test`.`t` having (max(2) <= <cache>((@`a`)))) `dt1` join `test`.`t`
+SELECT a1, a2
+FROM (SELECT MAX(f1) AS a1 FROM t) as dt1,
+(SELECT @a AS a2 FROM t) as dt2
+WHERE dt1.a1 <= dt2.a2;
+a1	a2
+DROP TABLE t;
diff --git a/mysql-test/t/derived_condition_pushdown.test b/mysql-test/t/derived_condition_pushdown.test
@@ -680,3 +680,22 @@ SELECT g, ROW_NUMBER() OVER (PARTITION BY g) AS r FROM t1
 ) w ON w.g=t1.g AND w.r=1 WHERE w.g IS NULL;
 
 DROP TABLE t1;
+
+--echo #
+--echo # BUG#32863713: CTE CRASH IN QUERY_BLOCK::MASTER_QUERY_EXPRESSION
+--echo #
+
+CREATE TABLE t(f1 INTEGER);
+# Checking if condition pushdown to a derived table does not
+# crash the server when one of derived table is merged.
+EXPLAIN SELECT a1, a2
+ FROM (SELECT MAX(2) AS a1 FROM t) as dt1,
+ (SELECT @a AS a2 FROM t) as dt2
+ WHERE dt1.a1 <= dt2.a2;
+
+SELECT a1, a2
+ FROM (SELECT MAX(f1) AS a1 FROM t) as dt1,
+ (SELECT @a AS a2 FROM t) as dt2
+ WHERE dt1.a1 <= dt2.a2;
+
+DROP TABLE t;
diff --git a/sql/sql_derived.cc b/sql/sql_derived.cc
@@ -565,6 +565,7 @@ Item *TABLE_LIST::get_clone_for_derived_expr(THD *thd, Item *item,
   // Set the correct query block to parse the item. In some cases, like
   // fulltext functions, parser needs to add them to ftfunc_list of the
   // query block.
+  thd->lex->unit = context->query_block->master_query_expression();
   thd->lex->set_current_query_block(context->query_block);
   bool result = parse_sql(thd, &parser_state, nullptr);
 
