• Rucha Deodhar's avatar
    Crash in INSERT...SELECT..RETURNING with subquery · 7865c8c9
    Rucha Deodhar authored
    Underlying causes of all bugs mentioned below are same. This patch fixes
    all of them:
    1) MDEV-25028: ASAN use-after-poison in
    base_list_iterator::next or Assertion `sl->join == 0' upon
    INSERT .. RETURNING via PS
    2) MDEV-25187: Assertion `inited == NONE || table->open_by_handler'
    failed or Direct leak in init_dynamic_array2 upon INSERT .. RETURNING
    and memory leak in init_dynamic_array2
    3) MDEV-28740: crash in INSERT RETURNING subquery in prepared statements
    4) MDEV-27165: crash in base_list_iterator::next
    5) MDEV-29686: Assertion `slave == 0' failed in
    st_select_lex_node::attach_single
    
    Analysis:
    consider this statement:
    INSERT(1)...SELECT(2)...(SELECT(3)...) RETURNING (SELECT(4)...)
    
    When RETURNING is encountered, add_slave() changes how selects are linked.
    It makes the builtin_select(1) slave of SELECT(2). This causes
    losing of already existing slave(3) (which is nested select of SELECT of
    INSERT...SELECT). When really, builtin_select (1) shouldn't be slave to
    SELECT(2) because it is not nested within it. Also, push_select() to use
    correct context also changed how select are linked.
    During reinit_stmt_before_use(), we expect the selects to
    be cleaned-up and have join=0. Since these selects are not linked correctly,
    clean-up doesn't happen correctly so join is not NULL. Hence the crash.
    
    Fix:
    IF we are parsing RETURNING, make is_parsing_returning= true for
    current select. get rid of add_slave(). In place of push_select(), used
    push_context() to have correct context (the context of builtin_select)
    to resolve items in item_list. And add these items to item_list of
    builtin_select.
    7865c8c9
sql_yacc.yy 583 KB