revision-id: b2f86ebdd254d923daf6f29e64e61e19187044b9 (mariadb-10.2.15-35-gb2f86eb) parent(s): a31e99a89cc75804c9d118835b39d9780f504312 author: Igor Babaev committer: Igor Babaev timestamp: 2018-05-31 18:55:07 -0700 message: MDEV-16353 Server crash on query with CTE This bug caused crashes for queries with unreferenced non-recursive CTEs specified by unions.It happened because the function st_select_lex_unit::prepare() tried to use the value of the field 'derived' that could not be set for unferenced CTEs as there was no derived table associated with an unreferenced CTE. --- mysql-test/r/cte_nonrecursive.result | 16 ++++++++++++++++ mysql-test/t/cte_nonrecursive.test | 18 ++++++++++++++++++ sql/sql_union.cc | 2 +- 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/cte_nonrecursive.result b/mysql-test/r/cte_nonrecursive.result index 001df90..1d079c3 100644 --- a/mysql-test/r/cte_nonrecursive.result +++ b/mysql-test/r/cte_nonrecursive.result @@ -1462,3 +1462,19 @@ a b 4 5 4 3 DROP TABLE t1; +# +# MDEV-16353: unreferenced CTE specified by query with UNION +# +with cte as +(select 1 union select 2 union select 3) +select 1 as f; +f +1 +create table t1 (a int); +insert into t1 values (2), (1), (7), (1), (4); +with cte as +(select * from t1 where a < 2 union select * from t1 where a > 5) +select 2 as f; +f +2 +drop table t1; diff --git a/mysql-test/t/cte_nonrecursive.test b/mysql-test/t/cte_nonrecursive.test index 5e17704..98a7794 100644 --- a/mysql-test/t/cte_nonrecursive.test +++ b/mysql-test/t/cte_nonrecursive.test 
@@ -1012,3 +1012,21 @@ SELECT a FROM cte; WITH cte(a,b) AS (SELECT 4,5 UNION SELECT 4,3) SELECT a,b FROM cte; DROP TABLE t1; + +--echo # +--echo # MDEV-16353: unreferenced CTE specified by query with UNION +--echo # + +with cte as + (select 1 union select 2 union select 3) +select 1 as f; + +create table t1 (a int); +insert into t1 values (2), (1), (7), (1), (4); + +with cte as + (select * from t1 where a < 2 union select * from t1 where a > 5) +select 2 as f; + +drop table t1; + \ No newline at end of file
diff --git a/sql/sql_union.cc b/sql/sql_union.cc
index 13c19da..178d739 100644
--- a/sql/sql_union.cc
+++ b/sql/sql_union.cc
@@ -625,7 +625,7 @@ bool st_select_lex_unit::prepare(THD *thd_arg, select_result *sel_result,
 {
 if (with_element)
 {
- if (derived->with->rename_columns_of_derived_unit(thd, this))
+ if (with_element->rename_columns_of_derived_unit(thd, this))
 goto err;
 if (check_duplicate_names(thd, sl->item_list, 0))
 goto err;
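Review bot: The corrected call in `st_select_lex_unit::prepare()` needs a comment saying why it goes through `with_element` rather than `derived->with`; the commit message says `derived` is not set for an unreferenced CTE, but nothing on the new line records that. I would put `/* derived is not set for an unreferenced CTE: use with_element, checked above */` directly above the call so that a later refactoring does not reintroduce the null dereference. The body of prepare() starts and ends outside this hunk, so any other use of `derived` on the `with_element` path cannot be checked from here and is worth a look, since a plain query is enough to reach this code and a leftover dereference would again take the server down. The added tests cover unreferenced CTEs without a column list; a case such as `with cte(a) as (select 1 union select 2) select 1 as f;` would presumably exercise the renaming itself.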