revision-id: 273cc529a8063206e2c432a7b5633001fe08a10f (mariadb-10.3.26-93-g273cc52) parent(s): 25ecf8ed4b4cbca69a9fa09c27bbd4e5c83fafe3 author: Igor Babaev committer: Igor Babaev timestamp: 2021-03-01 09:40:33 -0800 message: MDEV-24919 Crash with subselect formed by table value constructor and used in set function If a subselect is formed by a table value constructor (TVC) then the following transformation is applied at the prepare stage: VALUES (v1), ... (vn) => SELECT * FROM (VALUES (v1), ... (vn)) tvc_x. The transformation is performed by the function wrap_tvc() that resets THD::LEX::current select to the top level select of the result of the transformation. After the call of wrap_tvc() in the function Item_subselect::wrap_tvc_into_select() the field THD::LEX::current must be reset to the same select as before the call. It was not done. As a result if the subselect formed by a TVC was an argument of a set function then an assertion was hit in the function Item_sum::check_sum_func(). Approved by Oleksandr Byelkin <sanja@mariadb.com> --- mysql-test/main/table_value_constr.result | 6 ++++++ mysql-test/main/table_value_constr.test | 6 ++++++ sql/sql_tvc.cc | 15 +++++---------- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/mysql-test/main/table_value_constr.result b/mysql-test/main/table_value_constr.result index 603f21a..d2965ab 100644 --- a/mysql-test/main/table_value_constr.result +++ b/mysql-test/main/table_value_constr.result @@ -2881,4 +2881,10 @@ NULL deallocate prepare stmt; drop view v1; drop table t1,t2,t3; +# +# MDEV-24919: subselect formed by TVC and used in set function +# +select sum((values(1))); +sum((values(1))) +1 End of 10.3 tests diff --git a/mysql-test/main/table_value_constr.test b/mysql-test/main/table_value_constr.test index 2246a19..88d0ac2 100644 --- a/mysql-test/main/table_value_constr.test +++ b/mysql-test/main/table_value_constr.test @@ -1516,4 +1516,10 @@ deallocate prepare stmt; drop view v1; drop table t1,t2,t3; +--echo # +--echo # MDEV-24919: subselect formed by TVC and used in set function +--echo # + +select sum((values(1))); + --echo End of 10.3 tests diff --git a/sql/sql_tvc.cc b/sql/sql_tvc.cc index 0a771b5..cb056b0 100644 --- a/sql/sql_tvc.cc +++ b/sql/sql_tvc.cc @@ -648,7 +648,7 @@ st_select_lex *wrap_tvc(THD *thd, st_select_lex *tvc_sl, st_select_lex *parent_select) { LEX *lex= thd->lex; - select_result *save_result= thd->lex->result; + select_result *save_result= lex->result; uint8 save_derived_tables= lex->derived_tables; thd->lex->result= NULL; @@ -729,13 +729,13 @@ st_select_lex *wrap_tvc(THD *thd, st_select_lex *tvc_sl, if (arena) thd->restore_active_arena(arena, &backup); - thd->lex->result= save_result; + lex->result= save_result; return wrapper_sl; err: if (arena) thd->restore_active_arena(arena, &backup); - thd->lex->result= save_result; + lex->result= save_result; lex->derived_tables= save_derived_tables; return 0; } @@ -819,14 +819,9 @@ Item_subselect::wrap_tvc_into_select(THD *thd, st_select_lex *tvc_sl) { if (engine->engine_type() == subselect_engine::SINGLE_SELECT_ENGINE) ((subselect_single_select_engine *) engine)->change_select(wrapper_sl); - lex->current_select= wrapper_sl; - return wrapper_sl; - } - else - { - lex->current_select= parent_select; - return 0; } + lex->current_select= parent_select; + return wrapper_sl; }