revision-id: d6fd177a5f0d0984da4aec46de04bbc84bce00a2 (mariadb-10.3.26-101-gd6fd177) parent(s): 11c4e9be19916d3dc4f77647aa99781ddacc88d7 author: Igor Babaev committer: Igor Babaev timestamp: 2021-03-03 09:16:15 -0800 message: MDEV-22786 Crashes with nested table value constructors The bug caused crashes of the server when processing queries with nested table value constructors (TVC) . It happened because the grammar rules to parse TVC used the same global lists for both nested TVC and nesting TVC. As a result invalid select trees were constructed for queries with nested TVC and this led to crashes at the prepare stage. This patch provides its own lists structures for each TVC nest level. Besides the patch fixes a bug in the function wrap_tvc() that missed inheritance of the SELECT_LEX::exclude_from_table_unique_test for selects that wrapped TVCs. This inheritance is critical for specifications of derived tables that employ nested TVCs. --- mysql-test/main/table_value_constr.result | 8 ++++++++ mysql-test/main/table_value_constr.test | 3 +++ sql/sql_lex.cc | 2 -- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/mysql-test/main/table_value_constr.result b/mysql-test/main/table_value_constr.result index 0d18df1..ff6d19a 100644 --- a/mysql-test/main/table_value_constr.result +++ b/mysql-test/main/table_value_constr.result @@ -3053,5 +3053,13 @@ select * from (values ((values ((select a from t1 where a=7))))) dt; select * from (values ((values ((select (values(2)) from t1 where a=8))))) dt; (values ((select (values(2)) from t1 where a=8))) NULL +insert into t1(a) values ((values (2))), ((values (3))); +select * from t1; +a +3 +7 +1 +2 +3 drop table t1; End of 10.3 tests diff --git a/mysql-test/main/table_value_constr.test b/mysql-test/main/table_value_constr.test index ec147e6..3e976f8 100644 --- a/mysql-test/main/table_value_constr.test +++ b/mysql-test/main/table_value_constr.test @@ -1623,6 +1623,9 @@ select * from (values ((values ((select a from t1 where a=7))))) dt; select * from (values ((values ((select (values(2)) from t1 where a=8))))) dt; +insert into t1(a) values ((values (2))), ((values (3))); +select * from t1; + drop table t1; --echo End of 10.3 tests diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index 495b27c..c2bc838 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -8324,7 +8324,6 @@ void LEX::tvc_start() mysql_init_select(this); else save_values_list_state(); - field_list.empty(); many_values.empty(); insert_list= 0; } @@ -8336,7 +8335,6 @@ bool LEX::tvc_start_derived() unlikely(mysql_new_select(this, 1, NULL))) return true; save_values_list_state(); - field_list.empty(); many_values.empty(); insert_list= 0; return false;