Re: [Maria-developers] 93493a0e9b5: MDEV-24176 Server crashes after insert in the table with virtual column generated using date_format() and if()

Hi, Aleksey, Here's a review of the combined `git diff 4daf9d7c3ee0 f67dcf6ba5f2`:

diff --git a/mysql-test/suite/vcol/r/vcol_syntax.result b/mysql-test/suite/vcol/r/vcol_syntax.result index 0063f38ea36..c5c8a33c0ec 100644 --- a/mysql-test/suite/vcol/r/vcol_syntax.result +++ b/mysql-test/suite/vcol/r/vcol_syntax.result @@ -94,6 +94,68 @@ create table t1 (a int, v_a int generated always as (a)); update t1 as x set a = 1; alter table t1 force; drop table t1; +create table t1 ( +id int not null auto_increment primary key, +order_date_time datetime not null, +order_date date generated always as (convert(order_date_time, date)), +language_id binary(16) null +); +update t1 as tx set order_date= null; +alter table t1 modify column language_id binary(16) not null; +drop table t1; # -# End of 10.2 tests +# MDEV-24176 Server crashes after insert in the table with virtual column generated using date_format() and if() # +create table t1 (d1 date not null, d2 date not null, +gd text as (concat(d1,if(d1 <> d2, date_format(d2, 'to %y-%m-%d '), ''))) ); +insert into t1(d1,d2) values +('2020-09-01','2020-09-01'),('2020-05-01','2020-09-01');

would be good to have a SELECT here, to verify the server not only not crashes, but actually inserts something

+drop table t1; +# MDEV-25772 (duplicate) and LOCK TABLES case +create table t1 (d1 datetime , v_d1 tinyint(1) as (d1 < curdate())); +insert into t1 (d1) values ('2021-09-11 08:38:23'), ('2021-09-01 08:38:23'); +lock tables t1 write; +select * from t1 where v_d1=1; +d1 v_d1 +2021-09-11 08:38:23 1 +2021-09-01 08:38:23 1 +select * from t1; +d1 v_d1 +2021-09-11 08:38:23 1 +2021-09-01 08:38:23 1 +unlock tables; +drop table t1; +# MDEV-26432 (duplicate) +create table t1 (v2 int, v1 int as ((user() like 'x'))) ; +select 1 from t1 where v1=1 ; +1 +select * from t1; +v2 v1 +drop table t1; +create table t1 (v2 int as ( user () like 'x')); +select 1 from t1 order by v2 ; +1 +alter table t1 add i int; +drop table t1; +# MDEV-26437 (duplicate) +create table v0 (v2 int not null, +v1 bigint as (case 'x' when current_user() then v2 end)); +select v2 as v3 from v0 where v1 like 'x' escape 'x'; +v3 +insert into v0 (v2) values (-128); +drop table v0; +create table t1 (vi int as (case 'x' when current_user() then 1 end)); +select 1 from t1 where vi=1; +1 +show create table t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `vi` int(11) GENERATED ALWAYS AS (case 'x' when current_user() then 1 end) VIRTUAL +) ENGINE=MyISAM DEFAULT CHARSET=latin1 +drop table t1; +create table t1 (vi int as (case 'x' when current_user() then 1 end)); +select 1 from t1 where vi=1; +1 +select 1 from t1 where vi=1; +1 +drop table t1; diff --git a/sql/field.cc b/sql/field.cc index 4e6bc6b8341..297edd9e75c 100644 --- a/sql/field.cc +++ b/sql/field.cc @@ -2453,6 +2453,7 @@ int Field::set_default() if (default_value) { Query_arena backup_arena; + /* TODO: this imposes memory leak until table flush */

could you add an example here? in what case, exactly, there can be a memory leak? you have more comments like that below, I'd suggest to add one example somewhere, and change other comments to say "see ... for an example"

table->in_use->set_n_backup_active_arena(table->expr_arena, &backup_arena); int rc= default_value->expr->save_in_field(this, 0); table->in_use->restore_active_arena(table->expr_arena, &backup_arena); diff --git a/sql/item.h b/sql/item.h index 2a904c1691a..e3028ae412c 100644 --- a/sql/item.h +++ b/sql/item.h @@ -2587,6 +2587,12 @@ class Item_ident :public Item_result_field const char *db_name; const char *table_name; const char *field_name; + /* + NOTE: came from TABLE::alias_name_used and this is only a hint! It works + only in need_correct_ident() condition. On other cases it is FALSE even if + table_name is alias! It cannot be TRUE in these cases, lots of spaghetti + logic depends on that. + */

this is a copy of the comment in table.h you've changed the comment in table.h, but missed this one.

bool alias_name_used; /* true if item was resolved against alias */ /* Cached value of index for this field in table->field array, used by prep. diff --git a/sql/sql_class.h b/sql/sql_class.h index 3f0fba8fc10..8b521f90108 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -1781,6 +1781,25 @@ class Drop_table_error_handler : public Internal_error_handler };

+struct Silence_warnings : public Internal_error_handler +{ +public: + virtual bool handle_condition(THD *, + uint, + const char* sqlstate, + Sql_condition::enum_warning_level *level, + const char* msg, + Sql_condition ** cond_hdl) + { + *cond_hdl= NULL; + if (*level == Sql_condition::WARN_LEVEL_WARN) + return TRUE; + + return FALSE; + } +};

Why do you disable warnings around fix_session_expr() ?

+ + /** Internal error handler to process an error from MDL_context::upgrade_lock() and mysql_lock_tables(). Used by implementations of HANDLER READ and diff --git a/sql/item.cc b/sql/item.cc index 3ff0219c3b3..438bf36060e 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -5507,7 +5506,7 @@ bool Item_field::fix_fields(THD *thd, Item **reference) if (context) { select= context->select_lex; - lex_s= context->select_lex->parent_lex; + lex_s= select ? select->parent_lex : NULL;

There's no this if() in 10.2 anymore, it was removed in d6ee351bbb66. How should this hunk be modified for d6ee351bbb66 ?

} else { @@ -5709,8 +5708,6 @@ bool Item_field::fix_fields(THD *thd, Item **reference) } #endif fixed= 1; - if (field->vcol_info) - fix_session_vcol_expr_for_read(thd, field, field->vcol_info);

Did you revert the optimization from 7450cb7f69db? It was "re-fix vcols on demand, not always for every SELECT" and as far as I can see now you again always re-fix everything, is that so?

if (thd->variables.sql_mode & MODE_ONLY_FULL_GROUP_BY && !outer_fixed && select && diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 5173df260d5..09af805d60c 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -746,6 +746,8 @@ void close_thread_tables(THD *thd) /* Table might be in use by some outer statement. */ DBUG_PRINT("tcache", ("table: '%s' query_id: %lu", table->s->table_name.str, (ulong) table->query_id)); + if (thd->locked_tables_mode) + table->vcol_cleanup_expr(thd);

Why do you check for thd->locked_tables_mode ? It seems that you'll do vcol_cleanup_expr() unconditionally on any code path. Either here or later in close_thread_table(). So why not just do it always here?

if (thd->locked_tables_mode <= LTM_LOCK_TABLES || table->query_id == thd->query_id) { diff --git a/sql/temporary_tables.cc b/sql/temporary_tables.cc index 005a520ff64..f06dec3a7ff 100644 --- a/sql/temporary_tables.cc +++ b/sql/temporary_tables.cc @@ -1128,6 +1128,13 @@ TABLE *THD::open_temporary_table(TMP_TABLE_SHARE *share, table->pos_in_table_list= 0; table->query_id= query_id;

+ if (table->vcol_fix_expr(this)) + { + my_free(table);

Hmm, you sure? I'd expect that after successful open_table_from_share() you'd need much more than just my_free() to close the table.

+ DBUG_RETURN(NULL); + } + + /* Add table to the head of table list. */ share->all_tmp_tables.push_front(table);

diff --git a/sql/table.h b/sql/table.h index 38b63d285c6..ab1d96538c0 100644 --- a/sql/table.h +++ b/sql/table.h @@ -1374,8 +1374,13 @@ struct TABLE */ bool auto_increment_field_not_null; bool insert_or_update; /* Can be used by the handler */ + /* + NOTE: alias_name_used is only a hint! It works only in need_correct_ident() + condition. On other cases it is FALSE even if table_name is alias!

As I asked earlier, do you have any test case that proves this claim?

+ */ bool alias_name_used; /* true if table_name is alias */ bool get_fields_in_item_tree; /* Signal to fix_field */ + List<Virtual_column_info> vcol_cleanup_list;

If you have a list of all items that need cleanup, may be can also use it to refix items? Meaning, you move it to TABLE_SHARE, remove need_refix, instead write - if (table->s->need_refix) + if (!table->s->vcol_refix_list.is_empty()) and, of course, don't pop elements on cleanup, but iterate the list in a non-destructive way.

private: bool m_needs_reopen; bool created; /* For tmp tables. TRUE <=> tmp table was actually created.*/ diff --git a/sql/table.cc b/sql/table.cc index d4f8170e0af..4bed87d7740 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -1005,6 +1004,22 @@ static void mysql57_calculate_null_position(TABLE_SHARE *share, bool parse_vcol_defs(THD *thd, MEM_ROOT *mem_root, TABLE *table, bool *error_reported, vcol_init_mode mode) { + struct check_vcol_forward_refs + { + static bool check(Field *field, Virtual_column_info *vcol) + { + return vcol && + vcol->expr->walk(&Item::check_field_expression_processor, 0, field); + } + static bool check(Field *field) + { + if (check(field, field->vcol_info) || + check(field, field->check_constraint) || + check(field, field->default_value)) + return true; + return false; + } + };

Hm, somehow I haven't seen this pattern before. nice.

CHARSET_INFO *save_character_set_client= thd->variables.character_set_client; CHARSET_INFO *save_collation= thd->variables.collation_connection; Query_arena *backup_stmt_arena_ptr= thd->stmt_arena; @@ -2831,36 +2841,162 @@ static bool fix_vcol_expr(THD *thd, Virtual_column_info *vcol) @note this is done for all vcols for INSERT/UPDATE/DELETE, and only as needed for SELECTs. */ -bool fix_session_vcol_expr(THD *thd, Virtual_column_info *vcol) +bool Virtual_column_info::fix_session_expr(THD *thd, TABLE *table) { - DBUG_ENTER("fix_session_vcol_expr"); - if (!(vcol->flags & (VCOL_TIME_FUNC|VCOL_SESSION_FUNC))) - DBUG_RETURN(0); + if (!need_refix()) + return false;

- vcol->expr->walk(&Item::cleanup_excluding_fields_processor, 0, 0); - DBUG_ASSERT(!vcol->expr->fixed); - DBUG_RETURN(fix_vcol_expr(thd, vcol)); + DBUG_ASSERT(!expr->fixed); + if (expr->walk(&Item::change_context_processor, 0, thd->lex->current_context())) + return true;

Why do you need to change the context here?

+ table->vcol_cleanup_list.push_back(this, thd->mem_root); + if (fix_expr(thd)) + return true; + if (expr->walk(&Item::change_context_processor, 0, NULL)) + return true; + return false; +} + + +bool Virtual_column_info::cleanup_session_expr() +{ + DBUG_ASSERT(need_refix()); + if (expr->walk(&Item::cleanup_excluding_fields_processor, 0, 0)) + return true; + return false; }

-/** invoke fix_session_vcol_expr for a vcol

- @note this is called for generated column or a DEFAULT expression from - their corresponding fix_fields on SELECT. -*/ -bool fix_session_vcol_expr_for_read(THD *thd, Field *field, - Virtual_column_info *vcol) +class Vcol_expr_context { - DBUG_ENTER("fix_session_vcol_expr_for_read"); - TABLE_LIST *tl= field->table->pos_in_table_list; - if (!tl || tl->lock_type >= TL_WRITE_ALLOW_WRITE) - DBUG_RETURN(0); - Security_context *save_security_ctx= thd->security_ctx; - if (tl->security_ctx) + bool inited; + THD *thd; + TABLE *table; + LEX *old_lex; + LEX lex; + table_map old_map; + bool old_want_privilege; + Security_context *save_security_ctx; + sql_mode_t save_sql_mode; + Silence_warnings disable_warnings; + +public: + Vcol_expr_context(THD *_thd, TABLE *_table) : + inited(false), + thd(_thd), + table(_table), + old_lex(thd->lex), + old_map(table->map), + old_want_privilege(table->grant.want_privilege), + save_security_ctx(thd->security_ctx), + save_sql_mode(thd->variables.sql_mode) {} + bool init(); + + ~Vcol_expr_context(); +}; + + +bool Vcol_expr_context::init() +{ + /* + As this is vcol expression we must narrow down name resolution to + single table. + */ + if (init_lex_with_single_table(thd, table, &lex))

Do you have a test that fails otherwise?

+ { + my_error(ER_OUT_OF_RESOURCES, MYF(0)); + table->map= old_map; + return true; + } + + thd->push_internal_handler(&disable_warnings); + table->grant.want_privilege= false;

1. why? 2. it's not bool, it's a set of privileges, don't use false here.

+ lex.sql_command= old_lex->sql_command; + thd->variables.sql_mode= 0; + + /* + NOTE: we refix also tmp tables used in ALTER TABLE,

Why? I don't see how a tmp table from ALTER can possibly be used in two different statements. There should be no need to re-fix it. Just fixing once, on open, should be enough.

+ they have (pos_in_table_list == NULL). + */ + TABLE_LIST const *tl= table->pos_in_table_list; + DBUG_ASSERT(tl || table->s->tmp_table); + + if (tl && tl->security_ctx) thd->security_ctx= tl->security_ctx; - bool res= fix_session_vcol_expr(thd, vcol); + + inited= true; + return false; +} + +Vcol_expr_context::~Vcol_expr_context() +{ + if (!inited) + return; + table->grant.want_privilege= old_want_privilege; + thd->pop_internal_handler(); + end_lex_with_single_table(thd, table, old_lex); + table->map= old_map; thd->security_ctx= save_security_ctx; - DBUG_RETURN(res); + thd->variables.sql_mode= save_sql_mode; +} + + +bool TABLE::vcol_fix_expr(THD *thd) +{ + DBUG_ASSERT(pos_in_table_list || s->tmp_table); + if ((pos_in_table_list && pos_in_table_list->placeholder()) || + !s->vcol_need_refix) + return false; + + if (!thd->stmt_arena->is_conventional() && + !vcol_cleanup_list.is_empty()) + { + /* NOTE: Under trigger we already have fixed expressions */ + return false; + } + DBUG_ASSERT(vcol_cleanup_list.is_empty()); + + Vcol_expr_context expr_ctx(thd, this); + if (expr_ctx.init()) + return true; + + for (Field **vf= vfield; vf && *vf; vf++) + if ((*vf)->vcol_info->fix_session_expr(thd, this)) + goto error; + + for (Field **df= default_field; df && *df; df++) + if ((*df)->default_value && + (*df)->default_value->fix_session_expr(thd, this)) + goto error; + + for (Virtual_column_info **cc= check_constraints; cc && *cc; cc++) + if ((*cc)->fix_session_expr(thd, this)) + goto error; + + return false; + +error: + DBUG_ASSERT(thd->get_stmt_da()->is_error()); + return true; +} + + +bool TABLE::vcol_cleanup_expr(THD *thd) +{ + if (vcol_cleanup_list.is_empty()) + return false; + + List_iterator<Virtual_column_info> it(vcol_cleanup_list); + bool result= false; + + while (Virtual_column_info *vcol= it++) + result|= vcol->cleanup_session_expr(); + + vcol_cleanup_list.empty(); + + DBUG_ASSERT(!result || thd->get_stmt_da()->is_error()); + return result; }

@@ -2939,14 +3072,17 @@ static bool fix_and_check_vcol_expr(THD *thd, TABLE *table, */ myf warn= table->s->frm_version < FRM_VER_EXPRESSSIONS ? ME_JUST_WARNING : 0; my_error(ER_VIRTUAL_COLUMN_FUNCTION_IS_NOT_ALLOWED, MYF(warn), - "AUTO_INCREMENT", vcol->get_vcol_type_name(), res.name); + "AUTO_INCREMENT", get_vcol_type_name(), res.name); if (!warn) DBUG_RETURN(1); } - vcol->flags= res.errors; + flags= res.errors;

- if (vcol->flags & VCOL_SESSION_FUNC) - table->s->vcols_need_refixing= true; + if (need_refix())

Old code only refixed VCOL_SESSION_FUNC, because those Items can change the medata on fix_fields. See the comment for 73a220aac384 Refixing VCOL_TIME_FUNC seems to be redundant

+ { + table->s->vcol_need_refix= true; + cleanup_session_expr();

why?

+ }

DBUG_RETURN(0); } @@ -3011,11 +3147,13 @@ unpack_vcol_info_from_frm(THD *thd, MEM_ROOT *mem_root, TABLE *table, if (error) goto end;

+ lex.sql_command= old_lex->sql_command;

why?

+ vcol_storage.vcol_info->set_vcol_type(vcol->get_vcol_type()); vcol_storage.vcol_info->stored_in_db= vcol->stored_in_db; vcol_storage.vcol_info->name= vcol->name; vcol_storage.vcol_info->utf8= vcol->utf8; - if (!fix_and_check_vcol_expr(thd, table, vcol_storage.vcol_info)) + if (!vcol_storage.vcol_info->fix_and_check_expr(thd, table)) { *vcol_ptr= vcol_info= vcol_storage.vcol_info; // Expression ok DBUG_ASSERT(vcol_info->expr);

Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org