Bug#21606400: Segfault in Item_ident::fix_after_pullout with semijoin

roylyseng · roylyseng · commit d049cc15642d · 2015-10-01T15:51:16.000+02:00
The problem here occurs when a subquery's query block is removed
during transformation of an IN subquery or a scalar subquery, and
semi-join is not applicable, and Item::remove_dependence_processor()
is used to modify items below the subquery to be removed.

One such item is an Item_direct_ref which is added in the
transformation of an IN subquery, see e.g
Item_in_subselect::single_value_transformer(). The Item_direct_ref
may be created with a dependent_from field pointing to the subquery
to be removed. In this case, dependent_from most be moved to the outer query block, but remove_dependence_processor() fails to handle this situation.

Luckily, Item_ident::fix_after_pullout() does exactly this, when first
making sure that the name resolution contexts of the eliminated query
block are merged with its parent.

The code snippet that merges name resolution contexts is made into a
new member function of SELECT_LEX, named merge_contexts().

Item::remove_dependence_processor() was also deleted.
diff --git a/sql/item.cc b/sql/item.cc
@@ -942,15 +942,6 @@ void Item_ident::cleanup()
   DBUG_VOID_RETURN;
 }
 
-bool Item_ident::remove_dependence_processor(uchar * arg)
-{
-  DBUG_ENTER("Item_ident::remove_dependence_processor");
-  if (depended_from == (st_select_lex *) arg)
-    depended_from= 0;
-  context= &((st_select_lex *) arg)->context;
-  DBUG_RETURN(0);
-}
-
 
 /**
   Store the pointer to this item field into a list if not already there.
diff --git a/sql/item.h b/sql/item.h
@@ -1815,7 +1815,6 @@ class Item : public Parse_tree_node
   */
   virtual bool intro_version(uchar *int_arg) { return false; }
 
-  virtual bool remove_dependence_processor(uchar * arg) { return false; }
   virtual bool remove_fixed(uchar * arg) { fixed= 0; return false; }
   virtual bool cleanup_processor(uchar *arg);
   virtual bool collect_item_field_processor(uchar * arg) { return 0; }
@@ -2628,7 +2627,6 @@ class Item_ident :public Item
   virtual void fix_after_pullout(st_select_lex *parent_select,
                                  st_select_lex *removed_select);
   void cleanup();
-  bool remove_dependence_processor(uchar * arg);
   virtual bool aggregate_check_distinct(uchar *arg);
   virtual bool aggregate_check_group(uchar *arg);
   Bool3 local_column(const st_select_lex *sl) const;
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc
@@ -1073,6 +1073,7 @@ Item_singlerow_subselect::select_transformer(SELECT_LEX *select)
 
   THD * const thd= unit->thd;
   Query_arena *arena= thd->stmt_arena;
+  SELECT_LEX *outer= select->outer_select();
  
   if (!unit->is_union() &&
       !select->table_list.elements &&
@@ -1111,12 +1112,11 @@ Item_singlerow_subselect::select_transformer(SELECT_LEX *select)
       Item_subselect *subs= (Item_subselect*)substitution;
       subs->unit->set_explain_marker_from(unit);
     }
-    /*
-      as far as we moved content to upper level, field which depend of
-      'upper' select is not really dependent => we remove this dependence
-    */
-    substitution->walk(&Item::remove_dependence_processor, WALK_POSTFIX,
-		       (uchar *) select->outer_select());
+    // Merge subquery's name resolution contexts into parent's
+    outer->merge_contexts(select);
+
+    // Fix query block contexts after merging the subquery
+    substitution->fix_after_pullout(outer, select);
     DBUG_RETURN(RES_REDUCE);
   }
   DBUG_RETURN(RES_OK);
@@ -1953,6 +1953,8 @@ Item_in_subselect::single_value_in_to_exists_transformer(SELECT_LEX *select,
   THD * const thd= unit->thd;
   DBUG_ENTER("Item_in_subselect::single_value_in_to_exists_transformer");
 
+  SELECT_LEX *outer= select->outer_select();
+
   OPT_TRACE_TRANSFORM(&thd->opt_trace, oto0, oto1, select->select_number,
                       "IN (SELECT)", "EXISTS (CORRELATED SELECT)");
   oto1.add("chosen", true);
@@ -2148,8 +2150,9 @@ Item_in_subselect::single_value_in_to_exists_transformer(SELECT_LEX *select,
           The expression is moved to the immediately outer query block, so it
           may no longer contain outer references.
         */
-        orig_item->walk(&Item::remove_dependence_processor, WALK_POSTFIX,
-                        (uchar *) select->outer_select());
+        outer->merge_contexts(select);
+        orig_item->fix_after_pullout(outer, select);
+
         /*
           fix_field of substitution item will be done in time of
           substituting.
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
@@ -1399,6 +1399,9 @@ class st_select_lex: public Sql_alloc
   void reset_nj_counters(List<TABLE_LIST> *join_list= NULL);
   bool check_only_full_group_by(THD *thd);
 
+  /// Merge name resolution context objects of a subquery into its parent
+  void merge_contexts(SELECT_LEX *inner);
+
   /**
     Returns which subquery execution strategies can be used for this query block.
 
diff --git a/sql/sql_resolver.cc b/sql/sql_resolver.cc
@@ -2147,23 +2147,8 @@ SELECT_LEX::convert_subquery_to_semijoin(Item_exists_subselect *subq_pred)
   // Unlink the subquery's query expression:
   subq_select->master_unit()->exclude_level();
 
-  /*
-    Add Name res objects belonging to subquery to parent query block.
-    Update all name res objects to have this base query block.
-  */
-  for (Name_resolution_context *ctx= subq_select->first_context;
-       ctx != NULL;
-       ctx= ctx->next_context)
-  {
-    ctx->select_lex= this;
-    if (ctx->next_context == NULL)
-    {
-      ctx->next_context= first_context;
-      first_context= subq_select->first_context;
-      subq_select->first_context= NULL;
-      break;
-    }
-  }
+  // Merge subquery's name resolution contexts into parent's
+  merge_contexts(subq_select);
 
   repoint_contexts_of_join_nests(subq_select->top_join_list);
 
@@ -2377,23 +2362,8 @@ bool SELECT_LEX::merge_derived(THD *thd, TABLE_LIST *derived_table)
   // Don't try to access it:
   derived_table->set_derived_unit((SELECT_LEX_UNIT *)1);
 
-  /*
-    Add Name res objects belonging to subquery to parent query block.
-    Update all name res objects to have this base query block.
-  */
-  for (Name_resolution_context *ctx= derived_select->first_context;
-       ctx != NULL;
-       ctx= ctx->next_context)
-  {
-    ctx->select_lex= this;
-    if (ctx->next_context == NULL)
-    {
-      ctx->next_context= first_context;
-      first_context= derived_select->first_context;
-      derived_select->first_context= NULL;
-      break;
-    }
-  }
+  // Merge subquery's name resolution contexts into parent's
+  merge_contexts(derived_select);
 
   repoint_contexts_of_join_nests(derived_select->top_join_list);
 
@@ -2782,6 +2752,32 @@ void SELECT_LEX::repoint_contexts_of_join_nests(List<TABLE_LIST> join_list)
 }
 
 
+/**
+  Merge name resolution context objects belonging to an inner subquery
+  to parent query block.
+  Update all context objects to have this base query block.
+  Used when a subquery's query block is merged into its parent.
+
+  @param inner  Subquery for which context objects are to be merged.
+*/
+void SELECT_LEX::merge_contexts(SELECT_LEX *inner)
+{
+  for (Name_resolution_context *ctx= inner->first_context;
+       ctx != NULL;
+       ctx= ctx->next_context)
+  {
+    ctx->select_lex= this;
+    if (ctx->next_context == NULL)
+    {
+      ctx->next_context= first_context;
+      first_context= inner->first_context;
+      inner->first_context= NULL;
+      break;
+    }
+  }
+}
+
+
 /**
   Fix fields referenced from inner query blocks.
 
