MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query

Make sure that EXPLAIN object allocated on runtime arena.

MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
Make sure that EXPLAIN object allocated on runtime arena.
3303748f · Oleksandr Byelkin · 278fbe61 · 3303748f · 3303748f · 3303748f
Commit 3303748f authored Nov 02, 2022 by Oleksandr Byelkin
8 changed files
--- a/mysql-test/main/subselect.result
+++ b/mysql-test/main/subselect.result
@@ -7369,3 +7369,14 @@ a
 1
 drop table t1,t2,t3;
 # End of 10.2 tests
+#
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
--- a/mysql-test/main/subselect.test
+++ b/mysql-test/main/subselect.test
@@ -6308,3 +6308,17 @@ select a from t3
 drop table t1,t2,t3;

 --echo # End of 10.2 tests
+
+--echo #
+--echo # MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+--echo #
+
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+
+# Cleanup
+DROP TABLE t;
+
+--echo #
+--echo # End of 10.3 tests
+--echo #
--- a/mysql-test/main/subselect_no_exists_to_in.result
+++ b/mysql-test/main/subselect_no_exists_to_in.result
@@ -7369,6 +7369,17 @@ a
 1
 drop table t1,t2,t3;
 # End of 10.2 tests
+#
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
 set optimizer_switch=default;
 select @@optimizer_switch like '%exists_to_in=off%';
 @@optimizer_switch like '%exists_to_in=off%'

--- a/mysql-test/main/subselect_no_mat.result
+++ b/mysql-test/main/subselect_no_mat.result
@@ -7362,6 +7362,17 @@ a
 1
 drop table t1,t2,t3;
 # End of 10.2 tests
+#
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
 set optimizer_switch=default;
 select @@optimizer_switch like '%materialization=on%';
 @@optimizer_switch like '%materialization=on%'

--- a/mysql-test/main/subselect_no_opts.result
+++ b/mysql-test/main/subselect_no_opts.result
@@ -7360,4 +7360,15 @@ a
 1
 drop table t1,t2,t3;
 # End of 10.2 tests
+#
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
 set @optimizer_switch_for_subselect_test=null;
--- a/mysql-test/main/subselect_no_scache.result
+++ b/mysql-test/main/subselect_no_scache.result
@@ -7375,6 +7375,17 @@ a
 1
 drop table t1,t2,t3;
 # End of 10.2 tests
+#
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
 set optimizer_switch=default;
 select @@optimizer_switch like '%subquery_cache=on%';
 @@optimizer_switch like '%subquery_cache=on%'

--- a/mysql-test/main/subselect_no_semijoin.result
+++ b/mysql-test/main/subselect_no_semijoin.result
@@ -7361,6 +7361,17 @@ a
 drop table t1,t2,t3;
 # End of 10.2 tests
 #
+# MDEV-29926: ASAN heap-use-after-free in Explain_query::~Explain_query
+#
+CREATE TABLE t (a VARCHAR(1)) CHARACTER SET utf8mb3;
+EXECUTE IMMEDIATE "SELECT COUNT(*) FROM t WHERE a < (SELECT 'x')";
+COUNT(*)
+0
+DROP TABLE t;
+#
+# End of 10.3 tests
+#
+#
 # MDEV-19714: JOIN::pseudo_bits_cond is not visible in EXPLAIN FORMAT=JSON
 #
 CREATE TABLE t1 ( a INT );

--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -1078,6 +1078,15 @@ JOIN::prepare(TABLE_LIST *tables_init,
  // simple check that we got usable conds
  dbug_print_item(conds);

+  /*
+    It is hack which force creating EXPLAIN object always on runt-time arena
+    (because very top JOIN::prepare executes always with runtime arena, but
+    constant subquery like (SELECT 'x') can be called with statement arena
+    during prepare phase of top SELECT).
+  */
+  if (!(thd->lex->context_analysis_only & CONTEXT_ANALYSIS_ONLY_PREPARE))
+      create_explain_query_if_not_exists(thd->lex, thd->mem_root);
+
  if (select_lex->handle_derived(thd->lex, DT_PREPARE))
    DBUG_RETURN(-1);

@@ -1521,7 +1530,6 @@ bool JOIN::build_explain()
 int JOIN::optimize()
 {
  int res= 0;
-  create_explain_query_if_not_exists(thd->lex, thd->mem_root);
  join_optimization_state init_state= optimization_state;
  if (optimization_state == JOIN::OPTIMIZATION_PHASE_1_DONE)
    res= optimize_stage2();