MDEV-22464 Server crash on UPDATE with nested subquery

Uninitialized ref_pointer_array[] because setup_fields() got empty fields list. mysql_multi_update() for some reason does that by substituting the fields list with empty total_list for the mysql_select() call (looks like wrong merge since total_list is not used anywhere else and is always empty). The fix would be to return back the original fields list. But this fails update_use_source.test case: --error ER_BAD_FIELD_ERROR update v1 set t1c1=2 order by 1; Actually not failing the above seems to be ok. The other fix would be to keep resolve_in_select_list false (and that keeps outer context from being resolved in Item_ref::fix_fields()). This fix is more consistent with how SELECT behaves: --error ER_SUBQUERY_NO_1_ROW select a from t1 where a= (select 2 from t1 having (a = 3)); So this patch implements this fix.

MDEV-22464 Server crash on UPDATE with nested subquery
Uninitialized ref_pointer_array[] because setup_fields() got empty fields list. mysql_multi_update() for some reason does that by substituting the fields list with empty total_list for the mysql_select() call (looks like wrong merge since total_list is not used anywhere else and is always empty). The fix would be to return back the original fields list. But this fails update_use_source.test case: --error ER_BAD_FIELD_ERROR update v1 set t1c1=2 order by 1; Actually not failing the above seems to be ok. The other fix would be to keep resolve_in_select_list false (and that keeps outer context from being resolved in Item_ref::fix_fields()). This fix is more consistent with how SELECT behaves: --error ER_SUBQUERY_NO_1_ROW select a from t1 where a= (select 2 from t1 having (a = 3)); So this patch implements this fix.
ff77a09b · Aleksey Midenkov · 1e70b287 · ff77a09b · ff77a09b · ff77a09b
Commit ff77a09b authored Oct 11, 2021 by Aleksey Midenkov
Showing with 23 additions and 1 deletion

mysql-test/main/multi_update.result mysql-test/main/multi_update.result +10 -0

mysql-test/main/multi_update.test mysql-test/main/multi_update.test +11 -0

sql/sql_select.cc sql/sql_select.cc +2 -1

No files found.
--- a/mysql-test/main/multi_update.result
+++ b/mysql-test/main/multi_update.result
@@ -1151,3 +1151,13 @@ b
 1
 3
 drop tables t1, t2;
+#
+# MDEV-22464 Server crash on UPDATE with nested subquery
+#
+create table t1 (a int) ;
+insert into t1 (a) values (1),(2),(3) ;
+select a from t1 where a= (select 2 from t1 having (a = 3));
+ERROR 21000: Subquery returns more than 1 row
+update t1 set a= (select 2 from t1 having (a = 3));
+ERROR 21000: Subquery returns more than 1 row
+drop tables t1;
--- a/mysql-test/main/multi_update.test
+++ b/mysql-test/main/multi_update.test
@@ -1087,3 +1087,14 @@ update t1 left join t2 on a = b set b= 3 order by b;
 select * from t2;

 drop tables t1, t2;
+
+--echo #
+--echo # MDEV-22464 Server crash on UPDATE with nested subquery
+--echo #
+create table t1 (a int) ;
+insert into t1 (a) values (1),(2),(3) ;
+--error ER_SUBQUERY_NO_1_ROW
+select a from t1 where a= (select 2 from t1 having (a = 3));
+--error ER_SUBQUERY_NO_1_ROW
+update t1 set a= (select 2 from t1 having (a = 3));
+drop tables t1;
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -4268,7 +4268,8 @@ mysql_select(THD *thd,
  bool free_join= 1;
  DBUG_ENTER("mysql_select");

-  select_lex->context.resolve_in_select_list= TRUE;
+  if (!fields.is_empty())
+    select_lex->context.resolve_in_select_list= true;
  JOIN *join;
  if (select_lex->join != 0)
  {