Commit ff77a09b authored by Aleksey Midenkov's avatar Aleksey Midenkov

MDEV-22464 Server crash on UPDATE with nested subquery

Uninitialized ref_pointer_array[] because setup_fields() got empty
fields list.  mysql_multi_update() for some reason does that by
substituting the fields list with empty total_list for the
mysql_select() call (looks like wrong merge since total_list is not
used anywhere else and is always empty). The fix would be to return
back the original fields list. But this fails update_use_source.test
case:

  --error ER_BAD_FIELD_ERROR
  update v1 set t1c1=2 order by 1;

Actually not failing the above seems to be ok.

The other fix would be to keep resolve_in_select_list false (and that
keeps outer context from being resolved in
Item_ref::fix_fields()). This fix is more consistent with how SELECT
behaves:

  --error ER_SUBQUERY_NO_1_ROW
  select a from t1 where a= (select 2 from t1 having (a = 3));

So this patch implements this fix.
parent 1e70b287
...@@ -1151,3 +1151,13 @@ b ...@@ -1151,3 +1151,13 @@ b
1 1
3 3
drop tables t1, t2; drop tables t1, t2;
#
# MDEV-22464 Server crash on UPDATE with nested subquery
#
create table t1 (a int) ;
insert into t1 (a) values (1),(2),(3) ;
select a from t1 where a= (select 2 from t1 having (a = 3));
ERROR 21000: Subquery returns more than 1 row
update t1 set a= (select 2 from t1 having (a = 3));
ERROR 21000: Subquery returns more than 1 row
drop tables t1;
...@@ -1087,3 +1087,14 @@ update t1 left join t2 on a = b set b= 3 order by b; ...@@ -1087,3 +1087,14 @@ update t1 left join t2 on a = b set b= 3 order by b;
select * from t2; select * from t2;
drop tables t1, t2; drop tables t1, t2;
--echo #
--echo # MDEV-22464 Server crash on UPDATE with nested subquery
--echo #
create table t1 (a int) ;
insert into t1 (a) values (1),(2),(3) ;
--error ER_SUBQUERY_NO_1_ROW
select a from t1 where a= (select 2 from t1 having (a = 3));
--error ER_SUBQUERY_NO_1_ROW
update t1 set a= (select 2 from t1 having (a = 3));
drop tables t1;
...@@ -4268,7 +4268,8 @@ mysql_select(THD *thd, ...@@ -4268,7 +4268,8 @@ mysql_select(THD *thd,
bool free_join= 1; bool free_join= 1;
DBUG_ENTER("mysql_select"); DBUG_ENTER("mysql_select");
select_lex->context.resolve_in_select_list= TRUE; if (!fields.is_empty())
select_lex->context.resolve_in_select_list= true;
JOIN *join; JOIN *join;
if (select_lex->join != 0) if (select_lex->join != 0)
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment