Fix for

Guilhem Bichot · Guilhem Bichot · commit 0dea7c9c8802 · 2013-06-11T13:37:20.000+02:00
Bug#16739050 PREPARED STATEMENT: CRASH IN ITEM_REF::REAL_ITEM OR PURE
VIRTUAL FUNCTION CALL
and 2 duplicates:
don't reach to real items when creating prep_having. Details:

First, let's review some bugs fixed in older 5.6 versions.
==========================================================

About the fix for 12603457 and 12603141:
WHERE condition is "WHERE field".
JOIN::conds is made, by change_item_tree(), to point to item_outer_ref
which points to item_field.
At fix_prepare_information() we do:
  prep_where= JOIN::conds
When we rollback_item_tree_changes(), we restore conds, which does not
modify prep_where (only JOIN::conds was registered in the "list of
changes to roll back"...).
When next execution starts reinit_stmt_before_use() copies prep_where
into select_lex-&gt;where, which thus gets the now-destroyed
item_outer_ref, later this crashes.
Solution which was chosen: make reinit_stmt_before_use() copy
prep_where-&gt;real_item(), to reach to the field, avoiding the
now-destroyed item_outer_ref.
For uniformity, the same was done for prep_having.

About the fix for 12582849: (cousin of above)
WHERE condition is OR.
One argument of OR is made to point to item_outer_ref which points to
item_field.
At JOIN:: optimize:
  prep_where= copy of conds =&gt; makes a copy of OR (a new item_cond_or).
When we rollback_item_tree_changes(), we restore one pointer argument
of the original OR, which does not modify the pointer argument of the
copy of this OR (do not modify prep_where); the now-destroyed
item_outer_ref remains in prep_where. Then it crashes at next
execution.
Solution which was chosen: make the copy code (copy_andor_structure)
use real_item().

About the fix for Bug #16163596:
regression caused by the fix for 12603457 and 12603141.
In sql_yacc, "HAVING a" leads to the creation of an Item_ref named
"a". In having-&gt;fix_fields(), we find that "a" is actually a field, so
we make the Item_ref's ref point to this field.
At next execution, reinit_stmt_before_use()  uses real_item() which
makes the HAVING be item_field, not Item_ref anymore. This Item_ref
should have staid, it's a permanent, parse-time item.
There should never be Item_field in HAVING, see how sql_yacc creates
Item_ref instead of Item_field if in HAVING.
Removing this item_ref confused ROLLUP.
Solution which was chosen: undo the HAVING part of the fix for
12603457 and 12603141.

Now the new bugs.
=================

16317817:
HAVING condition is OR.
We resolve GROUP BY:
- initially order-&gt;item points to order-&gt;item_ptr which contains (per
parser) Item_field.
- in find_order_in_list(), *order_item (i.e. order-&gt;item_ptr) is made
to point to item_outer_ref, this change done in fix_fields() goes
through register_item_tree_change().
- again in find_order_in_list(), we append this item to
ref_pointer_array, and make order-&gt;item point to this new cell of the
array.
One argument of OR in HAVING is item_ref (per parser).
We resolve HAVING: this argument of OR is made to reference
order-&gt;item (id est: the ref_pointer_array cell which references the
item of GROUP BY). Keep in mind that Item_ref is Item**, not Item*.
Then we rollback_item_tree_changes(), which effectively restores
order-&gt;item_ptr.
reinit_stmt_before_use() restores order -&gt; item to point to order -&gt;
item_ptr. So GROUP BY is fine.
But the item_ref in HAVING still references the cell of
ref_pointer_array which was not restored.
reinit_stmt_before_use()  makes a copy of HAVING, which uses
copy_andor_structure, which reaches to the real items
(per the fix for 12582849), but as HAVING is "item_ref to destroyed
item_outer_ref to item_field", this crashes.
If it would not reach to the real item, the copy would stop at the
item_ref, then the soon-coming name resolution would create a new
item_outer_ref and point the item_ref to it, all fine.

16739050: similar to above

16317685:
HAVING condition is OR.
In HAVING, one Item_ref is made to reference COUNT;
reinit_stmt_before_use(),  using copy_andor_structure() which uses
real_item(), changes HAVING to COUNT, then ROLLUP crashes.

PROPOSED SOLUTION
=================

Avoid using real_item() in copy_andor_structure() when copying HAVING,
because it's only causing problems.
Keep real_item() when copying WHERE, in 5.6. We cannot remove it,
because of the "second copy" done in JOIN::optimize():
    sel-&gt;prep_where=
conds ? conds-&gt;copy_andor_structure(thd, true) : NULL;
which creates new AND/OR items which "argument pointers" will not be properly restored
(re-read 12582849 above), thus forcing us to reach to the real items.
In WL#7082 (5.7), the second copy will go away, so real_item() can be
removed (done in my prototype).
diff --git a/sql/item.cc b/sql/item.cc
@@ -5390,7 +5390,7 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
               It's not an Item_field in the select list so we must make a new
               Item_ref to point to the Item in the select list and replace the
               Item_field created by the parser with the new Item_ref.
-
+              Ex: SELECT func1(col) as c ... ORDER BY func2(c);
               NOTE: If we are fixing an alias reference inside ORDER/GROUP BY
               item tree, then we use new Item_ref as an intermediate value
               to resolve referenced item only.
diff --git a/sql/item.h b/sql/item.h
@@ -1338,7 +1338,13 @@ class Item
   */
   virtual void no_rows_in_result() {}
   virtual Item *copy_or_same(THD *thd) { return this; }
-  virtual Item *copy_andor_structure(THD *thd) { return this; }
+  /**
+     @param real_items  True <=> in the copy, replace any Item_ref with its
+     real_item()
+     @todo this argument should be always false and removed in WL#7082.
+  */
+  virtual Item *copy_andor_structure(THD *thd, bool real_items= false)
+  { return real_items ? real_item() : this; }
   virtual Item *real_item() { return this; }
   virtual Item *get_tmp_table_item(THD *thd) { return copy_or_same(thd); }
 
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
@@ -4739,11 +4739,12 @@ Item_cond::Item_cond(THD *thd, Item_cond *item)
 }
 
 
-void Item_cond::copy_andor_arguments(THD *thd, Item_cond *item)
+void Item_cond::copy_andor_arguments(THD *thd, Item_cond *item, bool real_items)
 {
   List_iterator_fast<Item> li(item->list);
   while (Item *it= li++)
-    list.push_back(it->real_item()->copy_andor_structure(thd));
+    list.push_back((real_items ? it->real_item() : it)->
+                   copy_andor_structure(thd, real_items));
 }
 
 
diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
@@ -1,7 +1,7 @@
 #ifndef ITEM_CMPFUNC_INCLUDED
 #define ITEM_CMPFUNC_INCLUDED
 
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1682,7 +1682,7 @@ class Item_cond :public Item_bool_func
   friend int setup_conds(THD *thd, TABLE_LIST *tables, TABLE_LIST *leaves,
                          Item **conds);
   void top_level_item() { abort_on_null=1; }
-  void copy_andor_arguments(THD *thd, Item_cond *item);
+  void copy_andor_arguments(THD *thd, Item_cond *item, bool real_items= false);
   bool walk(Item_processor processor, bool walk_subquery, uchar *arg);
   Item *transform(Item_transformer transformer, uchar *arg);
   void traverse_cond(Cond_traverser, void *arg, traverse_order order);
@@ -1873,11 +1873,11 @@ class Item_cond_and :public Item_cond
   enum Functype functype() const { return COND_AND_FUNC; }
   longlong val_int();
   const char *func_name() const { return "and"; }
-  Item* copy_andor_structure(THD *thd)
+  Item* copy_andor_structure(THD *thd, bool real_items)
   {
     Item_cond_and *item;
     if ((item= new Item_cond_and(thd, this)))
-       item->copy_andor_arguments(thd, this);
+      item->copy_andor_arguments(thd, this, real_items);
     return item;
   }
   Item *neg_transformer(THD *thd);
@@ -1902,11 +1902,11 @@ class Item_cond_or :public Item_cond
   enum Functype functype() const { return COND_OR_FUNC; }
   longlong val_int();
   const char *func_name() const { return "or"; }
-  Item* copy_andor_structure(THD *thd)
+  Item* copy_andor_structure(THD *thd, bool real_items)
   {
     Item_cond_or *item;
     if ((item= new Item_cond_or(thd, this)))
-      item->copy_andor_arguments(thd, this);
+      item->copy_andor_arguments(thd, this, real_items);
     return item;
   }
   Item *neg_transformer(THD *thd);
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -3657,6 +3657,14 @@ void st_select_lex::fix_prepare_information(THD *thd, Item **conds,
       /*
         In "WHERE outer_field", *conds may be an Item_outer_ref allocated in
         the execution memroot.
+        @todo change this line in WL#7082. Currently, when we execute a SP,
+        containing "SELECT (SELECT ... WHERE t1.col) FROM t1",
+        resolution may make *conds equal to an Item_outer_ref, then below
+        *conds becomes Item_field, which then goes straight on to execution,
+        undoing the effects of putting Item_outer_ref in the first place...
+        With a PS the problem is not as severe, as after the code below we
+        don't go to execution: a next execution will do a new name resolution
+        which will create Item_outer_ref again.
       */
       prep_where= (*conds)->real_item();
       *conds= where= prep_where->copy_andor_structure(thd);
diff --git a/sql/sql_optimizer.cc b/sql/sql_optimizer.cc
@@ -218,9 +218,21 @@ JOIN::optimize()
     }
     build_bitmap_for_nested_joins(join_list, 0);
 
-    // Copied from st_select_lex::fix_prepare_information():
+    /*
+      After permanent transformations above, prep_where created in
+      st_select_lex::fix_prepare_information() is out-of-date, we need to
+      refresh it.
+      For that We must copy "conds" because it contains AND/OR items in a
+      non-permanent memroot. And this copy must contain real items only,
+      because the new AND/OR items will not have their argument pointers
+      restored by rollback_item_tree_changes().
+      @see st_select_lex::fix_prepare_information() for problems with this.
+      @todo in WL#7082 move transformations above to before
+      st_select_lex::fix_prepare_information(), and remove this second copy
+      below.
+    */
     sel->prep_where=
-      conds ? conds->real_item()->copy_andor_structure(thd) : NULL;
+      conds ? conds->copy_andor_structure(thd, true) : NULL;
 
     if (arena)
       thd->restore_active_arena(arena, &backup);
@@ -2759,7 +2771,7 @@ static bool record_join_nest_info(st_select_lex *select,
   while ((table= li++))
   {
     table->prep_join_cond= table->join_cond() ?
-      table->join_cond()->copy_andor_structure(select->join->thd) : NULL;
+      table->join_cond()->copy_andor_structure(select->join->thd, true) : NULL;
 
     if (table->nested_join == NULL)
       continue;

Original file line number	Diff line number	Diff line change
`@@ -4739,11 +4739,12 @@ Item_cond::Item_cond(THD thd, Item_cond item)`
`4739`	`4739`	`}`
`4740`	`4740`
`4741`	`4741`
`4742`		`-void Item_cond::copy_andor_arguments(THD thd, Item_cond item)`
	`4742`	`+void Item_cond::copy_andor_arguments(THD thd, Item_cond item, bool real_items)`
`4743`	`4743`	`{`
`4744`	`4744`	`List_iterator_fast<Item> li(item->list);`
`4745`	`4745`	`while (Item *it= li++)`
`4746`		`- list.push_back(it->real_item()->copy_andor_structure(thd));`
	`4746`	`+ list.push_back((real_items ? it->real_item() : it)->`
	`4747`	`+ copy_andor_structure(thd, real_items));`
`4747`	`4748`	`}`
`4748`	`4749`
`4749`	`4750`