MDEV-28509 Dereferenced null pointer of type 'struct JOIN_TAB' in add_key_field #2821

Open
wants to merge 1 commit into
base: 10.5
MDEV-28509 Dereferenced null pointer of type 'struct JOIN_TAB' in add_key_field

This patch fixes a crash when calculating join statistics during query
optimization for queries with dangling WINDOW references.  Put another way,
the system may crash when a query defines a WINDOW but doesn't then refer to
it.

Item::marker is overloaded for different uses, the most typical refer to it as
a bit field.  However, the setup_group function uses it to mark that a field
was found when traversing a GROUP BY.  Originally, this marking set the
Item::marker field to 1 to indicate that it was found.  Later on in setup_group
(and only when SQL mode ONLY_FULL_GROUP_BY is enabled), we would skip any such
marked fields when checking that fields only referenced those found in the
GROUP BY; otherwise, it would be silly to find fields of the GROUP BY within
the GROUP BY field itself.  Setting Item::marker to 1 seemed mostly harmless
at that point in time.  But later, in git sha 4d143a6, we introduced
several changes: (1) the value of marker in setup_group was changed from 1 to
UNDEF_POS, (2) Item::marker was changed from uint8 to int8 (which has since
been changed to an int), and (3) UNDEF_POS which is defined to be -1 was also
added.

Queries that define WINDOWs internally will set up groups and orders as part
of query processing via the setup_group function.  Consequently because of
the behavior described earlier above, such queries may have items with markers
as UNDEF_POS (-1, or 0xffffffff) which is the same as marking all of the flag
bits as set.  This is disastrous for those users of Item::marker which refer
to it as a bit field as some of those bits are mutually exclusive in meaning,
and in many places we don't mask the bits we're interested in, we just
compare the value of the field as a whole to some flag value with direct
comparison.  In particular, the method
Item_direct_view_ref::grouping_field_transformer_for_where would
incorrectly see that the ref's marker was set for substitution when it was
actually -1, all bits set, taking the wrong execution path leading to the
crash.

Upon return from the setup_group function, we set the value of the marker
flag to zero if we set it to -1.  This preserves the marker behavior for
'full group by' (if configured) while not otherwise allowing the marker
flag state to leak outside of this function.
DaveGosselin-MariaDB committed May 8, 2024
commit 777ba7f37749ae09c3014c31d5022e4f09da756f
56 changes: 56 additions & 0 deletions mysql-test/main/win.result
Expand Up @@ -4391,3 +4391,59 @@ row_number() OVER (order by a)
2
3
drop table t1;
#
# MDEV-28509: Access null pointer during add_key_field call
#
CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
i
1
2
3
DROP TABLE t1;
WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
v1055
Warnings:
Warning 1292 Truncated incorrect DECIMAL value: 'x'
Warning 1292 Truncated incorrect DECIMAL value: 'x'
DROP TABLE t2;
SET @save_sql_mode=@@sql_mode;
SET sql_mode=ONLY_FULL_GROUP_BY;
CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
i
1
2
3
DROP TABLE t1;
WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
v1055
Warnings:
Warning 1292 Truncated incorrect DECIMAL value: 'x'
Warning 1292 Truncated incorrect DECIMAL value: 'x'
DROP TABLE t2;
SET @@sql_mode=@save_sql_mode;
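Review bot: the two `Warning 1292 Truncated incorrect DECIMAL value: 'x'` lines recorded after the long t2 query, in both the default and the ONLY_FULL_GROUP_BY halves, come from that query's comparisons against the string 'x' and not from the dangling WINDOW this test targets. Recording them ties the expected output to unrelated conversion behaviour. Consider reducing the query so it no longer compares against 'x', or wrapping that statement in `--disable_warnings` / `--enable_warnings` in win.test and re-recording the result.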
43 changes: 43 additions & 0 deletions mysql-test/main/win.test
Expand Up @@ -2873,3 +2873,46 @@ create table t1 (a int);
insert into t1 values (1),(2),(3);
SELECT row_number() OVER (order by a) FROM t1 order by NAME_CONST('myname',NULL);
drop table t1;

--echo #
--echo # MDEV-28509: Access null pointer during add_key_field call
--echo #
CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
DROP TABLE t1;

WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;

CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
DROP TABLE t2;


SET @save_sql_mode=@@sql_mode;
SET sql_mode=ONLY_FULL_GROUP_BY;

CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
DROP TABLE t1;

WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;

CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
DROP TABLE t2;

SET @@sql_mode=@save_sql_mode;
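Review bot: `UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;` matches no row, since t2 holds only 54 at that point, so it can be dropped from both copies of the t2 block. The same statements are then repeated verbatim after `SET sql_mode=ONLY_FULL_GROUP_BY;` with no `--echo` line marking the switch, so a mismatch in the recorded result cannot be tied to one mode at a glance; add an `--echo #` line naming the mode, or move the shared statements into an include file sourced once per mode. A one-line comment on what the long v1057 query covers beyond the three short CTE cases would also help the next reader.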
56 changes: 56 additions & 0 deletions mysql-test/suite/encryption/r/tempfiles_encrypted.result
Expand Up @@ -4398,6 +4398,62 @@ row_number() OVER (order by a)
3
drop table t1;
#
# MDEV-28509: Access null pointer during add_key_field call
#
CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
i
1
2
3
DROP TABLE t1;
WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
v1055
Warnings:
Warning 1292 Truncated incorrect DECIMAL value: 'x'
Warning 1292 Truncated incorrect DECIMAL value: 'x'
DROP TABLE t2;
SET @save_sql_mode=@@sql_mode;
SET sql_mode=ONLY_FULL_GROUP_BY;
CREATE TABLE t1 (i int);
INSERT INTO t1 VALUES (1),(2),(3);
WITH cte AS (SELECT i FROM (SELECT i FROM t1 GROUP BY i) dt WINDOW w AS (PARTITION BY i))
SELECT a.i FROM cte a JOIN cte b on a.i=b.i WHERE a.i != 5;
i
1
2
3
DROP TABLE t1;
WITH c AS (SELECT i FROM (SELECT i FROM (SELECT 1 AS i) AS i GROUP BY i) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i!=1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY e)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
WITH c AS (SELECT i FROM (SELECT i AS e, i AS i FROM (SELECT 1 AS i) i GROUP BY e) d WINDOW w AS (PARTITION BY i)) SELECT a.i FROM c a JOIN c b on a.i=b.i WHERE a.i<>1;
i
CREATE TABLE t2 ( v1055 INT );
INSERT INTO t2 ( v1055 ) VALUES ( 54 );
UPDATE t2 SET v1055 = 127 WHERE v1055 = 83;
INSERT INTO t2 ( v1055 ) VALUES ( -1 ) , ( -1 );
WITH v1057 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1056 ) SELECT v1055 FROM v1057 WHERE v1055 BETWEEN FALSE AND ( ( ( v1055 OR NOT v1055 ) BETWEEN ( ( ( ( EXISTS ( WITH v1063 AS ( SELECT v1055 FROM ( SELECT v1055 FROM t2 GROUP BY v1055 ) AS v1058 WINDOW v1062 AS ( PARTITION BY v1055 ORDER BY ( SELECT DISTINCT 16 FROM t2 AS v1059 , t2 AS v1060 , t2 AS v1061 JOIN t2 ) DESC RANGE BETWEEN 80808358.000000 FOLLOWING AND 82012945.000000 FOLLOWING ) ) SELECT v1055 FROM ( SELECT DISTINCT ( ( NOT ( 60914711.000000 AND v1055 = 68 ) ) = -1 AND v1055 = 17 ) % v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 WHERE v1055 = -128 AND ( v1055 = -128 OR v1055 = 0 OR v1055 = 31 ) ) AS v1064 NATURAL JOIN v1063 AS v1065 NATURAL JOIN v1063 AS v1066 NATURAL JOIN ( SELECT DISTINCT v1055 , ( v1055 = -1 OR v1055 > 'x' ) FROM t2 ) AS v1067 NATURAL JOIN v1063 AS v1068 NATURAL JOIN v1063 WHERE v1055 != 72 GROUP BY v1055 ORDER BY v1055 ) AND v1055 = -1 ) - 2147483647 ) ) ) AND 'x' = ( 4 + 34235093.000000 <= 60 ) ) );
v1055
Warnings:
Warning 1292 Truncated incorrect DECIMAL value: 'x'
Warning 1292 Truncated incorrect DECIMAL value: 'x'
DROP TABLE t2;
SET @@sql_mode=@save_sql_mode;
#
# MDEV-23867: select crash in compute_window_func
#
set @save_sort_buffer_size=@@sort_buffer_size;
8 changes: 8 additions & 0 deletions sql/sql_select.cc
Expand Up @@ -60,6 +60,7 @@
#include <my_bit.h>
#include <hash.h>
#include <ft_global.h>
#include <scope.h>
#include "sys_vars_shared.h"
#include "sp_head.h"
#include "sp_rcontext.h"
Expand Down Expand Up @@ -25413,6 +25414,13 @@ setup_group(THD *thd, Ref_ptr_array ref_pointer_array, TABLE_LIST *tables,
uint org_fields=all_fields.elements;

thd->where="group statement";

// Don't allow markers to remain undefined upon return from setup_group
SCOPE_EXIT([order] () {
for (ORDER *ord= order; ord; ord= ord->next)
if ((*ord->item)->marker == UNDEF_POS)
(*ord->item)->marker= 0;
});
for (ord= order; ord; ord= ord->next)
{
if (find_order_in_list(thd, ref_pointer_array, tables, ord, fields,
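Review bot: the comment above the SCOPE_EXIT block in setup_group says only that markers must not remain undefined; the reason (UNDEF_POS is -1, and other code reads Item::marker as flag bits) lives in the commit message alone. Put that reason in the comment so the reset is not later removed as dead code. The lambda also declares its own `ORDER *ord`, the same name the function's loop uses on the next line (`for (ord= order; ord; ord= ord->next)`); a different name inside the lambda would avoid confusion. Finally, the reset clears every item whose marker equals UNDEF_POS on exit, not only those this call marked, so it is worth stating in the comment that no caller relies on UNDEF_POS surviving setup_group.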