[MDEV-30052] Crash with a query containing nested WINDOW clauses - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3
Component/s: Parser
Labels:

Description

Setting this to critical due to use-after-poison in sql/sql_list.h (ref ASAN output in first comment below), as well as the code location (opt_subselect.cc) and the code in crashes on (total_key_length += inner->max_length).

CREATE TABLE t (c INT) ENGINE=InnoDB;

UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN ((SELECT * FROM (SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS (ORDER BY (SELECT * FROM t GROUP BY c WINDOW v3 AS (PARTITION BY c))))));

Leads to:

10.11.2 8283948846740a22f96bbe7bccf250708406d5d9 (Debug)
Core was generated by `/test/MD171122-mariadb-10.11.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 subquery_types_allow_materialization (thd=thd@entry=0x1463c4000d48,
in_subs=in_subs@entry=0x1463c4028708)
at /test/10.11_dbg/sql/opt_subselect.cc:891
891 total_key_length += inner->max_length;
[Current thread is 1 (Thread 0x1463f8912700 (LWP 3156269))]
(gdb) bt
#0 subquery_types_allow_materialization (thd=thd@entry=0x1463c4000d48, in_subs=in_subs@entry=0x1463c4028708) at /test/10.11_dbg/sql/opt_subselect.cc:891
#1 0x000056489b07a4e6 in is_materialization_applicable (thd=thd@entry=0x1463c4000d48, in_subs=in_subs@entry=0x1463c4028708, child_select=child_select@entry=0x1463c4014068) at /test/10.11_dbg/sql/sql_lex.h:1651
#2 0x000056489b07ab8b in check_and_do_in_subquery_rewrites (join=join@entry=0x1463c4029ef8) at /test/10.11_dbg/sql/opt_subselect.cc:755
#3 0x000056489af4049a in JOIN::prepare (this=0x1463c4029ef8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:1565
#4 0x000056489b2bd33d in subselect_single_select_engine::prepare (this=0x1463c4028900, thd=0x1463c4000d48) at /test/10.11_dbg/sql/sql_lex.h:1368
#5 0x000056489b2bc80b in Item_subselect::fix_fields (this=this@entry=0x1463c4028708, thd_param=thd_param@entry=0x1463c4000d48, ref=ref@entry=0x1463c4028968) at /test/10.11_dbg/sql/item_subselect.cc:295
#6 0x000056489b2bcc50 in Item_in_subselect::fix_fields (this=0x1463c4028708, thd_arg=0x1463c4000d48, ref=0x1463c4028968) at /test/10.11_dbg/sql/item_subselect.cc:3545
#7 0x000056489af102e7 in Item::fix_fields_if_needed (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1164
#8 Item::fix_fields_if_needed_for_scalar (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1156
#9 Item::fix_fields_if_needed_for_order_by (ref=<optimized out>, thd=0x1463c4000d48, this=0x1463c4028708) at /test/10.11_dbg/sql/item.h:1164
#10 find_order_in_list (thd=thd@entry=0x1463c4000d48, ref_pointer_array=<optimized out>, tables=tables@entry=0x1463c4013330, order=order@entry=0x1463c4028958, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, is_group_field=false, add_to_all_fields=true, from_window_spec=false) at /test/10.11_dbg/sql/sql_select.cc:25730
#11 0x000056489af3bd31 in setup_order (thd=thd@entry=0x1463c4000d48, ref_pointer_array=<optimized out>, tables=tables@entry=0x1463c4013330, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, order=0x1463c4028958, from_window_spec=false) at /test/10.11_dbg/sql/sql_select.cc:25777
#12 0x000056489af3fccd in setup_without_group (reserved=<optimized out>, hidden_group_fields=0x1463c40299d7, win_funcs=<optimized out>, win_specs=<optimized out>, group=<optimized out>, order=<optimized out>, conds=0x1463c4029b10, all_fields=@0x1463c4029a28: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463c4029a28, elements = 0}, <No data fields>}, fields=<optimized out>, leaves=<optimized out>, tables=<optimized out>, ref_pointer_array=<optimized out>, thd=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:888
#13 JOIN::prepare (this=this@entry=0x1463c4029690, tables_init=tables_init@entry=0x1463c4013330, conds_init=conds_init@entry=0x1463c4013dc0, og_num=og_num@entry=1, order_init=order_init@entry=0x1463c4028958, skip_order_by=skip_order_by@entry=false, group_init=<optimized out>, having_init=<optimized out>, proc_param_init=<optimized out>, select_lex_arg=<optimized out>, unit_arg=<optimized out>) at /test/10.11_dbg/sql/sql_select.cc:1465
#14 0x000056489af5650c in mysql_select (thd=thd@entry=0x1463c4000d48, tables=tables@entry=0x1463c4013330, fields=@0x1463f8910cf0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x56489c459f00 <end_of_list>, last = 0x1463f8910cf0, elements = 0}, <No data fields>}, conds=conds@entry=0x1463c4013dc0, og_num=1, order=0x1463c4028958, group=0x0, having=0x0, proc_param=0x0, select_options=37383395344512, result=0x1463c4029580, unit=0x1463c4004f88, select_lex=0x1463c40057b8) at /test/10.11_dbg/sql/sql_select.cc:5056
#15 0x000056489afcf16b in mysql_multi_update (thd=thd@entry=0x1463c4000d48, table_list=0x1463c4013330, fields=fields@entry=0x1463c4005a58, values=values@entry=0x1463c4005e88, conds=0x1463c4013dc0, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x1463c4004f88, select_lex=0x1463c40057b8, result=0x1463f8910ed0) at /test/10.11_dbg/sql/sql_update.cc:1980
#16 0x000056489aed18c8 in mysql_execute_command (thd=thd@entry=0x1463c4000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:4489
#17 0x000056489aebe606 in mysql_parse (thd=thd@entry=0x1463c4000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1463f8911300) at /test/10.11_dbg/sql/sql_parse.cc:7998
#18 0x000056489aecbb41 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1463c4000d48, packet=packet@entry=0x1463c400adf9 "UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN ((SELECT * FROM (SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS (ORDER BY (SELECT * FROM t GROUP BY c WINDOW v3 AS (PARTITION BY c))))))", packet_length=packet_length@entry=178, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
#19 0x000056489aecdf7f in do_command (thd=0x1463c4000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#20 0x000056489b028763 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56489d9a6fb8, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
#21 0x000056489b028c32 in handle_one_connection (arg=0x56489d9a6fb8) at /test/10.11_dbg/sql/sql_connect.cc:1318
#22 0x000014641159c609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#23 0x0000146411188133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.3 (dbg), 10.10.2 (dbg), 10.11.2 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (opt), 10.4.27 (opt), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.3 (opt), 10.10.2 (opt), 10.11.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

Attachments

Issue Links

includes

MDEV-25643 Assertion `table->no_keyread || !table->covering_keys.is_set(tab->index) || table->file->keyread == tab->index' failed in join_read_first

Closed

MDEV-28501 SIGSEGV in update_depend_map_for_order on SELECT, UBSAN: runtime error: member access within null pointer of type 'struct JOIN_TAB'

Closed

MDEV-28505 Server crash in sql/sql_select.cc:19830 in sub_select(JOIN*, st_join_table*, bool)

Closed

MDEV-28510 SIGSEGV in get_sort_by_table and SIGSEGV in subquery_types_allow_materialization

Closed

MDEV-28516 SIGSEGV in get_sort_by_table, UBSAN: runtime error: member access within null pointer of type 'struct TABLE_LIST'

Closed

MDEV-28799 SIGSEGV in JOIN_CACHE::reset_join and Assertion `cache != __null' failed in sub_select_cache on SELECT

Closed

MDEV-29052 SIGSEGV's in hp_rec_hashnr and my_hash_sort_simple (from hp_rec_hashnr and my_ci_hash_sort) on SELECT when using window functions

Closed

MDEV-29353 SIGSEGV's in _ma_unique_hash, _ma_make_key and _ma_calc_blob_length on SELECT (on optimized builds)

Closed

MDEV-30381 investigate group by window issues

Closed

is duplicated by

MDEV-28515 Assertion `field->table == table' failed in Create_tmp_table::finalize and create_tmp_table and SIGSEGV in hp_rec_hashnr

Closed

MDEV-29359 Server crashed with heap-use-after-free in in Field::is_null(long long) const

Closed

MDEV-32036 Server crash in find_field_in_table

Closed

(4 includes, 3 is duplicated by)

Activity

Ascending order - Click to sort in descending order

View 20 older comments

Sergei Petrunia added a comment - 2023-01-18 17:22 - edited

Addressed all of the above in: https://github.com/MariaDB/server/commit/436abf9253d4f54e8a2c7400c33d65790b9e620c
sanja, could you please review?

Sergei Petrunia added a comment - 2023-01-18 17:22 - edited Addressed all of the above in: https://github.com/MariaDB/server/commit/436abf9253d4f54e8a2c7400c33d65790b9e620c sanja , could you please review?

Sergei Petrunia added a comment - 2023-01-18 17:28

sanja, one question that is still not clear to me: If the select list entry was NOT added by GROUP BY code, why does the ORDER structure have ord->in_field_list==false ? Is this correct? (It's hard for me to tell, because there's no exact definition of what in_field_list means).

And do we need the check for (!in_field_list) after this patch?

Sergei Petrunia added a comment - 2023-01-18 17:28 sanja , one question that is still not clear to me: If the select list entry was NOT added by GROUP BY code, why does the ORDER structure have ord->in_field_list==false ? Is this correct? (It's hard for me to tell, because there's no exact definition of what in_field_list means). And do we need the check for (!in_field_list) after this patch?

Igor Babaev (Inactive) added a comment - 2023-01-18 23:57

Let's execute the query:

UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN ((SELECT * FROM (SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS (ORDER BY (SELECT * FROM t tt GROUP BY c WINDOW v3 AS (PARTITION BY c))))));

The cause of the problem can seen here:

(gdb) p thd->lex->all_selects_list

$122 = (SELECT_LEX *) 0x7fff90016990

(gdb) p dbug_print_select((SELECT_LEX *) 0x7fff90016990)

$123 = 0x555557581b40 <dbug_item_print_buf> "select `*` from test.t tt group by c"

(gdb) p ((SELECT_LEX *) 0x7fff90016990)->group_list

$124 = {<Sql_alloc> = {<No data fields>}, elements = 1, first = 0x7fff90017eb0, next = 0x7fff90017eb0}

(gdb) p ((SELECT_LEX *) 0x7fff90016990)->next_select_in_list()

$125 = (st_select_lex *) 0x7fff90014d38

(gdb) p dbug_print_select((st_select_lex *) 0x7fff90014d38)

$126 = 0x555557581b40 <dbug_item_print_buf> "select t.c AS c from test.t"

(gdb) p ((st_select_lex *) 0x7fff90014d38)->next_select_in_list()

$127 = (st_select_lex *) 0x7fff90014018

(gdb) p dbug_print_select((st_select_lex *) 0x7fff90014018)

$128 = 0x555557581b40 <dbug_item_print_buf> "select `*` from (select t.c AS c from test.t) v1 group by c"

(gdb) p ((st_select_lex *) 0x7fff90014018)->group_list

$129 = {<Sql_alloc> = {<No data fields>}, elements = 1, first = 0x7fff90017eb0, next = 0x7fff90017eb0}

Here we see that two different selects:

select `*` from (select t.c AS c from test.t) v1 group by c

select `*` from test.t tt group by c

share the same group_list.
We have this when starting to execute mysql_derived_prepare() for the derived table v1 called indirectly from Multiupdate_prelocking_strategy::handle_end()

Igor Babaev (Inactive) added a comment - 2023-01-18 23:57 Let's execute the query: UPDATE t SET c=1 WHERE c=2 ORDER BY (1 IN (( SELECT * FROM ( SELECT * FROM t) AS v1 GROUP BY c WINDOW v2 AS ( ORDER BY ( SELECT * FROM t tt GROUP BY c WINDOW v3 AS (PARTITION BY c)))))); The cause of the problem can seen here: (gdb) p thd->lex->all_selects_list $122 = (SELECT_LEX *) 0x7fff90016990 (gdb) p dbug_print_select((SELECT_LEX *) 0x7fff90016990) $123 = 0x555557581b40 <dbug_item_print_buf> "select `*` from test.t tt group by c" (gdb) p ((SELECT_LEX *) 0x7fff90016990)->group_list $124 = {<Sql_alloc> = {<No data fields>}, elements = 1, first = 0x7fff90017eb0, next = 0x7fff90017eb0} (gdb) p ((SELECT_LEX *) 0x7fff90016990)->next_select_in_list() $125 = (st_select_lex *) 0x7fff90014d38 (gdb) p dbug_print_select((st_select_lex *) 0x7fff90014d38) $126 = 0x555557581b40 <dbug_item_print_buf> "select t.c AS c from test.t" (gdb) p ((st_select_lex *) 0x7fff90014d38)->next_select_in_list() $127 = (st_select_lex *) 0x7fff90014018 (gdb) p dbug_print_select((st_select_lex *) 0x7fff90014018) $128 = 0x555557581b40 <dbug_item_print_buf> "select `*` from (select t.c AS c from test.t) v1 group by c" (gdb) p ((st_select_lex *) 0x7fff90014018)->group_list $129 = {<Sql_alloc> = {<No data fields>}, elements = 1, first = 0x7fff90017eb0, next = 0x7fff90017eb0} Here we see that two different selects: select `*` from (select t.c AS c from test.t) v1 group by c select `*` from test.t tt group by c share the same group_list. We have this when starting to execute mysql_derived_prepare() for the derived table v1 called indirectly from Multiupdate_prelocking_strategy::handle_end()

Igor Babaev (Inactive) added a comment - 2023-01-19 05:46

Ok, this is a parser problem. Here's a fix:

 diff --git a/sql/sql_lex.h b/sql/sql_lex.h

index bdc8b54..548272f 100644

--- a/sql/sql_lex.h

+++ b/sql/sql_lex.h

@@ -976,6 +976,7 @@ class st_select_lex: public st_select_lex_node

*/

   SQL_I_List<ORDER>       group_list;

   Group_list_ptrs        *group_list_ptrs;

+  SQL_I_List<ORDER>       save_group_list;

   List<Item>          item_list;  /* list of fields & expressions */

   List<Item>          pre_fix; /* above list before fix_fields */

@@ -1040,6 +1041,7 @@ class st_select_lex: public st_select_lex_node

   const char *type;               /* type of select for EXPLAIN          */

   SQL_I_List<ORDER> order_list;   /* ORDER clause */

+  SQL_I_List<ORDER> save_order_list;

   SQL_I_List<ORDER> gorder_list;

   Item *select_limit, *offset_limit;  /* LIMIT clause parameters */

@@ -3215,8 +3217,6 @@ struct LEX: public Query_tables_list

-  SQL_I_List<ORDER> save_group_list;

-  SQL_I_List<ORDER> save_order_list;

   LEX_CSTRING *win_ref;

   Window_frame *win_frame;

   Window_frame_bound *frame_top_bound;

diff --git a/sql/sql_list.h b/sql/sql_list.h

index b112398..40848c2 100644

--- a/sql/sql_list.h

+++ b/sql/sql_list.h

@@ -53,7 +53,7 @@ class SQL_I_List :public Sql_alloc

     elements= tmp.elements;

     first= tmp.first;

-    next= tmp.next;

--- a/sql/sql_list.h

+++ b/sql/sql_list.h

@@ -53,7 +53,7 @@ class SQL_I_List :public Sql_alloc

     elements= tmp.elements;

     first= tmp.first;

-    next= tmp.next;

+    next= elements ? tmp.next : &first;

     return *this;

diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc

index 5e4c41f..cfe8c91 100644

--- a/sql/sql_lex.cc

+++ b/sql/sql_lex.cc

@@ -755,8 +755,6 @@ void LEX::start(THD *thd_arg)

   stmt_var_list.empty();

   proc_list.elements=0;

-  save_group_list.empty();

-  save_order_list.empty();

   win_ref= NULL;

   win_frame= NULL;

   frame_top_bound= NULL;

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc

index 3102aa6..f360b24 100644

--- a/sql/sql_parse.cc

+++ b/sql/sql_parse.cc

@@ -8662,8 +8662,8 @@ TABLE_LIST *st_select_lex::convert_right_join()

 void st_select_lex::prepare_add_window_spec(THD *thd)

   LEX *lex= thd->lex;

-  lex->save_group_list= group_list;

-  lex->save_order_list= order_list;

+  save_group_list= group_list;

+  save_order_list= order_list;

   lex->win_ref= NULL;

   lex->win_frame= NULL;

   lex->frame_top_bound= NULL;

@@ -8690,8 +8690,8 @@ bool st_select_lex::add_window_def(THD *thd,

                                                       win_part_list_ptr,

                                                       win_order_list_ptr,

                                                       win_frame);

-  group_list= thd->lex->save_group_list;

-  order_list= thd->lex->save_order_list;

+  group_list= save_group_list;

+  order_list= save_order_list;

   if (parsing_place != SELECT_LIST)

     fields_in_window_functions+= win_part_list_ptr->elements +

@@ -8717,8 +8717,8 @@ bool st_select_lex::add_window_spec(THD *thd,

                                                          win_part_list_ptr,

                                                          win_order_list_ptr,

                                                          win_frame);

-  group_list= thd->lex->save_group_list;

-  order_list= thd->lex->save_order_list;

+  group_list= save_group_list;

+  order_list= save_order_list;

   if (parsing_place != SELECT_LIST)

     fields_in_window_functions+= win_part_list_ptr->elements +

This fixes the problem.

Igor Babaev (Inactive) added a comment - 2023-01-19 05:46 Ok, this is a parser problem. Here's a fix: diff --git a/sql/sql_lex.h b/sql/sql_lex.h index bdc8b54..548272f 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h @@ -976,6 +976,7 @@ class st_select_lex: public st_select_lex_node */ SQL_I_List<ORDER> group_list; Group_list_ptrs *group_list_ptrs; + SQL_I_List<ORDER> save_group_list; List<Item> item_list; /* list of fields & expressions */ List<Item> pre_fix; /* above list before fix_fields */ @@ -1040,6 +1041,7 @@ class st_select_lex: public st_select_lex_node const char *type; /* type of select for EXPLAIN */ SQL_I_List<ORDER> order_list; /* ORDER clause */ + SQL_I_List<ORDER> save_order_list; SQL_I_List<ORDER> gorder_list; Item *select_limit, *offset_limit; /* LIMIT clause parameters */ @@ -3215,8 +3217,6 @@ struct LEX: public Query_tables_list } - SQL_I_List<ORDER> save_group_list; - SQL_I_List<ORDER> save_order_list; LEX_CSTRING *win_ref; Window_frame *win_frame; Window_frame_bound *frame_top_bound; diff --git a/sql/sql_list.h b/sql/sql_list.h index b112398..40848c2 100644 --- a/sql/sql_list.h +++ b/sql/sql_list.h @@ -53,7 +53,7 @@ class SQL_I_List :public Sql_alloc { elements= tmp.elements; first= tmp.first; - next= tmp.next; --- a/sql/sql_list.h +++ b/sql/sql_list.h @@ -53,7 +53,7 @@ class SQL_I_List :public Sql_alloc { elements= tmp.elements; first= tmp.first; - next= tmp.next; + next= elements ? tmp.next : &first; return *this; diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index 5e4c41f..cfe8c91 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -755,8 +755,6 @@ void LEX::start(THD *thd_arg) stmt_var_list.empty(); proc_list.elements=0; - save_group_list.empty(); - save_order_list.empty(); win_ref= NULL; win_frame= NULL; frame_top_bound= NULL; diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 3102aa6..f360b24 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -8662,8 +8662,8 @@ TABLE_LIST *st_select_lex::convert_right_join() void st_select_lex::prepare_add_window_spec(THD *thd) { LEX *lex= thd->lex; - lex->save_group_list= group_list; - lex->save_order_list= order_list; + save_group_list= group_list; + save_order_list= order_list; lex->win_ref= NULL; lex->win_frame= NULL; lex->frame_top_bound= NULL; @@ -8690,8 +8690,8 @@ bool st_select_lex::add_window_def(THD *thd, win_part_list_ptr, win_order_list_ptr, win_frame); - group_list= thd->lex->save_group_list; - order_list= thd->lex->save_order_list; + group_list= save_group_list; + order_list= save_order_list; if (parsing_place != SELECT_LIST) { fields_in_window_functions+= win_part_list_ptr->elements + @@ -8717,8 +8717,8 @@ bool st_select_lex::add_window_spec(THD *thd, win_part_list_ptr, win_order_list_ptr, win_frame); - group_list= thd->lex->save_group_list; - order_list= thd->lex->save_order_list; + group_list= save_group_list; + order_list= save_order_list; if (parsing_place != SELECT_LIST) { fields_in_window_functions+= win_part_list_ptr->elements + This fixes the problem.

Rex Johnston added a comment - 2023-01-19 18:13

Igor's patch passes all mtr tests, one interesting thing. Previously this

SELECT

id IN (SELECT id FROM t1

  WINDOW w AS (ORDER BY

        (SELECT  1 FROM t1 WHERE EXISTS

                ( SELECT id FROM t1 GROUP BY id

                          WINDOW w2 AS (ORDER BY id)

)))) FROM t1

emitted a warning

Column 'id' in group statement is ambiguous

With the patch, it's gone.

Rex Johnston added a comment - 2023-01-19 18:13 Igor's patch passes all mtr tests, one interesting thing. Previously this SELECT id IN ( SELECT id FROM t1 WINDOW w AS ( ORDER BY ( SELECT 1 FROM t1 WHERE EXISTS ( SELECT id FROM t1 GROUP BY id WINDOW w2 AS ( ORDER BY id) )))) FROM t1 emitted a warning Column 'id' in group statement is ambiguous With the patch, it's gone.

MariaDB Server

Crash with a query containing nested WINDOW clauses

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration