MDEV-17024 Crash on large query

This problem manifested itself when a join query used two or more materialized CTE such that each of them employed the same recursive CTE. The bug caused a crash. The crash happened because the cleanup() function was performed premature for recursive CTE. This clean up was induced by the cleanup of the first CTE referenced the recusrsive CTE. This cleanup destroyed the structures that would allow to read from the temporary table containing the rows of the recursive CTE and an attempt to read these rows for the second CTE referencing the recursive CTE triggered a crash. The clean up for a recursive CTE R should be performed after the cleanup of the last materialized CTE that uses R.
2025-07-02 14:22:51 +03:00 · 2018-09-07 20:10:04 -07:00
parent 59950df533
commit 4d991abd4f
7 changed files with 222 additions and 5 deletions
--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@ -5095,10 +5095,16 @@ class select_union_recursive :public select_union
  TABLE *first_rec_table_to_update;
  /* The temporary tables used for recursive table references */
  List<TABLE> rec_tables;
+  /*
+    The count of how many times cleanup() was called with cleaned==false
+    for the unit specifying the recursive CTE for which this object was created
+    or for the unit specifying a CTE that mutually recursive with this CTE.
+  */
+  uint cleanup_count;

  select_union_recursive(THD *thd_arg):
    select_union(thd_arg),
-    incr_table(0), first_rec_table_to_update(0) {};
+    incr_table(0), first_rec_table_to_update(0), cleanup_count(0) {};

  int send_data(List<Item> &items);
  bool create_result_table(THD *thd, List<Item> *column_types,