MDEV-35816 ASAN use-after-poison in st_select_lex::print

DaveGosselin-MariaDB · DaveGosselin-MariaDB · commit e4a466d3ce2c · 2025-04-22T08:42:11.000-04:00
Semi-joins with CTEs as the derived table will leave dangling pointers
to the JOIN instance, from the corresponding SELECT_LEX instance, after
first execution has completed.  Clean these up during statement
reinitialization, before subsequent executions occur.
diff --git a/mysql-test/main/prepare.result b/mysql-test/main/prepare.result
@@ -115,3 +115,28 @@ drop table t1,t2;
 #
 # End of 10.6 tests
 #
+#
+# MDEV-35816 ASAN use-after-poison in st_select_lex::print
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5);
+SET SESSION optimizer_trace = 'enabled=on';
+PREPARE stmt FROM 'SELECT STRAIGHT_JOIN * FROM t1 WHERE a IN (WITH cte AS (SELECT a FROM t1) SELECT * FROM cte)';
+EXECUTE stmt;
+a
+1
+2
+3
+4
+5
+EXECUTE stmt;
+a
+1
+2
+3
+4
+5
+DROP TABLE t1;
+#
+# End of 10.11 tests
+#
diff --git a/mysql-test/main/prepare.test b/mysql-test/main/prepare.test
@@ -105,3 +105,18 @@ drop table t1,t2;
 --echo #
 --echo # End of 10.6 tests
 --echo #
+
+--echo #
+--echo # MDEV-35816 ASAN use-after-poison in st_select_lex::print
+--echo #
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 (a) VALUES (1),(2),(3),(4),(5);
+SET SESSION optimizer_trace = 'enabled=on';
+PREPARE stmt FROM 'SELECT STRAIGHT_JOIN * FROM t1 WHERE a IN (WITH cte AS (SELECT a FROM t1) SELECT * FROM cte)';
+EXECUTE stmt;
+EXECUTE stmt;
+DROP TABLE t1;
+
+--echo #
+--echo # End of 10.11 tests
+--echo #
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
@@ -3134,6 +3134,33 @@ void mysql_sql_stmt_execute_immediate(THD *thd)
 }
 
 
+/**
+  Cleanup destroyed JOIN instances from derived tables' SELECT_LEX instances
+  before second execution by setting the SELECT_LEX instance's JOIN pointer
+  to nullptr.
+ */
+static void cleanup_joins(SELECT_LEX *sl)
+{
+  TABLE_LIST *tl;
+  for (tl= sl->table_list.first; tl; tl= tl->next_local)
+  {
+    // Must be a derived view without a recursive table reference.
+    if (!tl->is_view_or_derived() || tl->is_with_table_recursive_reference())
+      continue;
+
+    SELECT_LEX_UNIT *unit= tl->get_unit();
+    if (!unit)
+      continue;
+
+    // For each query on the unit, disassociate the JOIN instance.  It
+    // should have already been destroyed by this point.  There's no way
+    // to assert that because it will result in EXC_BAD_ACCESS.
+    for (SELECT_LEX *sl= unit->first_select(); sl; sl= sl->next_select())
+      sl->join= nullptr;
+  }
+}
+
+
 /**
   Reinit prepared statement/stored procedure before execution.
 
@@ -3238,6 +3265,8 @@ void reinit_stmt_before_use(THD *thd, LEX *lex)
     }
     if (sl->changed_elements & TOUCHED_SEL_DERIVED)
     {
+      cleanup_joins(sl);
+
 #ifdef DBUG_ASSERT_EXISTS
       bool res=
 #endif
