Bug #25053286: USE VIEW WITH CONDITION IN PROCEDURE CAUSES

Sreeharsha Ramanavarapu · Sreeharsha Ramanavarapu · commit d7b37d4d141a · 2017-02-22T11:02:07.000+05:30
INCORRECT BEHAVIOR

Issue:
------
This problem occurs when a stored procedure contains a
query with a view. While resolving the columns in the
WHERE condition, find_field_in_view insists on creating a
Item_direct_view_ref object every time an execution
happens. This object is not destroyed at the end of the
execution.

In the next execution, a new object is created and will be
appended to the free_list. Hence the size of the free_list
is growing and the cleanup phase at the end of each execute
takes increasingly longer time.

Solution:
---------
This is a regression due to the fix for BUG#19897405.

Ideally the Item_direct_view_ref object (which is related
to the view's column in WHERE clause) should be created at
the beginning of every execution and destroyed at the end.
This doesn't happen because the check related to the status
(STMT_INITIALIZED_FOR_SP / STMT_EXECUTED) had been removed.
This check has been re-introduced.

Scenario 1 in BUG#19897405:
--------------------------
a) SP is executed--&gt; The view fields are resolved/fixed.
b) FLUSH TABLE &lt;table-name&gt;.
c) SP is executed--&gt; Triggers re-prepare--&gt; Query arena
   state is not reset and remains as 'STMT_EXECUTED'.
   Previously created Item_direct_view_ref object is
   destroyed. The view fields are resolved/fixed
   using the execution mem_root. It creates a new
   Item_direct_view_ref object, this is destroyed at the
   end of the execution.
d) SP is executed--&gt; Server crashes while trying to access
   the resolved view columns allocated on the execution
   mem_root which was freed after execution(c).

Solution to Scenario 1 in BUG#19897405:
---------------------------------------
The root cause of the problem mentioned in BUG#19897405 is
that when a re-prepare error is raised due to a
FLUSH TABLE / DROP TABLE, the state of statement arena
should be switched to STMT_INITIALIZED_FOR_SP. Without
this, the statement is unaware that previously created
Item_direct_view_ref have been destroyed after the table
re-open. While it creates a new Item_direct_view_ref
object, this is destroyed at the end of the execution.
Hence the execution that follows will not have any
Item_direct_view_ref to use.

The fix here is to set the state to STMT_INITIALIZED_FOR_SP
after the re-prepare error is raised.


Problem 2 in BUG#19897405:
--------------------------
a) SP is executed--&gt; The view fields are resolved/fixed.
b) SP is executed--&gt; Gets re-prepare error. Destroys
   Item_direct_view_ref object. At the end "TABLE EXISTS"
   error is raised and state is set to EXECUTED
c) DROP TABLE &lt;table-created-in-sp&gt;
d) SP is executed--&gt; Creates new item_direct_view_ref
   object. Destroys the object at the end of the statement.
d) DROP TABLE &lt;table-created-in-sp&gt;
e) SP is executed--&gt; Server crashes while trying to
   access the resolved view columns allocated on the
   execution mem_root which was freed after execution.

Solution to Scenario 2 in BUG#19897405:
---------------------------------------
CREATE TABLE ... SELECT statement in an SP requires some
special handling. The state is always set to
STMT_INITIALIZED_FOR_SP in such a case.
diff --git a/sql/sp_instr.cc b/sql/sp_instr.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -422,14 +422,49 @@ bool sp_lex_instr::reset_lex_and_exec_core(THD *thd,
   thd->rollback_item_tree_changes();
 
   /*
-    Update the state of the active arena if no errors on
-    open_tables stage.
+    Change state of current arena according to outcome of execution.
+
+    When entering this function, state is STMT_INITIALIZED_FOR_SP if this is
+    the first execution, otherwise it is STMT_EXECUTED.
+
+    When an error occurs during opening tables, no execution takes place and
+    no state change will take place.
+
+    When a re-prepare error is raised, the next execution will re-prepare the
+    statement. To make sure that items are created in the statement mem_root,
+    change state to STMT_INITIALIZED_FOR_SP.
+
+    In other cases, the state should become (or remain) STMT_EXECUTED.
+    See Query_arena->state definition for explanation.
+
+    Some special handling of CREATE TABLE .... SELECT in an SP is required. The
+    state is always set to STMT_INITIALIZED_FOR_SP in such a case.
+
+    Why is this necessary? A useful pointer would be to note how
+    PREPARE/EXECUTE uses functions like select_like_stmt_test to implement
+    CREATE TABLE .... SELECT. The SELECT part of the DDL is resolved first.
+    Then there is an attempt to create the table. So in the execution phase,
+    if "table exists" error occurs or flush table preceeds the execute, the
+    item tree of the select is re-created and followed by an attempt to create
+    the table.
+
+    But SP uses mysql_execute_command (which is used by the conventional
+    execute) after doing a parse. This creates a problem for SP since it
+    tries to preserve the item tree from the previous execution.
   */
 
-  if (!rc || !thd->is_error() ||
-      (thd->get_stmt_da()->sql_errno() != ER_CANT_REOPEN_TABLE &&
-       thd->get_stmt_da()->sql_errno() != ER_NO_SUCH_TABLE &&
-       thd->get_stmt_da()->sql_errno() != ER_UPDATE_TABLE_USED))
+  bool reprepare_error=
+    rc && thd->get_stmt_da()->sql_errno() == ER_NEED_REPREPARE;
+  bool is_create_table_select=
+    thd->lex && thd->lex->sql_command == SQLCOM_CREATE_TABLE &&
+    thd->lex->select_lex.item_list.elements > 0;
+
+  if (reprepare_error || is_create_table_select)
+    thd->stmt_arena->state= Query_arena::STMT_INITIALIZED_FOR_SP;
+  else if (!rc || !thd->is_error() ||
+           (thd->get_stmt_da()->sql_errno() != ER_CANT_REOPEN_TABLE &&
+            thd->get_stmt_da()->sql_errno() != ER_NO_SUCH_TABLE &&
+            thd->get_stmt_da()->sql_errno() != ER_UPDATE_TABLE_USED))
     thd->stmt_arena->state= Query_arena::STMT_EXECUTED;
 
   /*
@@ -493,7 +528,7 @@ LEX *sp_lex_instr::parse_expr(THD *thd, sp_head *sp)
     initiated. Also set the statement query arena to the lex mem_root.
   */
   MEM_ROOT *execution_mem_root= thd->mem_root;
-  Query_arena parse_arena(&m_lex_mem_root, STMT_INITIALIZED_FOR_SP);
+  Query_arena parse_arena(&m_lex_mem_root, thd->stmt_arena->state);
 
   thd->mem_root= &m_lex_mem_root;
   thd->stmt_arena->set_query_arena(&parse_arena);
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -6574,7 +6574,10 @@ find_field_in_view(THD *thd, TABLE_LIST *table_list,
           Use own arena for Prepared Statements or data will be freed after
           PREPARE.
         */
-        Prepared_stmt_arena_holder ps_arena_holder(thd, register_tree_change);
+        Prepared_stmt_arena_holder ps_arena_holder(
+          thd,
+          register_tree_change &&
+            thd->stmt_arena->is_stmt_prepare_or_first_stmt_execute());
 
         /*
           create_item() may, or may not create a new Item, depending on
diff --git a/sql/sql_class.h b/sql/sql_class.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights
    reserved.
 
    This program is free software; you can redistribute it and/or modify
@@ -727,6 +727,19 @@ class Query_arena
     STMT_CONVENTIONAL_EXECUTION= 3, STMT_EXECUTED= 4, STMT_ERROR= -1
   };
 
+  /*
+    State and state changes in SP:
+    1) When state is STMT_INITIALIZED_FOR_SP, objects in the item tree are
+       created on the statement memroot. This is enforced through
+       ps_arena_holder checking the state.
+    2) After the first execute (call p1()), this state should change to
+       STMT_EXECUTED. Objects will be created on the execution memroot and will
+       be destroyed at the end of each execution.
+    3) In case an ER_NEED_REPREPARE error occurs, state should be changed to
+       STMT_INITIALIZED_FOR_SP and objects will again be created on the
+       statement memroot. At the end of this execution, state should change to
+       STMT_EXECUTED.
+  */
   enum_state state;
 
   /* We build without RTTI, so dynamic_cast can't be used. */
