MDEV-35815: use-after-poison_in_get_hash_symbol

bsrikanth-mariadb · bsrikanth-mariadb · commit 6f366394bc48 · 2025-10-08T13:49:00.000+05:30
When a PREPARED statment is executed twice, it is crashing during the
second execution.

For the following query: -
PREPARE stmt FROM 'SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl
GROUP BY fld HAVING 0 AND fld != 1';

During the first execution:
The Item "fld" in the HAVING clause, is an Item_ref instance with name
"fld", where it has a ref to another Item_ref instance with the same name "fld"
which in turn has a reference to another Item with name "x509_subjext".
In the join prepare stage, while in the call to setup_copy_fields() from
make_aggr_tables_info(), the name field of the last Item instance
is replaced with the name in second Item_ref instance. However, after
the first execution is done, the meory for the second Item_ref is freed.

Now, during the second execution of the same statement, when trying to
access name field Item_ref instance, it was getting crashed, because,
that memory was already freed earlier.

The fix is to allocate a new memory in the stmt_arena for the second
Item_ref instance's name-&gt;str field.
diff --git a/mysql-test/main/having.result b/mysql-test/main/having.result
@@ -1001,3 +1001,15 @@ DROP TABLE t1,t2;
 #
 # End of 10.5 tests
 #
+#
+# Crash in ASAN build due to accessing use-after-poison memory error
+#
+SET optimizer_trace= 'enabled=on';
+PREPARE stmt FROM 'SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl GROUP BY fld HAVING 0 AND fld != 1';
+EXECUTE stmt;
+fld
+EXECUTE stmt;
+fld
+#
+# End of 10.11 tests
+#
diff --git a/mysql-test/main/having.test b/mysql-test/main/having.test
@@ -1056,3 +1056,18 @@ DROP TABLE t1,t2;
 --echo #
 --echo # End of 10.5 tests
 --echo #
+
+--echo #
+--echo # Crash in ASAN build due to accessing use-after-poison memory error
+--echo #
+
+SET optimizer_trace= 'enabled=on';
+ 
+PREPARE stmt FROM 'SELECT tbl.x509_subject AS fld FROM mysql.user AS tbl GROUP BY fld HAVING 0 AND fld != 1';
+ 
+EXECUTE stmt;
+EXECUTE stmt;
+
+--echo #
+--echo # End of 10.11 tests
+--echo #
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
@@ -28086,6 +28086,10 @@ setup_copy_fields(THD *thd, TMP_TABLE_PARAM *param,
 	      real_pos->type() == Item::COND_ITEM) &&
 	     !real_pos->with_sum_func())
     {						// Save for send fields
+      if (!thd->stmt_arena->is_conventional() &&
+          thd->mem_root != thd->stmt_arena->mem_root &&
+          !(thd->stmt_arena->mem_root->flags & ROOT_FLAG_READ_ONLY))
+        pos->name.str= strdup_root(thd->stmt_arena->mem_root, pos->name.str);
       LEX_CSTRING real_name= pos->name;
       pos= real_pos;
       pos->name= real_name;
