Bug #20087571: 5.7 EASILY HITS ERROR 1436 (HY000): THREAD STACK OVERRUN ERRORS ON MANY EXPR'S

This bug is a regression of WL7200: that WL introduced an unconditional
recursive processing of AND and OR parse tree nodes during the
contextualization, when the original parser had some conditional
flattening of nested AND/OR expression.
That affected very long recursive AND/OR expression: instead of the normal
execution the parser failed with a parse error: ER_STACK_OVERRUN_NEED_MORE.

This bugfix re-introduces an optimization that flattens recursive AND/OR
expressions at parse time (before the itemization/contextualization):

 (X1 AND X2) AND (Y1 AND Y2) ==> AND (X1, X2, Y1, Y2)
 (X1 AND X2) AND Y ==> AND (X1, X2, Y)
 X AND (Y1 AND Y2) ==> AND (X, Y1, Y2)

and the same for OR.

Author: GlebShchepa

mysql-test/r/parser-big.result

@@ -0,0 +1,50 @@
+#
+# Bug #20087571: 5.7 EASILY HITS ERROR 1436 (HY000):
+#                THREAD STACK OVERRUN ERRORS ON MANY EXPR'S
+#
+SELECT @tmp_max:= @@global.max_allowed_packet;
+@tmp_max:= @@global.max_allowed_packet
+4194304
+SET @@global.max_allowed_packet=16999424;
+CREATE TABLE t1 (a INT UNSIGNED, b INT UNSIGNED, PRIMARY KEY (a, b))
+ENGINE=INNODB;
+CREATE PROCEDURE p1(p_min_terms INT UNSIGNED, p_max_terms INT UNSIGNED, p_incr
+INT UNSIGNED)
+begin
+DECLARE v_sql LONGTEXT CHARSET LATIN1;
+DECLARE i INT UNSIGNED DEFAULT 1;
+SET i:=greatest(1, p_min_terms);
+REPEAT
+SET @terms:=f1(i);
+SET v_sql:=concat("delete from t1 where ",@terms);
+SET @t:=v_sql;
+SELECT i AS 'numterms', length(@t) AS 'query lengt', p_incr AS 'increment';
+PREPARE s FROM @t;
+EXECUTE s;
+DEALLOCATE PREPARE s;
+SET i:=i + p_incr;
+UNTIL i > p_max_terms end repeat;
+END|
+CREATE FUNCTION f1(p_numterms INT UNSIGNED) RETURNS LONGTEXT
+BEGIN
+DECLARE ret LONGTEXT DEFAULT '';
+SET ret:=CONCAT(REPEAT("(a=1 and b=2) or ",GREATEST(p_numterms-1,1)),"(a=2 and b=1)");
+RETURN RET;
+END|
+SET @min:=950000;
+SET @max:=950000;
+SET @incr:=100000;
+CALL p1(@min, @max, @incr);
+numterms	query lengt	increment
+950000	16150017	100000
+SELECT LENGTH(@terms);
+LENGTH(@terms)
+16149996
+SELECT @@global.thread_stack, @@global.max_allowed_packet;
+@@global.thread_stack	@@global.max_allowed_packet
+262144	16999424
+DROP FUNCTION f1;
+DROP PROCEDURE p1;
+DROP TABLE t1;
+SET @@global.max_allowed_packet:= @tmp_max;
+#

mysql-test/t/parser-big.test

@@ -0,0 +1,61 @@
+--source include/big_test.inc
+
+--echo #
+--echo # Bug #20087571: 5.7 EASILY HITS ERROR 1436 (HY000):
+--echo #                THREAD STACK OVERRUN ERRORS ON MANY EXPR'S
+--echo #
+
+# we need a larger max_allowed_packet for the REPEAT() function
+SELECT @tmp_max:= @@global.max_allowed_packet;
+SET @@global.max_allowed_packet=16999424;
+# switching connection to allow the new max_allowed_packet take effect
+--connect (newconn, localhost, root,,)
+
+CREATE TABLE t1 (a INT UNSIGNED, b INT UNSIGNED, PRIMARY KEY (a, b))
+ENGINE=INNODB;
+
+DELIMITER |;
+
+CREATE PROCEDURE p1(p_min_terms INT UNSIGNED, p_max_terms INT UNSIGNED, p_incr
+INT UNSIGNED)
+begin
+  DECLARE v_sql LONGTEXT CHARSET LATIN1;
+  DECLARE i INT UNSIGNED DEFAULT 1;
+  SET i:=greatest(1, p_min_terms);
+  REPEAT
+    SET @terms:=f1(i);
+    SET v_sql:=concat("delete from t1 where ",@terms);
+    SET @t:=v_sql;
+    SELECT i AS 'numterms', length(@t) AS 'query lengt', p_incr AS 'increment';
+    PREPARE s FROM @t;
+    EXECUTE s;
+    DEALLOCATE PREPARE s;
+    SET i:=i + p_incr;
+  UNTIL i > p_max_terms end repeat;
+END|
+
+CREATE FUNCTION f1(p_numterms INT UNSIGNED) RETURNS LONGTEXT
+BEGIN
+  DECLARE ret LONGTEXT DEFAULT '';
+  SET ret:=CONCAT(REPEAT("(a=1 and b=2) or ",GREATEST(p_numterms-1,1)),"(a=2 and b=1)");
+  RETURN RET;
+END|
+
+DELIMITER ;|
+
+SET @min:=950000;
+SET @max:=950000;
+SET @incr:=100000;
+CALL p1(@min, @max, @incr);
+SELECT LENGTH(@terms);
+SELECT @@global.thread_stack, @@global.max_allowed_packet;
+
+DROP FUNCTION f1;
+DROP PROCEDURE p1;
+DROP TABLE t1;
+
+--connection default
+SET @@global.max_allowed_packet:= @tmp_max;
+--disconnect newconn
+
+--echo #

sql/item_cmpfunc.cc

@@ -5321,6 +5321,33 @@ Item_cond::Item_cond(THD *thd, Item_cond *item)
   */
 }
 
+/**
+  Contextualization for Item_cond functional items
+
+  Item_cond successors use Item_cond::list instead of Item_func::args
+  and Item_func::arg_count, so we can't itemize parse-time Item_cond
+  objects by forwarding a contextualization process to the parent Item_func
+  class: we need to overload this function to run a contextualization
+  the Item_cond::list items.
+*/
+bool Item_cond::itemize(Parse_context *pc, Item **res)
+{
+  if (skip_itemize(res))
+    return false;
+  if (super::itemize(pc, res))
+    return true;
+
+  List_iterator<Item> li(list);
+  Item *item;
+  while ((item= li++))
+  {
+    if (item->itemize(pc, &item))
+      return true;
+    li.replace(item);
+  }
+  return false;
+}
+
 
 void Item_cond::copy_andor_arguments(THD *thd, Item_cond *item)
 {

sql/item_cmpfunc.h

@@ -142,6 +142,9 @@ class Item_bool_func :public Item_int_func
 {
 public:
   Item_bool_func() : Item_int_func(), m_created_by_in2exists(false) {}
+  explicit Item_bool_func(const POS &pos)
+  : Item_int_func(pos), m_created_by_in2exists(false)
+  {}
 
   Item_bool_func(Item *a) : Item_int_func(a),
     m_created_by_in2exists(false)  {}
@@ -1917,6 +1920,8 @@ class Item_func_regex :public Item_bool_func
 
 class Item_cond :public Item_bool_func
 {
+  typedef Item_bool_func super;
+
 protected:
   List<Item> list;
   bool abort_on_null;
@@ -1925,12 +1930,20 @@ class Item_cond :public Item_bool_func
   /* Item_cond() is only used to create top level items */
   Item_cond(): Item_bool_func(), abort_on_null(1)
   { const_item_cache=0; }
+
   Item_cond(Item *i1,Item *i2)
     :Item_bool_func(), abort_on_null(0)
   {
     list.push_back(i1);
     list.push_back(i2);
   }
+  Item_cond(const POS &pos, Item *i1, Item *i2)
+    :Item_bool_func(pos), abort_on_null(0)
+  {
+    list.push_back(i1);
+    list.push_back(i2);
+  }
+
   Item_cond(THD *thd, Item_cond *item);
   Item_cond(List<Item> &nlist)
     :Item_bool_func(), list(nlist), abort_on_null(0) {}
@@ -1949,6 +1962,9 @@ class Item_cond :public Item_bool_func
     DBUG_ASSERT(nlist->elements);
     list.prepand(nlist);
   }
+
+  virtual bool itemize(Parse_context *pc, Item **res);
+
   bool fix_fields(THD *, Item **ref);
   void fix_after_pullout(st_select_lex *parent_select,
                          st_select_lex *removed_select);
@@ -2151,7 +2167,10 @@ class Item_cond_and :public Item_cond
                              the current and level and reference
                              to multiple equalities of upper and levels */  
   Item_cond_and() :Item_cond() {}
+
   Item_cond_and(Item *i1,Item *i2) :Item_cond(i1,i2) {}
+  Item_cond_and(const POS &pos, Item *i1, Item *i2) :Item_cond(pos, i1, i2) {}
+
   Item_cond_and(THD *thd, Item_cond_and *item) :Item_cond(thd, item) {}
   Item_cond_and(List<Item> &list_arg): Item_cond(list_arg) {}
   enum Functype functype() const { return COND_AND_FUNC; }
@@ -2172,20 +2191,15 @@ class Item_cond_and :public Item_cond
                              double rows_in_table);
 };
 
-inline bool is_cond_and(Item *item)
-{
-  if (item->type() != Item::COND_ITEM)
-    return FALSE;
-
-  Item_cond *cond_item= (Item_cond*) item;
-  return (cond_item->functype() == Item_func::COND_AND_FUNC);
-}
 
 class Item_cond_or :public Item_cond
 {
 public:
   Item_cond_or() :Item_cond() {}
+
   Item_cond_or(Item *i1,Item *i2) :Item_cond(i1,i2) {}
+  Item_cond_or(const POS &pos, Item *i1,Item *i2) :Item_cond(pos, i1, i2) {}
+
   Item_cond_or(THD *thd, Item_cond_or *item) :Item_cond(thd, item) {}
   Item_cond_or(List<Item> &list_arg): Item_cond(list_arg) {}
   enum Functype functype() const { return COND_OR_FUNC; }
@@ -2206,15 +2220,6 @@ class Item_cond_or :public Item_cond
                              double rows_in_table);
 };
 
-inline bool is_cond_or(Item *item)
-{
-  if (item->type() != Item::COND_ITEM)
-    return FALSE;
-
-  Item_cond *cond_item= (Item_cond*) item;
-  return (cond_item->functype() == Item_func::COND_OR_FUNC);
-}
-
 /* Some useful inline functions */
 
 inline Item *and_conds(Item *a, Item *b)

sql/parse_tree_helpers.h

@@ -16,7 +16,7 @@
 #ifndef PARSE_TREE_HELPERS_INCLUDED
 #define PARSE_TREE_HELPERS_INCLUDED
 
-#include "item.h"           // Item
+#include "item_func.h"      // Item etc.
 #include "set_var.h"        // enum_var_type
 
 typedef class st_select_lex SELECT_LEX;
@@ -38,7 +38,7 @@ class Parse_tree_item : public Item
 public:
   explicit Parse_tree_item(const POS &pos) : Item(pos) {}
 
-  virtual enum Type type() const { DBUG_ASSERT(0); return INVALID_ITEM; }
+  virtual enum Type type() const { return INVALID_ITEM; }
   virtual double val_real() { DBUG_ASSERT(0); return 0; }
   virtual longlong val_int() { DBUG_ASSERT(0); return 0; }
   virtual String *val_str(String *) { DBUG_ASSERT(0); return NULL; }
@@ -104,6 +104,77 @@ class PT_item_list : public Parse_tree_node
 };
 
 
+/**
+  Helper function to imitate dynamic_cast for Item_cond hierarchy
+
+  @param To     destination type (Item_cond_and etc.)
+  @param Tag    Functype tag to compare from->functype() with
+  @param from   source item
+
+  @return typecasted item of the type To or NULL
+*/
+template<class To, Item_func::Functype Tag>
+To *item_cond_cast(Item * const from)
+{
+  return ((from->type() == Item::COND_ITEM &&
+           static_cast<Item_func *>(from)->functype() == Tag) ?
+          static_cast<To *>(from) : NULL);
+}
+
+
+/**
+  Flatten associative operators at parse time
+
+  This function flattens AND and OR operators at parse time if applicable,
+  otherwise it creates new Item_cond_and or Item_cond_or respectively.
+
+  @param Class  Item_cond_and or Item_cond_or
+  @param Tag    COND_AND_FUNC (for Item_cond_and) or COND_OR_FUNC otherwise
+
+  @param mem_root       MEM_ROOT
+  @param pos            parse location
+  @param left           left argument of the operator
+  @param right          right argument of the operator
+
+  @return resulting parse tree Item
+*/
+template<class Class, Item_func::Functype Tag>
+Item *flatten_associative_operator(MEM_ROOT *mem_root, const POS &pos,
+                                   Item *left, Item *right)
+{
+  if (left == NULL || right == NULL)
+    return NULL;
+  Class *left_func= item_cond_cast<Class, Tag>(left);
+  Class *right_func= item_cond_cast<Class, Tag>(right);
+  if (left_func)
+  {
+    if (right_func)
+    {
+      // (X1 op X2) op (Y1 op Y2) ==> op (X1, X2, Y1, Y2)
+      right_func->add_at_head(left_func->argument_list());
+      return right;
+    }
+    else
+    {
+      // (X1 op X2) op Y ==> op (X1, X2, Y)
+      left_func->add(right);
+      return left;
+    }
+  }
+  else if (right_func)
+  {
+    //  X op (Y1 op Y2) ==> op (X, Y1, Y2)
+    right_func->add_at_head(left);
+    return right;
+  }
+  else
+  {
+    /* X op Y */
+    return new (mem_root) Class(pos, left, right);
+  }
+}
+
+
 Item_splocal* create_item_for_sp_var(THD *thd,
                                      LEX_STRING name,
                                      class sp_variable *spv,