MDEV-38474: ASAN heap-use-after-free in st_join_table::cleanup

abhishek593 · abhishek593 · commit bdf32eb11e1a · 2026-03-03T11:55:25.000+05:30
Fix a regression introduced by 34a8209 which added cleanup_stranded_units() to the start of st_select_lex_unit::cleanup(). Moving cleanup_stranded_units() to the end of the cleanup() function ensures a parent-first cleanup order, which is required for the safe destruction of merged tables.
diff --git a/mysql-test/suite/merge/merge.result b/mysql-test/suite/merge/merge.result
@@ -4031,3 +4031,31 @@ UPDATE v1 SET a=0;
 DROP VIEW v1;
 DROP TABLE t1;
 # End of 11.1 tests
+#
+# MDEV-38474 Double free or corruption, ASAN heap-use-after-free in st_join_table::cleanup
+#
+# Test case 1, fails on 10.11+
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+CREATE TABLE t3 (c INT);
+# Inserts are optional, fails with and without data
+INSERT INTO t1 VALUES (1),(2);
+INSERT INTO t2 VALUES (3),(4);
+INSERT INTO t3 VALUES (5),(6);
+EXPLAIN SELECT * FROM t1 WHERE a IN (SELECT b FROM t2 WHERE a IN ((SELECT c FROM t3 WHERE FALSE HAVING c < 0)));
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE noticed after reading const tables
+3	MATERIALIZED	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
+DROP TABLE t1, t2, t3;
+# Test case 2, fails on 11.4 but not on 10.11
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+CREATE TABLE t3 (c INT);
+CREATE TABLE t4 (d INT PRIMARY KEY);
+SET SQL_SAFE_UPDATES=1;
+UPDATE t1 STRAIGHT_JOIN t2 SET a = 89 WHERE 9 IN (SELECT c FROM t3 WHERE c IN (SELECT MAX(d) FROM t4));
+ERROR HY000: You are using safe update mode and you tried to update a table without a WHERE that uses a KEY column
+DROP TABLE t1, t2, t3, t4;
+#
+# End of 11.4 tests
+#
diff --git a/mysql-test/suite/merge/merge.test b/mysql-test/suite/merge/merge.test
@@ -2965,3 +2965,37 @@ DROP VIEW v1;
 DROP TABLE t1;
 
 --echo # End of 11.1 tests
+
+--echo #
+--echo # MDEV-38474 Double free or corruption, ASAN heap-use-after-free in st_join_table::cleanup
+--echo #
+
+--echo # Test case 1, fails on 10.11+
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+CREATE TABLE t3 (c INT);
+
+--echo # Inserts are optional, fails with and without data
+INSERT INTO t1 VALUES (1),(2);
+INSERT INTO t2 VALUES (3),(4);
+INSERT INTO t3 VALUES (5),(6);
+
+EXPLAIN SELECT * FROM t1 WHERE a IN (SELECT b FROM t2 WHERE a IN ((SELECT c FROM t3 WHERE FALSE HAVING c < 0)));
+
+DROP TABLE t1, t2, t3;
+
+--echo # Test case 2, fails on 11.4 but not on 10.11
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+CREATE TABLE t3 (c INT);
+CREATE TABLE t4 (d INT PRIMARY KEY);
+
+SET SQL_SAFE_UPDATES=1;
+--error ER_UPDATE_WITHOUT_KEY_IN_SAFE_MODE
+UPDATE t1 STRAIGHT_JOIN t2 SET a = 89 WHERE 9 IN (SELECT c FROM t3 WHERE c IN (SELECT MAX(d) FROM t4));
+
+DROP TABLE t1, t2, t3, t4;
+
+--echo #
+--echo # End of 11.4 tests
+--echo #
diff --git a/sql/sql_union.cc b/sql/sql_union.cc
@@ -2688,8 +2688,6 @@ bool st_select_lex_unit::exec_recursive()
 
 bool st_select_lex_unit::cleanup()
 {
-  cleanup_stranded_units();
-
   bool error= 0;
   DBUG_ENTER("st_select_lex_unit::cleanup");
 
@@ -2778,6 +2776,7 @@ bool st_select_lex_unit::cleanup()
   delete pushdown_unit;
   pushdown_unit= nullptr;
 
+  cleanup_stranded_units();
   DBUG_RETURN(error);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2688,8 +2688,6 @@ bool st_select_lex_unit::exec_recursive()`
`2688`	`2688`
`2689`	`2689`	`bool st_select_lex_unit::cleanup()`
`2690`	`2690`	`{`
`2691`		`- cleanup_stranded_units();`
`2692`		`-`
`2693`	`2691`	`bool error= 0;`
`2694`	`2692`	`DBUG_ENTER("st_select_lex_unit::cleanup");`
`2695`	`2693`
`@@ -2778,6 +2776,7 @@ bool st_select_lex_unit::cleanup()`
`2778`	`2776`	`delete pushdown_unit;`
`2779`	`2777`	`pushdown_unit= nullptr;`
`2780`	`2778`
	`2779`	`+ cleanup_stranded_units();`
`2781`	`2780`	`DBUG_RETURN(error);`
`2782`	`2781`	`}`
`2783`	`2782`