author | unknown <malff/marcsql@weblab.(none)> | 2007-03-14 12:02:32 -0600 |
---|---|---|
committer | unknown <malff/marcsql@weblab.(none)> | 2007-03-14 12:02:32 -0600 |
commit | 79344c7b673883bcde941c9c9fc9cc66c7114a39 (patch) | |
tree | 968922976279873e650338ee87e9f7ec455a1f26 /sql/sp_pcontext.cc | |
parent | 980569877abf99133f782ae64c893b3fb8e2c764 (diff) | |
Bug#26503 (Illegal SQL exception handler code causes the server to crash)
Before this fix, the parser would accept illegal code in SQL exceptions
handlers, that later causes the runtime to crash when executing the code,
due to memory violations in the exception handler stack.
The root cause of the problem is instructions within an exception handler
that jump to code located outside of the handler. This is illegal according
to the SQL 2003 standard, since labels located outside the handler are not
supposed to be visible (they are "out of scope"), so any instruction that
jumps to these labels, like ITERATE or LEAVE, should not parse.
The section of the standard that is relevant for this is :
SQL:2003 SQL/PSM (ISO/IEC 9075-4:2003)
section 13.1 <compound statement>,
syntax rule 4
<quote>
The scope of the <beginning label> is CS excluding every <SQL schema
statement> contained in CS and excluding every
<local handler declaration list> contained in CS. <beginning label> shall
not be equivalent to any other <beginning label>s within that scope.
</quote>
With this fix, the C++ class sp_pcontext, which represent the "parsing
context" tree (a.k.a symbol table) of a stored procedure, has been changed
as follows:
- constructors have been cleaned up, so that only building a root node for
the tree is public; building nodes inside a tree is not public.
- a new member, m_label_scope, indicates if a given syntactic context
belongs to a DECLARE HANDLER block,
- label resolution, in the method find_label(), has been changed to
implement the restriction of scope regarding labels used in a compound
statement.
The actions in the parser, when parsing the body of a SQL exception handler,
have been changed as follows:
- the implementation of an exception handler (DECLARE HANDLER) now creates
explicitly a new sp_pcontext, to isolate the code inside the handler from
the containing compound statement context.
- registering exception handlers as a result occurs in the parent context,
see the rule sp_hcond_element
- the code in sp_hcond_list has been cleaned up, to avoid code duplication
In addition, the flags IN_SIMPLE_CASE and IN_HANDLER, declared in sp_head.h
have been removed, since they are unused and broken by design (as seen with
Bug 19194 (Right recursion in parser for CASE causes excessive stack usage,
limitation), representing a stack in a single flag is not possible.
Tests in sp-error have been added to show that illegal constructs are now
rejected.
Tests in sp have been added for code coverage, to show that ITERATE or LEAVE
statements are legal when jumping to a label in scope, inside the body of
an exception handler.
mysql-test/r/sp-error.result:
SQL Exception handlers define a parsing context for label resolution.
mysql-test/r/sp.result:
SQL Exception handlers define a parsing context for label resolution.
mysql-test/t/sp-error.test:
SQL Exception handlers define a parsing context for label resolution.
mysql-test/t/sp.test:
SQL Exception handlers define a parsing context for label resolution.
sql/sp_head.cc:
Minor cleanup
sql/sp_head.h:
Minor cleanup
sql/sp_pcontext.cc:
SQL Exception handlers define a parsing context for label resolution.
sql/sp_pcontext.h:
SQL Exception handlers define a parsing context for label resolution.
sql/sql_yacc.yy:
SQL Exception handlers define a parsing context for label resolution.
Diffstat (limited to 'sql/sp_pcontext.cc')
-rw-r--r-- | sql/sp_pcontext.cc | 90 |
1 files changed, 68 insertions, 22 deletions
diff --git a/sql/sp_pcontext.cc b/sql/sp_pcontext.cc
index 6229cf14604..780243cc79f 100644
--- a/sql/sp_pcontext.cc
+++ b/sql/sp_pcontext.cc
@@ -25,6 +25,11 @@
 #include "sp_pcontext.h"
 #include "sp_head.h"
 
+/* Initial size for the dynamic arrays in sp_pcontext */
+#define PCONTEXT_ARRAY_INIT_ALLOC 16
+/* Increment size for the dynamic arrays in sp_pcontext */
+#define PCONTEXT_ARRAY_INCREMENT_ALLOC 8
+
 /*
   Sanity check for SQLSTATEs. Will not check if it's really an existing
   state (there are just too many), but will check length and bad characters.
@@ -49,28 +54,61 @@ sp_cond_check(LEX_STRING *sqlstate)
   return TRUE;
 }
 
-sp_pcontext::sp_pcontext(sp_pcontext *prev)
-  :Sql_alloc(), m_max_var_index(0), m_max_cursor_index(0), m_max_handler_index(0),
-  m_context_handlers(0), m_parent(prev), m_pboundary(0)
+sp_pcontext::sp_pcontext()
+  : Sql_alloc(),
+  m_max_var_index(0), m_max_cursor_index(0), m_max_handler_index(0),
+  m_context_handlers(0), m_parent(NULL), m_pboundary(0),
+  m_label_scope(LABEL_DEFAULT_SCOPE)
 {
-  VOID(my_init_dynamic_array(&m_vars, sizeof(sp_variable_t *), 16, 8));
-  VOID(my_init_dynamic_array(&m_case_expr_id_lst, sizeof(int), 16, 8));
-  VOID(my_init_dynamic_array(&m_conds, sizeof(sp_cond_type_t *), 16, 8));
-  VOID(my_init_dynamic_array(&m_cursors, sizeof(LEX_STRING), 16, 8));
-  VOID(my_init_dynamic_array(&m_handlers, sizeof(sp_cond_type_t *), 16, 8));
+  VOID(my_init_dynamic_array(&m_vars, sizeof(sp_variable_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_case_expr_id_lst, sizeof(int),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_conds, sizeof(sp_cond_type_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_cursors, sizeof(LEX_STRING),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_handlers, sizeof(sp_cond_type_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
   m_label.empty();
   m_children.empty();
-  if (!prev)
-  {
-    m_var_offset= m_cursor_offset= 0;
-    m_num_case_exprs= 0;
-  }
-  else
-  {
-    m_var_offset= prev->m_var_offset + prev->m_max_var_index;
-    m_cursor_offset= prev->current_cursor_count();
-    m_num_case_exprs= prev->get_num_case_exprs();
-  }
+
+  m_var_offset= m_cursor_offset= 0;
+  m_num_case_exprs= 0;
+}
+
+sp_pcontext::sp_pcontext(sp_pcontext *prev, label_scope_type label_scope)
+  : Sql_alloc(),
+  m_max_var_index(0), m_max_cursor_index(0), m_max_handler_index(0),
+  m_context_handlers(0), m_parent(prev), m_pboundary(0),
+  m_label_scope(label_scope)
+{
+  VOID(my_init_dynamic_array(&m_vars, sizeof(sp_variable_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_case_expr_id_lst, sizeof(int),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_conds, sizeof(sp_cond_type_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_cursors, sizeof(LEX_STRING),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  VOID(my_init_dynamic_array(&m_handlers, sizeof(sp_cond_type_t *),
+                             PCONTEXT_ARRAY_INIT_ALLOC,
+                             PCONTEXT_ARRAY_INCREMENT_ALLOC));
+  m_label.empty();
+  m_children.empty();
+
+  m_var_offset= prev->m_var_offset + prev->m_max_var_index;
+  m_cursor_offset= prev->current_cursor_count();
+  m_num_case_exprs= prev->get_num_case_exprs();
 }
 
 void
@@ -92,9 +130,9 @@ sp_pcontext::destroy()
 }
 
 sp_pcontext *
-sp_pcontext::push_context()
+sp_pcontext::push_context(label_scope_type label_scope)
 {
-  sp_pcontext *child= new sp_pcontext(this);
+  sp_pcontext *child= new sp_pcontext(this, label_scope);
 
   if (child)
     m_children.push_back(child);
@@ -257,7 +295,15 @@ sp_pcontext::find_label(char *name)
     if (my_strcasecmp(system_charset_info, name, lab->name) == 0)
       return lab;
 
-  if (m_parent)
+  /*
+    Note about exception handlers.
+    See SQL:2003 SQL/PSM (ISO/IEC 9075-4:2003),
+    section 13.1 <compound statement>,
+    syntax rule 4.
+    In short, a DECLARE HANDLER block can not refer
+    to labels from the parent context, as they are out of scope.
+  */
+  if (m_parent && (m_label_scope == LABEL_DEFAULT_SCOPE))
     return m_parent->find_label(name);
   return NULL;
 }
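Review bot: The five my_init_dynamic_array() calls now appear verbatim in both constructors, so the next array added to sp_pcontext has to be initialised in two places and the root and child contexts can silently drift apart; a private helper (say `init_dynamic_arrays()`, a constructed name) called from both constructor bodies would keep them in step without changing behaviour. The child constructor also dereferences `prev` unconditionally at `m_var_offset= prev->m_var_offset + prev->m_max_var_index;`; it is only reached through push_context(), which passes `this`, so a `DBUG_ASSERT(prev != NULL);` before the three offset assignments would record that contract rather than rely on it. The initialiser lists also assume m_label_scope is declared after m_pboundary in sp_pcontext.h, which is outside this diff — worth a glance if the build warns about member initialisation order. The allocation results are still discarded through VOID() in both constructors, as before this change; whether that is acceptable depends on how callers react to an empty array, which this file does not show.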
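Review bot: The new comment in find_label() cites the standard but not the invariant the code relies on, namely that m_label_scope marks the context that is itself a handler body: its own labels are still matched by the loop above, and the added condition only stops the walk into enclosing contexts. A sentence such as `A context whose m_label_scope is not LABEL_DEFAULT_SCOPE is the body of a DECLARE HANDLER; its own labels stay visible, but lookup must not continue into the parent.` would make that explicit for the next reader, since this is the only place the scope flag is consulted in this diff. Variable, cursor and condition lookups are untouched and presumably still walk the parent chain, which appears intentional since a handler body may reference the enclosing block's variables, but it is worth stating that asymmetry in the same comment. The loop head of find_label() lies before the hunk, so the matching logic cannot be checked from here.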