Fix MERGE ON CREATE/MATCH SET crash when RHS references a bound variable

gregfelice · gregfelice · commit f0ed4c95137c · 2026-04-21T11:59:30.000-04:00
When MERGE has a previous clause (e.g. MATCH, UNWIND), transform_cypher_merge takes the lateral-left-join path via transform_merge_make_lateral_join. That helper called addRangeTableEntryForJoin with nscolumns=NULL, leaving the join ParseNamespaceItem's p_nscolumns unset. For queries that did not subsequently resolve a column reference against that nsitem (e.g. RETURN, which runs in a fresh namespace built by handle_prev_clause), the NULL was harmless. Our ON CREATE / ON MATCH SET transform runs in-line, before the MERGE query becomes a subquery, so transform_cypher_set_item_list consulted the join's nsitem directly. colNameToVar -> scanNSItemForColumn then dereferenced p_nscolumns[attnum-1] = NULL[0] and the backend segfaulted on any ON SET whose RHS referenced a bound variable. Reported by MuhammadTahaNaveed on PR #2347. Populate the join's p_nscolumns from res_colvars. The Var we end up producing for a bound entity lives inside prop_expr, which is opaque to the planner, so it is not rewritten to match the plan's output slots. At ExecEvalScalarVar time only varattno is consulted, and scantuple's layout mirrors the join's eref->colnames (via make_target_list_from_join). Use the join rtindex and 1-based eref position so scantuple[varattno - 1] resolves to the correct entity column at runtime; without this, Vars for a (varno=l_rte) and b (varno=r_rte) with varattno=1 both hit scantuple[0] and b.id evaluated to a.id. Also initialise apply_update_list's new_property_value at its declaration. All control paths reach the single alter_property_value call with the variable set, but -Wmaybe-uninitialized fires at -O2 because the compiler cannot prove remove_property == isnull when prop_expr is non-NULL. Regression: six new cases in cypher_merge covering outer-ref RHS, self-ref RHS with a previous clause (the silent-wrong-value variant we initially missed), UNWIND-driven MERGE with self-ref (Muhammad's second reproducer), multi-item ON CREATE SET mixing reference kinds, and ON MATCH SET with a variable RHS on the match-branch second run. Cassert installcheck: 33/33.
diff --git a/regress/expected/cypher_merge.out b/regress/expected/cypher_merge.out
@@ -2160,6 +2160,77 @@ $$) AS (name agtype);
  "test"
 (1 row)
 
+-- Issue #2347: RHS of ON CREATE / ON MATCH SET referencing a bound
+-- variable crashed the backend when MERGE had a previous clause, because
+-- the lateral-join's ParseNamespaceItem had p_nscolumns=NULL.
+-- ON CREATE SET with RHS referencing the outer MATCH's variable
+SELECT * FROM cypher('merge_actions', $$ CREATE (:Person {name:'Anchor'}) $$) AS (a agtype);
+ a 
+---
+(0 rows)
+
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'FromOuter'})
+    ON CREATE SET b.source_name = a.name
+  RETURN a.name, b.name, b.source_name
+$$) AS (a_name agtype, b_name agtype, b_source agtype);
+  a_name  |   b_name    | b_source 
+----------+-------------+----------
+ "Anchor" | "FromOuter" | "Anchor"
+(1 row)
+
+-- ON CREATE SET with RHS referencing the MERGE-bound variable itself
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'SelfRef'})
+    ON CREATE SET b.echo_name = b.name
+  RETURN b.name, b.echo_name
+$$) AS (b_name agtype, b_echo agtype);
+  b_name   |  b_echo   
+-----------+-----------
+ "SelfRef" | "SelfRef"
+(1 row)
+
+-- ON CREATE SET driven by UNWIND with self-reference on the RHS
+-- (Muhammad's second reproducer)
+SELECT * FROM cypher('merge_actions', $$
+  UNWIND ['U1', 'U2'] AS nm
+  MERGE (n:Person {name: nm})
+    ON CREATE SET n.copy_name = n.name
+  RETURN n.name, n.copy_name
+$$) AS (n_name agtype, n_copy agtype);
+ n_name | n_copy 
+--------+--------
+ "U1"   | "U1"
+ "U2"   | "U2"
+(2 rows)
+
+-- Multiple SET items mixing outer-ref, self-ref, and literal RHS
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'MultiItem'})
+    ON CREATE SET b.from_a = a.name, b.self = b.name, b.lit = 'literal'
+  RETURN b.from_a, b.self, b.lit
+$$) AS (fa agtype, sf agtype, lit agtype);
+    fa    |     sf      |    lit    
+----------+-------------+-----------
+ "Anchor" | "MultiItem" | "literal"
+(1 row)
+
+-- ON MATCH SET with variable RHS (second run on existing node)
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'FromOuter'})
+    ON CREATE SET b.source_name = a.name
+    ON MATCH SET b.last_seen_by = a.name
+  RETURN b.source_name, b.last_seen_by
+$$) AS (src agtype, last agtype);
+   src    |   last   
+----------+----------
+ "Anchor" | "Anchor"
+(1 row)
+
 -- cleanup
 SELECT * FROM cypher('merge_actions', $$ MATCH (n) DETACH DELETE n $$) AS (a agtype);
  a 
diff --git a/regress/sql/cypher_merge.sql b/regress/sql/cypher_merge.sql
@@ -1038,6 +1038,53 @@ SELECT * FROM cypher('merge_actions', $$
   RETURN n.name
 $$) AS (name agtype);
 
+-- Issue #2347: RHS of ON CREATE / ON MATCH SET referencing a bound
+-- variable crashed the backend when MERGE had a previous clause, because
+-- the lateral-join's ParseNamespaceItem had p_nscolumns=NULL.
+
+-- ON CREATE SET with RHS referencing the outer MATCH's variable
+SELECT * FROM cypher('merge_actions', $$ CREATE (:Person {name:'Anchor'}) $$) AS (a agtype);
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'FromOuter'})
+    ON CREATE SET b.source_name = a.name
+  RETURN a.name, b.name, b.source_name
+$$) AS (a_name agtype, b_name agtype, b_source agtype);
+
+-- ON CREATE SET with RHS referencing the MERGE-bound variable itself
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'SelfRef'})
+    ON CREATE SET b.echo_name = b.name
+  RETURN b.name, b.echo_name
+$$) AS (b_name agtype, b_echo agtype);
+
+-- ON CREATE SET driven by UNWIND with self-reference on the RHS
+-- (Muhammad's second reproducer)
+SELECT * FROM cypher('merge_actions', $$
+  UNWIND ['U1', 'U2'] AS nm
+  MERGE (n:Person {name: nm})
+    ON CREATE SET n.copy_name = n.name
+  RETURN n.name, n.copy_name
+$$) AS (n_name agtype, n_copy agtype);
+
+-- Multiple SET items mixing outer-ref, self-ref, and literal RHS
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'MultiItem'})
+    ON CREATE SET b.from_a = a.name, b.self = b.name, b.lit = 'literal'
+  RETURN b.from_a, b.self, b.lit
+$$) AS (fa agtype, sf agtype, lit agtype);
+
+-- ON MATCH SET with variable RHS (second run on existing node)
+SELECT * FROM cypher('merge_actions', $$
+  MATCH (a:Person {name: 'Anchor'})
+  MERGE (b:Person {name: 'FromOuter'})
+    ON CREATE SET b.source_name = a.name
+    ON MATCH SET b.last_seen_by = a.name
+  RETURN b.source_name, b.last_seen_by
+$$) AS (src agtype, last agtype);
+
 -- cleanup
 SELECT * FROM cypher('merge_actions', $$ MATCH (n) DETACH DELETE n $$) AS (a agtype);
 
diff --git a/src/backend/executor/cypher_set.c b/src/backend/executor/cypher_set.c
@@ -440,7 +440,7 @@ void apply_update_list(CustomScanState *node,
         agtype_value *id;
         agtype_value *label;
         agtype *original_entity;
-        agtype *new_property_value;
+        agtype *new_property_value = NULL;
         TupleTableSlot *slot;
         ResultRelInfo *resultRelInfo;
         ScanKeyData scan_keys[1];
diff --git a/src/backend/parser/cypher_clause.c b/src/backend/parser/cypher_clause.c
@@ -7509,10 +7509,63 @@ transform_merge_make_lateral_join(cypher_parsestate *cpstate, Query *query,
      */
     get_res_cols(pstate, l_nsitem, r_nsitem, &res_colnames, &res_colvars);
 
-    /* make the RTE for the join */
-    jnsitem = addRangeTableEntryForJoin(pstate, res_colnames, NULL, j->jointype,
-                                        0, res_colvars, NIL, NIL, j->alias,
-                                        NULL, true);
+    /*
+     * Build a ParseNamespaceColumn array for the join RTE so that
+     * subsequent name lookups (e.g. transform_cypher_set_item_list for an
+     * ON CREATE SET / ON MATCH SET expression) can resolve references to
+     * variables bound in the prev clause or the MERGE's path via
+     * colNameToVar → scanNSItemForColumn, which dereferences
+     * nsitem->p_nscolumns. Passing NULL here left p_nscolumns unset and
+     * caused a segfault whenever an ON SET item's RHS referenced a bound
+     * variable (issue #2347).
+     *
+     * Each column's nscolumn references the join RTE (via its rtindex) with
+     * p_varattno = position in res_colnames. This matches the scantuple
+     * layout that apply_update_list sees at execution time: the join's
+     * target list (built by make_target_list_from_join below) iterates
+     * eref->colnames in order, so scantuple[i-1] corresponds to the i-th
+     * entry in eref->colnames. Using the underlying RTE's varno/varattno
+     * would be semantically equivalent for planner-rewritten Vars in the
+     * query tree, but the Vars we produce here end up inside prop_expr --
+     * opaque metadata the planner does not walk -- so they stay un-remapped
+     * and must index the scantuple layout directly.
+     *
+     * addRangeTableEntryForJoin appends the new RTE to pstate->p_rtable, so
+     * its rtindex is list_length(p_rtable) + 1 at this point.
+     */
+    {
+        int colcount = list_length(res_colvars);
+        int join_rtindex = list_length(pstate->p_rtable) + 1;
+        ParseNamespaceColumn *nscolumns;
+        ListCell *lvar;
+        int col_idx = 0;
+
+        nscolumns = (ParseNamespaceColumn *)
+                    palloc0(colcount * sizeof(ParseNamespaceColumn));
+
+        foreach (lvar, res_colvars)
+        {
+            Var *v = (Var *) lfirst(lvar);
+
+            /* res_colvars is populated by get_res_cols via expandRTE */
+            Assert(IsA(v, Var));
+
+            nscolumns[col_idx].p_varno = join_rtindex;
+            nscolumns[col_idx].p_varattno = col_idx + 1;
+            nscolumns[col_idx].p_vartype = v->vartype;
+            nscolumns[col_idx].p_vartypmod = v->vartypmod;
+            nscolumns[col_idx].p_varcollid = v->varcollid;
+            nscolumns[col_idx].p_varnosyn = join_rtindex;
+            nscolumns[col_idx].p_varattnosyn = col_idx + 1;
+            col_idx++;
+        }
+
+        /* make the RTE for the join */
+        jnsitem = addRangeTableEntryForJoin(pstate, res_colnames, nscolumns,
+                                            j->jointype, 0, res_colvars,
+                                            NIL, NIL, j->alias, NULL, true);
+        Assert(jnsitem->p_rtindex == join_rtindex);
+    }
 
     j->rtindex = jnsitem->p_rtindex;
 
