[MDEV-15057] Crash when using an unknown identifier as an SP parameter - Jira

I run this script:

CREATE OR REPLACE PROCEDURE p1 (a VARCHAR(10)) SELECT 1;

CALL p1(AE);

It crashes the server with this stack trace:

#0  0x0000555555e9e8d2 in Item_field::fix_fields (this=0x7fff64011810, thd=0x7fff64000a98, reference=0x7fff64010290)

    at /home/bar/maria-git/server.10.2-compatibility/sql/item.cc:5842

#1  0x0000555555aeed4b in sp_prepare_func_item (thd=0x7fff64000a98, it_addr=0x7fff64010290, cols=1)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:363

#2  0x0000555555aeef5f in sp_eval_expr (thd=0x7fff64000a98, result_item=0x7fff64029020, result_field=0x7fff64028ea0,

    expr_item_ptr=0x7fff64010290) at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:409

#3  0x0000555555b06b47 in sp_rcontext::set_variable (this=0x7fff64027b00, thd=0x7fff64000a98, idx=0, value=0x7fff64010290)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sp_rcontext.cc:649

#4  0x0000555555af3e89 in sp_head::execute_procedure (this=0x7fff64010740, thd=0x7fff64000a98, args=0x7fff64005588)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:2244

#5  0x0000555555bb6a3e in do_execute_sp (thd=0x7fff64000a98, sp=0x7fff64010740)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:2928

#6  0x0000555555bb7564 in Sql_cmd_call::execute (this=0x7fff640112b0, thd=0x7fff64000a98)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:3168

#7  0x0000555555bc15d2 in mysql_execute_command (thd=0x7fff64000a98)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:6253

#8  0x0000555555bc6387 in mysql_parse (thd=0x7fff64000a98, rawbuf=0x7fff64011ca0 "CALL p1(AE)", length=11,

    parser_state=0x7fffe054b230, is_com_multi=false, is_next_command=false)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:7973

#9  0x0000555555bb3c62 in dispatch_command (command=COM_QUERY, thd=0x7fff64000a98, packet=0x7fff640081e9 "CALL p1(AE)",

    packet_length=11, is_com_multi=false, is_next_command=false)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:1834

#10 0x0000555555bb25e1 in do_command (thd=0x7fff64000a98) at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:1382

#11 0x0000555555d0782c in do_handle_one_connection (connect=0x55555863be18)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_connect.cc:1335

#12 0x0000555555d075ac in handle_one_connection (arg=0x55555863be18)

    at /home/bar/maria-git/server.10.2-compatibility/sql/sql_connect.cc:1241

#13 0x00007ffff7bbe36d in start_thread () from /lib64/libpthread.so.0

#14 0x00007ffff62f9b9f in clone () from /lib64/libc.so.6

Here's the line that causes the crash:

(gdb) f 0

#0  0x0000555555e9e8d2 in Item_field::fix_fields (this=0x7fff64011810, thd=0x7fff64000a98, reference=0x7fff64010290)

    at /home/bar/maria-git/server.10.2-compatibility/sql/item.cc:5842

5842	      if (thd->lex->current_select->is_item_list_lookup)

(gdb) p thd->lex->current_select

$1 = (SELECT_LEX *) 0x0

The crash was most likely caused by this change:

commit 6b7dcefdc83c4444ac8a4623b46810ff940528db

Author: Monty <monty@mariadb.org>

Date:   Sun Jan 21 20:16:22 2018 +0200

    Reset thd->lex->current_select for SP

relates to

MDEV-15054 Crash in Item_field::fix_fields() when calling stored procedure

MDEV-15870 Using aggregate and window function in unexpected places can crash the server

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server