MariaDB Server
MDEV-15057

Crash when using an unknown identifier as an SP parameter

Description

I run this script:

    CREATE OR REPLACE PROCEDURE p1 (a VARCHAR(10)) SELECT 1;
    CALL p1(AE);

It crashes the server with this stack trace:

    #0  0x0000555555e9e8d2 in Item_field::fix_fields (this=0x7fff64011810, thd=0x7fff64000a98, reference=0x7fff64010290)
        at /home/bar/maria-git/server.10.2-compatibility/sql/item.cc:5842
    #1  0x0000555555aeed4b in sp_prepare_func_item (thd=0x7fff64000a98, it_addr=0x7fff64010290, cols=1)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:363
    #2  0x0000555555aeef5f in sp_eval_expr (thd=0x7fff64000a98, result_item=0x7fff64029020, result_field=0x7fff64028ea0,
        expr_item_ptr=0x7fff64010290) at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:409
    #3  0x0000555555b06b47 in sp_rcontext::set_variable (this=0x7fff64027b00, thd=0x7fff64000a98, idx=0, value=0x7fff64010290)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sp_rcontext.cc:649
    #4  0x0000555555af3e89 in sp_head::execute_procedure (this=0x7fff64010740, thd=0x7fff64000a98, args=0x7fff64005588)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sp_head.cc:2244
    #5  0x0000555555bb6a3e in do_execute_sp (thd=0x7fff64000a98, sp=0x7fff64010740)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:2928
    #6  0x0000555555bb7564 in Sql_cmd_call::execute (this=0x7fff640112b0, thd=0x7fff64000a98)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:3168
    #7  0x0000555555bc15d2 in mysql_execute_command (thd=0x7fff64000a98)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:6253
    #8  0x0000555555bc6387 in mysql_parse (thd=0x7fff64000a98, rawbuf=0x7fff64011ca0 "CALL p1(AE)", length=11,
        parser_state=0x7fffe054b230, is_com_multi=false, is_next_command=false)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:7973
    #9  0x0000555555bb3c62 in dispatch_command (command=COM_QUERY, thd=0x7fff64000a98, packet=0x7fff640081e9 "CALL p1(AE)",
        packet_length=11, is_com_multi=false, is_next_command=false)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:1834
    #10 0x0000555555bb25e1 in do_command (thd=0x7fff64000a98) at /home/bar/maria-git/server.10.2-compatibility/sql/sql_parse.cc:1382
    #11 0x0000555555d0782c in do_handle_one_connection (connect=0x55555863be18)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_connect.cc:1335
    #12 0x0000555555d075ac in handle_one_connection (arg=0x55555863be18)
        at /home/bar/maria-git/server.10.2-compatibility/sql/sql_connect.cc:1241
    #13 0x00007ffff7bbe36d in start_thread () from /lib64/libpthread.so.0
    #14 0x00007ffff62f9b9f in clone () from /lib64/libc.so.6

Here's the line that causes the crash:

    (gdb) f 0
    #0  0x0000555555e9e8d2 in Item_field::fix_fields (this=0x7fff64011810, thd=0x7fff64000a98, reference=0x7fff64010290)
        at /home/bar/maria-git/server.10.2-compatibility/sql/item.cc:5842
    5842	      if (thd->lex->current_select->is_item_list_lookup)
    (gdb) p thd->lex->current_select
    $1 = (SELECT_LEX *) 0x0

The crash was most likely caused by this change:

    commit 6b7dcefdc83c4444ac8a4623b46810ff940528db
    Author: Monty <monty@mariadb.org>
    Date:   Sun Jan 21 20:16:22 2018 +0200

        Reset thd->lex->current_select for SP

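
The failure mode the report shows (an argument expression resolved against `thd->lex->current_select` after that pointer has already been reset to NULL for the stored procedure) is easier to reason about in a small model. The following C program is an added example and is not MariaDB code: the `THD`, `LEX`, `SELECT_LEX` structs, the `fix_fields_*` and `call_sp_*` functions and the result codes are hypothetical simplifications chosen to mirror the shape of the trace, not the server's real types or its eventual fix. It shows the two defensive options a reviewer would weigh: a NULL check inside the resolver that turns the missing context into an error, and an ordering change that resolves the caller's arguments while the caller's SELECT context is still in place. A session whose only known column is `a` is constructed inline.

```c
/* Added example, not MariaDB code: a minimal C model of the NULL
 * current_select failure mode in this report. Struct and function names
 * echo the server's (THD, LEX, SELECT_LEX, fix_fields) but everything
 * here is a hypothetical simplification. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct SELECT_LEX { int is_item_list_lookup; const char *columns[4]; } SELECT_LEX;
typedef struct LEX { SELECT_LEX *current_select; } LEX;
typedef struct THD { LEX *lex; } THD;

enum fix_result { FIX_OK = 0, FIX_ERR_UNKNOWN_COLUMN = 1, FIX_ERR_NO_SELECT_CONTEXT = 2 };

/* Looks the identifier up in the current SELECT's (constructed) column list. */
static int lookup_column(const SELECT_LEX *sel, const char *ident)
{
    for (int i = 0; i < 4 && sel->columns[i]; i++)
        if (strcmp(sel->columns[i], ident) == 0)
            return 1;
    return 0;
}

/* Unguarded resolver: same shape as item.cc:5842 in the trace. With
 * current_select == NULL the first condition dereferences NULL. */
static int fix_fields_unguarded(THD *thd, const char *ident)
{
    if (thd->lex->current_select->is_item_list_lookup &&
        lookup_column(thd->lex->current_select, ident))
        return FIX_OK;
    return FIX_ERR_UNKNOWN_COLUMN;
}

/* Guarded resolver: a missing context becomes an error, not a crash. */
static int fix_fields_guarded(THD *thd, const char *ident)
{
    if (thd->lex->current_select == NULL)
        return FIX_ERR_NO_SELECT_CONTEXT;
    return fix_fields_unguarded(thd, ident);
}

/* Model of CALL p1(<arg>) in the order the trace shows: SP execution
 * resets current_select first, then the argument is evaluated. */
static int call_sp_reset_then_eval(THD *thd, int (*fix)(THD *, const char *), const char *arg)
{
    thd->lex->current_select = NULL; /* "Reset thd->lex->current_select for SP" */
    return fix(thd, arg);
}

/* Alternative ordering: resolve the caller's argument while the caller's
 * SELECT context is still in place, then reset for the SP body. */
static int call_sp_eval_then_reset(THD *thd, int (*fix)(THD *, const char *), const char *arg)
{
    int rc = fix(thd, arg);
    thd->lex->current_select = NULL;
    return rc;
}

/* Drive one CALL against a constructed session whose caller context knows
 * only the column "a"; returns the resolver's result code. */
static int simulate_call(int (*caller)(THD *, int (*)(THD *, const char *), const char *),
                         int (*fix)(THD *, const char *), const char *arg)
{
    SELECT_LEX caller_select = { 1, { "a", NULL, NULL, NULL } };
    LEX lex = { &caller_select };
    THD thd = { &lex };
    return caller(&thd, fix, arg);
}

int main(void)
{
    /* The report's combination (reset first, unguarded resolver) would
     * dereference NULL here, so only the three safe combinations are run. */
    printf("guarded resolver, reset then eval, AE: %d\n",
           simulate_call(call_sp_reset_then_eval, fix_fields_guarded, "AE"));
    printf("unguarded resolver, eval then reset, AE: %d\n",
           simulate_call(call_sp_eval_then_reset, fix_fields_unguarded, "AE"));
    printf("unguarded resolver, eval then reset, a: %d\n",
           simulate_call(call_sp_eval_then_reset, fix_fields_unguarded, "a"));
    return 0;
}
```

Either change removes the crash for the unknown identifier `AE`; only the ordering change additionally lets a valid caller-side column such as `a` resolve, which is the behaviour a regression test for this report would need to pin down alongside the error case.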

People

    Assignee: Michael Widenius (monty)
    Reporter: Alexander Barkov (bar)