MariaDB Server / MDEV-15703

Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field

Details

    Description

      These (intentionally incorrect) queries crash the server:

      EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
      

      EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
      

      I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

      10.2 73af8af094

      #3  <signal handler called>
      #4  0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
      #5  0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
      #6  0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
      #7  0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
      #8  0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
      #9  0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
      #10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
      #11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
      #12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
      #13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
      #14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
      #15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
      #16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
      #17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
      #18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
      #19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
      #20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
      #21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
      #22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
      #23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
      #24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
      #25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Note, the queries are incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

      The expected behaviour should be to return an error, e.g. like this query does:

      MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
      ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
      

          Activity

            UBSAN also sees an issue: runtime error: member call on null pointer of type 'struct TABLE_LIST':

            EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE;
            

            Leads to:

            11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

            /test/11.0_dbg_san/sql/item.cc:4496:55: runtime error: member call on null pointer of type 'struct TABLE_LIST'
                #0 0x559d8948e909 in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
                #1 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561
                #2 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
                #3 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
                #4 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578
                #5 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
                #6 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
                #7 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
                #8 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
                #9 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
                #10 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
                #11 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
                #12 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
                #13 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
                #14 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
                #15 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
                #16 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #17 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #18 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #19 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #20 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #21 0x14f758294b42 in start_thread nptl/pthread_create.c:442
                #22 0x14f7583269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
             
            /test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'
                #0 0x559d8948e91f in TABLE_LIST::top_table() /test/11.0_dbg_san/sql/table.h:2872
                #1 0x559d8948e91f in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
                #2 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561
                #3 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
                #4 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
                #5 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578
                #6 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
                #7 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
                #8 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
                #9 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
                #10 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
                #11 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
                #12 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
                #13 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
                #14 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
                #15 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
                #16 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
                #17 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #18 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #19 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #20 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #21 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #22 0x14f758294b42 in start_thread nptl/pthread_create.c:442
                #23 0x14f7583269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
             
            230513 13:17:36 [ERROR] mysqld got signal 11 ;
            

            (Comment by Roel Van de Paar)

            This testcase:

            CREATE PROCEDURE p0 (IN i INT) DETERMINISTIC NO SQL SET @c=i +0;
            EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT;
            

            Leads to this additional stack:

            11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

            /test/11.0_dbg_san/sql/item.cc:4492:56: runtime error: member call on null pointer of type 'struct TABLE_LIST'
            /test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'
            

            11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

                #0 0x55adc55fb73e in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4492
                #1 0x55adc53bb206 in Field::sp_prepare_and_store_item(THD*, Item**) /test/11.0_dbg_san/sql/field.cc:1498
                #2 0x55adc3823a68 in THD::sp_eval_expr(Field*, Item**) /test/11.0_dbg_san/sql/sp_head.cc:453
                #3 0x55adc38b93af in sp_rcontext::set_variable(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.cc:640
                #4 0x55adc383fa88 in sp_rcontext::set_parameter(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.h:194
                #5 0x55adc383fa88 in sp_head::bind_input_param(THD*, Item*, unsigned int, sp_rcontext*, bool) /test/11.0_dbg_san/sql/sp_head.cc:2567
                #6 0x55adc3842d11 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2363
                #7 0x55adc3dd71d3 in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
                #8 0x55adc3df418d in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
                #9 0x55adc3e5d054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
                #10 0x55adc3f62f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
                #11 0x55adc3f66a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
                #12 0x55adc3f71f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
                #13 0x55adc3f7306c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
                #14 0x55adc3e36f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
                #15 0x55adc3e66973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
                #16 0x55adc3e76707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
                #17 0x55adc3e84542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
                #18 0x55adc48598b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
                #19 0x55adc485add0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
                #20 0x148b38e94b42 in start_thread nptl/pthread_create.c:442
                #21 0x148b38f269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
            

            (Comment by Roel Van de Paar)

            Please also test any fixes with:

            CREATE PROCEDURE p1(IN i INT) EXECUTE s;
            EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE;
            

            (Comment by Roel Van de Paar)
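The reproducers from the description and from the comments above, collected into one mysqltest-style regression test that asserts a clean error instead of a crash. This is an added example, not a test from the MariaDB tree or from the fix branch; it assumes that error 4032 (the code the description shows for the SELECT 1=? case) is the expected result for every DEFAULT/IGNORE variant, and that binding an ordinary literal to the same placeholders is accepted.

```sql
--echo # Added regression test for MDEV-15703 (not part of the MariaDB tree).
--echo # Each statement below used to dereference a NULL TABLE_LIST in
--echo # Item_param::save_in_field. After a fix, every DEFAULT/IGNORE binding
--echo # is expected to fail with error 4032 ("Default/ignore value is not
--echo # supported for such parameter usage"), like the SELECT 1=? case.

--disable_warnings
DROP TABLE IF EXISTS t1, t;
DROP PROCEDURE IF EXISTS p0;
DROP PROCEDURE IF EXISTS p1;
--enable_warnings

--echo # Baseline from the description: this variant already returned the error.
--error 4032
EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;

--echo # CREATE TABLE ... DEFAULT ? bound to DEFAULT / IGNORE (description and
--echo # first comment).
--error 4032
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
--error 4032
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
--error 4032
EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE;

--echo # The failed statements must not have left a table behind.
--error ER_NO_SUCH_TABLE
SHOW CREATE TABLE t1;
--error ER_NO_SUCH_TABLE
SHOW CREATE TABLE t;

--echo # Stored procedure IN parameter bound to DEFAULT / IGNORE (later comments).
CREATE PROCEDURE p0 (IN i INT) DETERMINISTIC NO SQL SET @c=i +0;
--error 4032
EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT;
CREATE PROCEDURE p1(IN i INT) EXECUTE s;
--error 4032
EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE;

--echo # Positive control (assumption: an ordinary bound value is still accepted,
--echo # so the check must not reject legitimate parameters in these positions).
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING 5;
SHOW CREATE TABLE t1;
EXECUTE IMMEDIATE 'CALL p0 (?)' USING 7;
SELECT @c;

DROP TABLE t1;
DROP PROCEDURE p0;
DROP PROCEDURE p1;
```

Run it under a sanitizer-enabled build as the comments did: the `--error` directives turn the former crash into a test failure if the server still dies instead of returning the error.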
            shulga Dmitry Shulga added a comment -

            Branch for review is bb-10.4-MDEV-15703-1


            sanja Oleksandr Byelkin added a comment -

            OK to push, let's discuss if it is safe for 10.4

            People

              shulga Dmitry Shulga
              bar Alexander Barkov