[MDEV-15703] Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field - Jira

Alexander Barkov created issue - 2018-03-28 06:58

Alexander Barkov made changes - 2018-03-28 07:01

Field	Original Value	New Value
Description	These queries crash the server: {code:sql} EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT; {code} {code:sql} EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE; {code}	These queries crash the server: {code:sql} EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT; {code} {code:sql} EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE; {code} I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

Alexander Barkov made changes - 2018-03-28 07:07

Assignee

Oleksandr Byelkin [ sanja ]

Elena Stepanova made changes - 2018-03-28 09:54

Description

These queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

These queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Sergei Golubchik made changes - 2019-03-29 12:04

Fix Version/s

10.4 [ 22408 ]

Roel Van de Paar added a comment - 2020-05-11 11:09 - edited

CREATE PROCEDURE p(IN c INT) SET max_connections=100;

EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT;

The encapsulated SET is not important; it can be anything else.

Leads to:

10.5.3 64488a6f2dd6aa43462292b757e783cfba11a8c6
Core was generated by `/test/MD050520-mariadb-10.5.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x15234b3c7700 (LWP 121254))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000056217ea96757 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
#2 0x000056217e45881a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:329
#3 <signal handler called>
#4 TABLE_LIST::top_table (this=0x0) at /test/10.5_opt/sql/table.h:2535
#5 Item_param::save_in_field (this=0x15232810ee58, field=0x152328049e00, no_conversions=<optimized out>) at /test/10.5_opt/sql/item.cc:4274
#6 0x000056217e4372b3 in Field::sp_prepare_and_store_item (this=0x152328049e00, thd=0x152328012018, value=<optimized out>) at /test/10.5_opt/sql/field.cc:1430
#7 0x000056217e1c9097 in THD::sp_eval_expr (this=this@entry=0x152328012018, result_field=<optimized out>, expr_item_ptr=<optimized out>) at /test/10.5_opt/sql/sp_head.cc:431
#8 0x000056217e1d5c53 in sp_rcontext::set_variable (this=this@entry=0x152328048ac8, thd=thd@entry=0x152328012018, idx=idx@entry=0, value=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.cc:639
#9 0x000056217e1cbb2d in sp_rcontext::set_parameter (value=<optimized out>, var_idx=<optimized out>, thd=<optimized out>, this=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.h:191
#10 sp_head::execute_procedure (this=0x152328051030, thd=thd@entry=0x152328012018, args=0x15232810dfc0) at /test/10.5_opt/sql/sp_head.cc:2353
#11 0x000056217e260f55 in do_execute_sp (thd=thd@entry=0x152328012018, sp=sp@entry=0x152328051030) at /test/10.5_opt/sql/sql_parse.cc:3013
#12 0x000056217e2615e6 in Sql_cmd_call::execute (this=0x15232810ec60, thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3258
#13 0x000056217e263010 in mysql_execute_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:5912
#14 0x000056217e280975 in Prepared_statement::execute (this=this@entry=0x15232807c418, expanded_query=expanded_query@entry=0x15234b3c5d60, open_cursor=open_cursor@entry=false) at /test/10.5_opt/sql/sql_prepare.cc:4786
#15 0x000056217e280a72 in Prepared_statement::execute_loop (this=0x15232807c418, expanded_query=0x15234b3c5d60, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/10.5_opt/sql/sql_prepare.cc:4275
#16 0x000056217e280f5b in Prepared_statement::execute_immediate (this=this@entry=0x15232807c418, query=<optimized out>, query_len=9) at /test/10.5_opt/sql/sql_prepare.cc:4914
#17 0x000056217e2811ae in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_prepare.cc:2941
#18 0x000056217e263564 in mysql_execute_command (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3907
#19 0x000056217e26a27c in mysql_parse (thd=0x152328012018, rawbuf=<optimized out>, length=43, parser_state=0x15234b3c64d0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7957
#20 0x000056217e25f8a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152328012018, packet=packet@entry=0x15232803a019 "EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1839
#21 0x000056217e25db36 in do_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:1358
#22 0x000056217e3522ee in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1523490329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1422
#23 0x000056217e352494 in handle_one_connection (arg=arg@entry=0x1523490329b8) at /test/10.5_opt/sql/sql_connect.cc:1319
#24 0x000056217e6be5ea in pfs_spawn_thread (arg=0x15234904b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#25 0x000015234a7ee6db in start_thread (arg=0x15234b3c7700) at pthread_create.c:463
#26 0x0000152349bec88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (dbg), 10.5.3 (opt)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Roel Van de Paar added a comment - 2020-05-11 11:09 - edited CREATE PROCEDURE p(IN c INT) SET max_connections=100; EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT; The encapsulated SET is not important; it can be anything else. Leads to: 10.5.3 64488a6f2dd6aa43462292b757e783cfba11a8c6 Core was generated by `/test/MD050520-mariadb-10.5.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x15234b3c7700 (LWP 121254))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x000056217ea96757 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518 #2 0x000056217e45881a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:329 #3 <signal handler called> #4 TABLE_LIST::top_table (this=0x0) at /test/10.5_opt/sql/table.h:2535 #5 Item_param::save_in_field (this=0x15232810ee58, field=0x152328049e00, no_conversions=<optimized out>) at /test/10.5_opt/sql/item.cc:4274 #6 0x000056217e4372b3 in Field::sp_prepare_and_store_item (this=0x152328049e00, thd=0x152328012018, value=<optimized out>) at /test/10.5_opt/sql/field.cc:1430 #7 0x000056217e1c9097 in THD::sp_eval_expr (this=this@entry=0x152328012018, result_field=<optimized out>, expr_item_ptr=<optimized out>) at /test/10.5_opt/sql/sp_head.cc:431 #8 0x000056217e1d5c53 in sp_rcontext::set_variable (this=this@entry=0x152328048ac8, thd=thd@entry=0x152328012018, idx=idx@entry=0, value=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.cc:639 #9 0x000056217e1cbb2d in sp_rcontext::set_parameter (value=<optimized out>, var_idx=<optimized out>, thd=<optimized out>, this=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.h:191 #10 sp_head::execute_procedure (this=0x152328051030, thd=thd@entry=0x152328012018, args=0x15232810dfc0) at /test/10.5_opt/sql/sp_head.cc:2353 #11 0x000056217e260f55 in do_execute_sp (thd=thd@entry=0x152328012018, sp=sp@entry=0x152328051030) at /test/10.5_opt/sql/sql_parse.cc:3013 #12 0x000056217e2615e6 in Sql_cmd_call::execute (this=0x15232810ec60, thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3258 #13 0x000056217e263010 in mysql_execute_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:5912 #14 0x000056217e280975 in Prepared_statement::execute (this=this@entry=0x15232807c418, expanded_query=expanded_query@entry=0x15234b3c5d60, open_cursor=open_cursor@entry=false) at /test/10.5_opt/sql/sql_prepare.cc:4786 #15 0x000056217e280a72 in Prepared_statement::execute_loop (this=0x15232807c418, expanded_query=0x15234b3c5d60, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/10.5_opt/sql/sql_prepare.cc:4275 #16 0x000056217e280f5b in Prepared_statement::execute_immediate (this=this@entry=0x15232807c418, query=<optimized out>, query_len=9) at /test/10.5_opt/sql/sql_prepare.cc:4914 #17 0x000056217e2811ae in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_prepare.cc:2941 #18 0x000056217e263564 in mysql_execute_command (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3907 #19 0x000056217e26a27c in mysql_parse (thd=0x152328012018, rawbuf=<optimized out>, length=43, parser_state=0x15234b3c64d0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7957 #20 0x000056217e25f8a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152328012018, packet=packet@entry=0x15232803a019 "EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1839 #21 0x000056217e25db36 in do_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:1358 #22 0x000056217e3522ee in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1523490329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1422 #23 0x000056217e352494 in handle_one_connection (arg=arg@entry=0x1523490329b8) at /test/10.5_opt/sql/sql_connect.cc:1319 #24 0x000056217e6be5ea in pfs_spawn_thread (arg=0x15234904b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201 #25 0x000015234a7ee6db in start_thread (arg=0x15234b3c7700) at pthread_create.c:463 #26 0x0000152349bec88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (dbg), 10.5.3 (opt) Bug confirmed not present in: MariaDB: 10.1.45 (dbg), 10.1.45 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Roel Van de Paar made changes - 2020-05-11 11:09

Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]

Roel Van de Paar made changes - 2020-05-11 11:09

Fix Version/s

10.5 [ 23123 ]

Roel Van de Paar made changes - 2020-05-11 11:09

Priority

Major [ 3 ]

Critical [ 2 ]

Oleksandr Byelkin made changes - 2020-07-09 07:41

Status

Open [ 1 ]

In Progress [ 3 ]

Oleksandr Byelkin added a comment - 2020-07-09 13:39

there are 2 version 10.2 and 10.4:

commit f9ee717c3440645b2b34857fe0297e7230332bcd (HEAD ~~> bb-10.2MDEV-15703~~)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Check usage of IGNORE out of allowed commands.
Check that table is opened for DEFAULT.

commit 4a499d8b2fca929db0f4f9080f360284f49c3e5a (HEAD ~~> bb-10.4MDEV-15703~~, origin/bb-10.4-~~MDEV-15703~~)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 15:37:55 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

10.4 version: check evaluablity on Field::make_empty_rec_store_default_value

10.2 version changed with ASSERTS.

Oleksandr Byelkin added a comment - 2020-07-09 13:39 there are 2 version 10.2 and 10.4: commit f9ee717c3440645b2b34857fe0297e7230332bcd (HEAD > bb-10.2 MDEV-15703 ) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 14:36:41 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT Check usage of IGNORE out of allowed commands. Check that table is opened for DEFAULT. commit 4a499d8b2fca929db0f4f9080f360284f49c3e5a (HEAD > bb-10.4 MDEV-15703 , origin/bb-10.4- MDEV-15703 ) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 15:37:55 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT 10.4 version: check evaluablity on Field::make_empty_rec_store_default_value 10.2 version changed with ASSERTS.

Oleksandr Byelkin made changes - 2020-07-09 13:40

Assignee	Oleksandr Byelkin [ sanja ]	Alexander Barkov [ bar ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Alexander Barkov added a comment - 2020-07-10 07:33 - edited

More similar crashes:

EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING DEFAULT;

EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING IGNORE;

Alexander Barkov added a comment - 2020-07-10 07:33 - edited More similar crashes: EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING DEFAULT ; EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING IGNORE ;

Oleksandr Byelkin added a comment - 2020-07-10 13:21

commit d476d9bc84b2267fb093e70563a15adaa874ae2b (HEAD ~~> bb-10.2MDEV-15703~~, origin/bb-10.2-~~MDEV-15703~~)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2: check that expressions are evaluable for
making empty row and assigning PS variable
(Item::is_evaluable_expression() bakported from 10.4).

commit 9d26f1d10a71732cf1d03906cfde809810058f98
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Oleksandr Byelkin added a comment - 2020-07-10 13:21 commit d476d9bc84b2267fb093e70563a15adaa874ae2b (HEAD > bb-10.2 MDEV-15703 , origin/bb-10.2- MDEV-15703 ) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Fri Jul 10 15:17:07 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT part 2: check that expressions are evaluable for making empty row and assigning PS variable (Item::is_evaluable_expression() bakported from 10.4). commit 9d26f1d10a71732cf1d03906cfde809810058f98 Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 14:36:41 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT Part 1: make better asserts.

Oleksandr Byelkin added a comment - 2020-07-10 14:21

commit 70d1c6337c9d548d04f771c1762d8bfa08f415e9 (HEAD ~~> bb-10.2MDEV-15703~~, origin/bb-10.2-~~MDEV-15703~~)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2:

check that expressions are evaluable for
making empty row and assigning PS variable

Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual

Item::is_evaluable_expression() bakported from 10.4

Item::check_is_evaluable_expression_or_error() bakported from 10.4

Item::Print bakported from 10.4

commit 9d26f1d10a71732cf1d03906cfde809810058f98
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Oleksandr Byelkin added a comment - 2020-07-10 14:21 commit 70d1c6337c9d548d04f771c1762d8bfa08f415e9 (HEAD > bb-10.2 MDEV-15703 , origin/bb-10.2- MDEV-15703 ) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Fri Jul 10 15:17:07 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT part 2: check that expressions are evaluable for making empty row and assigning PS variable Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual Item::is_evaluable_expression() bakported from 10.4 Item::check_is_evaluable_expression_or_error() bakported from 10.4 Item::Print bakported from 10.4 commit 9d26f1d10a71732cf1d03906cfde809810058f98 Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 14:36:41 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT Part 1: make better asserts.

Alexander Barkov added a comment - 2020-07-13 12:57

The patch
https://github.com/MariaDB/server/commit/70d1c6337c9d548d04f771c1762d8bfa08f415e9
looks ok for me.

Alexander Barkov added a comment - 2020-07-13 12:57 The patch https://github.com/MariaDB/server/commit/70d1c6337c9d548d04f771c1762d8bfa08f415e9 looks ok for me.

Alexander Barkov added a comment - 2020-07-13 13:14

This query also makes the server crash:

EXECUTE IMMEDIATE 'SELECT ? UNION SELECT 1' USING DEFAULT;

Alexander Barkov added a comment - 2020-07-13 13:14 This query also makes the server crash: EXECUTE IMMEDIATE 'SELECT ? UNION SELECT 1' USING DEFAULT ;

Oleksandr Byelkin added a comment - 2020-07-15 05:43

The other problem in default found due to asserts but repeatable on 10.2 vanilla:

CREATE TABLE t1 (a INT, b INT default a);

INSERT into t1 values (1,2),(2,3);

CREATE TABLE t2 (a INT, b INT default a);

INSERT into t2 values (1,10),(2,30);

UPDATE t1,t2 SET t1.b = DEFAULT, t2.b = DEFAULT WHERE t1.a=t2.a;

SELECT * from t1;

SELECT * from t2;

# Cleanup

DROP TABLE t1, t2;

Oleksandr Byelkin added a comment - 2020-07-15 05:43 The other problem in default found due to asserts but repeatable on 10.2 vanilla: CREATE TABLE t1 (a INT, b INT default a); INSERT into t1 values (1,2),(2,3); CREATE TABLE t2 (a INT, b INT default a); INSERT into t2 values (1,10),(2,30); UPDATE t1,t2 SET t1.b = DEFAULT, t2.b = DEFAULT WHERE t1.a=t2.a; SELECT * from t1; SELECT * from t2; # Cleanup DROP TABLE t1, t2;

Oleksandr Byelkin added a comment - 2020-07-15 05:48

The crash is the same as for https://jira.mariadb.org/browse/MDEV-21028 (because in both cases we try to apply complex default to a temporary table) but bugs are different.

Oleksandr Byelkin added a comment - 2020-07-15 05:48 The crash is the same as for https://jira.mariadb.org/browse/MDEV-21028 (because in both cases we try to apply complex default to a temporary table) but bugs are different.

Oleksandr Byelkin made changes - 2020-07-17 18:20

Assignee

Alexander Barkov [ bar ]

Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2020-07-17 18:20

Assignee

Oleksandr Byelkin [ sanja ]

Sergei Golubchik [ serg ]

Oleksandr Byelkin added a comment - 2020-07-17 18:21

commit bc73b455ba255d5fd6b277a3477ab47d368241a1
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2:

check that expressions are evaluable for
making empty row and assigning PS variable

correctly handling writing to a temporary tabe during multi-update
by setting associated field

Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual

Item::is_evaluable_expression() bakported from 10.4

Item::check_is_evaluable_expression_or_error() bakported from 10.4

Item::Print bakported from 10.4

commit 7311586ca259b619cac949da70e79ddd9f8f6da8
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

~~MDEV-15703~~ Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Oleksandr Byelkin added a comment - 2020-07-17 18:21 commit bc73b455ba255d5fd6b277a3477ab47d368241a1 Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Fri Jul 10 15:17:07 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT part 2: check that expressions are evaluable for making empty row and assigning PS variable correctly handling writing to a temporary tabe during multi-update by setting associated field Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual Item::is_evaluable_expression() bakported from 10.4 Item::check_is_evaluable_expression_or_error() bakported from 10.4 Item::Print bakported from 10.4 commit 7311586ca259b619cac949da70e79ddd9f8f6da8 Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 14:36:41 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT Part 1: make better asserts.

Sergei Golubchik made changes - 2020-07-29 16:33

Assignee	Sergei Golubchik [ serg ]	Oleksandr Byelkin [ sanja ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Oleksandr Byelkin made changes - 2020-10-07 09:07

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Oleksandr Byelkin added a comment - 2020-10-07 11:42 - edited

I fixed small issues, answered big one, but what to do with big ones I have no idea (partially because thay was requirements of first reviews)

commit 6d02ddda888dc85a91f5d5e6a92696a7d69a5b12 (HEAD -> bb-10.2-MDEV-15703, origin/bb-10.2-MDEV-15703)

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Tue Jul 14 10:12:22 2020 +0200

    Fix of typo in the comment.

commit 62c35fe93e14ff469007dac2488f5c34a76ce9de

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Fri Jul 10 15:17:07 2020 +0200

    MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

    part 2:

    - check that expressions are evaluable for

      making empty row and assigning PS variable

    - correctly handling writing to a temporary tabe during multi-update

      by setting associated field

    - Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual

    - Item::is_evaluable_expression() bakported from 10.4

    - Item::check_is_evaluable_expression_or_error() bakported from 10.4

commit f584d567dbb499485b1d1122e4370db43cb27c4c

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Thu Jul 9 14:36:41 2020 +0200

    MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

    Part 1: make better asserts.

Oleksandr Byelkin added a comment - 2020-10-07 11:42 - edited I fixed small issues, answered big one, but what to do with big ones I have no idea (partially because thay was requirements of first reviews) commit 6d02ddda888dc85a91f5d5e6a92696a7d69a5b12 (HEAD -> bb-10.2-MDEV-15703, origin/bb-10.2-MDEV-15703) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Tue Jul 14 10:12:22 2020 +0200 Fix of typo in the comment. commit 62c35fe93e14ff469007dac2488f5c34a76ce9de Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Fri Jul 10 15:17:07 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT part 2: - check that expressions are evaluable for making empty row and assigning PS variable - correctly handling writing to a temporary tabe during multi-update by setting associated field - Item::raise_error_not_evaluable() bakported from 10.4 and made vitrual - Item::is_evaluable_expression() bakported from 10.4 - Item::check_is_evaluable_expression_or_error() bakported from 10.4 commit f584d567dbb499485b1d1122e4370db43cb27c4c Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Thu Jul 9 14:36:41 2020 +0200 MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT Part 1: make better asserts.

Oleksandr Byelkin made changes - 2020-10-07 11:45

Assignee	Oleksandr Byelkin [ sanja ]	Sergei Golubchik [ serg ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Sergei Golubchik made changes - 2020-10-09 20:26

Assignee	Sergei Golubchik [ serg ]	Oleksandr Byelkin [ sanja ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Roel Van de Paar made changes - 2020-10-10 04:21

Link

This issue relates to ~~MDEV-21028~~ [ ~~MDEV-21028~~ ]

Oleksandr Byelkin made changes - 2021-07-12 11:15

Assignee

Oleksandr Byelkin [ sanja ]

Dmitry Shulga [ JIRAUSER47315 ]

Sergei Golubchik made changes - 2021-12-06 21:35

Workflow

MariaDB v3 [ 86263 ]

MariaDB v4 [ 143537 ]

Ralf Gebhardt made changes - 2022-08-04 08:44

Fix Version/s

10.2 [ 14601 ]

Dmitry Shulga made changes - 2022-10-11 04:00

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Alexander Barkov made changes - 2022-10-11 13:12

Description

These queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

These queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Note, the queries are intentionally incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:
{code:sql}
MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
{code}

Alexander Barkov made changes - 2022-10-11 13:12

Description

These queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Note, the queries are intentionally incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:
{code:sql}
MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
{code}

These (intentionally incorrect) queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Note, the queries are intentionally incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:
{code:sql}
MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
{code}

Alexander Barkov made changes - 2022-10-11 13:12

Description

These (intentionally incorrect) queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Note, the queries are intentionally incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:
{code:sql}
MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
{code}

These (intentionally incorrect) queries crash the server:

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
{code}

{code:sql}
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
{code}

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

{noformat:title=10.2 73af8af094}
#3 <signal handler called>
#4 0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5 0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6 0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7 0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8 0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9 0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
{noformat}

Note, the queries are incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:
{code:sql}
MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage
{code}

Roel Van de Paar added a comment - 2023-03-25 01:24

Please also test any fixes with:

CREATE PROCEDURE p(IN c INT) SET max_connections=100;

EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT;

Roel Van de Paar added a comment - 2023-03-25 01:24 Please also test any fixes with: CREATE PROCEDURE p( IN c INT ) SET max_connections=100; EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT ;

Julien Fritsch made changes - 2023-04-27 14:23

Fix Version/s

10.3 [ 22126 ]

Roel Van de Paar made changes - 2023-05-13 03:18

Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]
Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.0 [ 28320 ]
Fix Version/s		11.1 [ 28549 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.0 [ 28320 ]
Affects Version/s		11.1 [ 28549 ]

Roel Van de Paar added a comment - 2023-05-13 03:22

UBSAN also sees an issue: runtime error: member call on null pointer of type 'struct TABLE_LIST':

EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE;

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)
/test/11.0_dbg_san/sql/item.cc:4496:55: runtime error: member call on null pointer of type 'struct TABLE_LIST'
#0 0x559d8948e909 in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
#1 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD, Item) /test/11.0_dbg_san/sql/field.cc:1561
#2 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
#3 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
#4 0x559d885d2452 in build_frm_image(THD, st_mysql_const_lex_string const&, HA_CREATE_INFO, List<Create_field>&, unsigned int, st_key, handler) /test/11.0_dbg_san/sql/unireg.cc:578
#5 0x559d8836f7b1 in mysql_create_frm_image(THD, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO, Alter_info, int, st_key, unsigned int, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
#6 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
#7 0x559d88374f6f in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
#8 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
#9 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
#10 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
#11 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
#12 0x559d87df9a1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
#13 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
#14 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
#15 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
#16 0x559d87cf9973 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#17 0x559d87d09707 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#18 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#19 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#20 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#21 0x14f758294b42 in start_thread nptl/pthread_create.c:442
#22 0x14f7583269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

/test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'
#0 0x559d8948e91f in TABLE_LIST::top_table() /test/11.0_dbg_san/sql/table.h:2872
#1 0x559d8948e91f in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
#2 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD, Item) /test/11.0_dbg_san/sql/field.cc:1561
#3 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
#4 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
#5 0x559d885d2452 in build_frm_image(THD, st_mysql_const_lex_string const&, HA_CREATE_INFO, List<Create_field>&, unsigned int, st_key, handler) /test/11.0_dbg_san/sql/unireg.cc:578
#6 0x559d8836f7b1 in mysql_create_frm_image(THD, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO, Alter_info, int, st_key, unsigned int, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
#7 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
#8 0x559d88374f6f in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
#9 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
#10 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
#11 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
#12 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
#13 0x559d87df9a1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
#14 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
#15 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
#16 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
#17 0x559d87cf9973 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#18 0x559d87d09707 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#19 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#20 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#21 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#22 0x14f758294b42 in start_thread nptl/pthread_create.c:442
#23 0x14f7583269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

230513 13:17:36 [ERROR] mysqld got signal 11 ;

Roel Van de Paar added a comment - 2023-05-13 03:22 UBSAN also sees an issue: runtime error: member call on null pointer of type 'struct TABLE_LIST': EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE ; Leads to: 11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN) /test/11.0_dbg_san/sql/item.cc:4496:55: runtime error: member call on null pointer of type 'struct TABLE_LIST' #0 0x559d8948e909 in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496 #1 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561 #2 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168 #3 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243 #4 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578 #5 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340 #6 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647 #7 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772 #8 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888 #9 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492 #10 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015 #11 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223 #12 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646 #13 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374 #14 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099 #15 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955 #16 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #17 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #18 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #19 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #20 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #21 0x14f758294b42 in start_thread nptl/pthread_create.c:442 #22 0x14f7583269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) /test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST' #0 0x559d8948e91f in TABLE_LIST::top_table() /test/11.0_dbg_san/sql/table.h:2872 #1 0x559d8948e91f in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496 #2 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561 #3 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168 #4 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243 #5 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578 #6 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340 #7 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647 #8 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772 #9 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888 #10 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492 #11 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015 #12 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223 #13 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646 #14 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374 #15 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099 #16 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955 #17 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #18 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #19 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #20 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #21 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #22 0x14f758294b42 in start_thread nptl/pthread_create.c:442 #23 0x14f7583269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 230513 13:17:36 [ERROR] mysqld got signal 11 ;

Roel Van de Paar made changes - 2023-05-13 03:22

Summary

Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field

Roel Van de Paar made changes - 2023-05-13 03:22

Labels

UBSAN

Roel Van de Paar added a comment - 2023-07-01 03:18

This testcase:

CREATE PROCEDURE p0 (IN i INT) DETERMINISTIC NO SQL SET @c=i +0;

EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT;

Leads to this additional stack:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

/test/11.0_dbg_san/sql/item.cc:4492:56: runtime error: member call on null pointer of type 'struct TABLE_LIST'

/test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)
#0 0x55adc55fb73e in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4492
#1 0x55adc53bb206 in Field::sp_prepare_and_store_item(THD, Item*) /test/11.0_dbg_san/sql/field.cc:1498
#2 0x55adc3823a68 in THD::sp_eval_expr(Field, Item*) /test/11.0_dbg_san/sql/sp_head.cc:453
#3 0x55adc38b93af in sp_rcontext::set_variable(THD, unsigned int, Item*) /test/11.0_dbg_san/sql/sp_rcontext.cc:640
#4 0x55adc383fa88 in sp_rcontext::set_parameter(THD, unsigned int, Item*) /test/11.0_dbg_san/sql/sp_rcontext.h:194
#5 0x55adc383fa88 in sp_head::bind_input_param(THD, Item, unsigned int, sp_rcontext*, bool) /test/11.0_dbg_san/sql/sp_head.cc:2567
#6 0x55adc3842d11 in sp_head::execute_procedure(THD, List<Item>) /test/11.0_dbg_san/sql/sp_head.cc:2363
#7 0x55adc3dd71d3 in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
#8 0x55adc3df418d in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
#9 0x55adc3e5d054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
#10 0x55adc3f62f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
#11 0x55adc3f66a1f in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
#12 0x55adc3f71f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
#13 0x55adc3f7306c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
#14 0x55adc3e36f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
#15 0x55adc3e66973 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
#16 0x55adc3e76707 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
#17 0x55adc3e84542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
#18 0x55adc48598b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
#19 0x55adc485add0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
#20 0x148b38e94b42 in start_thread nptl/pthread_create.c:442
#21 0x148b38f269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Roel Van de Paar added a comment - 2023-07-01 03:18 This testcase: CREATE PROCEDURE p0 ( IN i INT ) DETERMINISTIC NO SQL SET @c=i +0; EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT ; Leads to this additional stack: 11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug) /test/11.0_dbg_san/sql/item.cc:4492:56: runtime error: member call on null pointer of type 'struct TABLE_LIST' /test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST' 11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug) #0 0x55adc55fb73e in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4492 #1 0x55adc53bb206 in Field::sp_prepare_and_store_item(THD*, Item**) /test/11.0_dbg_san/sql/field.cc:1498 #2 0x55adc3823a68 in THD::sp_eval_expr(Field*, Item**) /test/11.0_dbg_san/sql/sp_head.cc:453 #3 0x55adc38b93af in sp_rcontext::set_variable(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.cc:640 #4 0x55adc383fa88 in sp_rcontext::set_parameter(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.h:194 #5 0x55adc383fa88 in sp_head::bind_input_param(THD*, Item*, unsigned int, sp_rcontext*, bool) /test/11.0_dbg_san/sql/sp_head.cc:2567 #6 0x55adc3842d11 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2363 #7 0x55adc3dd71d3 in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026 #8 0x55adc3df418d in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271 #9 0x55adc3e5d054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015 #10 0x55adc3f62f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223 #11 0x55adc3f66a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646 #12 0x55adc3f71f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374 #13 0x55adc3f7306c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099 #14 0x55adc3e36f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955 #15 0x55adc3e66973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014 #16 0x55adc3e76707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894 #17 0x55adc3e84542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407 #18 0x55adc48598b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416 #19 0x55adc485add0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318 #20 0x148b38e94b42 in start_thread nptl/pthread_create.c:442 #21 0x148b38f269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Roel Van de Paar added a comment - 2023-10-31 03:18

Please also test any fixes with:

CREATE PROCEDURE p1(IN i INT) EXECUTE s;

EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE;

Roel Van de Paar added a comment - 2023-10-31 03:18 Please also test any fixes with: CREATE PROCEDURE p1( IN i INT ) EXECUTE s; EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE ;

Roel Van de Paar made changes - 2023-10-31 03:18

Labels

UBSAN

UBSAN affects-tests

Roel Van de Paar made changes - 2023-10-31 03:18

Fix Version/s

11.2 [ 28603 ]

Roel Van de Paar made changes - 2023-10-31 03:18

Affects Version/s		11.2 [ 28603 ]
Affects Version/s		11.3 [ 28565 ]

Julien Fritsch made changes - 2023-11-28 10:24

Fix Version/s

10.9 [ 26905 ]

Julien Fritsch made changes - 2023-11-28 10:30

Fix Version/s

10.10 [ 27530 ]

Julien Fritsch made changes - 2023-12-07 10:01

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Dmitry Shulga made changes - 2023-12-11 07:31

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Julien Fritsch made changes - 2023-12-11 19:11

Labels

UBSAN affects-tests

UBSAN affects-tests crash

Dmitry Shulga added a comment - 2024-01-16 16:39

Branch for review is bb-10.4-~~MDEV-15703~~-1

Dmitry Shulga added a comment - 2024-01-16 16:39 Branch for review is bb-10.4- MDEV-15703 -1

Dmitry Shulga made changes - 2024-01-16 16:39

Assignee	Dmitry Shulga [ JIRAUSER47315 ]	Oleksandr Byelkin [ sanja ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Oleksandr Byelkin added a comment - 2024-02-06 09:03

OK to push, lets discuss if it is safe for 10.4

Oleksandr Byelkin added a comment - 2024-02-06 09:03 OK to push, lets discuss if it is safe for 10.4

Oleksandr Byelkin made changes - 2024-02-06 09:03

Assignee	Oleksandr Byelkin [ sanja ]	Dmitry Shulga [ JIRAUSER47315 ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Dmitry Shulga made changes - 2024-02-12 09:55

Fix Version/s		11.3.2 [ 29522 ]
Fix Version/s		11.4.1 [ 29523 ]
Fix Version/s		10.4.34 [ 29625 ]
Fix Version/s		10.5.25 [ 29626 ]
Fix Version/s		10.6.18 [ 29627 ]
Fix Version/s		10.11.8 [ 29630 ]
Fix Version/s		11.0.6 [ 29628 ]
Fix Version/s		11.1.5 [ 29629 ]
Fix Version/s		11.2.4 [ 29631 ]
Fix Version/s		11.5.1 [ 29634 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Fix Version/s	10.11 [ 27614 ]
Fix Version/s	11.0 [ 28320 ]
Fix Version/s	11.1 [ 28549 ]
Fix Version/s	11.2 [ 28603 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Julien Fritsch made changes - 2024-02-20 13:53

Fix Version/s

11.5.1 [ 29634 ]

MariaDB Server

Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration