[MDEV-16788] 2nd execution of SP: ASAN heap-use-after-free in my_strcasecmp_utf8 or Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' or unexpected ER_TOO_LONG_IDENT - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.2.27, 10.3.18, 10.4.8
Component/s: Data Definition - Alter Table, Stored routines
Labels:
- affects-tests

Description

Note: There are 3 types of failures in this report, all happen on similar test cases. Please fix the ASAN failure, which is reliably reproducible, and then I'll re-check the rest. Other failures are quoted there for the reference.

CREATE TABLE t1 (k INT);

CREATE PROCEDURE pr() ALTER TABLE t1 ADD CONSTRAINT CHECK (k != 5);

CALL pr;

CALL pr;

# Cleanup

DROP PROCEDURE pr;

DROP TABLE t1;

This failure is reliably reproducible on ASAN builds of 10.2 and 10.3:

10.2 9827c5e10 ASAN
==13396==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000dcba0 at pc 0x5627f434d21f bp 0x7f4f3376eda0 sp 0x7f4f3376ed98
READ of size 1 at 0x6250000dcba0 thread T6
#0 0x5627f434d21e in my_strcasecmp_utf8 /data/src/10.2/strings/ctype-utf8.c:5302
#1 0x5627f2e5707e in handle_if_exists_options /data/src/10.2/sql/sql_table.cc:6211
#2 0x5627f2e690d2 in mysql_alter_table(THD, char, char, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:8978
#3 0x5627f2f94bb5 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:324
#4 0x5627f2c62326 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6222
#5 0x5627f35e3701 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.2/sql/sp_head.cc:3246
#6 0x5627f35e234d in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3009
#7 0x5627f35e2fcb in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.2/sql/sp_head.cc:3162
#8 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
#9 0x5627f35dc6b9 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2116
#10 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#11 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#12 0x5627f2c6cd0a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
#13 0x5627f2c47996 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#14 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
#15 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#16 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#17 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#18 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#19 0x7f4f3e32e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x6250000dcba0 is located 2720 bytes inside of 8268-byte region [0x6250000dc100,0x6250000de14c)
freed by thread T6 here:
#0 0x7f4f401b2527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x5627f42b7b5b in free_memory /data/src/10.2/mysys/safemalloc.c:279
#2 0x5627f42b7161 in sf_free /data/src/10.2/mysys/safemalloc.c:197
#3 0x5627f4286402 in my_free /data/src/10.2/mysys/my_malloc.c:217
#4 0x5627f4267a78 in free_root /data/src/10.2/mysys/my_alloc.c:398
#5 0x5627f35d8a6a in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1346
#6 0x5627f35dc6b9 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2116
#7 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#8 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#9 0x5627f2c6cd0a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
#10 0x5627f2c47996 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#11 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
#12 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#13 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#14 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#15 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T6 here:
#0 0x7f4f401b273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x5627f42b68d1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x5627f4285b3a in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x5627f42669dd in alloc_root /data/src/10.2/mysys/my_alloc.c:241
#4 0x5627f2c7c213 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned int) /data/src/10.2/sql/sql_class.h:986
#5 0x5627f2c4be5c in alloc_query(THD, char const, unsigned int) /data/src/10.2/sql/sql_parse.cc:2644
#6 0x5627f35e2eb7 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.2/sql/sp_head.cc:3150
#7 0x5627f35d88cc in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1327
#8 0x5627f35dc6b9 in sp_head::execute_procedure(THD, List<Item>) /data/src/10.2/sql/sp_head.cc:2116
#9 0x5627f2c4d4d4 in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909
#10 0x5627f2c5f7d0 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822
#11 0x5627f2c6cd0a in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7995
#12 0x5627f2c47996 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
#13 0x5627f2c44a3a in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
#14 0x5627f2f86851 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#15 0x5627f2f86266 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#16 0x5627f39960bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#17 0x7f4f3ff48493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T6 created by T0 here:
#0 0x7f4f40181bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x5627f3996687 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
#2 0x5627f2a41c6e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
#3 0x5627f2a56b59 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
#4 0x5627f2a5725e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
#5 0x5627f2a5826f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
#6 0x5627f2a560ae in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
#7 0x5627f2a4000f in main /data/src/10.2/sql/main.cc:25
#8 0x7f4f3e2662b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/strings/ctype-utf8.c:5302 my_strcasecmp_utf8
Shadow bytes around the buggy address:
0x0c4a80013920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a80013970: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80013990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a800139a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a800139b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a800139c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==13396==ABORTING

This failure is very sporadically reproducible with similar test cases (but dirtier ones) on 10.3 debug non-ASAN builds, once in dozens attempts. Couldn't make it happen on 10.2:

10.3 141a5b24843
mysqld: /data/src/10.3/sql/sql_string.h:589: void String::q_append(const LEX_CSTRING*): Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strlen(ls->str))' failed.
180720 15:07:07 [ERROR] mysqld got signal 6 ;

#7 0x00007ff4ea8adee2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#8 0x00005601ae4219f9 in String::q_append (this=0x7ff4e4a4da50, ls=0x7ff4d40de128) at /data/src/10.3/sql/sql_string.h:587
#9 0x00005601ae41fb9a in pack_expression (buf=0x7ff4e4a4da50, vcol=0x7ff4d40de110, field_nr=4294967295, type=VCOL_CHECK_TABLE) at /data/src/10.3/sql/unireg.cc:637
#10 0x00005601ae41fdb4 in pack_vcols (buf=0x7ff4e4a4da50, create_fields=..., check_constraint_list=0x7ff4e4a50d30) at /data/src/10.3/sql/unireg.cc:676
#11 0x00005601ae41e020 in build_frm_image (thd=0x7ff4d4000b00, table=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, create_fields=..., keys=0, key_info=0x7ff4d40bb188, db_file=0x7ff4d40baa90) at /data/src/10.3/sql/unireg.cc:194
#12 0x00005601ae3c164b in mysql_create_frm_image (thd=0x7ff4d4000b00, db=0x7ff4e4a501b0, table_name=0x7ff4e4a501c0, create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4724
#13 0x00005601ae3c2029 in create_table_impl (thd=0x7ff4d4000b00, orig_db=0x7ff4e4a501b0, orig_table_name=0x7ff4e4a501c0, db=0x7ff4e4a501e0, table_name=0x7ff4e4a50210, path=0x7ff4e4a50a0d "./test/#sql-5a25_58", options=..., create_info=0x7ff4e4a50d90, alter_info=0x7ff4e4a50cd0, create_table_mode=-2, is_trans=0x0, key_info=0x7ff4e4a4f498, key_count=0x7ff4e4a4f46c, frm=0x7ff4e4a4f500) at /data/src/10.3/sql/sql_table.cc:4963
#14 0x00005601ae3ce93e in mysql_alter_table (thd=0x7ff4d4000b00, new_db=0x7ff4d405f5d8, new_name=0x7ff4d405f990, create_info=0x7ff4e4a50d90, table_list=0x7ff4d40dd7a8, alter_info=0x7ff4e4a50cd0, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9595
#15 0x00005601ae455dc5 in Sql_cmd_alter_table::execute (this=0x7ff4d40de150, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_alter.cc:495
#16 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
#17 0x00005601ae21cf2a in sp_instr_stmt::exec_core (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3594
#18 0x00005601ae21c387 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7ff4d40de1a0, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754, open_tables=false, instr=0x7ff4d40de158) at /data/src/10.3/sql/sp_head.cc:3322
#19 0x00005601ae21cb0c in sp_instr_stmt::execute (this=0x7ff4d40de158, thd=0x7ff4d4000b00, nextp=0x7ff4e4a52754) at /data/src/10.3/sql/sp_head.cc:3500
#20 0x00005601ae216887 in sp_head::execute (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, merge_da_on_success=true) at /data/src/10.3/sql/sp_head.cc:1354
#21 0x00005601ae21924e in sp_head::execute_procedure (this=0x7ff4d40dc858, thd=0x7ff4d4000b00, args=0x7ff4d4005740) at /data/src/10.3/sql/sp_head.cc:2294
#22 0x00005601ae2ee560 in do_execute_sp (thd=0x7ff4d4000b00, sp=0x7ff4d40dc858) at /data/src/10.3/sql/sql_parse.cc:2945
#23 0x00005601ae2ef0de in Sql_cmd_call::execute (this=0x7ff4d4014df0, thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:3187
#24 0x00005601ae2f92f1 in mysql_execute_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:6280
#25 0x00005601ae2fe2eb in mysql_parse (thd=0x7ff4d4000b00, rawbuf=0x7ff4d4014d08 "CALL stored_proc_6469", length=21, parser_state=0x7ff4e4a545f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8073
#26 0x00005601ae2eb64a in dispatch_command (command=COM_QUERY, thd=0x7ff4d4000b00, packet=0x7ff4d400b211 "CALL stored_proc_6469", packet_length=21, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1847
#27 0x00005601ae2ea06e in do_command (thd=0x7ff4d4000b00) at /data/src/10.3/sql/sql_parse.cc:1392
#28 0x00005601ae4503a5 in do_handle_one_connection (connect=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1402
#29 0x00005601ae450129 in handle_one_connection (arg=0x5601b0bcfc10) at /data/src/10.3/sql/sql_connect.cc:1308
#30 0x00005601ae8e1b27 in pfs_spawn_thread (arg=0x5601b0be34b0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#31 0x00007ff4ec584494 in start_thread (arg=0x7ff4e4a55700) at pthread_create.c:333
#32 0x00007ff4ea96a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Finally, this failure is also very sporadically reproducible on non-debug 10.3 builds:

mysqltest: At line 14: query 'CALL pkg_6469.stored_proc_6469 /* TRANSFORM_OUTCOME_UNORDERED_MATCH */ /* QNO 5905 CON_ID 17 */' failed: 1059: Identifier name 'H?' is too long

This happens on even dirtier test cases and with the stored routine within a package, so it can't be checked on 10.2.

Attachments

Issue Links

duplicates

MDEV-16933 ASAN heap-use-after-free in my_charlen_utf8 / handle_if_exists_options on 2nd execution of SP with ALTER adding CHECK constraint

Closed

relates to

MDEV-16932 ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

Closed

MDEV-18285 [Draft] Assertion `! is_set()' failed in Diagnostics_area::disable_status upon DROP COLUMN

Closed

MDEV-21848 Server crashes in handle_if_exists_options upon adding check constraint to temporary table

Closed

MDEV-24524 Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed in String::append on SELECT from I_S

Closed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2020-06-15 16:13

SET collation_connection=ucs2_general_ci;

INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) VALUES ( 'a', 'a', 'FUNCTION', 'bug14233_1', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'int(10)', 'SELECT * FROM mysql.user', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'SELECT * FROM mysql.user' );

SELECT * FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_NAME='a';

Leads to:

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
mysqld: /test/10.5_dbg/sql/sql_string.h:924: bool String::append(const LEX_CSTRING*): Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strlen(ls->str))' failed.

10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057
Core was generated by `/test/MD150620-mariadb-10.5.4-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14f08449c700 (LWP 1573308))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x0000561ffbdd44c6 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2 0x0000561ffb576d60 in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x000014f08cdc5801 in __GI_abort () at abort.c:79
#6 0x000014f08cdb539a in __assert_fail_base (fmt=0x14f08cf3c7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x561ffbf2bda8 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strlen(ls->str))", file=file@entry=0x561ffbf2b678 "/test/10.5_dbg/sql/sql_string.h", line=line@entry=924, function=function@entry=0x561ffc124500 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:92
#7 0x000014f08cdb5412 in __GI___assert_fail (assertion=assertion@entry=0x561ffbf2bda8 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strlen(ls->str))", file=file@entry=0x561ffbf2b678 "/test/10.5_dbg/sql/sql_string.h", line=line@entry=924, function=function@entry=0x561ffc124500 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:101
#8 0x0000561ffb721483 in String::append (ls=0x14f084497280, this=0x14f0844955a0) at /test/10.5_dbg/sql/sql_string.h:922
#9 Sp_handler::show_create_sp (this=this@entry=0x561ffca8ba68 <sp_handler_function>, thd=thd@entry=0x14f06b815088, buf=buf@entry=0x14f0844955a0, db=@0x14f084495600: {str = 0x14f06b903d88 "a", length = 1}, name=@0x14f084495610: {str = 0x14f06b903d90 "a", length = 1}, params=@0x561ffc91b880: {str = 0x561ffc126516 "", length = 0}, returns=@0x14f084497280: {str = 0x14f06b903da8 "", length = 14}, body=@0x14f084495590: {str = 0x561ffc12359b "RETURN NULL", length = 11}, chistics=@0x14f0844955e0: {comment = {str = 0x0, length = 0}, suid = SP_IS_DEFAULT_SUID, detistic = false, daccess = SP_DEFAULT_ACCESS, agg_type = DEFAULT_AGGREGATE}, definer=@0x14f0844955c0: {user = {str = 0x561ffc126516 "", length = 0}, host = {str = 0x561ffc126516 "", length = 0}}, ddl_options={m_options = DDL_options_st::OPT_NONE}, sql_mode=0) at /test/10.5_dbg/sql/sp.cc:2995
#10 0x0000561ffb727c41 in Sp_handler::sp_load_for_information_schema (this=this@entry=0x561ffca8ba68 <sp_handler_function>, thd=thd@entry=0x14f06b815088, proc_table=proc_table@entry=0x14f06b8a2088, db=@0x14f084497250: {str = 0x14f06b903d88 "a", length = 1}, name=@0x14f084497260: {str = 0x14f06b903d90 "a", length = 1}, params=@0x561ffc91b880: {str = 0x561ffc126516 "", length = 0}, returns=@0x14f084497280: {str = 0x14f06b903da8 "", length = 14}, sql_mode=0, free_sp_head=0x14f08449724f) at /test/10.5_dbg/sql/sp.cc:3066
#11 0x0000561ffb373cf3 in store_schema_proc (thd=thd@entry=0x14f06b815088, table=table@entry=0x14f06b8d40a0, proc_table=proc_table@entry=0x14f06b8a2088, wild=wild@entry=0x0, full_access=<optimized out>, full_access@entry=true, sp_user=sp_user@entry=0x14f0844988d0 "root@localhost") at /test/10.5_dbg/sql/sql_show.cc:6430
#12 0x0000561ffb374b19 in fill_schema_proc (thd=0x14f06b815088, tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_show.cc:6549
#13 0x0000561ffb37715d in get_schema_tables_result (join=join@entry=0x14f06b876b00, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_dbg/sql/sql_show.cc:8673
#14 0x0000561ffb34a8e1 in JOIN::exec_inner (this=this@entry=0x14f06b876b00) at /test/10.5_dbg/sql/sql_select.cc:4401
#15 0x0000561ffb34b289 in JOIN::exec (this=this@entry=0x14f06b876b00) at /test/10.5_dbg/sql/sql_select.cc:4225
#16 0x0000561ffb34959e in mysql_select (thd=thd@entry=0x14f06b815088, tables=<optimized out>, fields=@0x14f06b8742d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f06b874738, last = 0x14f06b87a030, elements = 31}, <No data fields>}, conds=0x14f06b875080, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x14f06b876ad8, unit=0x14f06b8190a0, select_lex=0x14f06b874188) at /test/10.5_dbg/sql/sql_select.cc:4649
#17 0x0000561ffb3498cd in handle_select (thd=thd@entry=0x14f06b815088, lex=lex@entry=0x14f06b818fd8, result=result@entry=0x14f06b876ad8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
#18 0x0000561ffb2d31ed in execute_sqlcom_select (thd=thd@entry=0x14f06b815088, all_tables=0x14f06b8747a8) at /test/10.5_dbg/sql/sql_parse.cc:6209
#19 0x0000561ffb2cc312 in mysql_execute_command (thd=thd@entry=0x14f06b815088) at /test/10.5_dbg/sql/sql_parse.cc:3939
#20 0x0000561ffb2d915c in mysql_parse (thd=thd@entry=0x14f06b815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f08449b350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993
#21 0x0000561ffb2c5c60 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f06b815088, packet=packet@entry=0x14f06b867089 "SELECT * FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_NAME='a'", packet_length=packet_length@entry=64, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874
#22 0x0000561ffb2c443a in do_command (thd=0x14f06b815088) at /test/10.5_dbg/sql/sql_parse.cc:1355
#23 0x0000561ffb41fc47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14f06e57a808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#24 0x0000561ffb420363 in handle_one_connection (arg=arg@entry=0x14f06e57a808) at /test/10.5_dbg/sql/sql_connect.cc:1313
#25 0x0000561ffb881902 in pfs_spawn_thread (arg=0x14f08b846c88) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#26 0x000014f08daa86db in start_thread (arg=0x14f08449c700) at pthread_create.c:463
#27 0x000014f08cea688f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.24 (dbg), 10.4.14 (dbg), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Roel Van de Paar added a comment - 2020-06-15 16:13 SET collation_connection=ucs2_general_ci; INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) VALUES ( 'a', 'a', 'FUNCTION', 'bug14233_1', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'int(10)', 'SELECT * FROM mysql.user', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'SELECT * FROM mysql.user' ); SELECT * FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_NAME='a'; Leads to: 10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057 mysqld: /test/10.5_dbg/sql/sql_string.h:924: bool String::append(const LEX_CSTRING*): Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed. 10.5.4 4080e3acefd7e58d88c2f3539fb6a0fb359cf057 Core was generated by `/test/MD150620-mariadb-10.5.4-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'. Program terminated with signal SIGABRT, Aborted. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x14f08449c700 (LWP 1573308))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x0000561ffbdd44c6 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518 #2 0x0000561ffb576d60 in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330 #3 <signal handler called> #4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #5 0x000014f08cdc5801 in __GI_abort () at abort.c:79 #6 0x000014f08cdb539a in __assert_fail_base (fmt=0x14f08cf3c7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x561ffbf2bda8 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))", file=file@entry=0x561ffbf2b678 "/test/10.5_dbg/sql/sql_string.h", line=line@entry=924, function=function@entry=0x561ffc124500 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:92 #7 0x000014f08cdb5412 in __GI___assert_fail (assertion=assertion@entry=0x561ffbf2bda8 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))", file=file@entry=0x561ffbf2b678 "/test/10.5_dbg/sql/sql_string.h", line=line@entry=924, function=function@entry=0x561ffc124500 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:101 #8 0x0000561ffb721483 in String::append (ls=0x14f084497280, this=0x14f0844955a0) at /test/10.5_dbg/sql/sql_string.h:922 #9 Sp_handler::show_create_sp (this=this@entry=0x561ffca8ba68 <sp_handler_function>, thd=thd@entry=0x14f06b815088, buf=buf@entry=0x14f0844955a0, db=@0x14f084495600: {str = 0x14f06b903d88 "a", length = 1}, name=@0x14f084495610: {str = 0x14f06b903d90 "a", length = 1}, params=@0x561ffc91b880: {str = 0x561ffc126516 "", length = 0}, returns=@0x14f084497280: {str = 0x14f06b903da8 "", length = 14}, body=@0x14f084495590: {str = 0x561ffc12359b "RETURN NULL", length = 11}, chistics=@0x14f0844955e0: {comment = {str = 0x0, length = 0}, suid = SP_IS_DEFAULT_SUID, detistic = false, daccess = SP_DEFAULT_ACCESS, agg_type = DEFAULT_AGGREGATE}, definer=@0x14f0844955c0: {user = {str = 0x561ffc126516 "", length = 0}, host = {str = 0x561ffc126516 "", length = 0}}, ddl_options={m_options = DDL_options_st::OPT_NONE}, sql_mode=0) at /test/10.5_dbg/sql/sp.cc:2995 #10 0x0000561ffb727c41 in Sp_handler::sp_load_for_information_schema (this=this@entry=0x561ffca8ba68 <sp_handler_function>, thd=thd@entry=0x14f06b815088, proc_table=proc_table@entry=0x14f06b8a2088, db=@0x14f084497250: {str = 0x14f06b903d88 "a", length = 1}, name=@0x14f084497260: {str = 0x14f06b903d90 "a", length = 1}, params=@0x561ffc91b880: {str = 0x561ffc126516 "", length = 0}, returns=@0x14f084497280: {str = 0x14f06b903da8 "", length = 14}, sql_mode=0, free_sp_head=0x14f08449724f) at /test/10.5_dbg/sql/sp.cc:3066 #11 0x0000561ffb373cf3 in store_schema_proc (thd=thd@entry=0x14f06b815088, table=table@entry=0x14f06b8d40a0, proc_table=proc_table@entry=0x14f06b8a2088, wild=wild@entry=0x0, full_access=<optimized out>, full_access@entry=true, sp_user=sp_user@entry=0x14f0844988d0 "root@localhost") at /test/10.5_dbg/sql/sql_show.cc:6430 #12 0x0000561ffb374b19 in fill_schema_proc (thd=0x14f06b815088, tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_show.cc:6549 #13 0x0000561ffb37715d in get_schema_tables_result (join=join@entry=0x14f06b876b00, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_dbg/sql/sql_show.cc:8673 #14 0x0000561ffb34a8e1 in JOIN::exec_inner (this=this@entry=0x14f06b876b00) at /test/10.5_dbg/sql/sql_select.cc:4401 #15 0x0000561ffb34b289 in JOIN::exec (this=this@entry=0x14f06b876b00) at /test/10.5_dbg/sql/sql_select.cc:4225 #16 0x0000561ffb34959e in mysql_select (thd=thd@entry=0x14f06b815088, tables=<optimized out>, fields=@0x14f06b8742d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f06b874738, last = 0x14f06b87a030, elements = 31}, <No data fields>}, conds=0x14f06b875080, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x14f06b876ad8, unit=0x14f06b8190a0, select_lex=0x14f06b874188) at /test/10.5_dbg/sql/sql_select.cc:4649 #17 0x0000561ffb3498cd in handle_select (thd=thd@entry=0x14f06b815088, lex=lex@entry=0x14f06b818fd8, result=result@entry=0x14f06b876ad8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417 #18 0x0000561ffb2d31ed in execute_sqlcom_select (thd=thd@entry=0x14f06b815088, all_tables=0x14f06b8747a8) at /test/10.5_dbg/sql/sql_parse.cc:6209 #19 0x0000561ffb2cc312 in mysql_execute_command (thd=thd@entry=0x14f06b815088) at /test/10.5_dbg/sql/sql_parse.cc:3939 #20 0x0000561ffb2d915c in mysql_parse (thd=thd@entry=0x14f06b815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14f08449b350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7993 #21 0x0000561ffb2c5c60 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f06b815088, packet=packet@entry=0x14f06b867089 "SELECT * FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_NAME='a'", packet_length=packet_length@entry=64, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1874 #22 0x0000561ffb2c443a in do_command (thd=0x14f06b815088) at /test/10.5_dbg/sql/sql_parse.cc:1355 #23 0x0000561ffb41fc47 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14f06e57a808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411 #24 0x0000561ffb420363 in handle_one_connection (arg=arg@entry=0x14f06e57a808) at /test/10.5_dbg/sql/sql_connect.cc:1313 #25 0x0000561ffb881902 in pfs_spawn_thread (arg=0x14f08b846c88) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201 #26 0x000014f08daa86db in start_thread (arg=0x14f08449c700) at pthread_create.c:463 #27 0x000014f08cea688f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.3.24 (dbg), 10.4.14 (dbg), 10.5.4 (dbg), 10.5.4 (opt) Bug confirmed not present in: MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (opt), 10.4.14 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Roel Van de Paar added a comment - 2020-06-15 16:14

Additional testcase

SET CHARACTER_SET_CONNECTION=ucs2;

INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) VALUES ('test','bug14233_1','FUNCTION','bug14233_1','SQL','READS_SQL_DATA','NO','DEFINER','','int(10)','SELECT COUNT(*) FROM mysql.user','root@localhost', NOW() , '0000-00-00 00:00:00','','','','','','SELECT COUNT(*) FROM mysql.user');

SHOW FUNCTION STATUS WHERE db=DATABASE();

Roel Van de Paar added a comment - 2020-06-15 16:14 Additional testcase SET CHARACTER_SET_CONNECTION=ucs2; INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) VALUES ('test','bug14233_1','FUNCTION','bug14233_1','SQL','READS_SQL_DATA','NO','DEFINER','','int(10)','SELECT COUNT(*) FROM mysql.user','root@localhost', NOW() , '0000-00-00 00:00:00','','','','','','SELECT COUNT(*) FROM mysql.user'); SHOW FUNCTION STATUS WHERE db=DATABASE();

Stepan Patryshev (Inactive) added a comment - 2020-11-16 11:48

Another test:

SET collation_connection='utf32_bin';

INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, CREATEd, modified, sql_mode, comment, CHARACTER_SET_client, collation_connection, db_collation, body_utf8) VALUES ('test', 'bug14233_1', 'FUNCTION', 'bug14233_1', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'INT (10)', 'SELECT COUNT (*) FROM mysql.USEr', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'SELECT COUNT (*) FROM mysql.USEr'), ('test', 'bug14233_2', 'FUNCTION', 'bug14233_2', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'INT (10)', 'begin declare x INT; SELECT COUNT (*) INTO x FROM mysql.USEr; end', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'begin declare x INT; SELECT COUNT (*) INTO x FROM mysql.USEr; end'), ('test', 'bug14233_3', 'PROCEDURE', 'bug14233_3', 'SQL', 'READS_SQL_DATA','NO', 'DEFINER', '', '', 'alksj wpsj sa ^#!@ ', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'alksj wpsj sa ^#!@ ');

SELECT SPECIFIC_SCHEMA, SPECIFIC_NAME, PARAMETER_NAME, DATA_TYPE, DATETIME_PRECISION FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='i_s_parameters_test';

Leads to:

10.4.18 b2029c0300bf8c311ff5d9fdc4b73a9e48bf6930 (Debug)
Core was generated by `/test/MD131120-mariadb-10.4.18-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x154cf808c700 (LWP 1735101))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000055e35ff41c00 in my_write_core (sig=sig@entry=6) at /test/10.4_dbg/mysys/stacktrace.c:386
#2 0x000055e35f6ca32e in handle_fatal_signal (sig=6) at /test/10.4_dbg/sql/signal_handler.cc:343
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x0000154d0fba18b1 in __GI_abort () at abort.c:79
#6 0x0000154d0fb9142a in __assert_fail_base (fmt=0x154d0fd18a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55e360011aa0 "ls->length < 0xF
FFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strlen(ls->str))", file=file@entry=0x55e36000fea8 "/test/10.4_dbg/sql/sql_string.h", line=line@entry=908, fu
nction=function@entry=0x55e3601f2ec0 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:92
#7 0x0000154d0fb914a2 in __GI___assert_fail (assertion=assertion@entry=0x55e360011aa0 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) \|\| ls->length == strl
en(ls->str))", file=file@entry=0x55e36000fea8 "/test/10.4_dbg/sql/sql_string.h", line=line@entry=908, function=function@entry=0x55e3601f2ec0 <_ZZN6String6appendEPK25st_
mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:101
#8 0x000055e35f86b8f6 in String::append (ls=0x154cf8086a10, this=0x154cf8084d60) at /test/10.4_dbg/sql/sql_string.h:906
#9 Sp_handler::show_create_sp (this=this@entry=0x55e360af2c48 <sp_handler_function>, thd=thd@entry=0x154ca4000d50, buf=buf@entry=0x154cf8084d60, db=@0x154cf8084dc0: {s
tr = 0x154ca40439f8 "test", length = 4}, name=@0x154cf8084dd0: {str = 0x154ca4043a00 "bug14233_1", length = 10}, params=@0x154cf8086a00: {str = 0x55e3601f4e76 "", lengt
h = 0}, returns=@0x154cf8086a10: {str = 0x154ca4043a20 "", length = 32}, body=@0x154cf8084d50: {str = 0x55e3601f1f5e "RETURN NULL", length = 11}, chistics=@0x154cf8084d
a0: {comment = {str = 0x0, length = 0}, suid = SP_IS_DEFAULT_SUID, detistic = false, daccess = SP_DEFAULT_ACCESS, agg_type = DEFAULT_AGGREGATE}, definer=@0x154cf8084d80
: {user = {str = 0x55e3601f4e76 "", length = 0}, host = {str = 0x55e3601f4e76 "", length = 0}}, ddl_options={m_options = DDL_options_st::OPT_NONE}, sql_mode=0) at /test
/10.4_dbg/sql/sp.cc:2956
#10 0x000055e35f871dcf in Sp_handler::sp_load_for_information_schema (this=this@entry=0x55e360af2c48 <sp_handler_function>, thd=thd@entry=0x154ca4000d50, proc_table=pro
c_table@entry=0x154ca4027210, db=@0x154cf8086a20: {str = 0x154ca40439f8 "test", length = 4}, name=@0x154cf8086a30: {str = 0x154ca4043a00 "bug14233_1", length = 10}, par
ams=@0x154cf8086a00: {str = 0x55e3601f4e76 "", length = 0}, returns=@0x154cf8086a10: {str = 0x154ca4043a20 "", length = 32}, sql_mode=0, free_sp_head=0x154cf80869ef) at
/test/10.4_dbg/sql/sp.cc:3028
#11 0x000055e35f4aaae8 in store_schema_params (thd=thd@entry=0x154ca4000d50, table=table@entry=0x154ca401f528, proc_table=proc_table@entry=0x154ca4027210, wild=wild@ent
ry=0x0, full_access=<optimized out>, full_access@entry=true, sp_user=sp_user@entry=0x154cf8088270 "root@localhost") at /test/10.4_dbg/sql/sql_show.cc:6379
#12 0x000055e35f4ac489 in fill_schema_proc (thd=0x154ca4000d50, tables=<optimized out>, cond=<optimized out>) at /test/10.4_dbg/sql/sql_show.cc:6633
#13 0x000055e35f4b123b in get_schema_tables_result (join=join@entry=0x154ca40152d8, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.4_dbg/sql/sq
l_show.cc:8927
#14 0x000055e35f48f93f in JOIN::exec_inner (this=this@entry=0x154ca40152d8) at /test/10.4_dbg/sql/sql_select.cc:4439
#15 0x000055e35f4902af in JOIN::exec (this=this@entry=0x154ca40152d8) at /test/10.4_dbg/sql/sql_select.cc:4264
#16 0x000055e35f48e639 in mysql_select (thd=thd@entry=0x154ca4000d50, tables=<optimized out>, wild_num=0, fields=@0x154ca40121b0: {<base_list> = {<Sql_alloc> = {<No dat
a fields>}, first = 0x154ca40125f0, last = 0x154ca4012ab8, elements = 5}, <No data fields>}, conds=0x154ca40134f0, og_num=<optimized out>, order=0x0, group=0x0, having=
0x0, proc_param=0x0, select_options=2684619520, result=0x154ca40152b0, unit=0x154ca4004c80, select_lex=0x154ca4012068) at /test/10.4_dbg/sql/sql_select.cc:4699
#17 0x000055e35f48e964 in handle_select (thd=thd@entry=0x154ca4000d50, lex=lex@entry=0x154ca4004bc0, result=result@entry=0x154ca40152b0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.4_dbg/sql/sql_select.cc:410
#18 0x000055e35f406bbc in execute_sqlcom_select (thd=thd@entry=0x154ca4000d50, all_tables=0x154ca4012b28) at /test/10.4_dbg/sql/sql_parse.cc:6400
#19 0x000055e35f41203b in mysql_execute_command (thd=thd@entry=0x154ca4000d50) at /test/10.4_dbg/sql/sql_parse.cc:3925
#20 0x000055e35f41cabf in mysql_parse (thd=thd@entry=0x154ca4000d50, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154cf808b4a0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7938
#21 0x000055e35f41f337 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x154ca4000d50, packet=packet@entry=0x154ca401a231 "SELECT SPECIFIC_SCHEMA, SPECIFIC_NAME, PARAMETER_NAME, DATA_TYPE, DATETIME_PRECISION FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='i_s_parameters_test'", packet_length=packet_length@entry=163, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:1839
#22 0x000055e35f422d72 in do_command (thd=0x154ca4000d50) at /test/10.4_dbg/sql/sql_parse.cc:1357
#23 0x000055e35f5515b6 in do_handle_one_connection (connect=connect@entry=0x55e362477ef0) at /test/10.4_dbg/sql/sql_connect.cc:1412
#24 0x000055e35f5516d6 in handle_one_connection (arg=0x55e362477ef0) at /test/10.4_dbg/sql/sql_connect.cc:1316
#25 0x0000154d10b086db in start_thread (arg=0x154cf808c700) at pthread_create.c:463
#26 0x0000154d0fc82a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.28 (dbg), 10.4.18 (dbg), 10.5.9 (dbg), 10.6.0 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (opt), 10.4.18 (opt), 10.5.9 (opt), 10.6.0 (opt)

Stepan Patryshev (Inactive) added a comment - 2020-11-16 11:48 Another test: SET collation_connection='utf32_bin'; INSERT INTO mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, CREATEd, modified, sql_mode, comment, CHARACTER_SET_client, collation_connection, db_collation, body_utf8) VALUES ('test', 'bug14233_1', 'FUNCTION', 'bug14233_1', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'INT (10)', 'SELECT COUNT (*) FROM mysql.USEr', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'SELECT COUNT (*) FROM mysql.USEr'), ('test', 'bug14233_2', 'FUNCTION', 'bug14233_2', 'SQL', 'READS_SQL_DATA', 'NO', 'DEFINER', '', 'INT (10)', 'begin declare x INT; SELECT COUNT (*) INTO x FROM mysql.USEr; end', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'begin declare x INT; SELECT COUNT (*) INTO x FROM mysql.USEr; end'), ('test', 'bug14233_3', 'PROCEDURE', 'bug14233_3', 'SQL', 'READS_SQL_DATA','NO', 'DEFINER', '', '', 'alksj wpsj sa ^#!@ ', 'root@localhost', NOW(), '0000-00-00 00:00:00', '', '', '', '', '', 'alksj wpsj sa ^#!@ '); SELECT SPECIFIC_SCHEMA, SPECIFIC_NAME, PARAMETER_NAME, DATA_TYPE, DATETIME_PRECISION FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='i_s_parameters_test'; Leads to: 10.4.18 b2029c0300bf8c311ff5d9fdc4b73a9e48bf6930 (Debug) Core was generated by `/test/MD131120-mariadb-10.4.18-linux-x86_64-dbg/bin/mysqld --no-defaults --core'. Program terminated with signal SIGABRT, Aborted. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 [Current thread is 1 (Thread 0x154cf808c700 (LWP 1735101))] (gdb) bt #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57 #1 0x000055e35ff41c00 in my_write_core (sig=sig@entry=6) at /test/10.4_dbg/mysys/stacktrace.c:386 #2 0x000055e35f6ca32e in handle_fatal_signal (sig=6) at /test/10.4_dbg/sql/signal_handler.cc:343 #3 <signal handler called> #4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #5 0x0000154d0fba18b1 in __GI_abort () at abort.c:79 #6 0x0000154d0fb9142a in __assert_fail_base (fmt=0x154d0fd18a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55e360011aa0 "ls->length < 0xF FFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))", file=file@entry=0x55e36000fea8 "/test/10.4_dbg/sql/sql_string.h", line=line@entry=908, fu nction=function@entry=0x55e3601f2ec0 <_ZZN6String6appendEPK25st_mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:92 #7 0x0000154d0fb914a2 in __GI___assert_fail (assertion=assertion@entry=0x55e360011aa0 "ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strl en(ls->str))", file=file@entry=0x55e36000fea8 "/test/10.4_dbg/sql/sql_string.h", line=line@entry=908, function=function@entry=0x55e3601f2ec0 <_ZZN6String6appendEPK25st_ mysql_const_lex_stringE19__PRETTY_FUNCTION__> "bool String::append(const LEX_CSTRING*)") at assert.c:101 #8 0x000055e35f86b8f6 in String::append (ls=0x154cf8086a10, this=0x154cf8084d60) at /test/10.4_dbg/sql/sql_string.h:906 #9 Sp_handler::show_create_sp (this=this@entry=0x55e360af2c48 <sp_handler_function>, thd=thd@entry=0x154ca4000d50, buf=buf@entry=0x154cf8084d60, db=@0x154cf8084dc0: {s tr = 0x154ca40439f8 "test", length = 4}, name=@0x154cf8084dd0: {str = 0x154ca4043a00 "bug14233_1", length = 10}, params=@0x154cf8086a00: {str = 0x55e3601f4e76 "", lengt h = 0}, returns=@0x154cf8086a10: {str = 0x154ca4043a20 "", length = 32}, body=@0x154cf8084d50: {str = 0x55e3601f1f5e "RETURN NULL", length = 11}, chistics=@0x154cf8084d a0: {comment = {str = 0x0, length = 0}, suid = SP_IS_DEFAULT_SUID, detistic = false, daccess = SP_DEFAULT_ACCESS, agg_type = DEFAULT_AGGREGATE}, definer=@0x154cf8084d80 : {user = {str = 0x55e3601f4e76 "", length = 0}, host = {str = 0x55e3601f4e76 "", length = 0}}, ddl_options={m_options = DDL_options_st::OPT_NONE}, sql_mode=0) at /test /10.4_dbg/sql/sp.cc:2956 #10 0x000055e35f871dcf in Sp_handler::sp_load_for_information_schema (this=this@entry=0x55e360af2c48 <sp_handler_function>, thd=thd@entry=0x154ca4000d50, proc_table=pro c_table@entry=0x154ca4027210, db=@0x154cf8086a20: {str = 0x154ca40439f8 "test", length = 4}, name=@0x154cf8086a30: {str = 0x154ca4043a00 "bug14233_1", length = 10}, par ams=@0x154cf8086a00: {str = 0x55e3601f4e76 "", length = 0}, returns=@0x154cf8086a10: {str = 0x154ca4043a20 "", length = 32}, sql_mode=0, free_sp_head=0x154cf80869ef) at /test/10.4_dbg/sql/sp.cc:3028 #11 0x000055e35f4aaae8 in store_schema_params (thd=thd@entry=0x154ca4000d50, table=table@entry=0x154ca401f528, proc_table=proc_table@entry=0x154ca4027210, wild=wild@ent ry=0x0, full_access=<optimized out>, full_access@entry=true, sp_user=sp_user@entry=0x154cf8088270 "root@localhost") at /test/10.4_dbg/sql/sql_show.cc:6379 #12 0x000055e35f4ac489 in fill_schema_proc (thd=0x154ca4000d50, tables=<optimized out>, cond=<optimized out>) at /test/10.4_dbg/sql/sql_show.cc:6633 #13 0x000055e35f4b123b in get_schema_tables_result (join=join@entry=0x154ca40152d8, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.4_dbg/sql/sq l_show.cc:8927 #14 0x000055e35f48f93f in JOIN::exec_inner (this=this@entry=0x154ca40152d8) at /test/10.4_dbg/sql/sql_select.cc:4439 #15 0x000055e35f4902af in JOIN::exec (this=this@entry=0x154ca40152d8) at /test/10.4_dbg/sql/sql_select.cc:4264 #16 0x000055e35f48e639 in mysql_select (thd=thd@entry=0x154ca4000d50, tables=<optimized out>, wild_num=0, fields=@0x154ca40121b0: {<base_list> = {<Sql_alloc> = {<No dat a fields>}, first = 0x154ca40125f0, last = 0x154ca4012ab8, elements = 5}, <No data fields>}, conds=0x154ca40134f0, og_num=<optimized out>, order=0x0, group=0x0, having= 0x0, proc_param=0x0, select_options=2684619520, result=0x154ca40152b0, unit=0x154ca4004c80, select_lex=0x154ca4012068) at /test/10.4_dbg/sql/sql_select.cc:4699 #17 0x000055e35f48e964 in handle_select (thd=thd@entry=0x154ca4000d50, lex=lex@entry=0x154ca4004bc0, result=result@entry=0x154ca40152b0, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.4_dbg/sql/sql_select.cc:410 #18 0x000055e35f406bbc in execute_sqlcom_select (thd=thd@entry=0x154ca4000d50, all_tables=0x154ca4012b28) at /test/10.4_dbg/sql/sql_parse.cc:6400 #19 0x000055e35f41203b in mysql_execute_command (thd=thd@entry=0x154ca4000d50) at /test/10.4_dbg/sql/sql_parse.cc:3925 #20 0x000055e35f41cabf in mysql_parse (thd=thd@entry=0x154ca4000d50, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x154cf808b4a0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7938 #21 0x000055e35f41f337 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x154ca4000d50, packet=packet@entry=0x154ca401a231 "SELECT SPECIFIC_SCHEMA, SPECIFIC_NAME, PARAMETER_NAME, DATA_TYPE, DATETIME_PRECISION FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='i_s_parameters_test'", packet_length=packet_length@entry=163, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:1839 #22 0x000055e35f422d72 in do_command (thd=0x154ca4000d50) at /test/10.4_dbg/sql/sql_parse.cc:1357 #23 0x000055e35f5515b6 in do_handle_one_connection (connect=connect@entry=0x55e362477ef0) at /test/10.4_dbg/sql/sql_connect.cc:1412 #24 0x000055e35f5516d6 in handle_one_connection (arg=0x55e362477ef0) at /test/10.4_dbg/sql/sql_connect.cc:1316 #25 0x0000154d10b086db in start_thread (arg=0x154cf808c700) at pthread_create.c:463 #26 0x0000154d0fc82a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Bug confirmed present in: MariaDB: 10.3.28 (dbg), 10.4.18 (dbg), 10.5.9 (dbg), 10.6.0 (dbg) Bug confirmed not present in: MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (opt), 10.4.18 (opt), 10.5.9 (opt), 10.6.0 (opt)

Sergei Golubchik added a comment - 2021-01-04 11:31

I failed to repeat it in the latest 10.2 (mariadb-10.2.36-89-g608b0ee52ef) and the latest 10.3 (mariadb-10.3.27-133-g564dcf57d49). No errors with or without ASAN

Sergei Golubchik added a comment - 2021-01-04 11:31 I failed to repeat it in the latest 10.2 (mariadb-10.2.36-89-g608b0ee52ef) and the latest 10.3 (mariadb-10.3.27-133-g564dcf57d49). No errors with or without ASAN

Sergei Golubchik added a comment - 2021-01-04 11:32

bugs from comments are repeatable, but they aren't "2nd execution of SP", so not related to ~~MDEV-16788~~

Sergei Golubchik added a comment - 2021-01-04 11:32 bugs from comments are repeatable, but they aren't "2nd execution of SP", so not related to MDEV-16788

Elena Stepanova added a comment - 2021-01-04 13:39

The originally reported failure was fixed by the patch for ~~MDEV-16932~~ in 10.2.27, 10.3.18, 10.4.8. As Sergei stated above, failures in the comments are unrelated.
Fixing patch:

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Tue May 14 14:01:15 2019 +0200

    MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

Elena Stepanova added a comment - 2021-01-04 13:39 The originally reported failure was fixed by the patch for MDEV-16932 in 10.2.27, 10.3.18, 10.4.8. As Sergei stated above, failures in the comments are unrelated. Fixing patch: Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Tue May 14 14:01:15 2019 +0200 MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

Roel Van de Paar added a comment - 2021-01-05 09:16

Moved additional testcases to ~~MDEV-24524~~.

Roel Van de Paar added a comment - 2021-01-05 09:16 Moved additional testcases to MDEV-24524 .

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-07-20 12:12

Updated:: 2021-01-05 09:16

Resolved:: 2021-01-04 13:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server