MariaDB Server: MDEV-21630

Server crashes in mysql_derived_prepare on 2nd execution of SP with views, ASAN: heap-use-after-free in mysql_derived_prepare

Description

      We have other open bugs for multi-update (and of course for views and 2nd execution), but I haven't found the exact match, so I'm filing it separately.

      CREATE TABLE t1 (a INT);
      CREATE ALGORITHM=MERGE VIEW v1 AS SELECT a FROM t1;
      CREATE ALGORITHM=MERGE VIEW v2 AS SELECT * FROM ( SELECT v1.a FROM t1, v1 ) AS sq;
      CREATE PROCEDURE p() UPDATE v2 SET a = 2;
       
      --error ER_NON_UPDATABLE_TABLE
      CALL p;
      CREATE OR REPLACE TABLE t1 (b INT);
      CALL p;
       
      # Cleanup
      DROP PROCEDURE p;
      DROP VIEW v2;
      DROP VIEW v1;
      DROP TABLE t1;
      

      10.4 d87b725e

      #3  <signal handler called>
      #4  0x0000559533b1a574 in mysql_derived_prepare (thd=0x7f4090000af0, lex=0x7f409013ec68, derived=0x7f4090047a08) at /data/src/10.4/sql/sql_derived.cc:908
      #5  0x0000559533b19227 in mysql_derived_merge_for_insert (thd=0x7f4090000af0, lex=0x7f409013ec68, derived=0x7f4090047a08) at /data/src/10.4/sql/sql_derived.cc:541
      #6  0x0000559533b18326 in mysql_handle_derived (lex=0x7f409013ec68, phases=16) at /data/src/10.4/sql/sql_derived.cc:126
      #7  0x0000559533c863c5 in Multiupdate_prelocking_strategy::handle_end (this=0x7f40a005aa10, thd=0x7f4090000af0) at /data/src/10.4/sql/sql_update.cc:1680
      #8  0x0000559533c86bb5 in mysql_multi_update_prepare (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_update.cc:1846
      #9  0x0000559533b74b6a in mysql_execute_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:4408
      #10 0x0000559533a8412e in sp_instr_stmt::exec_core (this=0x7f40901860d8, thd=0x7f4090000af0, nextp=0x7f40a005b6a4) at /data/src/10.4/sql/sp_head.cc:3683
      #11 0x0000559533a83503 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7f4090186120, thd=0x7f4090000af0, nextp=0x7f40a005b6a4, open_tables=false, instr=0x7f40901860d8) at /data/src/10.4/sql/sp_head.cc:3415
      #12 0x0000559533a83cf2 in sp_instr_stmt::execute (this=0x7f40901860d8, thd=0x7f4090000af0, nextp=0x7f40a005b6a4) at /data/src/10.4/sql/sp_head.cc:3589
      #13 0x0000559533a7d3eb in sp_head::execute (this=0x7f4090184ba8, thd=0x7f4090000af0, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1361
      #14 0x0000559533a8021f in sp_head::execute_procedure (this=0x7f4090184ba8, thd=0x7f4090000af0, args=0x7f40900058e0) at /data/src/10.4/sql/sp_head.cc:2366
      #15 0x0000559533b7018d in do_execute_sp (thd=0x7f4090000af0, sp=0x7f4090184ba8) at /data/src/10.4/sql/sql_parse.cc:3015
      #16 0x0000559533b70e74 in Sql_cmd_call::execute (this=0x7f4090013240, thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:3257
      #17 0x0000559533b7c241 in mysql_execute_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:6102
      #18 0x0000559533b81903 in mysql_parse (thd=0x7f4090000af0, rawbuf=0x7f4090013198 "CALL p", length=6, parser_state=0x7f40a005d160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7901
      #19 0x0000559533b6cad0 in dispatch_command (command=COM_QUERY, thd=0x7f4090000af0, packet=0x7f40900083a1 "CALL p", packet_length=6, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
      #20 0x0000559533b6b15d in do_command (thd=0x7f4090000af0) at /data/src/10.4/sql/sql_parse.cc:1360
      #21 0x0000559533cf4377 in do_handle_one_connection (connect=0x559537e0c7d0) at /data/src/10.4/sql/sql_connect.cc:1412
      #22 0x0000559533cf40c6 in handle_one_connection (arg=0x559537e0c7d0) at /data/src/10.4/sql/sql_connect.cc:1316
      #23 0x00005595346fc8c9 in pfs_spawn_thread (arg=0x559537d2fa90) at /data/src/10.4/storage/perfschema/pfs.cc:1869
      #24 0x00007f40a7e3c4a4 in start_thread (arg=0x7f40a005e700) at pthread_create.c:456
      #25 0x00007f40a5f70d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
      

      Fails the same way on debug and non-debug builds.
      Reproducible with at least MyISAM, InnoDB, Aria.
      Reproducible on 10.2-10.5; the test case is not applicable to 10.1.

            People

              shulga Dmitry Shulga
              elenst Elena Stepanova