Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22022

Various mangled SQL statements will crash 10.3 to 10.5 debug builds

    XMLWordPrintable

    Details

      Description

       SOURCE in.sql
      

      With in.sql file defined as:

      if(`systeminfo /FO LIST;
      

      Will result in:

      10.5.2>source /tmp/in.sql
      ERROR 2013 (HY000) at line 1 in file: '/tmp/in.sql': Lost connection to MySQL server during query
      

      Core was generated by `/data/MD180320-mariadb-10.5.2-linux-x86_64-debug/bin/mysqld --no-defaults --cor'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      [Current thread is 1 (Thread 0x7f8e51804700 (LWP 15910))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000055a54106f7d4 in my_write_core (sig=sig@entry=6) at /data/git/10.5_dbg/mysys/stacktrace.c:518
      #2  0x000055a540818b5f in handle_fatal_signal (sig=6) at /data/git/10.5_dbg/sql/signal_handler.cc:325
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #5  0x00007f8e4ff48801 in __GI_abort () at abort.c:79
      #6  0x00007f8e4ff3839a in __assert_fail_base (
          fmt=0x7f8e500bf7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
          assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", 
          file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170, 
          function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:92
      #7  0x00007f8e4ff38412 in __GI___assert_fail (
          assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", 
          file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170, 
          function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:101
      #8  0x000055a540550855 in LEX::create_item_ident_sp (this=this@entry=0x7f8e24c890a0, thd=thd@entry=
          0x7f8e24c15088, name=name@entry=0x7f8e51802530, start=0x7f8e24c740a3 "`systeminfo /FO LIST", 
          end=0x7f8e24c740b8 "\004") at /data/git/10.5_dbg/sql/sql_lex.cc:8170
      #9  0x000055a5407a3619 in LEX::create_item_ident (cname=0x7f8e51802708, thd=0x7f8e24c15088, 
          this=0x7f8e24c890a0) at /data/git/10.5_dbg/sql/sql_lex.h:3915
      #10 MYSQLparse (thd=thd@entry=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_yacc.yy:14908
      #11 0x000055a540584135 in parse_sql (thd=thd@entry=0x7f8e24c15088, 
          parser_state=parser_state@entry=0x7f8e51803450, creation_ctx=creation_ctx@entry=0x0, 
          do_pfs_digest=do_pfs_digest@entry=true) at /data/git/10.5_dbg/sql/sql_parse.cc:10232
      #12 0x000055a54057e5ab in mysql_parse (thd=thd@entry=0x7f8e24c15088, rawbuf=<optimized out>, length=23, 
          parser_state=parser_state@entry=0x7f8e51803450, is_com_multi=is_com_multi@entry=false, 
          is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:7879
      #13 0x000055a54056a664 in dispatch_command (command=command@entry=COM_QUERY, 
          thd=thd@entry=0x7f8e24c15088, packet=packet@entry=0x7f8e24c67089 "if(`systeminfo /FO LIST;", 
          packet_length=packet_length@entry=24, is_com_multi=is_com_multi@entry=false, 
          is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:1839
      #14 0x000055a540568eaf in do_command (thd=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_parse.cc:1358
      #15 0x000055a5406c2a09 in do_handle_one_connection (connect=<optimized out>, 
          connect@entry=0x7f8e2de2b3a8, put_in_cache=put_in_cache@entry=true)
          at /data/git/10.5_dbg/sql/sql_connect.cc:1422
      #16 0x000055a5406c2d38 in handle_one_connection (arg=arg@entry=0x7f8e2de2b3a8)
          at /data/git/10.5_dbg/sql/sql_connect.cc:1319
      #17 0x000055a540b1fcfc in pfs_spawn_thread (arg=0x7f8e4f445888)
          at /data/git/10.5_dbg/storage/perfschema/pfs.cc:2201
      #18 0x00007f8e50c2b6db in start_thread (arg=0x7f8e51804700) at pthread_create.c:463
      #19 0x00007f8e5002988f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg)

      Bug confirmed not present in:
      MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      Correct parsing will/should result in:

      10.1.45>source /tmp/in.sql
      ERROR 1064 (42000) at line 1 in file: '/tmp/in.sql': You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
      

      In case it matters, OS is Ubuntu 18.04.4 LTS x64

        Attachments

          Activity

            People

            Assignee:
            bar Alexander Barkov
            Reporter:
            Roel Roel Van de Paar
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: