[MDEV-23666] Assertion `m_cpp_buf <= ptr && ptr <= m_cpp_buf + m_buf_length' failed in Lex_input_stream::body_utf8_append - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.3.28, 10.4.18, 10.5.9, 10.6.0
Component/s: Parser
Labels:
- not-10.1
- not-10.2
- regression
- security

Description

10.5.6 1c587481966abc7a9ad5309d0a91ca920f7a5657 (Debug)
mysqld: /test/10.5_dbg/sql/sql_lex.cc:911: void Lex_input_stream::body_utf8_append(const char, const char): Assertion `m_cpp_buf <= ptr && ptr <= m_cpp_buf + m_buf_length' failed.

10.5.6 1c587481966abc7a9ad5309d0a91ca920f7a5657 (Debug)
Core was generated by `/test/MD110820-mariadb-10.5.6-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14b709d00700 (LWP 716908))]
(gdb) bt
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x000055ab5dbefb86 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:519
#2 0x000055ab5d3a6d7b in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x000014b707f968b1 in __GI_abort () at abort.c:79
#6 0x000014b707f8642a in __assert_fail_base (fmt=0x14b70810da38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55ab5dd6adb0 "m_cpp_buf <= ptr && ptr <= m_cpp_buf + m_buf_length", file=file@entry=0x55ab5dd6950c "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=911, function=function@entry=0x55ab5dd6dd80 <Lex_input_stream::body_utf8_append(char const, char const)::__PRETTY_FUNCTION__> "void Lex_input_stream::body_utf8_append(const char, const char)") at assert.c:92
#7 0x000014b707f864a2 in __GI___assert_fail (assertion=assertion@entry=0x55ab5dd6adb0 "m_cpp_buf <= ptr && ptr <= m_cpp_buf + m_buf_length", file=file@entry=0x55ab5dd6950c "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=911, function=function@entry=0x55ab5dd6dd80 <Lex_input_stream::body_utf8_append(char const, char const)::__PRETTY_FUNCTION__> "void Lex_input_stream::body_utf8_append(const char, const char)") at assert.c:101
#8 0x000055ab5d0c6e0e in Lex_input_stream::body_utf8_append (this=this@entry=0x14b709cff350, ptr=ptr@entry=0x14b6e5874160 "\340#\224^\253U", end_ptr=end_ptr@entry=0x14b6e5874160 "\340#\224^\253U") at /test/10.5_dbg/sql/sql_lex.cc:911
#9 0x000055ab5d0c6ea0 in Lex_input_stream::body_utf8_append (this=this@entry=0x14b709cff350, ptr=ptr@entry=0x14b6e5874160 "\340#\224^\253U") at /test/10.5_dbg/sql/sql_lex.cc:939
#10 0x000055ab5d03005c in sp_head::set_stmt_end (this=0x14b6e587d0a0, thd=thd@entry=0x14b6e5815088) at /test/10.5_dbg/sql/sp_head.cc:854
#11 0x000055ab5d0d4516 in LEX::sp_body_finalize_routine (this=this@entry=0x14b6e5818fd8, thd=thd@entry=0x14b6e5815088) at /test/10.5_dbg/sql/sql_lex.cc:7203
#12 0x000055ab5d0d4555 in LEX::sp_body_finalize_procedure (this=0x14b6e5818fd8, thd=thd@entry=0x14b6e5815088) at /test/10.5_dbg/sql/sql_lex.cc:7212
#13 0x000055ab5d336861 in MYSQLparse (thd=thd@entry=0x14b6e5815088) at /test/10.5_dbg/sql/sql_yacc.yy:17933
#14 0x000055ab5d10b7e2 in parse_sql (thd=thd@entry=0x14b6e5815088, parser_state=parser_state@entry=0x14b709cff350, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.5_dbg/sql/sql_parse.cc:10352
#15 0x000055ab5d105b54 in mysql_parse (thd=thd@entry=0x14b6e5815088, rawbuf=<optimized out>, length=47, parser_state=parser_state@entry=0x14b709cff350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7947
#16 0x000055ab5d0f277e in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14b6e5815088, packet=packet@entry=0x14b6e5867089 "CREATE PROCEDURE p () UPDATE t SET c='\"''''\"'\"';", packet_length=packet_length@entry=48, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1867
#17 0x000055ab5d0f0f58 in do_command (thd=0x14b6e5815088) at /test/10.5_dbg/sql/sql_parse.cc:1348
#18 0x000055ab5d24dbc9 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14b6e8cd0808, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1410
#19 0x000055ab5d24e2e5 in handle_one_connection (arg=arg@entry=0x14b6e8cd0808) at /test/10.5_dbg/sql/sql_connect.cc:1312
#20 0x000055ab5d6b4572 in pfs_spawn_thread (arg=0x14b706846508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#21 0x000014b708c796db in start_thread (arg=0x14b709d00700) at pthread_create.c:463
#22 0x000014b708077a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.25 (dbg), 10.4.15 (dbg), 10.5.6 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.47 (dbg), 10.1.47 (opt), 10.2.34 (dbg), 10.2.34 (opt), 10.3.25 (opt), 10.4.15 (opt), 10.5.6 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Attachments

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020-09-04 03:05

Updated:: 2021-01-14 07:34

Resolved:: 2021-01-14 07:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server