[MDEV-27875] The statement FOR var_name IN lower_bound .. upper_bound crashes server in case a stored function is specified for lower_bound/upper_bound - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.4, 10.5, 10.6
Component/s: Stored routines
Labels:
None

Description

Executing the following test case results in server abnormal termination

MariaDB [test]> CREATE TABLE t1(a INT);

Query OK, 0 rows affected (0,025 sec)

MariaDB [test]> CREATE TABLE t2(a INT);

Query OK, 0 rows affected (0,044 sec)

MariaDB [test]> delimiter $

MariaDB [test]> CREATE FUNCTION f() RETURNS INT  BEGIN RETURN (SELECT COUNT(a) FROM t1); END;$

Query OK, 0 rows affected (0,064 sec)

MariaDB [test]> FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR$

ERROR 2013 (HY000): Lost connection to MySQL server during query

The following call stack shows the place where server crashed

(lldb) bt

* thread #8, stop reason = signal SIGSTOP

  * frame #0: 0x00000001081148d0 mariadbd`Item_sp::cleanup(this=0x00007fbb990ca9e0) at item.cc:2754:3

    frame #1: 0x00000001081afde0 mariadbd`Item_func_sp::cleanup(this=0x00007fbb990ca918) at item_func.cc:6588:12

    frame #2: 0x000000010843fe2a mariadbd`Item::delete_self(this=0x00007fbb990ca918) at item.h:2323:5

    frame #3: 0x000000010843823d mariadbd`Query_arena::free_items(this=0x00007fbb990cb578) at sql_class.cc:3854:16

    frame #4: 0x000000010839cf93 mariadbd`sp_instr::~sp_instr(this=0x00007fbb990cb578) at sp_head.h:1107:5

    frame #5: 0x000000010839ee34 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:4

    frame #6: 0x000000010839b3a5 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:3

    frame #7: 0x000000010839b3c9 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:3

    frame #8: 0x0000000108386e83 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:881:5

    frame #9: 0x00000001083884f5 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:872:1

    frame #10: 0x0000000108388519 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:872:1

    frame #11: 0x0000000108386322 mariadbd`sp_head::destroy(sp=0x00007fbb990c98a0) at sp_head.cc:518:5

    frame #12: 0x000000010849497d mariadbd`lex_end_nops(lex=0x00007fbb9a0a4f98) at sql_lex.cc:1360:3

    frame #13: 0x0000000108492863 mariadbd`lex_end(lex=0x00007fbb9a0a4f98) at sql_lex.cc:1329:3

    frame #14: 0x00000001084401e2 mariadbd`THD::end_statement(this=0x00007fbb9a0a0e88) at sql_class.cc:3928:3

    frame #15: 0x00000001084d2681 mariadbd`mysql_parse(thd=0x00007fbb9a0a0e88, rawbuf="FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR", length=53, parser_state=0x000070000cde5e48, is_com_multi=false, is_next_command=false) at sql_parse.cc:8122:10

    frame #16: 0x00000001084ce06e mariadbd`dispatch_command(command=COM_QUERY, thd=0x00007fbb9a0a0e88, packet="FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR", packet_length=53, is_com_multi=false, is_next_command=false) at sql_parse.cc:1891:7

    frame #17: 0x00000001084d3483 mariadbd`do_command(thd=0x00007fbb9a0a0e88) at sql_parse.cc:1370:17

    frame #18: 0x00000001086f8997 mariadbd`do_handle_one_connection(connect=0x0000600001f206a8, put_in_cache=true) at sql_connect.cc:1418:11

    frame #19: 0x00000001086f861a mariadbd`::handle_one_connection(arg=0x0000600001f206a8) at sql_connect.cc:1312:5

    frame #20: 0x00000001089cb60f mariadbd`::pfs_spawn_thread(arg=0x00007fbb9981cc28) at pfs.cc:2201:3

    frame #21: 0x00007ff81fabd514 libsystem_pthread.dylib`_pthread_start + 125

    frame #22: 0x00007ff81fab902f libsystem_pthread.dylib`thread_start + 15

(lldb) list

   2751	void

   2752	Item_sp::cleanup()

   2753	{

   2754	  delete sp_result_field;

   2755	  sp_result_field= NULL;

   2756	  m_sp= NULL;

   2757	  delete func_ctx;

(lldb) p *sp_result_field

(Field) $0 = {

  ptr = 0x8f8f8f8f8f8f8f8f ""

  invisible = INVISIBLE_FULL | 0x8f8f8f8c

  null_ptr = 0x8f8f8f8f8f8f8f8f ""

  table = 0x8f8f8f8f8f8f8f8f

  orig_table = 0x8f8f8f8f8f8f8f8f

  table_name = 0x8f8f8f8f8f8f8f8f

  field_name = (str = "", length = 10344644715844964239)

  comment = (str = "", length = 10344644715844964239)

  option_list = 0x8f8f8f8f8f8f8f8f

  option_struct = 0x8f8f8f8f8f8f8f8f

  key_start = {

    buffer = ([0] = 10344644715844964239)

  part_of_key = {

    buffer = ([0] = 10344644715844964239)

  part_of_key_not_clustered = {

    buffer = ([0] = 10344644715844964239)

  part_of_sortkey = {

    buffer = ([0] = 10344644715844964239)

  unireg_check = 2408550287

  field_length = 2408550287

  flags = 2408550287

  field_index = 36751

  null_bit = '\x8f'

  is_created_from_null_item = true

  cond_selectivity = -9.9261575707946012E-234

  next_equal_field = 0x8f8f8f8f8f8f8f8f

  read_stats = 0x8f8f8f8f8f8f8f8f

  collected_stats = 0x8f8f8f8f8f8f8f8f

  vcol_info = 0x8f8f8f8f8f8f8f8f

  check_constraint = 0x8f8f8f8f8f8f8f8f

  default_value = 0x8f8f8f8f8f8f8f8f

As can be seen from the stack trace, server crashed on attempt to de-reference a pointer to already freed memory.

Attachments

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Dmitry Shulga

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2022-02-17 13:16

Updated:: 2023-11-28 10:38

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.