SIGSEGV in Query_arena::free_items | sp_lex_instr::parse_expr | sp_lex_keeper::validate_lex_and_exec_core

--DELIMITER $$

CREATE PROCEDURE p() 

BEGIN 

   DECLARE b,c INT DEFAULT f();

   SELECT b - c;

END;

$$

--DELIMITER ;

SET max_session_mem_used=8192;

--ERROR ER_OPTION_PREVENTS_STATEMENT

CALL p();

SET max_session_mem_used=DEFAULT;

CALL p();

# cleanup

DROP PROCEDURE p;

Core was generated by `/test/MD300625-mariadb-12.1.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  Query_arena::free_items (this=0x1db0)at /test/12.1_opt/sql/sql_class.cc:4190

[Current thread is 1 (LWP 1717604)]

(gdb) bt

#0  Query_arena::free_items (this=0x1db0)at /test/12.1_opt/sql/sql_class.cc:4190

#1  0x0000564457939213 in sp_lex_instr::parse_expr (this=this@entry=0x7f61cc0233c0, thd=thd@entry=0x7f61cc000c68, sp=0x7f61cc021bb0, sp_instr_lex=0x7f61cc023be0)at /test/12.1_opt/sql/sp_instr.cc:940

#2  0x0000564457938e62 in sp_lex_keeper::validate_lex_and_exec_core (this=0x7f61cc0233f8, thd=0x7f61cc000c68, nextp=0x7f847f360e04, open_tables=<optimized out>, instr=0x7f61cc0233c0)at /test/12.1_opt/sql/sp_instr.cc:508

#3  0x00005644576dffea in sp_head::execute (this=this@entry=0x7f61cc021bb0, thd=thd@entry=0x7f61cc000c68, merge_da_on_success=true)at /test/12.1_opt/sql/sp_head.cc:1295

#4  0x00005644576e1a83 in sp_head::execute_procedure (this=0x7f61cc021bb0, thd=0x7f61cc000c68, args=0x7f61cc006028)at /test/12.1_opt/sql/sp_head.cc:2329

#5  0x000056445778ea9a in do_execute_sp (thd=thd@entry=0x7f61cc000c68, sp=0x1db0, sp@entry=0x7f61cc021bb0) at /test/12.1_opt/sql/sql_parse.cc:3060

#6  0x000056445778e76d in Sql_cmd_call::execute (this=0x7f61cc017798, thd=0x7f61cc000c68) at /test/12.1_opt/sql/sql_parse.cc:3283

#7  0x000056445778fcb3 in mysql_execute_command (thd=thd@entry=0x7f61cc000c68, is_called_from_prepared_stmt=false) at /test/12.1_opt/sql/sql_parse.cc:5861

#8  0x000056445778b681 in mysql_parse (thd=thd@entry=0x7f61cc000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f847f362420)at /test/12.1_opt/sql/sql_parse.cc:7882

#9  0x0000564457789b9f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f61cc000c68, packet=packet@entry=0x7f61cc008a69 "CALL p()", packet_length=packet_length@entry=8, blocking=true)at /test/12.1_opt/sql/sql_parse.cc:1877

#10 0x000056445778ba91 in do_command (thd=thd@entry=0x7f61cc000c68, blocking=true) at /test/12.1_opt/sql/sql_parse.cc:1416

#11 0x00005644578b827d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56446ccfd058, put_in_cache=true)at /test/12.1_opt/sql/sql_connect.cc:1414

#12 0x00005644578b803f in handle_one_connection (arg=arg@entry=0x56446ccfd058)at /test/12.1_opt/sql/sql_connect.cc:1326

#13 0x0000564457c53e59 in pfs_spawn_thread (arg=0x56446cc9b7f8)at /test/12.1_opt/storage/perfschema/pfs.cc:2198

#14 0x00007f8488c9caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447

#15 0x00007f8488d29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

    Rel    o/d  Build   Commit                                    UniqueID observed             

CS  10.6   dbg  280725  49febfad21ab6131a4ca421cd08fb25107d42509  No bug found                  

CS  10.6   opt  280725  49febfad21ab6131a4ca421cd08fb25107d42509  No bug found                  

CS  10.11  dbg  210725  55e0c34f4f00ca70ad8d6f0522efa94bb81f74fb  No bug found                  

CS  10.11  opt  210725  55e0c34f4f00ca70ad8d6f0522efa94bb81f74fb  No bug found                  

CS  11.4   dbg  290725  57dd23dad82d69639a589b8e1c7115823915401c  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute

CS  11.4   opt  290725  57dd23dad82d69639a589b8e1c7115823915401c  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_head::execute

CS  11.8   dbg  300625  311b4445c59caa36ed031f5499eae79d07b68c0c  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute

CS  11.8   opt  300625  a65f7dc71dcd9d6ca1399221f669641910130624  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute

CS  12.0   dbg  290725  ef3d171e7e739dc79d972b98174db75578afc45b  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute

CS  12.0   opt  290725  ef3d171e7e739dc79d972b98174db75578afc45b  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_head::execute

CS  12.1   dbg  210725  7215fe789480c228a91f50ff4f047ea89c16f041  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute

CS  12.1   opt  210725  7215fe789480c228a91f50ff4f047ea89c16f041  SIGSEGV|Query_arena::free_items|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_head::execute

ES  10.5   dbg  050525  0d368ec0042a81d9549fc939fb742f82350b20ab  No bug found                  

ES  10.5   opt  050525  0d368ec0042a81d9549fc939fb742f82350b20ab  No bug found                  

ES  10.6   dbg  050525  6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62  No bug found                  

ES  10.6   opt  050525  6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62  No bug found                  

ES  11.4   dbg  050525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  SIGSEGV|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_instr_set::execute|sp_head::execute

ES  11.4   opt  050525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  SIGSEGV|sp_lex_instr::parse_expr|sp_lex_keeper::validate_lex_and_exec_core|sp_head::execute|sp_head::execute_procedure