Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Version/s: 10.6, 10.11, 12.3
Can result in hang or crash
Q1/2026 Server Maintenance
Description
This script crashes on the second CALL statement:
DELIMITER $$

CREATE PACKAGE pkg1
  PROCEDURE p1();
END;
$$

CREATE PACKAGE BODY pkg1
  FUNCTION f1() RETURNS INT
  BEGIN
    RETURN 10;
  END;
  PROCEDURE p1()
  BEGIN
    SHOW FUNCTION CODE f1;
  END;
END;
$$

DELIMITER ;

CALL pkg1.p1;

CALL pkg1.p1; -- This statement crashes
DROP PACKAGE pkg1;
with this stack:
#0  __pthread_kill_implementation (threadid=<optimized out>,
    signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7080343 in __pthread_kill_internal (threadid=<optimized out>,
    signo=6) at pthread_kill.c:89
#2  0x00007ffff7026cbe in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#3  0x00007ffff700e6d6 in __GI_abort () at abort.c:73
#4  0x00007ffff700e639 in __assert_fail_base (fmt=<optimized out>,
    assertion=<optimized out>, file=<optimized out>, line=308,
    function=<optimized out>) at assert.c:118
#5  0x000055555560858c in Lex_ident_routine::Lex_ident_routine (
    this=0x7ffff4188e20, name=...)
    at /home/bar/maria-git/12.2.monty/sql/lex_ident.h:308
#6  0x0000555555de76da in Sp_handler::sp_resolve_package_routine_implicit (
    this=0x555557e8c608 <sp_handler_function>, thd=0x7fffa0000dc8,
    caller=0x7fffa0073b30, name=0x7fffa0074b10,
    pkg_routine_handler=0x7ffff4189100, pkgname=0x7ffff4189280)
    at /home/bar/maria-git/12.2.monty/sql/sp.cc:2639
#7  0x0000555555de7aff in Sp_handler::sp_resolve_package_routine (
    this=0x555557e8c608 <sp_handler_function>, thd=0x7fffa0000dc8,
    caller=0x7fffa0073b30, name=0x7fffa0074b10,
    pkg_routine_handler=0x7ffff4189100, pkgname=0x7ffff4189280)
    at /home/bar/maria-git/12.2.monty/sql/sp.cc:2697
#8  0x00005555557308aa in mysql_execute_command (thd=0x7fffa0000dc8,
    is_called_from_prepared_stmt=false)
    at /home/bar/maria-git/12.2.monty/sql/sql_parse.cc:5633
#9  0x0000555555a2bba3 in sp_instr_stmt::exec_core (this=0x7fffa0074b50,
    thd=0x7fffa0000dc8, nextp=0x7ffff41899ec)
    at /home/bar/maria-git/12.2.monty/sql/sp_instr.cc:1268
#10 0x0000555555a29a55 in sp_lex_keeper::reset_lex_and_exec_core (
    this=0x7fffa0074b90, thd=0x7fffa0000dc8, nextp=0x7ffff41899ec,
    open_tables=false, instr=0x7fffa0074b50, rerun_the_same_instr=false)
    at /home/bar/maria-git/12.2.monty/sql/sp_instr.cc:418
#11 0x0000555555a2a11f in sp_lex_keeper::validate_lex_and_exec_core (
    this=0x7fffa0074b90, thd=0x7fffa0000dc8, nextp=0x7ffff41899ec,
    open_tables=false, instr=0x7fffa0074b50)
    at /home/bar/maria-git/12.2.monty/sql/sp_instr.cc:597
#12 0x0000555555a2b6c5 in sp_instr_stmt::execute (this=0x7fffa0074b50,
The problem happens because routine name resolution happens during the CALL statement execution:
  case SQLCOM_SHOW_PROC_CODE:
  case SQLCOM_SHOW_FUNC_CODE:
  case SQLCOM_SHOW_PACKAGE_BODY_CODE:
    {
#ifndef DBUG_OFF
      Database_qualified_name pkgname;
      sp_head *sp;
      const Sp_handler *sph= Sp_handler::handler(lex->sql_command);
      WSREP_SYNC_WAIT(thd, WSREP_SYNC_WAIT_BEFORE_SHOW);
      if (sph->sp_resolve_package_routine(thd, thd->lex->sphead,
                                          lex->spname, &sph, &pkgname))
        return true;
So LEX::spname gets modified and points to a temporary memory root, which is cleared after the execution. Then on the second execution LEX::spname members point to the cleared memory.
The correct way would be to do it like the CALL statement does:
- It performs resolution during parse time on a permanent memory root: see LEX::call_statement_start().
- During execution time LEX::spname stays untouched.
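The ownership rule stated above (resolve into the statement's permanent memory root at parse time, and never overwrite LEX::spname with pointers into the per-execution root) can be shown in isolation. The following is an added example written for this page, not MariaDB code: a toy bump allocator stands in for MEM_ROOT, a RoutineName struct stands in for LEX::spname, and all function names (exec_buggy, parse_fixed, run_twice_*) are hypothetical. The buggy path resolves during execution into the execution arena and writes the result back into the long-lived instruction, so after the arena is freed the stored pointers dangle and the second run reads scribbled memory (the analogue of the assertion in Lex_ident_routine in the stack above). The fixed path resolves once into the permanent arena and only reads the name during execution.

```c
/* Added example (not MariaDB code): toy model of the lifetime bug described
 * above. Arena stands in for MEM_ROOT, RoutineName for LEX::spname; the
 * function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bump allocator standing in for a MEM_ROOT. */
typedef struct {
    char   buf[256];
    size_t used;
} Arena;

static void *arena_alloc(Arena *a, size_t n)
{
    if (a->used + n > sizeof a->buf)
        return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* "Free" the per-execution arena. Scribbling over it makes a dangling pointer
 * read as garbage deterministically instead of staying accidentally valid. */
static void arena_free_all(Arena *a)
{
    memset(a->buf, 0xAA, sizeof a->buf);
    a->used = 0;
}

static char *arena_strdup(Arena *a, const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = arena_alloc(a, n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for LEX::spname: a name held by a stored-program instruction that is
 * parsed once and executed many times. db == NULL means "not yet resolved". */
typedef struct {
    const char *db;
    const char *name;
} RoutineName;

/* An unqualified name used inside package `pkg` resolves to pkg.name. */
static RoutineName resolve_in_package(Arena *dst, const char *pkg, const char *name)
{
    RoutineName r;
    r.db   = arena_strdup(dst, pkg);
    r.name = arena_strdup(dst, name);
    return r;
}

/* Buggy: resolve during execution into the execution arena and write the result
 * back into the long-lived instruction. Once the arena is freed, spname dangles
 * and the next execution works on whatever the arena now holds. */
static void exec_buggy(RoutineName *spname, const char *pkg, Arena *exec_arena)
{
    if (spname->db == NULL)
        *spname = resolve_in_package(exec_arena, pkg, spname->name);
    /* ... execute the statement using *spname ... */
    arena_free_all(exec_arena);
}

/* Fixed: resolve once at parse time into the permanent arena; execution only
 * reads spname and never rewrites it. */
static RoutineName parse_fixed(Arena *perm_arena, const char *pkg, const char *name)
{
    return resolve_in_package(perm_arena, pkg, name);
}

static void exec_fixed(const RoutineName *spname, Arena *exec_arena)
{
    (void)spname;                   /* read-only during execution */
    arena_free_all(exec_arena);
}

static bool name_is(const RoutineName *n, const char *db, const char *name)
{
    return n->db && n->name && strcmp(n->db, db) == 0 && strcmp(n->name, name) == 0;
}

/* Execute the instruction twice; report whether spname still reads pkg1.f1. */
bool run_twice_buggy(void)
{
    Arena exec = {0};
    RoutineName spname = { NULL, "f1" };
    exec_buggy(&spname, "pkg1", &exec);
    exec_buggy(&spname, "pkg1", &exec);   /* second run: spname points into freed memory */
    return name_is(&spname, "pkg1", "f1");
}

bool run_twice_fixed(void)
{
    Arena perm = {0}, exec = {0};
    RoutineName spname = parse_fixed(&perm, "pkg1", "f1");
    exec_fixed(&spname, &exec);
    exec_fixed(&spname, &exec);
    return name_is(&spname, "pkg1", "f1");
}

int main(void)
{
    printf("buggy path keeps a valid name after two runs: %s\n", run_twice_buggy() ? "yes" : "no");
    printf("fixed path keeps a valid name after two runs: %s\n", run_twice_fixed() ? "yes" : "no");
    return 0;
}
```

The scribble in arena_free_all is what makes the defect visible without a debugger; a real MEM_ROOT reset leaves the old bytes in place often enough that the first few executions look fine, which is why this class of bug surfaces as an intermittent assertion rather than a reliable crash.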
Attachments

Issue Links
blocks
  MDEV-10152 Add support for TYPE .. IS REF CURSOR (In Progress)