  1. MariaDB Server
  2. MDEV-40124

Assertion `m_sp == m_thd->spcont->m_sp' failed virtual Item *Item_splocal::this_item(), UBSAN : member call on null pointer of type 'Sp_rcontext_handler' in sql/item.cc


Details

    • Bug
    • Status: Open (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 13.1
    • 13.1
    • Triggers
    • Not for Release Notes

    Description

      # Reproducer; the `delimiter |;` form suggests it is written as a mysqltest script.
      # Setup: a two-column table holding a single row.
      CREATE TABLE t1 (a INT, b INT);
      INSERT INTO t1 VALUES (1,2);
      # Switch the statement delimiter so the trigger body can contain ';'.
      delimiter |;
      # The IF condition compares the NEW and OLD row references as a whole
      # (no column is named). Per the backtraces on this page, that comparison
      # reaches cmp_row_type() and Item_splocal::element_index() while the
      # condition is being fixed by sp_instr_jump_if_not::exec_core().
      CREATE TRIGGER t1_bu BEFORE UPDATE ON t1 FOR EACH ROW
      BEGIN
        IF NEW = OLD THEN
          SET @x = 1;
        END IF;
      END|
      delimiter ;|
      # The CREATE TRIGGER above is accepted; the server aborts only when the
      # trigger fires: SIGSEGV in the optimized build, assertion failure
      # (SIGABRT) in the debug build.
      UPDATE t1 SET a = 9;
       
      # Cleanup
      DROP TABLE t1;
      

      Leads to a SIGSEGV in the optimized build and an assertion failure (SIGABRT) in the debug build:

      MDEV-34723 CS 13.0.0 8945d56739e6eaacb674f145d60eb607a8b43a1a (Optimized, Clang 18.1.3-11) Build 19/06/2026

      Core was generated by `/test/mtest/MDEV-34723/MD190626-mariadb-13.0.0-linux-x86_64-opt/bin/mariadbd --'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  Item_splocal::get_rcontext (this=0x76affc0240f8, local_ctx=0x76affc05f970)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.cc:1850
       
      [Current thread is 1 (LWP 307940)]
      (gdb) bt
      #0  Item_splocal::get_rcontext (this=0x76affc0240f8, local_ctx=0x76affc05f970)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.cc:1850
      #1  Item_splocal::get_variable (this=0x76affc0240f8, ctx=0x76affc05f970)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.cc:1856
      #2  Item_splocal::this_item (this=0x76affc0240f8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.cc:1874
      #3  0x0000557bddd59491 in Item_splocal::element_index (this=0x0, i=4228249968)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.h:3352
      #4  0x0000557bde0288b0 in cmp_row_type (item1=0x76affc023f78, item2=0x76affc0240f8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item_cmpfunc.cc:63
      #5  0x0000557bde028795 in Type_handler_hybrid_field_type::aggregate_for_comparison (this=this@entry=0x76d2a86e2ce8, funcname=@0x76d2a86e2c98: {str = 0x557bde7493e0 "=", length = 1}, items=0x76affc0242e0, nitems=nitems@entry=2, int_uint_as_dec=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item_cmpfunc.cc:130
      #6  0x0000557bde028fd7 in Item_func::aggregate_args2_for_comparison_with_conversion (this=this@entry=0x76affc024258, thd=thd@entry=0x76affc000c68, th=th@entry=0x76d2a86e2ce8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item_cmpfunc.cc:421
      #7  0x0000557bde0293a5 in Item_bool_rowready_func2::fix_length_and_dec (this=0x76affc024258, thd=0x76affc000c68)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item_cmpfunc.cc:526
      #8  0x0000557bde05ec7b in Item_func::fix_fields (this=0x76affc024258, thd=0x76affc000c68, ref=<optimized out>)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item_func.cc:412
      #9  0x0000557bddcb8908 in Item::fix_fields_if_needed (this=0x0, ref=0x76affc024568, thd=<optimized out>)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/item.h:1147
      #10 THD::sp_fix_func_item (this=0x76affc000c68, it_addr=0x76affc024568)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_head.cc:395
      #11 THD::sp_prepare_func_item (this=0x76affc000c68, it_addr=0x76affc024568, cols=1) at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_head.cc:381
      #12 0x0000557bddf1ad8a in sp_instr_jump_if_not::exec_core (this=0x76affc024490, thd=0x76affc000c68, nextp=0x76d2a86e3234)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_instr.cc:1930
      #13 0x0000557bddf1787f in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x76affc0244c8, thd=thd@entry=0x76affc000c68, nextp=nextp@entry=0x76d2a86e3234, open_tables=true, instr=instr@entry=0x76affc024490, rerun_the_same_instr=<optimized out>)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_instr.cc:420
      #14 0x0000557bddf17e9b in sp_lex_keeper::validate_lex_and_exec_core (this=0x76affc0244c8, thd=0x76affc000c68, nextp=0x76d2a86e3234, open_tables=<optimized out>, instr=0x76affc024490)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_instr.cc:599
      #15 0x0000557bddcba95a in sp_head::execute (this=this@entry=0x76affc022b20, thd=thd@entry=0x76affc000c68, merge_da_on_success=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_head.cc:1293
      #16 0x0000557bddcbba27 in sp_head::execute_trigger (this=0x76affc022b20, thd=0x76affc000c68, db_name=<optimized out>, table_name=<optimized out>, grant_info=<optimized out>)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sp_head.cc:1806
      #17 0x0000557bdde35ae6 in Table_triggers_list::process_triggers (this=0x76affc055cc0, thd=0x76affc000c68, event=TRG_EVENT_UPDATE, time_type=<optimized out>, old_row_is_record1=<optimized out>, skip_row_indicator=0x76d2a86e3ab0, fields_in_update_stmt=0x76affc005ce8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_trigger.cc:2880
      #18 0x0000557bddcf9271 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x76affc000c68, table=table@entry=0x76affc0545b8, fields=@0x76affc005ce8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x76affc018318, last = 0x76affc018318, elements = 1}, <No data fields>}, values=@0x76affc006170: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x76affc018328, last = 0x76affc018328, elements = 1}, <No data fields>}, ignore_errors=<optimized out>, event=event@entry=TRG_EVENT_UPDATE, skip_row_indicator=0x76d2a86e3ab0)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_base.cc:9417
      #19 0x0000557bdde48bfd in Sql_cmd_update::update_single_table (this=this@entry=0x76affc018338, thd=thd@entry=0x76affc000c68)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_update.cc:991
      #20 0x0000557bdde4dbae in Sql_cmd_update::execute_inner (this=0x76affc018338, thd=0x76affc000c68)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_update.cc:3237
      #21 0x0000557bddde172b in Sql_cmd_dml::execute (this=0x76affc018338, thd=0x76affc000c68)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_select.cc:34848
      #22 0x0000557bddd67abb in mysql_execute_command (thd=thd@entry=0x76affc000c68, is_called_from_prepared_stmt=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_parse.cc:4442
      #23 0x0000557bddd62e41 in mysql_parse (thd=thd@entry=0x76affc000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x76d2a86e4410)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_parse.cc:7937
      #24 0x0000557bddd6125d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x76affc000c68, packet=packet@entry=0x76affc008cc9 "UPDATE t1 SET a = 9", packet_length=packet_length@entry=19, blocking=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_parse.cc:1896
      #25 0x0000557bddd63251 in do_command (thd=thd@entry=0x76affc000c68, blocking=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_parse.cc:1432
      #26 0x0000557bdde93fad in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557bf4d02248, put_in_cache=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_connect.cc:1503
      #27 0x0000557bdde93d6f in handle_one_connection (arg=arg@entry=0x557bf4d02248)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/sql/sql_connect.cc:1415
      #28 0x0000557bde255bb3 in pfs_spawn_thread (arg=0x557bf4ca5188)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_opt/storage/perfschema/pfs.cc:2198
      #29 0x000076d2ab89caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #30 0x000076d2ab929c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      MDEV-34723 CS 13.0.0 8945d56739e6eaacb674f145d60eb607a8b43a1a (Debug, Clang 18.1.3-11) Build 19/06/2026

      mariadbd: /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.cc:1872: virtual Item *Item_splocal::this_item(): Assertion `m_sp == m_thd->spcont->m_sp' failed.
      

      MDEV-34723 CS 13.0.0 8945d56739e6eaacb674f145d60eb607a8b43a1a (Debug, Clang 18.1.3-11) Build 19/06/2026

      Core was generated by `/test/mtest/MDEV-34723/MD190626-mariadb-13.0.0-linux-x86_64-dbg/bin/mariadbd --'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
       
      [Current thread is 1 (LWP 11331)]
      (gdb) bt
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      #3  0x00007ee237e4527e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      #4  0x00007ee237e288ff in __GI_abort () at ./stdlib/abort.c:79
      #5  0x00007ee237e2881b in __assert_fail_base (fmt=0x7ee237fd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x611716b83395 "m_sp == m_thd->spcont->m_sp", file=file@entry=0x611716b82d80 "/test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.cc", line=line@entry=1872, function=function@entry=0x611716b833b1 "virtual Item *Item_splocal::this_item()") at ./assert/assert.c:96
      #6  0x00007ee237e3b517 in __assert_fail (assertion=0x611716b83395 "m_sp == m_thd->spcont->m_sp", file=0x611716b82d80 "/test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.cc", line=1872, function=0x611716b833b1 "virtual Item *Item_splocal::this_item()")at ./assert/assert.c:105
      #7  0x0000611715e57c75 in Item_splocal::this_item (this=0x7ebf7c07d080)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.cc:1872
      #8  0x00006117159bba1c in Item_splocal::element_index (this=0x7ebf7c07d080, i=0) at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.h:3352
      #9  0x0000611715e8917c in cmp_row_type (item1=0x7ebf7c07cef8, item2=0x7ebf7c07d080)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item_cmpfunc.cc:63
      #10 0x0000611715e89090 in Type_handler_hybrid_field_type::aggregate_for_comparison (this=0x7ede583e8868, funcname=@0x7ede583e8808: {str = 0x611716b52a60 "=", length = 1}, items=0x7ebf7c07d270, nitems=2, int_uint_as_dec=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item_cmpfunc.cc:130
      #11 0x0000611715e89f8f in Item_func::aggregate_args2_for_comparison_with_conversion (this=0x7ebf7c07d1e8, thd=0x7ebf7c000d58, th=0x7ede583e8868)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item_cmpfunc.cc:421
      #12 0x0000611715e8a555 in Item_bool_rowready_func2::fix_length_and_dec (this=0x7ebf7c07d1e8, thd=0x7ebf7c000d58)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item_cmpfunc.cc:526
      #13 0x0000611715ed3a1a in Item_func::fix_fields (this=0x7ebf7c07d1e8, thd=0x7ebf7c000d58, ref=0x7ebf7c07d500)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item_func.cc:412
      #14 0x0000611715881aea in Item::fix_fields_if_needed (this=0x7ebf7c07d1e8, thd=0x7ebf7c000d58, ref=0x7ebf7c07d500)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/item.h:1147
      #15 0x00006117158ac468 in THD::sp_fix_func_item (this=0x7ebf7c000d58, it_addr=0x7ebf7c07d500)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_head.cc:395
      #16 0x00006117158ac3f0 in THD::sp_prepare_func_item (this=0x7ebf7c000d58, it_addr=0x7ebf7c07d500, cols=1)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_head.cc:381
      #17 0x0000611715caa7e1 in sp_instr_jump_if_not::exec_core (this=0x7ebf7c07d420, thd=0x7ebf7c000d58, nextp=0x7ede583e8ff8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_instr.cc:1930
      #18 0x0000611715ca5406 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7ebf7c07d460, thd=0x7ebf7c000d58, nextp=0x7ede583e8ff8, open_tables=true, instr=0x7ebf7c07d420, rerun_the_same_instr=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_instr.cc:420
      #19 0x0000611715ca5b8c in sp_lex_keeper::validate_lex_and_exec_core (this=0x7ebf7c07d460, thd=0x7ebf7c000d58, nextp=0x7ede583e8ff8, open_tables=true, instr=0x7ebf7c07d420)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_instr.cc:599
      #20 0x0000611715caa79e in sp_instr_jump_if_not::execute (this=0x7ebf7c07d420, thd=0x7ebf7c000d58, nextp=0x7ede583e8ff8)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_instr.cc:1920
      #21 0x00006117158af59c in sp_head::execute (this=0x7ebf7c07ba90, thd=0x7ebf7c000d58, merge_da_on_success=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_head.cc:1293
      #22 0x00006117158b1466 in sp_head::execute_trigger (this=0x7ebf7c07ba90, thd=0x7ebf7c000d58, db_name=0x7ebf7c0793e8, table_name=0x7ebf7c0793f8, grant_info=0x7ebf7c032830)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sp_head.cc:1806
      #23 0x0000611715b2e25c in Table_triggers_list::process_triggers (this=0x7ebf7c032290, thd=0x7ebf7c000d58, event=TRG_EVENT_UPDATE, time_type=TRG_ACTION_BEFORE, old_row_is_record1=true, skip_row_indicator=0x7ede583e9aa7, fields_in_update_stmt=0x7ebf7c005db0)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_trigger.cc:2880
      #24 0x0000611715919718 in fill_record_n_invoke_before_triggers (thd=0x7ebf7c000d58, table=0x7ebf7c0348b8, fields=@0x7ebf7c005db0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7ebf7c01ab18, last = 0x7ebf7c01ab18, elements = 1}, <No data fields>}, values=@0x7ebf7c006238: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7ebf7c01ab28, last = 0x7ebf7c01ab28, elements = 1}, <No data fields>}, ignore_errors=false, event=TRG_EVENT_UPDATE, skip_row_indicator=0x7ede583e9aa7)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_base.cc:9417
      #25 0x0000611715b4949d in Sql_cmd_update::update_single_table (this=0x7ebf7c01ab38, thd=0x7ebf7c000d58)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_update.cc:991
      #26 0x0000611715b515b1 in Sql_cmd_update::execute_inner (this=0x7ebf7c01ab38, thd=0x7ebf7c000d58)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_update.cc:3237
      #27 0x0000611715a9c676 in Sql_cmd_dml::execute (this=0x7ebf7c01ab38, thd=0x7ebf7c000d58)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_select.cc:34848
      #28 0x00006117159dc06c in mysql_execute_command (thd=0x7ebf7c000d58, is_called_from_prepared_stmt=false)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_parse.cc:4442
      #29 0x00006117159d2364 in mysql_parse (thd=0x7ebf7c000d58, rawbuf=0x7ebf7c01a120 "UPDATE t1 SET a = 9", length=19, parser_state=0x7ede583eb9f0)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_parse.cc:7937
      #30 0x00006117159cf70d in dispatch_command (command=COM_QUERY, thd=0x7ebf7c000d58, packet=0x7ebf7c00b4c9 "UPDATE t1 SET a = 9", packet_length=19, blocking=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_parse.cc:1896
      #31 0x00006117159d2f13 in do_command (thd=0x7ebf7c000d58, blocking=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_parse.cc:1432
      #32 0x0000611715bcd7d9 in do_handle_one_connection (connect=0x6117229b63a8, put_in_cache=true)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_connect.cc:1503
      #33 0x0000611715bcd57e in handle_one_connection (arg=0x611722a3e758)at /test/mtest/MDEV-34723/bb-13.0-MDEV-34723_dbg/sql/sql_connect.cc:1415
      #34 0x00007ee237e9caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #35 0x00007ee237f29c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      UBSAN Stack

      UBSAN|member call on null pointer of type 'Sp_rcontext_handler'|sql/item.cc|Item_splocal::get_rcontext|Item_splocal::get_variable|Item_splocal::element_index|cmp_row_type
      


            People

              rucha174 Rucha Deodhar
              ramesh Ramesh Sivaraman

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0d
                  0d
                  Logged:
                  Time Spent - 0.5h
                  0.5h
