[MDEV-12060] Crash in EXECUTE IMMEDIATE with an expression returning a GRANT command Created: 2017-02-14  Updated: 2018-06-12  Resolved: 2018-06-12

Status: Closed
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.1, 10.2
Fix Version/s: 10.1.34, 10.2.16, 10.3.8, 10.4.0

Type: Bug Priority: Major
Reporter: Alexander Barkov Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14603 signal 11 with short stacktrace Closed
Sprint: 10.1.22

 Description   

I create a role and a procedure p1:

CREATE ROLE IF NOT EXISTS testrole;
DELIMITER /
CREATE OR REPLACE PROCEDURE p1()
BEGIN
END;
/
DELIMITER ;

Now I create a procedure p2 and execute it. It works fine:

DELIMITER /
CREATE OR REPLACE PROCEDURE p2 (IN wgrp VARCHAR(10))
BEGIN
  DECLARE wcmd VARCHAR(200);
  set wcmd=concat('GRANT EXECUTE ON PROCEDURE p1 TO ',wgrp);
  -- This works fine
  EXECUTE IMMEDIATE wcmd;
END;
/
DELIMITER ;
CALL p2('testrole');

Now I change the procedure body slightly and re-run it. It crashes:

DELIMITER /
CREATE OR REPLACE PROCEDURE p2 (wgrp VARCHAR(10))
BEGIN
  -- assertion failed
  EXECUTE IMMEDIATE concat('GRANT EXECUTE ON PROCEDURE p1 TO ',wgrp);
END;
/
DELIMITER ;
CALL p2('testrole');

This procedure also crashes:

DELIMITER /
CREATE OR REPLACE PROCEDURE p2 ()
BEGIN
  EXECUTE IMMEDIATE concat(_utf8'GRANT EXECUTE ON PROCEDURE p1 TO ',_latin1'testrole');
END;
/
DELIMITER ;
CALL p2();

So does this one:

DELIMITER /
CREATE OR REPLACE PROCEDURE p2 ()
BEGIN
  PREPARE stmt FROM concat(_utf8'GRANT EXECUTE ON PROCEDURE p1 TO ',_latin1' testrole');
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END;
/
DELIMITER ;
CALL p2();



 Comments   
Comment by Alexander Barkov [ 2017-02-15 ]

The same problem is repeatable in 10.1:

DELIMITER /
CREATE OR REPLACE PROCEDURE p2 ()
BEGIN
  SET STATEMENT join_cache_level=CAST(CONCAT(_utf8'6',_latin1'') AS INT) FOR PREPARE stmt FROM 'SELECT 1';
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END;
/
DELIMITER ;
CALL p2();

Comment by Alexander Barkov [ 2018-06-11 ]

The same problem is repeatable (in 10.1) with an anonymous block, with a SET STATEMENT..PREPARE, which creates a character set conversion Item at the SET STATEMENT stage:

DELIMITER /
BEGIN NOT ATOMIC
  SET STATEMENT join_cache_level=CAST(CONCAT(_utf8'6',_latin1'') AS INT) FOR PREPARE stmt FROM 'SELECT 1';
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END;
/
DELIMITER ;

Note, EXECUTE is not needed. It crashes just with PREPARE:

DELIMITER /
BEGIN NOT ATOMIC
  SET STATEMENT join_cache_level=CAST(CONCAT(_utf8'6',_latin1'') AS INT) FOR PREPARE stmt FROM 'SELECT 1';
  DEALLOCATE PREPARE stmt;
END;
/
DELIMITER ;

The problem is also repeatable with SET STATEMENT..EXECUTE:

DELIMITER /
BEGIN NOT ATOMIC
  PREPARE stmt FROM 'SELECT 1';
  SET STATEMENT join_cache_level=CAST(CONCAT(_utf8'6',_latin1'') AS INT) FOR EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END;
/
DELIMITER ;
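Added example, not part of the MDEV-12060 report or of the MariaDB code base: a small Python helper that tells an operator, from the string `SELECT VERSION()` returns, whether a server predates the fix for its series, using only the Fix Version/s listed in this issue (10.1.34, 10.2.16, 10.3.8, 10.4.0). It also carries the PREPARE-only anonymous-block probe from the 2018-06-11 comment so that the two can be kept together. The names `FIXED_IN`, `PROBE_SQL`, `parse_version`, `is_vulnerable` and `triage` are assumptions made for this example, not MariaDB identifiers; servers older than 10.1 and non-MariaDB builds are reported as "not covered", because the issue says nothing about them. Since the probe crashes an unpatched server, send it only to a disposable test instance, never to a production database.

```python
"""Gate the MDEV-12060 crash probe on the server version.

Fix levels come from the issue's Fix Version/s field: 10.1.34, 10.2.16,
10.3.8, 10.4.0.  All names in this file are assumptions made for this added
example; they are not identifiers from the MariaDB project.
"""
import re

# Per-series fix level, as listed on the issue.  Anything below the tuple in
# the same major.minor series is before the fix.
FIXED_IN = {
    (10, 1): (10, 1, 34),
    (10, 2): (10, 2, 16),
    (10, 3): (10, 3, 8),
    (10, 4): (10, 4, 0),
}

# Minimal probe from the 2018-06-11 comment: PREPARE alone is enough, no
# EXECUTE needed.  It crashes an unpatched server, so only ever run it
# against a throw-away test instance.
PROBE_SQL = (
    "BEGIN NOT ATOMIC\n"
    "  SET STATEMENT join_cache_level=CAST(CONCAT(_utf8'6',_latin1'') AS INT)"
    " FOR PREPARE stmt FROM 'SELECT 1';\n"
    "  DEALLOCATE PREPARE stmt;\n"
    "END"
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor, patch) from e.g. '10.2.15-MariaDB-log'.

    Distribution suffixes such as '-10.2.16+maria~bionic' are ignored.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_string):
    """True if the server predates the MDEV-12060 fix for its series,
    False if it carries the fix, None if the issue does not cover it
    (not a MariaDB build, or a series older than 10.1)."""
    if "mariadb" not in version_string.lower():
        return None                      # MySQL etc.: outside this issue's scope
    major, minor, patch = parse_version(version_string)
    series = (major, minor)
    if series in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[series]
    if series > (10, 4):
        return False                     # later series branched after 10.4.0
    return None                          # 10.0 and older: not assessed here


def triage(version_string):
    """Map a version string to a one-line action for the operator."""
    verdict = is_vulnerable(version_string)
    if verdict is True:
        return ("upgrade: affected by MDEV-12060; run PROBE_SQL only on a "
                "disposable test instance")
    if verdict is False:
        return "fixed: server carries the MDEV-12060 fix"
    return "unknown: version not covered by MDEV-12060"


if __name__ == "__main__":
    import sys
    # Usage: python check_mdev12060.py "$(mysql -N -e 'SELECT VERSION()')"
    version = sys.argv[1] if len(sys.argv) > 1 else "10.2.15-MariaDB"
    print(version, "->", triage(version))
```

The version gate is deliberately conservative: a series the issue does not mention is reported as unknown rather than safe, and the probe itself is only worth running, on a test copy, when the gate says "upgrade" and you need to confirm the crash before scheduling the upgrade.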

Generated at Thu Feb 08 07:54:48 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.