[MDEV-14388] Server crashes in handle_select / val_uint in ORACLE mode Created: 2017-11-14  Updated: 2020-08-25  Resolved: 2017-11-14

Status: Closed
Project: MariaDB Server
Component/s: Server, Stored routines
Affects Version/s: 10.3
Fix Version/s: 10.3.3

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-14228 MariaDB crashes with function Closed

Description

--source include/have_innodb.inc

DROP TABLE IF EXISTS t;
DROP FUNCTION IF EXISTS f;

SET sql_mode='ORACLE';

CREATE TABLE t (id INT) ENGINE=InnoDB;

--delimiter $$
CREATE FUNCTION f() RETURN INT
is
  v1 INT;
  v2 INT;
BEGIN
  FOR v1 in (select id from t)
  loop
    select 1 into v2;
  end loop;
  RETURN 1;

END $$
--delimiter ;

select f();

10.3 c2a868b18cdffc

#3  <signal handler called>
#4  0x0000556acb95a9d0 in Item::val_uint (this=0x0) at /data/src/10.3/sql/item.h:947
#5  0x0000556acb9a9a52 in handle_select (thd=0x7fd130000b00, lex=0x7fd130004730, result=0x7fd1300168e0, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:395
#6  0x0000556acb974e05 in execute_sqlcom_select (thd=0x7fd130000b00, all_tables=0x0) at /data/src/10.3/sql/sql_parse.cc:6468
#7  0x0000556acb96b6ac in mysql_execute_command (thd=0x7fd130000b00) at /data/src/10.3/sql/sql_parse.cc:3740
#8  0x0000556acb97871e in mysql_parse (thd=0x7fd130000b00, rawbuf=0x7fd130014a68 "select f()", length=10, parser_state=0x7fd17c34b610, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7922
#9  0x0000556acb9661f4 in dispatch_command (command=COM_QUERY, thd=0x7fd130000b00, packet=0x7fd13008f8b1 "", packet_length=10, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1828
#10 0x0000556acb964c15 in do_command (thd=0x7fd130000b00) at /data/src/10.3/sql/sql_parse.cc:1370
#11 0x0000556acbabc0ca in do_handle_one_connection (connect=0x556acef16290) at /data/src/10.3/sql/sql_connect.cc:1418
#12 0x0000556acbabbe57 in handle_one_connection (arg=0x556acef16290) at /data/src/10.3/sql/sql_connect.cc:1324
#13 0x0000556acbf3cbdc in pfs_spawn_thread (arg=0x556acef1e950) at /data/src/10.3/storage/perfschema/pfs.cc:1863
#14 0x00007fd184bf9494 in start_thread (arg=0x7fd17c34c700) at pthread_create.c:333
#15 0x00007fd182fdf93f in clone () from /lib/x86_64-linux-gnu/libc.so.6


Comments
Comment by Alexander Barkov [ 2017-11-14 ]

The same crash happens with:

SET sql_mode='ORACLE';
CREATE OR REPLACE TABLE t (id INT) ENGINE=INNODB;
DELIMITER $$
CREATE OR REPLACE FUNCTION f() RETURN INT
is
  CURSOR cur IS SELECT id FROM t;
  rec cur%ROWTYPE;
BEGIN
  RETURN 1;
END $$
DELIMITER ;
SELECT f();

Note: if I change ENGINE to MyISAM, the problem disappears.

Comment by Alexander Barkov [ 2017-11-14 ]

The problem is repeatable with MyISAM, but some INSERT queries are needed:

SET sql_mode='ORACLE';
CREATE OR REPLACE TABLE t (id INT) ENGINE=MyISAM;
INSERT INTO t VALUES (1),(2),(3),(4);
DELIMITER $$
CREATE OR REPLACE FUNCTION f() RETURN INT
is
  CURSOR cur IS SELECT id FROM t;
  rec cur%ROWTYPE;
BEGIN
  RETURN 1;
END $$
DELIMITER ;
SELECT f();

Comment by Alexander Barkov [ 2017-11-14 ]

The same crash happens with:

DROP TABLE IF EXISTS t1;
DROP FUNCTION IF EXISTS f1;
SET sql_mode='ORACLE';
CREATE TABLE t1 (id INT) ENGINE=MyISAM;
INSERT INTO t1 VALUES (0),(1),(2),(3);
DELIMITER $$
CREATE FUNCTION f1() RETURN INT is
BEGIN
  FOR v1 in (SELECT id FROM t1)
  loop
    NULL;
  end loop;
  RETURN 1;
END;
$$
DELIMITER ;
SELECT f1();

Generated at Thu Feb 08 08:13:09 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.