[MDEV-15703] Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field Created: 2018-03-28  Updated: 2024-02-08

Status: Stalled
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Critical
Reporter: Alexander Barkov Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: UBSAN, affects-tests, crash

Issue Links:
Relates
relates to MDEV-21028 Server crashes in Query_arena::set_qu... Closed

Description

These (intentionally incorrect) queries crash the server:

EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;

EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;

I didn't check binding the same constants in the client-server protocol, but most likely they'll also crash.

10.2 73af8af094

#3  <signal handler called>
#4  0x0000562f979d290a in TABLE_LIST::top_table (this=0x0) at /data/src/10.2/sql/table.h:2214
#5  0x0000562f97cc55f7 in Item_param::save_in_field (this=0x7f3268158770, field=0x7f32680133d8, no_conversions=true) at /data/src/10.2/sql/item.cc:3803
#6  0x0000562f97b51d83 in make_empty_rec (thd=0x7f3268000b00, buff=0x7f3268008086 "\001", table_options=8, create_fields=..., reclength=5, data_offset=1) at /data/src/10.2/sql/unireg.cc:998
#7  0x0000562f97b4f4d5 in build_frm_image (thd=0x7f3268000b00, table=0x7f3268158048 "t1", create_info=0x7f327a8a7630, create_fields=..., keys=0, key_info=0x7f32680133c8, db_file=0x7f3268012ce8) at /data/src/10.2/sql/unireg.cc:308
#8  0x0000562f97afd73b in mysql_create_frm_image (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4660
#9  0x0000562f97afe0ec in create_table_impl (thd=0x7f3268000b00, orig_db=0x7f3268158690 "test", orig_table_name=0x7f3268158048 "t1", db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", path=0x7f327a8a7030 "./test/t1", options=..., create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, create_table_mode=0, is_trans=0x7f327a8a728e, key_info=0x7f327a8a7010, key_count=0x7f327a8a7004, frm=0x7f327a8a7020) at /data/src/10.2/sql/sql_table.cc:4896
#10 0x0000562f97afe73b in mysql_create_table_no_lock (thd=0x7f3268000b00, db=0x7f3268158690 "test", table_name=0x7f3268158048 "t1", create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580, is_trans=0x7f327a8a728e, create_table_mode=0) at /data/src/10.2/sql/sql_table.cc:5012
#11 0x0000562f97afe9af in mysql_create_table (thd=0x7f3268000b00, create_table=0x7f3268158080, create_info=0x7f327a8a7630, alter_info=0x7f327a8a7580) at /data/src/10.2/sql/sql_table.cc:5075
#12 0x0000562f97a36e9b in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3983
#13 0x0000562f97a60b18 in Prepared_statement::execute (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false) at /data/src/10.2/sql/sql_prepare.cc:4774
#14 0x0000562f97a5ee73 in Prepared_statement::execute_loop (this=0x7f32680066b0, expanded_query=0x7f327a8a83d0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.2/sql/sql_prepare.cc:4203
#15 0x0000562f97a6106e in Prepared_statement::execute_immediate (this=0x7f32680066b0, query=0x7f3268012750 "CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)", query_len=44) at /data/src/10.2/sql/sql_prepare.cc:4898
#16 0x0000562f97a5bc0f in mysql_sql_stmt_execute_immediate (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_prepare.cc:2893
#17 0x0000562f97a35a04 in mysql_execute_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:3485
#18 0x0000562f97a433a8 in mysql_parse (thd=0x7f3268000b00, rawbuf=0x7f3268012640 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", length=78, parser_state=0x7f327a8a9200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7914
#19 0x0000562f97a31263 in dispatch_command (command=COM_QUERY, thd=0x7f3268000b00, packet=0x7f326816b521 "EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT", packet_length=78, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1815
#20 0x0000562f97a2fbc6 in do_command (thd=0x7f3268000b00) at /data/src/10.2/sql/sql_parse.cc:1369
#21 0x0000562f97b7e480 in do_handle_one_connection (connect=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1335
#22 0x0000562f97b7e20d in handle_one_connection (arg=0x562f99f6c400) at /data/src/10.2/sql/sql_connect.cc:1241
#23 0x0000562f97f9e3de in pfs_spawn_thread (arg=0x562f99f46ec0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#24 0x00007f32822a4494 in start_thread (arg=0x7f327a8aa700) at pthread_create.c:333
#25 0x00007f328068a93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Note, the queries are incorrect. DEFAULT/IGNORE should not be allowed as bind parameters in this context.

The expected behaviour should be to return an error, e.g. like this query does:

MariaDB [test]> EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;
ERROR 4032 (HY000): Default/ignore value is not supported for such parameter usage



Comments
Comment by Roel Van de Paar [ 2020-05-11 ]

CREATE PROCEDURE p(IN c INT) SET max_connections=100;
EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT;

The encapsulated SET is not important; it can be anything else.

Leads to:

10.5.3 64488a6f2dd6aa43462292b757e783cfba11a8c6

Core was generated by `/test/MD050520-mariadb-10.5.3-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x15234b3c7700 (LWP 121254))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000056217ea96757 in my_write_core (sig=sig@entry=11) at /test/10.5_opt/mysys/stacktrace.c:518
#2  0x000056217e45881a in handle_fatal_signal (sig=11) at /test/10.5_opt/sql/signal_handler.cc:329
#3  <signal handler called>
#4  TABLE_LIST::top_table (this=0x0) at /test/10.5_opt/sql/table.h:2535
#5  Item_param::save_in_field (this=0x15232810ee58, field=0x152328049e00, no_conversions=<optimized out>) at /test/10.5_opt/sql/item.cc:4274
#6  0x000056217e4372b3 in Field::sp_prepare_and_store_item (this=0x152328049e00, thd=0x152328012018, value=<optimized out>) at /test/10.5_opt/sql/field.cc:1430
#7  0x000056217e1c9097 in THD::sp_eval_expr (this=this@entry=0x152328012018, result_field=<optimized out>, expr_item_ptr=<optimized out>) at /test/10.5_opt/sql/sp_head.cc:431
#8  0x000056217e1d5c53 in sp_rcontext::set_variable (this=this@entry=0x152328048ac8, thd=thd@entry=0x152328012018, idx=idx@entry=0, value=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.cc:639
#9  0x000056217e1cbb2d in sp_rcontext::set_parameter (value=<optimized out>, var_idx=<optimized out>, thd=<optimized out>, this=<optimized out>) at /test/10.5_opt/sql/sp_rcontext.h:191
#10 sp_head::execute_procedure (this=0x152328051030, thd=thd@entry=0x152328012018, args=0x15232810dfc0) at /test/10.5_opt/sql/sp_head.cc:2353
#11 0x000056217e260f55 in do_execute_sp (thd=thd@entry=0x152328012018, sp=sp@entry=0x152328051030) at /test/10.5_opt/sql/sql_parse.cc:3013
#12 0x000056217e2615e6 in Sql_cmd_call::execute (this=0x15232810ec60, thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3258
#13 0x000056217e263010 in mysql_execute_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:5912
#14 0x000056217e280975 in Prepared_statement::execute (this=this@entry=0x15232807c418, expanded_query=expanded_query@entry=0x15234b3c5d60, open_cursor=open_cursor@entry=false) at /test/10.5_opt/sql/sql_prepare.cc:4786
#15 0x000056217e280a72 in Prepared_statement::execute_loop (this=0x15232807c418, expanded_query=0x15234b3c5d60, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/10.5_opt/sql/sql_prepare.cc:4275
#16 0x000056217e280f5b in Prepared_statement::execute_immediate (this=this@entry=0x15232807c418, query=<optimized out>, query_len=9) at /test/10.5_opt/sql/sql_prepare.cc:4914
#17 0x000056217e2811ae in mysql_sql_stmt_execute_immediate (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_prepare.cc:2941
#18 0x000056217e263564 in mysql_execute_command (thd=thd@entry=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:3907
#19 0x000056217e26a27c in mysql_parse (thd=0x152328012018, rawbuf=<optimized out>, length=43, parser_state=0x15234b3c64d0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7957
#20 0x000056217e25f8a5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152328012018, packet=packet@entry=0x15232803a019 "EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT", packet_length=packet_length@entry=43, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1839
#21 0x000056217e25db36 in do_command (thd=0x152328012018) at /test/10.5_opt/sql/sql_parse.cc:1358
#22 0x000056217e3522ee in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1523490329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1422
#23 0x000056217e352494 in handle_one_connection (arg=arg@entry=0x1523490329b8) at /test/10.5_opt/sql/sql_connect.cc:1319
#24 0x000056217e6be5ea in pfs_spawn_thread (arg=0x15234904b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#25 0x000015234a7ee6db in start_thread (arg=0x15234b3c7700) at pthread_create.c:463
#26 0x0000152349bec88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt), 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (dbg), 10.5.3 (opt)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Comment by Oleksandr Byelkin [ 2020-07-09 ]

There are 2 versions, 10.2 and 10.4:

commit f9ee717c3440645b2b34857fe0297e7230332bcd (HEAD -> bb-10.2-MDEV-15703)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Check usage of IGNORE out of allowed commands.
Check that table is opened for DEFAULT.

commit 4a499d8b2fca929db0f4f9080f360284f49c3e5a (HEAD -> bb-10.4-MDEV-15703, origin/bb-10.4-MDEV-15703)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 15:37:55 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

10.4 version: check evaluability on Field::make_empty_rec_store_default_value

10.2 version changed with ASSERTS.

Comment by Alexander Barkov [ 2020-07-10 ]

More similar crashes:

EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING DEFAULT;

EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING IGNORE;

Comment by Oleksandr Byelkin [ 2020-07-10 ]

commit d476d9bc84b2267fb093e70563a15adaa874ae2b (HEAD -> bb-10.2-MDEV-15703, origin/bb-10.2-MDEV-15703)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2: check that expressions are evaluable for
making empty row and assigning PS variable
(Item::is_evaluable_expression() backported from 10.4).

commit 9d26f1d10a71732cf1d03906cfde809810058f98
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Comment by Oleksandr Byelkin [ 2020-07-10 ]

commit 70d1c6337c9d548d04f771c1762d8bfa08f415e9 (HEAD -> bb-10.2-MDEV-15703, origin/bb-10.2-MDEV-15703)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2:

  • check that expressions are evaluable for
    making empty row and assigning PS variable
  • Item::raise_error_not_evaluable() backported from 10.4 and made virtual
  • Item::is_evaluable_expression() backported from 10.4
  • Item::check_is_evaluable_expression_or_error() backported from 10.4
  • Item::Print backported from 10.4

commit 9d26f1d10a71732cf1d03906cfde809810058f98
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Comment by Alexander Barkov [ 2020-07-13 ]

The patch
https://github.com/MariaDB/server/commit/70d1c6337c9d548d04f771c1762d8bfa08f415e9
looks ok for me.

Comment by Alexander Barkov [ 2020-07-13 ]

This query also makes the server crash:

EXECUTE IMMEDIATE 'SELECT ? UNION SELECT 1' USING DEFAULT;

Comment by Oleksandr Byelkin [ 2020-07-15 ]

Another problem in DEFAULT, found due to the asserts but repeatable on vanilla 10.2:

CREATE TABLE t1 (a INT, b INT default a);
INSERT into t1 values (1,2),(2,3);
CREATE TABLE t2 (a INT, b INT default a);
INSERT into t2 values (1,10),(2,30);
 
UPDATE t1,t2 SET t1.b = DEFAULT, t2.b = DEFAULT WHERE t1.a=t2.a;
SELECT * from t1;
SELECT * from t2;
 
# Cleanup
DROP TABLE t1, t2;

Comment by Oleksandr Byelkin [ 2020-07-15 ]

The crash is the same as for https://jira.mariadb.org/browse/MDEV-21028 (because in both cases we try to apply complex default to a temporary table) but bugs are different.

Comment by Oleksandr Byelkin [ 2020-07-17 ]

commit bc73b455ba255d5fd6b277a3477ab47d368241a1
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Fri Jul 10 15:17:07 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

part 2:

  • check that expressions are evaluable for
    making empty row and assigning PS variable
  • correctly handling writing to a temporary table during multi-update
    by setting associated field
  • Item::raise_error_not_evaluable() backported from 10.4 and made virtual
  • Item::is_evaluable_expression() backported from 10.4
  • Item::check_is_evaluable_expression_or_error() backported from 10.4
  • Item::Print backported from 10.4

commit 7311586ca259b619cac949da70e79ddd9f8f6da8
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Thu Jul 9 14:36:41 2020 +0200

MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

Part 1: make better asserts.

Comment by Oleksandr Byelkin [ 2020-10-07 ]

I fixed the small issues and answered the big one, but what to do with the big ones I have no idea (partially because they were requirements of the first reviews).

commit 6d02ddda888dc85a91f5d5e6a92696a7d69a5b12 (HEAD -> bb-10.2-MDEV-15703, origin/bb-10.2-MDEV-15703)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Tue Jul 14 10:12:22 2020 +0200
 
    Fix of typo in the comment.
 
commit 62c35fe93e14ff469007dac2488f5c34a76ce9de
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Fri Jul 10 15:17:07 2020 +0200
 
    MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT
    
    part 2:
    
    - check that expressions are evaluable for
      making empty row and assigning PS variable
    
    - correctly handling writing to a temporary table during multi-update
      by setting associated field
    
    - Item::raise_error_not_evaluable() backported from 10.4 and made virtual
    
    - Item::is_evaluable_expression() backported from 10.4
    
    - Item::check_is_evaluable_expression_or_error() backported from 10.4
 
commit f584d567dbb499485b1d1122e4370db43cb27c4c
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Thu Jul 9 14:36:41 2020 +0200
 
    MDEV-15703 Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT
    
    Part 1: make better asserts.

Comment by Roel Van de Paar [ 2023-03-25 ]

Please also test any fixes with:

CREATE PROCEDURE p(IN c INT) SET max_connections=100;
EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT;

Comment by Roel Van de Paar [ 2023-05-13 ]

UBSAN also sees an issue: runtime error: member call on null pointer of type 'struct TABLE_LIST':

EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE;

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

/test/11.0_dbg_san/sql/item.cc:4496:55: runtime error: member call on null pointer of type 'struct TABLE_LIST'
    #0 0x559d8948e909 in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
    #1 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561
    #2 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
    #3 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
    #4 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578
    #5 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
    #6 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
    #7 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
    #8 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
    #9 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
    #10 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
    #11 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
    #12 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
    #13 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
    #14 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
    #15 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
    #16 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #17 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #18 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #19 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #20 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #21 0x14f758294b42 in start_thread nptl/pthread_create.c:442
    #22 0x14f7583269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
/test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'
    #0 0x559d8948e91f in TABLE_LIST::top_table() /test/11.0_dbg_san/sql/table.h:2872
    #1 0x559d8948e91f in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4496
    #2 0x559d8922e440 in Field::make_empty_rec_store_default_value(THD*, Item*) /test/11.0_dbg_san/sql/field.cc:1561
    #3 0x559d885d2452 in make_empty_rec_store_default /test/11.0_dbg_san/sql/unireg.cc:1168
    #4 0x559d885d2452 in make_empty_rec /test/11.0_dbg_san/sql/unireg.cc:1243
    #5 0x559d885d2452 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/11.0_dbg_san/sql/unireg.cc:578
    #6 0x559d8836f7b1 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/11.0_dbg_san/sql/sql_table.cc:4340
    #7 0x559d883710b2 in create_table_impl /test/11.0_dbg_san/sql/sql_table.cc:4647
    #8 0x559d88374f6f in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_table.cc:4772
    #9 0x559d88380988 in mysql_create_table /test/11.0_dbg_san/sql/sql_table.cc:4888
    #10 0x559d88380988 in Sql_cmd_create_table_like::execute(THD*) /test/11.0_dbg_san/sql/sql_table.cc:12492
    #11 0x559d87cf0054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
    #12 0x559d87df5f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
    #13 0x559d87df9a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
    #14 0x559d87e04f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
    #15 0x559d87e0606c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
    #16 0x559d87cc9f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
    #17 0x559d87cf9973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #18 0x559d87d09707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #19 0x559d87d17542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #20 0x559d886ec8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #21 0x559d886eddd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #22 0x14f758294b42 in start_thread nptl/pthread_create.c:442
    #23 0x14f7583269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
230513 13:17:36 [ERROR] mysqld got signal 11 ;

Comment by Roel Van de Paar [ 2023-07-01 ]

This testcase:

CREATE PROCEDURE p0 (IN i INT) DETERMINISTIC NO SQL SET @c=i +0;
EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT;

Leads to this additional stack:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

/test/11.0_dbg_san/sql/item.cc:4492:56: runtime error: member call on null pointer of type 'struct TABLE_LIST'
/test/11.0_dbg_san/sql/table.h:2872:14: runtime error: member access within null pointer of type 'struct TABLE_LIST'

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

    #0 0x55adc55fb73e in Item_param::save_in_field(Field*, bool) /test/11.0_dbg_san/sql/item.cc:4492
    #1 0x55adc53bb206 in Field::sp_prepare_and_store_item(THD*, Item**) /test/11.0_dbg_san/sql/field.cc:1498
    #2 0x55adc3823a68 in THD::sp_eval_expr(Field*, Item**) /test/11.0_dbg_san/sql/sp_head.cc:453
    #3 0x55adc38b93af in sp_rcontext::set_variable(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.cc:640
    #4 0x55adc383fa88 in sp_rcontext::set_parameter(THD*, unsigned int, Item**) /test/11.0_dbg_san/sql/sp_rcontext.h:194
    #5 0x55adc383fa88 in sp_head::bind_input_param(THD*, Item*, unsigned int, sp_rcontext*, bool) /test/11.0_dbg_san/sql/sp_head.cc:2567
    #6 0x55adc3842d11 in sp_head::execute_procedure(THD*, List<Item>*) /test/11.0_dbg_san/sql/sp_head.cc:2363
    #7 0x55adc3dd71d3 in do_execute_sp /test/11.0_dbg_san/sql/sql_parse.cc:3026
    #8 0x55adc3df418d in Sql_cmd_call::execute(THD*) /test/11.0_dbg_san/sql/sql_parse.cc:3271
    #9 0x55adc3e5d054 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6015
    #10 0x55adc3f62f20 in Prepared_statement::execute(String*, bool) /test/11.0_dbg_san/sql/sql_prepare.cc:5223
    #11 0x55adc3f66a1f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_dbg_san/sql/sql_prepare.cc:4646
    #12 0x55adc3f71f6d in Prepared_statement::execute_immediate(char const*, unsigned int) /test/11.0_dbg_san/sql/sql_prepare.cc:5374
    #13 0x55adc3f7306c in mysql_sql_stmt_execute_immediate(THD*) /test/11.0_dbg_san/sql/sql_prepare.cc:3099
    #14 0x55adc3e36f6e in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3955
    #15 0x55adc3e66973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #16 0x55adc3e76707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #17 0x55adc3e84542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #18 0x55adc48598b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #19 0x55adc485add0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #20 0x148b38e94b42 in start_thread nptl/pthread_create.c:442
    #21 0x148b38f269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Comment by Roel Van de Paar [ 2023-10-31 ]

Please also test any fixes with:

CREATE PROCEDURE p1(IN i INT) EXECUTE s;
EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE;
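
A consolidated mysql-test (mtr) regression script collecting every crashing case posted on this issue, added here as an example; it is not part of the MariaDB test suite or of any of the commits above. It assumes that, once fixed, each case reports error 4032, the code the description shows for the 'SELECT 1=?' reference case; whether the fix uses exactly that code in every context is an assumption.

```sql
--echo # MDEV-15703: DEFAULT/IGNORE bound to '?' where no column context exists.
--echo # Each statement below used to crash the server; after the fix each one
--echo # must fail with error 4032 (Default/ignore value is not supported for
--echo # such parameter usage), which is an assumption for the non-reference cases.

--disable_warnings
DROP TABLE IF EXISTS t1, t;
DROP PROCEDURE IF EXISTS p;
DROP PROCEDURE IF EXISTS p0;
DROP PROCEDURE IF EXISTS p1;
--enable_warnings

# Column DEFAULT clause in CREATE TABLE (original report and the UBSAN case)
--error 4032
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT;
--error 4032
EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING IGNORE;
--error 4032
EXECUTE IMMEDIATE 'CREATE TABLE t(c INT DEFAULT ?)' USING IGNORE;

# Local variable DEFAULT inside a compound statement
--error 4032
EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING DEFAULT;
--error 4032
EXECUTE IMMEDIATE 'BEGIN NOT ATOMIC DECLARE a INT DEFAULT ?; END' USING IGNORE;

# Parameter in a UNION branch
--error 4032
EXECUTE IMMEDIATE 'SELECT ? UNION SELECT 1' USING DEFAULT;

# IN parameter of a stored procedure (the procedure bodies never run,
# so max_connections is not changed and prepared statement s need not exist)
CREATE PROCEDURE p(IN c INT) SET max_connections=100;
--error 4032
EXECUTE IMMEDIATE 'CALL p(?)' USING DEFAULT;

CREATE PROCEDURE p0 (IN i INT) DETERMINISTIC NO SQL SET @c=i +0;
--error 4032
EXECUTE IMMEDIATE 'CALL p0 (?)' USING DEFAULT;

CREATE PROCEDURE p1(IN i INT) EXECUTE s;
--error 4032
EXECUTE IMMEDIATE 'CALL p1(?)' USING IGNORE;

# Reference case from the description, which already reported 4032
--error 4032
EXECUTE IMMEDIATE 'SELECT 1=?' USING DEFAULT;

# The rejected CREATE statements must not have left a table behind
--error ER_BAD_TABLE_ERROR
DROP TABLE t1;
--error ER_BAD_TABLE_ERROR
DROP TABLE t;

# Cleanup
DROP PROCEDURE p;
DROP PROCEDURE p0;
DROP PROCEDURE p1;
```

On an unfixed build the first rejected statement ends the test with a lost connection rather than error 4032, which is the observable difference the script is meant to catch.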

Comment by Dmitry Shulga [ 2024-01-16 ]

Branch for review is bb-10.4-MDEV-15703-1

Comment by Oleksandr Byelkin [ 2024-02-06 ]

OK to push, let's discuss if it is safe for 10.4

Generated at Thu Feb 08 08:23:23 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.