[MDEV-21997] Server crashes in LEX::create_item_ident_sp upon use of unknown identifier Created: 2020-03-22  Updated: 2021-04-19  Resolved: 2020-07-22

Status: Closed
Project: MariaDB Server
Component/s: Parser
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4.14, 10.5.5

Type: Bug Priority: Blocker
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 1
Labels: None

Issue Links:
Blocks
Relates
relates to MDEV-23518 Syntax error in ond SP results in mis... Closed

Description

For MySQL client

IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4; END IF ;

For MTR

query
IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4; END IF ;

10.4 81f70001

#3  <signal handler called>
#4  0x000055a446b1a616 in LEX::create_item_ident_sp (this=0x7fc63412f178, thd=0x7fc634000af0, name=0x7fc646b01450, start=0x7fc634013308 "foo = 3 THEN SELECT 4", end=0x7fc63401330b " = 3 THEN SELECT 4") at /data/src/10.4/sql/sql_lex.cc:7587
#5  0x000055a446e16bbc in LEX::create_item_ident (this=0x7fc63412f178, thd=0x7fc634000af0, cname=0x7fc646b025b0) at /data/src/10.4/sql/sql_lex.h:3847
#6  0x000055a446e04e3e in MYSQLparse (thd=0x7fc634000af0) at /data/src/10.4/sql/sql_yacc.yy:15561
#7  0x000055a446b5503a in parse_sql (thd=0x7fc634000af0, parser_state=0x7fc646b03160, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.4/sql/sql_parse.cc:10206
#8  0x000055a446b4f85e in mysql_parse (thd=0x7fc634000af0, rawbuf=0x7fc6340132f0 "IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4", length=45, parser_state=0x7fc646b03160, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7853
#9  0x000055a446b3abd0 in dispatch_command (command=COM_QUERY, thd=0x7fc634000af0, packet=0x7fc634136171 "IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4", packet_length=45, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1842
#10 0x000055a446b3925d in do_command (thd=0x7fc634000af0) at /data/src/10.4/sql/sql_parse.cc:1360
#11 0x000055a446cc270f in do_handle_one_connection (connect=0x55a44a48f500) at /data/src/10.4/sql/sql_connect.cc:1412
#12 0x000055a446cc245e in handle_one_connection (arg=0x55a44a48f500) at /data/src/10.4/sql/sql_connect.cc:1316
#13 0x000055a4476cad6d in pfs_spawn_thread (arg=0x55a44a3a3490) at /data/src/10.4/storage/perfschema/pfs.cc:1869
#14 0x00007fc64e8e24a4 in start_thread (arg=0x7fc646b04700) at pthread_create.c:456
#15 0x00007fc64ca16d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Reproducible on 10.4-10.5, on debug and non-debug alike.
Also crashes if the structure is used upon creation of a traditional (named) stored procedure, e.g.

--delimiter $
CREATE PROCEDURE pr()
BEGIN
  IF 1 IN ( SELECT 2 ) OR foo = 3
  THEN SELECT 4;
  END IF ;
END $
--delimiter ;
 
# Cleanup
DROP PROCEDURE pr;

10.3 does not crash, but it doesn't detect the unknown identifier, either, which might be wrong.
Comments
Comment by Alexander Barkov [ 2020-06-03 ]

Repeatable with the following scripts:

DELIMITER $$
BEGIN NOT ATOMIC
  IF (SELECT 2) OR foo = 3 THEN
    SELECT 4;
  END IF ;
END;
$$
DELIMITER ;

DELIMITER $$
CASE (SELECT 2) OR foo
WHEN 1 THEN
  SET @x=10;
END CASE;
$$
DELIMITER ;

DELIMITER $$
WHILE (SELECT 2) OR foo DO
  SET @x=10;
END WHILE;
$$
DELIMITER ;

DELIMITER $$
REPEAT
  SET @x=10;
UNTIL (SELECT 2) OR foo
END REPEAT;
$$
DELIMITER ;

DELIMITER $$
FOR i IN 1..(SELECT 2) OR foo
DO
  SET @x=10;
END FOR;
$$
DELIMITER ;

Comment by Alexander Barkov [ 2020-06-03 ]

sanja, this crash is related to select stack refactoring. Reassigning to you.

Comment by Oleksandr Byelkin [ 2020-07-21 ]

commit ec20992e1ecd928be5dee65c272e54de369c0c48 (HEAD -> bb-10.4-MDEV-21997, origin/bb-10.4-MDEV-21997)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date: Tue Jul 21 10:31:10 2020 +0200

MDEV-21997 Server crashes in LEX::create_item_ident_sp upon use of unknown identifier

If there is no current_select and the variable is not found among SP variables, it can only be an error.

Comment by Alexander Barkov [ 2020-07-22 ]

The patch github.com/MariaDB/server/commit/ec20992e1ecd928be5dee65c272e54de369c0c48 looks OK to push.

Thanks.
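An added MTR-style regression check for the behaviour described above (written for this page, not the test shipped with the fix): every compound-statement form from the reproducers must now fail with an error and leave the connection usable. The error symbol ER_BAD_FIELD_ERROR, and that the named procedure fails at CREATE time, are assumptions of this example, not statements from the ticket.

```sql
# Added regression check, not part of the MariaDB test suite.
# Assumption: the fixed server reports ER_BAD_FIELD_ERROR for the unknown
# identifier 'foo' (the ticket only says the result must be an error).
--echo # MDEV-21997 Server crashes in LEX::create_item_ident_sp upon use of unknown identifier
--delimiter $

--error ER_BAD_FIELD_ERROR
IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4; END IF $

--error ER_BAD_FIELD_ERROR
BEGIN NOT ATOMIC
  IF (SELECT 2) OR foo = 3 THEN SELECT 4; END IF;
END $

--error ER_BAD_FIELD_ERROR
CASE (SELECT 2) OR foo WHEN 1 THEN SET @x=10; END CASE $

--error ER_BAD_FIELD_ERROR
WHILE (SELECT 2) OR foo DO SET @x=10; END WHILE $

--error ER_BAD_FIELD_ERROR
REPEAT SET @x=10; UNTIL (SELECT 2) OR foo END REPEAT $

--error ER_BAD_FIELD_ERROR
FOR i IN 1..(SELECT 2) OR foo DO SET @x=10; END FOR $

# Assumption: the same condition inside a named procedure is rejected
# when the procedure is created, so nothing is left behind to drop.
--error ER_BAD_FIELD_ERROR
CREATE PROCEDURE pr()
BEGIN
  IF 1 IN ( SELECT 2 ) OR foo = 3 THEN SELECT 4; END IF;
END $

--delimiter ;

# Harmless either way; guards against a server that accepted the CREATE.
DROP PROCEDURE IF EXISTS pr;

# The connection must still be alive: a crash would have ended the test here.
SELECT 1 AS server_alive;
```

If the fixed server reports a different error code for the unknown identifier, adjust the `--error` lines; the point of the check is that each statement ends in a client-visible error rather than a lost connection.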

Generated at Thu Feb 08 09:11:24 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.