[MDEV-22022] Various mangled SQL statements will crash 10.3 to 10.5 debug builds Created: 2020-03-24  Updated: 2021-01-14  Resolved: 2020-08-05

Status: Closed
Project: MariaDB Server
Component/s: Parser
Affects Version/s: 10.3, 10.4, 10.5
Fix Version/s: 10.3.26, 10.4.16, 10.5.7

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: affects-tests, not-10.1, not-10.2, regression

Attachments: File Additional_testcase_n.sql

Description

 SOURCE in.sql

With in.sql file defined as:

if(`systeminfo /FO LIST;

Will result in:

10.5.2>source /tmp/in.sql
ERROR 2013 (HY000) at line 1 in file: '/tmp/in.sql': Lost connection to MySQL server during query

Core was generated by `/data/MD180320-mariadb-10.5.2-linux-x86_64-debug/bin/mysqld --no-defaults --cor'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7f8e51804700 (LWP 15910))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055a54106f7d4 in my_write_core (sig=sig@entry=6) at /data/git/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055a540818b5f in handle_fatal_signal (sig=6) at /data/git/10.5_dbg/sql/signal_handler.cc:325
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00007f8e4ff48801 in __GI_abort () at abort.c:79
#6  0x00007f8e4ff3839a in __assert_fail_base (
    fmt=0x7f8e500bf7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", 
    file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170, 
    function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:92
#7  0x00007f8e4ff38412 in __GI___assert_fail (
    assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", 
    file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170, 
    function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:101
#8  0x000055a540550855 in LEX::create_item_ident_sp (this=this@entry=0x7f8e24c890a0, thd=thd@entry=
    0x7f8e24c15088, name=name@entry=0x7f8e51802530, start=0x7f8e24c740a3 "`systeminfo /FO LIST", 
    end=0x7f8e24c740b8 "\004") at /data/git/10.5_dbg/sql/sql_lex.cc:8170
#9  0x000055a5407a3619 in LEX::create_item_ident (cname=0x7f8e51802708, thd=0x7f8e24c15088, 
    this=0x7f8e24c890a0) at /data/git/10.5_dbg/sql/sql_lex.h:3915
#10 MYSQLparse (thd=thd@entry=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_yacc.yy:14908
#11 0x000055a540584135 in parse_sql (thd=thd@entry=0x7f8e24c15088, 
    parser_state=parser_state@entry=0x7f8e51803450, creation_ctx=creation_ctx@entry=0x0, 
    do_pfs_digest=do_pfs_digest@entry=true) at /data/git/10.5_dbg/sql/sql_parse.cc:10232
#12 0x000055a54057e5ab in mysql_parse (thd=thd@entry=0x7f8e24c15088, rawbuf=<optimized out>, length=23, 
    parser_state=parser_state@entry=0x7f8e51803450, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:7879
#13 0x000055a54056a664 in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x7f8e24c15088, packet=packet@entry=0x7f8e24c67089 "if(`systeminfo /FO LIST;", 
    packet_length=packet_length@entry=24, is_com_multi=is_com_multi@entry=false, 
    is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:1839
#14 0x000055a540568eaf in do_command (thd=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_parse.cc:1358
#15 0x000055a5406c2a09 in do_handle_one_connection (connect=<optimized out>, 
    connect@entry=0x7f8e2de2b3a8, put_in_cache=put_in_cache@entry=true)
    at /data/git/10.5_dbg/sql/sql_connect.cc:1422
#16 0x000055a5406c2d38 in handle_one_connection (arg=arg@entry=0x7f8e2de2b3a8)
    at /data/git/10.5_dbg/sql/sql_connect.cc:1319
#17 0x000055a540b1fcfc in pfs_spawn_thread (arg=0x7f8e4f445888)
    at /data/git/10.5_dbg/storage/perfschema/pfs.cc:2201
#18 0x00007f8e50c2b6db in start_thread (arg=0x7f8e51804700) at pthread_create.c:463
#19 0x00007f8e5002988f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Correct parsing will/should result in:

10.1.45>source /tmp/in.sql
ERROR 1064 (42000) at line 1 in file: '/tmp/in.sql': You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1

In case it matters, OS is Ubuntu 18.04.4 LTS x64

Comments
Comment by Alexander Barkov [ 2020-03-26 ]

Also repeatable with these SQL statements:

EXECUTE IMMEDIATE 'if(`systeminfo /FO LIST';

EXECUTE IMMEDIATE 'if(`systeminfo';

Comment by Roel Van de Paar [ 2020-05-15 ]

One more:

SOURCE in.sql

With in.sql file defined as:

IF(`SELECT @@a=;

or

EXECUTE IMMEDIATE 'IF(`SELECT @@a=';

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg), 10.5.3 (dbg), 10.5.4 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt), 10.5.3 (opt), 10.5.4 (opt), 10.6.0 (dbg), 10.6.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

If you prefix the testcase with

set SQL_MODE=Oracle;

The stack is slightly different.

Comment by Roel Van de Paar [ 2020-05-22 ]

SET CHARACTER_SET_CLIENT=17;
SELECT doc.`Children`.0 FROM t1;

Leads to:

10.5.3 cfe5ee90c8e4b9dfa98a41fcd299197a59261be7

mysqld: /test/10.5_dbg/sql/sql_lex.cc:8016: Item* LEX::create_item_ident(THD*, const Lex_ident_cli_st*, const Lex_ident_cli_st*): Assertion `end <= thd->m_parser_state->m_lip.get_end_of_query()' failed.

10.5.3 cfe5ee90c8e4b9dfa98a41fcd299197a59261be7

Core was generated by `/test/MD110520-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14e8379e2700 (LWP 280505))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055758015ac11 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055757f8fff8d in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:329
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x000014e836126801 in __GI_abort () at abort.c:79
#6  0x000014e83611639a in __assert_fail_base (fmt=0x14e83629d7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5575802cdf00 "end <= thd->m_parser_state->m_lip.get_end_of_query()", file=file@entry=0x5575802cc1cc "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=8016, function=function@entry=0x5575802cf6a0 <LEX::create_item_ident(THD*, Lex_ident_cli_st const*, Lex_ident_cli_st const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident(THD*, const Lex_ident_cli_st*, const Lex_ident_cli_st*)") at assert.c:92
#7  0x000014e836116412 in __GI___assert_fail (assertion=assertion@entry=0x5575802cdf00 "end <= thd->m_parser_state->m_lip.get_end_of_query()", file=file@entry=0x5575802cc1cc "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=8016, function=function@entry=0x5575802cf6a0 <LEX::create_item_ident(THD*, Lex_ident_cli_st const*, Lex_ident_cli_st const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident(THD*, const Lex_ident_cli_st*, const Lex_ident_cli_st*)") at assert.c:101
#8  0x000055757f63ba08 in LEX::create_item_ident (this=0x14e814c18fd0, thd=thd@entry=0x14e814c15088, ca=ca@entry=0x14e8379e0720, cb=cb@entry=0x14e8379e0750) at /test/10.5_dbg/sql/sql_lex.cc:8016
#9  0x000055757f88ab54 in MYSQLparse (thd=thd@entry=0x14e814c15088) at /test/10.5_dbg/sql/sql_yacc.yy:14955
#10 0x000055757f669086 in parse_sql (thd=thd@entry=0x14e814c15088, parser_state=parser_state@entry=0x14e8379e13e0, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.5_dbg/sql/sql_parse.cc:10263
#11 0x000055757f66360a in mysql_parse (thd=thd@entry=0x14e814c15088, rawbuf=<optimized out>, length=31, parser_state=parser_state@entry=0x14e8379e13e0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7910
#12 0x000055757f64fffd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14e814c15088, packet=packet@entry=0x14e814c67089 "SELECT doc.`Children`.0 FROM t1", packet_length=packet_length@entry=31, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
#13 0x000055757f64e8cc in do_command (thd=0x14e814c15088) at /test/10.5_dbg/sql/sql_parse.cc:1358
#14 0x000055757f7a899d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x14e8168433a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#15 0x000055757f7a90b9 in handle_one_connection (arg=arg@entry=0x14e8168433a8) at /test/10.5_dbg/sql/sql_connect.cc:1313
#16 0x000055757fc0710a in pfs_spawn_thread (arg=0x14e835445888) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#17 0x000014e836e096db in start_thread (arg=0x14e8379e2700) at pthread_create.c:463
#18 0x000014e83620788f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg), 10.5.3 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt), 10.5.3 (opt), 10.5.4 (dbg), 10.5.4 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Comment by Roel Van de Paar [ 2020-05-26 ]

Optimized:

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

10.5.4>SELECT doc.`Children`.0 FROM t1;
ERROR 1300 (HY000): Invalid filename character string: 'Children`0 FROM t1'

Comment by Roel Van de Paar [ 2020-07-21 ]

Discovered another one. For this one EXECUTE IMMEDIATE does not work.

SOURCE Additional_testcase_n.sql   # Attached to ticket

Leads to:

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

mysqld: /test/10.5_dbg/sql/sql_lex.cc:8185: Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*): Assertion `end <= thd->m_parser_state->m_lip.get_end_of_query()' failed.

10.5.5 30e7a0a866dce530d8328c6d614e48d39a264f9b (Debug)

Core was generated by `/test/MD140720-mariadb-10.5.5-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x1500d5749700 (LWP 3667075))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x0000562c168234d7 in my_write_core (sig=sig@entry=6) at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x0000562c15fdd9ba in handle_fatal_signal (sig=6) at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00001500d39df8b1 in __GI_abort () at abort.c:79
#6  0x00001500d39cf42a in __assert_fail_base (fmt=0x1500d3b56a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x562c1699e0a8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", file=file@entry=0x562c1699c36c "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=8185, function=function@entry=0x562c1699f740 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:92
#7  0x00001500d39cf4a2 in __GI___assert_fail (assertion=assertion@entry=0x562c1699e0a8 "end <= thd->m_parser_state->m_lip.get_end_of_query()", file=file@entry=0x562c1699c36c "/test/10.5_dbg/sql/sql_lex.cc", line=line@entry=8185, function=function@entry=0x562c1699f740 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:101
#8  0x0000562c15d1109b in LEX::create_item_ident_sp (this=this@entry=0x1500b14890a0, thd=thd@entry=0x1500b1415088, name=name@entry=0x1500d57474a0, start=0x1500b14740a4 "`select count(*) = 0 from information_schema.session_variables where variable_name = 'abcdefghijklmnopqrstuvwxyz' and variable_value = 'abcdefghijklmnopqrstuvwxyz'", end=0x1500b1474148 "\004") at /test/10.5_dbg/sql/sql_lex.cc:8185
#9  0x0000562c15f68b47 in LEX::create_item_ident (cname=0x1500d5747678, thd=0x1500b1415088, this=0x1500b14890a0) at /test/10.5_dbg/sql/sql_lex.h:3930
#10 MYSQLparse (thd=thd@entry=0x1500b1415088) at /test/10.5_dbg/sql/sql_yacc.yy:14951
#11 0x0000562c15d43fd4 in parse_sql (thd=thd@entry=0x1500b1415088, parser_state=parser_state@entry=0x1500d5748350, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.5_dbg/sql/sql_parse.cc:10299
#12 0x0000562c15d3e558 in mysql_parse (thd=thd@entry=0x1500b1415088, rawbuf=<optimized out>, length=167, parser_state=parser_state@entry=0x1500d5748350, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7946
#13 0x0000562c15d2b204 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1500b1415088, packet=packet@entry=0x1500b1467089 "if (`select count(*) = 0 from information_schema.session_variables where variable_name = 'abcdefghijklmnopqrstuvwxyz' and variable_value = 'abcdefghijklmnopqrstuvwxyz';", packet_length=packet_length@entry=168, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1866
#14 0x0000562c15d299de in do_command (thd=0x1500b1415088) at /test/10.5_dbg/sql/sql_parse.cc:1347
#15 0x0000562c15e85c3b in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1500b48c73a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1411
#16 0x0000562c15e86357 in handle_one_connection (arg=arg@entry=0x1500b48c73a8) at /test/10.5_dbg/sql/sql_connect.cc:1313
#17 0x0000562c162e9ca8 in pfs_spawn_thread (arg=0x1500d2446508) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#18 0x00001500d46c26db in start_thread (arg=0x1500d5749700) at pthread_create.c:463
#19 0x00001500d3ac0a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
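
A regression harness for the test cases collected in this ticket, added here as an example; it is not part of the ticket or of the MariaDB source tree. It assumes the `mysql` command-line client is on PATH and that the connection arguments (for example `-uroot -S/tmp/mysql.sock`) are passed on the command line after the script name. Each case is written to a temporary file and fed through SOURCE, as in the reports above, since the last case is reported not to trigger through EXECUTE IMMEDIATE. The verdict is taken from the client's error code: 2013 or 2006 means the connection died (the debug-build assertion), while 1064 and 1300 are the rejections the 10.1 and optimized builds return; a second connection after each case distinguishes a dead server from a plain error. A build carrying the fix is expected to produce no "crash" verdicts.

```python
"""Regression harness for the MDEV-22022 test cases.

Added example; not part of the ticket or of the MariaDB source tree.
Assumptions (not stated in the ticket): the `mysql` command-line client is on
PATH, and whatever follows the script name on the command line is passed to it
as connection arguments (e.g. -uroot -S/tmp/mysql.sock).
"""
import os
import re
import subprocess
import sys
import tempfile

# Statements copied from the ticket. Each value is the content of a file that is
# fed through SOURCE, because the last case is reported not to trigger through
# EXECUTE IMMEDIATE. Two-statement cases are kept together as posted.
CASES = {
    "unterminated_backtick_if": "if(`systeminfo /FO LIST;\n",
    "execute_immediate_long": "EXECUTE IMMEDIATE 'if(`systeminfo /FO LIST';\n",
    "execute_immediate_short": "EXECUTE IMMEDIATE 'if(`systeminfo';\n",
    "unterminated_backtick_sysvar": "IF(`SELECT @@a=;\n",
    "oracle_mode_sysvar": "set SQL_MODE=Oracle;\nIF(`SELECT @@a=;\n",
    "charset_17_dotted_ident": "SET CHARACTER_SET_CLIENT=17;\nSELECT doc.`Children`.0 FROM t1;\n",
    "unterminated_backtick_subselect": (
        "if (`select count(*) = 0 from information_schema.session_variables "
        "where variable_name = 'abcdefghijklmnopqrstuvwxyz' and "
        "variable_value = 'abcdefghijklmnopqrstuvwxyz';\n"
    ),
}

# Client errors meaning the connection died mid-statement: 2013 "Lost connection
# to MySQL server during query" (seen in the ticket) and 2006 "MySQL server has
# gone away" (reported by the client when the server is already down).
_CRASH = re.compile(r"ERROR (2013|2006) \(HY000\)")
# Errors the ticket shows for a correctly rejected statement: 1064 (syntax
# error, 10.1.45) and 1300 (invalid filename character string, 10.5.4 opt).
_REJECTED = re.compile(r"ERROR (1064|1300) \(")


def classify(client_output: str) -> str:
    """Map the mysql client's output for one case to 'crash', 'rejected' or 'other'."""
    if _CRASH.search(client_output):
        return "crash"
    if _REJECTED.search(client_output):
        return "rejected"
    return "other"


def run_case(sql: str, client_args) -> str:
    """Write one case to a temp file, SOURCE it through the client, return its output."""
    with tempfile.NamedTemporaryFile("w", suffix=".sql", delete=False) as f:
        f.write(sql)
        path = f.name
    try:
        proc = subprocess.run(
            ["mysql", *client_args, "-e", f"SOURCE {path}"],
            capture_output=True, text=True, timeout=30,
        )
        return proc.stdout + proc.stderr
    finally:
        os.unlink(path)


def server_alive(client_args) -> bool:
    """A fresh connection after each case tells a dead server apart from a plain error."""
    proc = subprocess.run(["mysql", *client_args, "-e", "SELECT 1"],
                          capture_output=True, text=True, timeout=30)
    return proc.returncode == 0


def main(argv) -> int:
    client_args = argv[1:]
    crashes = 0
    for name, sql in CASES.items():
        try:
            verdict = classify(run_case(sql, client_args))
            if verdict != "crash" and not server_alive(client_args):
                verdict = "crash"
        except FileNotFoundError:
            print("mysql client not found on PATH", file=sys.stderr)
            return 2
        print(f"{name:34s} {verdict}")
        crashes += verdict == "crash"
    return 1 if crashes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 mdev22022_check.py -uroot -S/tmp/mysql.sock` against a debug build; a non-zero exit means at least one case took the server down, which is the ticket's symptom.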

Generated at Thu Feb 08 09:11:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.