[MDEV-22044] Long function name crashes MariaDB 10.1 to 10.5 (debug) | Assertion `strlen(name_arg) <= (64*3)' failed in MDL_key::mdl_key_init Created: 2020-03-26  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Parser
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: sporadic, upstream


Description

DROP FUNCTION a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012;

or

DROP FUNCTION 0111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk;

or

USE test;
DROP FUNCTION f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk;

Leads to:

mysqld: /data/git/10.5_dbg/sql/mdl.h:426: void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*): Assertion `strlen(name_arg) <= (64*3)' failed.

Core was generated by `/data/MD180320-mariadb-10.5.2-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7f6054a03700 (LWP 28433))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055eeb83597d4 in my_write_core (sig=sig@entry=6) at /data/git/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055eeb7b02b5f in handle_fatal_signal (sig=6) at /data/git/10.5_dbg/sql/signal_handler.cc:325
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x00007f6053147801 in __GI_abort () at abort.c:79
#6  0x00007f605313739a in __assert_fail_base (
    fmt=0x7f60532be7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x55eeb84ef27e "strlen(name_arg) <= (64*3)", 
    file=file@entry=0x55eeb84be056 "/data/git/10.5_dbg/sql/mdl.h", line=line@entry=426, 
    function=function@entry=0x55eeb8508f20 <_ZZN7MDL_key12mdl_key_initENS_18enum_mdl_namespaceEPKcS2_E19__PRETTY_FUNCTION__> "void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*)")
    at assert.c:92
#7  0x00007f6053137412 in __GI___assert_fail (
    assertion=assertion@entry=0x55eeb84ef27e "strlen(name_arg) <= (64*3)", 
    file=file@entry=0x55eeb84be056 "/data/git/10.5_dbg/sql/mdl.h", line=line@entry=426, 
    function=function@entry=0x55eeb8508f20 <_ZZN7MDL_key12mdl_key_initENS_18enum_mdl_namespaceEPKcS2_E19__PRETTY_FUNCTION__> "void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*)")
    at assert.c:101
#8  0x000055eeb79b7e09 in MDL_key::mdl_key_init (
    name_arg=0x7f6027c74400 "a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012", db=0x7f6027c744c8 "test", mdl_namespace_arg=MDL_key::FUNCTION, this=0x7f6054a01730)
    at /data/git/10.5_dbg/sql/mdl.h:426
#9  MDL_request::init_with_source (this=this@entry=0x7f6054a01710, 
    mdl_namespace=mdl_namespace@entry=MDL_key::FUNCTION, db_arg=<optimized out>,
    db_arg@entry=0x7f6027c744c8 "test", name_arg=<optimized out>, 
    name_arg@entry=0x7f6027c74400 "a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012", mdl_type_arg=mdl_type_arg@entry=MDL_EXCLUSIVE, 
    mdl_duration_arg=mdl_duration_arg@entry=MDL_TRANSACTION, 
    src_file=0x55eeb868d960 "/data/git/10.5_dbg/sql/lock.cc", src_line=927)
    at /data/git/10.5_dbg/sql/mdl.cc:978
#10 0x000055eeb7c4cd5d in lock_object_name (thd=thd@entry=0x7f6027c15088, mdl_type=MDL_key::FUNCTION, 
    db=0x7f6027c744c8 "test", 
    name=0x7f6027c74400 "a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012") at /data/git/10.5_dbg/sql/lock.cc:926
#11 0x000055eeb7cae405 in Sp_handler::sp_drop_routine (
    this=this@entry=0x55eeb8ffe908 <sp_handler_function>, thd=thd@entry=0x7f6027c15088, 
    name=0x7f6027c744d0) at /data/git/10.5_dbg/sql/sp.cc:1578
#12 0x000055eeb7864b27 in drop_routine (thd=thd@entry=0x7f6027c15088, lex=lex@entry=0x7f6027c18fc8)
    at /data/git/10.5_dbg/sql/sql_parse.cc:6462
#13 0x000055eeb786020a in mysql_execute_command (thd=thd@entry=0x7f6027c15088)
    at /data/git/10.5_dbg/sql/sql_parse.cc:5643
#14 0x000055eeb78687a5 in mysql_parse (thd=thd@entry=0x7f6027c15088, rawbuf=<optimized out>, 
    length=<optimized out>, parser_state=parser_state@entry=0x7f6054a02450, 
    is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
    at /data/git/10.5_dbg/sql/sql_parse.cc:7926
#15 0x000055eeb7854664 in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x7f6027c15088, 
    packet=packet@entry=0x7f6027c67089 "drop function a12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345"..., packet_length=packet_length@entry=207, 
    is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
    at /data/git/10.5_dbg/sql/sql_parse.cc:1839
#16 0x000055eeb7852eaf in do_command (thd=0x7f6027c15088) at /data/git/10.5_dbg/sql/sql_parse.cc:1358
#17 0x000055eeb79aca09 in do_handle_one_connection (connect=<optimized out>, 
    connect@entry=0x7f6030e2b3a8, put_in_cache=put_in_cache@entry=true)
    at /data/git/10.5_dbg/sql/sql_connect.cc:1422
#18 0x000055eeb79acd38 in handle_one_connection (arg=arg@entry=0x7f6030e2b3a8)
    at /data/git/10.5_dbg/sql/sql_connect.cc:1319
#19 0x000055eeb7e09cfc in pfs_spawn_thread (arg=0x7f6052445888)
    at /data/git/10.5_dbg/storage/perfschema/pfs.cc:2201
#20 0x00007f6053e2a6db in start_thread (arg=0x7f6054a03700) at pthread_create.c:463
#21 0x00007f605322888f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reducing the length of the function name by one character stops the bug from happening; the names above are therefore the minimum length that triggers it.
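As an added illustration (not code from the report or from MariaDB itself), the following C block separates the two checks involved: the byte-length invariant the debug assertion enforces on the MDL key buffer, and the character-count check a caller should apply to a routine name before the name ever reaches the MDL layer. It rebuilds the report's second repro name (193 bytes) and verifies the "one character shorter" observation. NAME_CHAR_LEN, NAME_LEN and the utf8mb3 factor of 3 are assumptions read off the assertion text `64*3`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Limits implied by the assertion text `strlen(name_arg) <= (64*3)` (assumed
   to match MariaDB's NAME_CHAR_LEN / NAME_LEN): 64 characters of <= 3 bytes. */
#define NAME_CHAR_LEN 64
#define NAME_LEN (NAME_CHAR_LEN * 3)

/* The invariant the debug build asserts in MDL_key::mdl_key_init: the name
   must fit the fixed-size key buffer, measured in bytes. */
bool mdl_key_fits(const char *name) { return strlen(name) <= NAME_LEN; }

/* Count UTF-8 code points: every byte that is not a continuation byte. */
static size_t utf8_char_count(const char *s) {
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80) n++;
    return n;
}

/* The front-door check a parser should apply to a routine name: at most
   NAME_CHAR_LEN characters. For utf8mb3 input this implies mdl_key_fits(). */
bool identifier_ok(const char *name) {
    return utf8_char_count(name) <= NAME_CHAR_LEN;
}

/* Build the second repro name from the report: '0', then ten copies each of
   1..9 and a..j, then "kk": 193 bytes, exactly NAME_LEN + 1. Returns length. */
size_t build_repro_name(char *out, size_t cap) {
    const char *runs = "123456789abcdefghij";
    size_t n = 0;
    if (cap < NAME_LEN + 2) return 0;        /* 193 bytes plus the terminator */
    out[n++] = '0';
    for (const char *p = runs; *p; p++)
        for (int i = 0; i < 10; i++) out[n++] = *p;
    out[n++] = 'k'; out[n++] = 'k';
    out[n] = '\0';
    return n;
}

/* Returns 1 when the report's observations hold: the 193-byte name trips the
   key-buffer invariant, the same name one byte shorter does not, and the
   character-count check would have rejected both before the MDL layer. */
int repro_matches_report(void) {
    char buf[NAME_LEN + 2];
    size_t n = build_repro_name(buf, sizeof buf);
    if (n != NAME_LEN + 1 || mdl_key_fits(buf) || identifier_ok(buf)) return 0;
    buf[n - 1] = '\0';              /* 192 bytes: the reporter's "minus one" */
    return mdl_key_fits(buf) && !identifier_ok(buf);
}
```

The point for a defender: the names in the report are plain ASCII and already far exceed 64 characters, so a character-count check at the parser would reject them long before the byte-sized key buffer is the last line of defence.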

Bug confirmed present in:
MariaDB: 10.1.45 (dbg), 10.2.32 (dbg), 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg)
MariaDB: 10.1.46 (dbg), 10.2.33 (dbg), 10.3.24 (dbg), 10.4.14 (dbg), 10.5.5 (dbg)
MySQL: 5.6.47 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (opt), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)



Comments
Comment by Roel Van de Paar [ 2020-08-13 ]

Slightly different assert on 10.4: strlen(name_arg) <= (64U*3) - note the U.

Comment by Roel Van de Paar [ 2022-09-01 ]

Updated versions report for MariaDB only. Issue seems to be somewhat sporadic. Also, there is a new stack for 10.6-10.11, as shown below.

DROP FUNCTION f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk;

Leads to the new UniqueID

strlen(name_arg) <= (64*3)|SIGABRT|MDL_key::mdl_key_init|MDL_request::init_with_source|lock_object_name|Sp_handler::sp_drop_routine

./stack

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Debug)

mysqld: /test/10.11_dbg/sql/mdl.h:430: void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*): Assertion `strlen(name_arg) <= (64*3)' failed.

10.11.0 bc563f1a4b0b38de3b41fd0f0d3d8b7f1aacbd8b (Debug)

Core was generated by `/test/MD190822-mariadb-10.11.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14e577765700 (LWP 2986609))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000014e5b0754859 in __GI_abort () at abort.c:79
#2  0x000014e5b0754729 in __assert_fail_base (fmt=0x14e5b08ea588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x558f9f53db92 "strlen(name_arg) <= (64*3)", file=0x558f9f5134de "/test/10.11_dbg/sql/mdl.h", line=430, function=<optimized out>) at assert.c:92
#3  0x000014e5b0765fd6 in __GI___assert_fail (assertion=assertion@entry=0x558f9f53db92 "strlen(name_arg) <= (64*3)", file=file@entry=0x558f9f5134de "/test/10.11_dbg/sql/mdl.h", line=line@entry=430, function=function@entry=0x558f9f53e190 "void MDL_key::mdl_key_init(MDL_key::enum_mdl_namespace, const char*, const char*)") at assert.c:101
#4  0x0000558f9eaa5f52 in MDL_key::mdl_key_init (name_arg=0x14e548013e38 "f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk", db=0x14e548013f00 "test", mdl_namespace_arg=MDL_key::FUNCTION, this=0x14e577763910) at /test/10.11_dbg/sql/mdl.h:430
#5  MDL_request::init_with_source (this=this@entry=0x14e5777638f0, mdl_namespace=mdl_namespace@entry=MDL_key::FUNCTION, db_arg=<optimized out>, db_arg@entry=0x14e548013f00 "test", name_arg=<optimized out>, name_arg@entry=0x14e548013e38 "f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk", mdl_type_arg=mdl_type_arg@entry=MDL_EXCLUSIVE, mdl_duration_arg=mdl_duration_arg@entry=MDL_TRANSACTION, src_file=0x558f9f6dd97b "/test/10.11_dbg/sql/lock.cc", src_line=961) at /test/10.11_dbg/sql/mdl.cc:1007
#6  0x0000558f9ed9574c in lock_object_name (thd=thd@entry=0x14e548000db8, mdl_type=MDL_key::FUNCTION, db=0x14e548013f00 "test", name=0x14e548013e38 "f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjkk") at /test/10.11_dbg/sql/lock.cc:961
#7  0x0000558f9edcb02f in Sp_handler::sp_drop_routine (this=this@entry=0x558f9fe08dc8 <sp_handler_function>, thd=thd@entry=0x14e548000db8, name=0x14e548013f08) at /test/10.11_dbg/sql/sp.cc:1591
#8  0x0000558f9e933546 in drop_routine (thd=thd@entry=0x14e548000db8, lex=lex@entry=0x14e548004f18) at /test/10.11_dbg/sql/sql_parse.cc:6573
#9  0x0000558f9e9407ad in mysql_execute_command (thd=thd@entry=0x14e548000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:5746
#10 0x0000558f9e929882 in mysql_parse (thd=thd@entry=0x14e548000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14e577764330) at /test/10.11_dbg/sql/sql_parse.cc:8035
#11 0x0000558f9e936e6a in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14e548000db8, packet=packet@entry=0x14e54800b6e9 "DROP FUNCTION f111111111122222222223333333333444444444455555555556666666666777777777788888888889999999999aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjj"..., packet_length=packet_length@entry=207, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1339
#12 0x0000558f9e939574 in do_command (thd=0x14e548000db8, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
#13 0x0000558f9ea9b1da in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558fa2a3c758, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1418
#14 0x0000558f9ea9b6e3 in handle_one_connection (arg=0x558fa2a3c758) at /test/10.11_dbg/sql/sql_connect.cc:1312
#15 0x000014e5b0c65609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x000014e5b0851133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.2 (dbg), 10.10.2 (dbg), 10.11.0 (dbg)
MySQL: 5.6.51 (dbg)

All UniqueID's seen thus far

strlen(name_arg) <= (64*3)|SIGABRT|MDL_key::mdl_key_init|MDL_request::init_with_source|lock_object_name|Sp_handler::sp_drop_routine
strlen(name_arg) <= (64U*3)|SIGABRT|MDL_key::mdl_key_init|MDL_request::init|lock_object_name|Sp_handler::sp_drop_routine
strlen(db) <= (64*3) && strlen(name) <= (64*3)|SIGABRT|MDL_key::mdl_key_init|MDL_request::init|lock_object_name|sp_drop_routine

Generated at Thu Feb 08 09:11:46 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.