[#MDEV-22560] Crash on a table value constructor with an SP variable

#0  0x00007ffff76ce625 in raise () from /lib64/libc.so.6

#1  0x00007ffff76b78d9 in abort () from /lib64/libc.so.6

#2  0x00007ffff76b77a9 in __assert_fail_base.cold () from /lib64/libc.so.6

#3  0x00007ffff76c6a66 in __assert_fail () from /lib64/libc.so.6

#4  0x0000000000a95ffd in Item_splocal::fix_fields (this=0x7fff6801a860,

    thd=0x7fff68000d90, ref=0x0)

    at /home/bar/maria-git/server.10.3.floor/sql/item.cc:1872

#5  0x0000000000983df1 in fix_fields_for_tvc (thd=0x7fff68000d90, li=...)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_tvc.cc:55

#6  0x000000000098444b in table_value_constr::prepare (this=0x7fff6801a960,

    thd=0x7fff68000d90, sl=0x7fff6801e1a0, tmp_result=0x7fff68020418,

    unit_arg=0x7fff6801da18)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_tvc.cc:230

#7  0x000000000086c3da in st_select_lex_unit::prepare (this=0x7fff6801da18,

    derived_arg=0x0, sel_result=0x7fff680203f0, additional_options=268435456)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_union.cc:1018

#8  0x0000000000868eee in mysql_union (thd=0x7fff68000d90, lex=0x7fff6801d958,

    result=0x7fff680203f0, unit=0x7fff6801da18, setup_tables_done_option=0)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_union.cc:39

#9  0x00000000007b7baa in handle_select (thd=0x7fff68000d90,

    lex=0x7fff6801d958, result=0x7fff680203f0, setup_tables_done_option=0)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_select.cc:360

#10 0x00000000007817e9 in execute_sqlcom_select (thd=0x7fff68000d90,

    all_tables=0x0)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:6293

#11 0x0000000000778302 in mysql_execute_command (thd=0x7fff68000d90)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:3820

#12 0x00000000006a07e6 in sp_instr_stmt::exec_core (this=0x7fff6801b280,

    thd=0x7fff68000d90, nextp=0x7ffff412ebc8)

    at /home/bar/maria-git/server.10.3.floor/sql/sp_head.cc:3609

#13 0x000000000069fcca in sp_lex_keeper::reset_lex_and_exec_core (

    this=0x7fff6801b2c8, thd=0x7fff68000d90, nextp=0x7ffff412ebc8,

    open_tables=false, instr=0x7fff6801b280)

    at /home/bar/maria-git/server.10.3.floor/sql/sp_head.cc:3341

#14 0x00000000006a03e0 in sp_instr_stmt::execute (this=0x7fff6801b280,

    thd=0x7fff68000d90, nextp=0x7ffff412ebc8)

    at /home/bar/maria-git/server.10.3.floor/sql/sp_head.cc:3515

#15 0x000000000069a3f4 in sp_head::execute (this=0x7fff68019858,

    thd=0x7fff68000d90, merge_da_on_success=true)

    at /home/bar/maria-git/server.10.3.floor/sql/sp_head.cc:1371

#16 0x000000000069cc6c in sp_head::execute_procedure (this=0x7fff68019858,

    thd=0x7fff68000d90, args=0x7fff68005a10)

    at /home/bar/maria-git/server.10.3.floor/sql/sp_head.cc:2311

#17 0x0000000000775ac9 in do_execute_sp (thd=0x7fff68000d90, sp=0x7fff68019858)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:2991

#18 0x000000000077eda3 in mysql_execute_command (thd=0x7fff68000d90)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:5642

#19 0x00000000007858ee in mysql_parse (thd=0x7fff68000d90,

    rawbuf=0x7fff680137b8 "BEGIN NOT ATOMIC\n  DECLARE a INT DEFAULT 0;\n  VALUES (a) UNION SELECT 1;\nEND", length=76, parser_state=0x7ffff41305c0,

    is_com_multi=false, is_next_command=false)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:7817

#20 0x0000000000772947 in dispatch_command (command=COM_QUERY,

    thd=0x7fff68000d90,

    packet=0x7fff68008e11 "BEGIN NOT ATOMIC\n  DECLARE a INT DEFAULT 0;\n  VALUES (a) UNION SELECT 1;\nEND;", packet_length=77, is_com_multi=false,

    is_next_command=false)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:1855

#21 0x000000000077132a in do_command (thd=0x7fff68000d90)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_parse.cc:1401

#22 0x00000000008db1ef in do_handle_one_connection (connect=0x267c9c0)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_connect.cc:1403

#23 0x00000000008daf57 in handle_one_connection (arg=0x267c9c0)

    at /home/bar/maria-git/server.10.3.floor/sql/sql_connect.cc:1308

#24 0x00007ffff7f924e2 in start_thread () from /lib64/libpthread.so.0

#25 0x00007ffff77936d3 in clone () from /lib64/libc.so.6

[MDEV-22560] Crash on a table value constructor with an SP variable Created: 2020-05-14 Updated: 2020-05-18 Resolved: 2020-05-15
Status:	Closed
Project:	MariaDB Server
Component/s:	Stored routines
Affects Version/s:	10.3, 10.4, 10.5
Fix Version/s:	10.5.4, 10.3.24, 10.4.14