[MDEV-25135] Server crashes in Column_definition::prepare_stage1 (with different rest of stack) upon creation of stored routine Created: 2021-03-14  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: Parser
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: affects-tests


Description

SET SQL_MODE= ORACLE;
 
--delimiter $
CREATE PROCEDURE p AS
  a ROW (x CHAR COLLATE DEFAULT);
BEGIN
END $
--delimiter ;

10.3 ecc1cd21

#3  <signal handler called>
#4  Column_definition::create_length_to_internal_length_string (this=0x7f845c0aa910) at /data/src/10.3/sql/field.h:4423
#5  0x000055885e03e8d0 in Column_definition::prepare_stage1_string (this=0x7f845c0aa910, thd=0x7f845c000d90, mem_root=0x7f845c0a9ab8, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_table.cc:3208
#6  0x000055885e16993f in Type_handler_string_result::Column_definition_prepare_stage1 (this=0x55885f3bb9b8 <type_handler_string>, thd=0x7f845c000d90, mem_root=0x7f845c0a9ab8, def=0x7f845c0aa910, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_type.cc:1715
#7  0x000055885e03eaf5 in Column_definition::prepare_stage1 (this=0x7f845c0aa910, thd=0x7f845c000d90, mem_root=0x7f845c0a9ab8, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_table.cc:3248
#8  0x000055885e0429d1 in Column_definition::sp_prepare_create_field (this=0x7f845c0aa910, thd=0x7f845c000d90, mem_root=0x7f845c0a9ab8) at /data/src/10.3/sql/sql_table.cc:4507
#9  0x000055885de8ae29 in sp_head::fill_field_definition (this=0x7f845c0a9a78, thd=0x7f845c000d90, field_def=0x7f845c0aa910) at /data/src/10.3/sql/sp_head.h:662
#10 0x000055885de8aef3 in sp_head::fill_spvar_definition (this=0x7f845c0a9a78, thd=0x7f845c000d90, def=0x7f845c0aa910) at /data/src/10.3/sql/sp_head.h:684
#11 0x000055885de8ae9a in sp_head::row_fill_field_definitions (this=0x7f845c0a9a78, thd=0x7f845c000d90, row=0x7f845c0aa9f0) at /data/src/10.3/sql/sp_head.h:674
#12 0x000055885df3eacf in LEX::sp_variable_declarations_row_finalize (this=0x7f845c09a038, thd=0x7f845c000d90, nvars=1, row=0x7f845c0aa9f0, dflt_value_item=0x0) at /data/src/10.3/sql/sql_lex.cc:5509
#13 0x000055885e20440d in ORAparse (thd=0x7f845c000d90) at /data/src/10.3/sql/sql_yacc_ora.yy:3339
#14 0x000055885df7825d in parse_sql (thd=0x7f845c000d90, parser_state=0x7f846cb575c0, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.3/sql/sql_parse.cc:10153
#15 0x000055885df72b9d in mysql_parse (thd=0x7f845c000d90, rawbuf=0x7f845c012ad8 "CREATE PROCEDURE p AS\na ROW (x CHAR COLLATE DEFAULT);\nBEGIN\nEND", length=63, parser_state=0x7f846cb575c0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7819
#16 0x000055885df5f3f0 in dispatch_command (command=COM_QUERY, thd=0x7f845c000d90, packet=0x7f845c008f31 "CREATE PROCEDURE p AS\na ROW (x CHAR COLLATE DEFAULT);\nBEGIN\nEND ", packet_length=64, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#17 0x000055885df5dd90 in do_command (thd=0x7f845c000d90) at /data/src/10.3/sql/sql_parse.cc:1398
#18 0x000055885e0dccb9 in do_handle_one_connection (connect=0x558861f686b0) at /data/src/10.3/sql/sql_connect.cc:1403
#19 0x000055885e0dca15 in handle_one_connection (arg=0x558861f686b0) at /data/src/10.3/sql/sql_connect.cc:1308
#20 0x000055885eaaafe1 in pfs_spawn_thread (arg=0x55886200d210) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#21 0x00007f8473043609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#22 0x00007f8472c1d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible on 10.3-10.6.
Reproducible on debug, release and ASAN builds alike.
Not applicable to 10.2.

Variations of the stack trace, depending on the variations of the faulty statement, have been observed, e.g.:

#3  <signal handler called>
#4  0x0000560b597a4317 in Column_definition::create_interval_from_interval_list (this=0x7f3dc40aae50, mem_root=0x7f3dc40a9dc8, reuse_interval_list_values=false) at /data/src/10.3/sql/field.cc:10311
#5  0x0000560b597a4b3e in Column_definition::prepare_interval_field (this=0x7f3dc40aae50, mem_root=0x7f3dc40a9dc8, reuse_interval_list_values=false) at /data/src/10.3/sql/field.cc:10411
#6  0x0000560b5956e734 in Column_definition::prepare_stage1_typelib (this=0x7f3dc40aae50, thd=0x7f3dc4000d90, mem_root=0x7f3dc40a9dc8, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_table.cc:3187
#7  0x0000560b596998f9 in Type_handler_typelib::Column_definition_prepare_stage1 (this=0x560b5a8eb9b0 <type_handler_set>, thd=0x7f3dc4000d90, mem_root=0x7f3dc40a9dc8, def=0x7f3dc40aae50, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_type.cc:1704
#8  0x0000560b5956eaf5 in Column_definition::prepare_stage1 (this=0x7f3dc40aae50, thd=0x7f3dc4000d90, mem_root=0x7f3dc40a9dc8, file=0x0, table_flags=16) at /data/src/10.3/sql/sql_table.cc:3248
#9  0x0000560b595729d1 in Column_definition::sp_prepare_create_field (this=0x7f3dc40aae50, thd=0x7f3dc4000d90, mem_root=0x7f3dc40a9dc8) at /data/src/10.3/sql/sql_table.cc:4507
#10 0x0000560b593bae29 in sp_head::fill_field_definition (this=0x7f3dc40a9d88, thd=0x7f3dc4000d90, field_def=0x7f3dc40aae50) at /data/src/10.3/sql/sp_head.h:662
#11 0x0000560b593baef3 in sp_head::fill_spvar_definition (this=0x7f3dc40a9d88, thd=0x7f3dc4000d90, def=0x7f3dc40aae50) at /data/src/10.3/sql/sp_head.h:684
#12 0x0000560b593bae9a in sp_head::row_fill_field_definitions (this=0x7f3dc40a9d88, thd=0x7f3dc4000d90, row=0x7f3dc40aaf68) at /data/src/10.3/sql/sp_head.h:674
#13 0x0000560b5946eacf in LEX::sp_variable_declarations_row_finalize (this=0x7f3dc4181868, thd=0x7f3dc4000d90, nvars=2, row=0x7f3dc40aaf68, dflt_value_item=0x0) at /data/src/10.3/sql/sql_lex.cc:5509
#14 0x0000560b5973440d in ORAparse (thd=0x7f3dc4000d90) at /data/src/10.3/sql/sql_yacc_ora.yy:3339
#15 0x0000560b594a825d in parse_sql (thd=0x7f3dc4000d90, parser_state=0x7f3ddb7675c0, creation_ctx=0x0, do_pfs_digest=true) at /data/src/10.3/sql/sql_parse.cc:10153
#16 0x0000560b594a2b9d in mysql_parse (thd=0x7f3dc4000d90, rawbuf=0x7f3dc4012ad8 "DECLARE Tuq4p EXCEPTION ; PRECEDES , E1_569z4 ROW ( LOCAL SET ( 'x' ) COLLATE DEFAULT ) ; BEGIN END", length=99, parser_state=0x7f3ddb7675c0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7819
#17 0x0000560b5948f3f0 in dispatch_command (command=COM_QUERY, thd=0x7f3dc4000d90, packet=0x7f3dc4008f31 "DECLARE Tuq4p EXCEPTION ; PRECEDES , E1_569z4 ROW ( LOCAL SET ( 'x' ) COLLATE DEFAULT ) ; BEGIN END ", packet_length=100, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#18 0x0000560b5948dd90 in do_command (thd=0x7f3dc4000d90) at /data/src/10.3/sql/sql_parse.cc:1398
#19 0x0000560b5960ccb9 in do_handle_one_connection (connect=0x560b5c4586b0) at /data/src/10.3/sql/sql_connect.cc:1403
#20 0x0000560b5960ca15 in handle_one_connection (arg=0x560b5c4586b0) at /data/src/10.3/sql/sql_connect.cc:1308
#21 0x0000560b59fdafe1 in pfs_spawn_thread (arg=0x560b5c4fd210) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#22 0x00007f3de5c9b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#23 0x00007f3de5875293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95



Comments
Comment by Ramesh Sivaraman [ 2022-10-13 ]

A similar SP creation SQL statement crashes the server in the default SQL mode:

CREATE PROCEDURE p0 (c CHAR COLLATE DEFAULT) BEGIN END;

Leads to:

10.8.6 2f70784c2aff3bcf67f89f4d8cd121e8f8c3355f (Debug)

mysqld: /test/10.8_dbg/sql/sql_table.cc:3972: bool Column_definition::sp_prepare_create_field(THD*, MEM_ROOT*): Assertion `charset' failed.

10.8.6 2f70784c2aff3bcf67f89f4d8cd121e8f8c3355f (Debug)

Core was generated by `/test/MD131022-mariadb-10.8.6-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14640e182700 (LWP 3757005))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x0000146426b0e859 in __GI_abort () at abort.c:79
#2  0x0000146426b0e729 in __assert_fail_base (fmt=0x146426ca4588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5617be1cac68 "charset", file=0x5617be054540 "/test/10.8_dbg/sql/sql_table.cc", line=3972, function=<optimized out>) at assert.c:92
#3  0x0000146426b1ffd6 in __GI___assert_fail (assertion=assertion@entry=0x5617be1cac68 "charset", file=file@entry=0x5617be054540 "/test/10.8_dbg/sql/sql_table.cc", line=line@entry=3972, function=function@entry=0x5617be054e30 "bool Column_definition::sp_prepare_create_field(THD*, MEM_ROOT*)") at assert.c:101
#4  0x00005617bd55e5f4 in Column_definition::sp_prepare_create_field (this=this@entry=0x1463d8019ea8, thd=thd@entry=0x1463d8000d48, mem_root=0x1463d80191e0) at /test/10.8_dbg/sql/sql_table.cc:3972
#5  0x00005617bd46717e in sp_head::fill_field_definition (field_def=0x1463d8019ea8, thd=0x1463d8000d48, this=0x1463d80191a0) at /test/10.8_dbg/sql/sp_head.h:713
#6  sp_head::fill_spvar_definition (def=0x1463d8019ea8, thd=0x1463d8000d48, this=0x1463d80191a0) at /test/10.8_dbg/sql/sp_head.h:736
#7  sp_head::fill_spvar_definition (name=0x1463d8019e88, def=0x1463d8019ea8, thd=0x1463d8000d48, this=0x1463d80191a0) at /test/10.8_dbg/sql/sp_head.h:745
#8  LEX::sp_param_fill_definition (this=<optimized out>, spvar=0x1463d8019e88, def=@0x14640e180628: {<Lex_length_and_dec_st> = {m_length = 0x0, m_dec = 0x0}, m_handler = 0x5617be93c240 <type_handler_string>}) at /test/10.8_dbg/sql/sql_lex.cc:6402
#9  0x00005617bd6f1499 in MYSQLparse (thd=thd@entry=0x1463d8000d48) at /test/10.8_dbg/sql/sql_yacc.yy:18092
#10 0x00005617bd48b7c1 in parse_sql (thd=thd@entry=0x1463d8000d48, parser_state=parser_state@entry=0x14640e181310, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /test/10.8_dbg/sql/sql_parse.cc:10367
#11 0x00005617bd486c03 in mysql_parse (thd=thd@entry=0x1463d8000d48, rawbuf=<optimized out>, length=54, parser_state=parser_state@entry=0x14640e181310) at /test/10.8_dbg/sql/sql_parse.cc:7966
#12 0x00005617bd493d79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1463d8000d48, packet=packet@entry=0x1463d800ad99 "CREATE PROCEDURE p0 (c CHAR COLLATE DEFAULT) BEGIN END", packet_length=packet_length@entry=54, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_class.h:1369
#13 0x00005617bd496355 in do_command (thd=0x1463d8000d48, blocking=blocking@entry=true) at /test/10.8_dbg/sql/sql_parse.cc:1407
#14 0x00005617bd5ebe2f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5617bf6c6d88, put_in_cache=put_in_cache@entry=true) at /test/10.8_dbg/sql/sql_connect.cc:1416
#15 0x00005617bd5ec2fe in handle_one_connection (arg=0x5617bf6c6d88) at /test/10.8_dbg/sql/sql_connect.cc:1318
#16 0x000014642701f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x0000146426c0b133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.5.18 (dbg), 10.6.11 (dbg), 10.7.7 (dbg), 10.8.6 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.27 (opt), 10.5.18 (opt), 10.6.11 (opt), 10.7.7 (opt), 10.8.6 (opt), 10.9.4 (dbg), 10.9.4 (opt), 10.10.2 (opt), 10.10.2 (dbg), 10.11.0 (dbg), 10.11.0 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.39 (dbg), 5.7.39 (opt)

Comment by Roel Van de Paar [ 2023-03-21 ]

And this function creation crashes for the same versions (10.3-10.8) in a few different ways:

CREATE FUNCTION f() RETURNS CHAR COLLATE DEFAULT RETURN0;

Stacks/UniqueIDs seen for this testcase across versions:

SIGSEGV|Column_definition::create_length_to_internal_length_string|Column_definition::prepare_stage1_string|Column_definition::sp_prepare_create_field|sp_head::fill_field_definition
SIGSEGV|Column_definition::create_length_to_internal_length_string|Column_definition::prepare_stage1_string|Type_handler_string_result::Column_definition_prepare_stage1|Column_definition::prepare_stage1
charset|SIGABRT|Column_definition::sp_prepare_create_field|sp_head::fill_field_definition|LEX::sf_return_fill_definition|MYSQLparse
charset|SIGABRT|Column_definition::sp_prepare_create_field|sp_head::fill_field_definition|MYSQLparse|parse_sql

Some of the same stacks are seen with the original testcase. However, that one also produces:

charset|SIGABRT|Column_definition::sp_prepare_create_field|sp_head::fill_field_definition|sp_head::fill_spvar_definition|sp_head::row_fill_field_definitions
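
Every test case on this report (the Oracle-mode ROW variable in the description, the procedure parameter and the function RETURNS type in the comments) shares one shape: a stored-routine DDL statement carrying `COLLATE DEFAULT` in a type declaration, sent to a 10.3 through 10.8 server. The following is an added example, not MariaDB code and not taken from the report: a pre-deploy lint that flags such statements before they reach an affected server, so a migration script cannot take the server down by accident. The regexes are an assumed textual heuristic, not the server's parser; the affected version range is copied from the report's "Affects Version/s" and the comment listing 10.2 and 10.9+ as not affected; the sample statements are constructed.

```python
"""Pre-deploy lint for stored-routine DDL matching the crash shape in MDEV-25135.

Added example, not MariaDB code and not the bug report's own test files. It is a
textual heuristic: it blanks out string literals and comments, checks that the
statement is CREATE PROCEDURE / CREATE FUNCTION, and then looks for the
`COLLATE DEFAULT` token pair that every reported test case contains.
"""
import re

# Major.minor range the report lists as affected (10.3 through 10.8); the report
# states that 10.2 and 10.9+ are not affected.
AFFECTED_MINOR_RANGE = ((10, 3), (10, 8))

# Constructed sample statements modelled on the report's test cases (not real DDL
# from any deployment). The last two are controls that must not be flagged.
SAMPLES = [
    "CREATE PROCEDURE p0 (c CHAR COLLATE DEFAULT) BEGIN END",
    "CREATE FUNCTION f() RETURNS CHAR COLLATE DEFAULT RETURN 0",
    "CREATE PROCEDURE p AS a ROW (x CHAR COLLATE DEFAULT); BEGIN END",
    "CREATE PROCEDURE ok (c CHAR COLLATE utf8mb4_general_ci) BEGIN END",
    "CREATE TABLE t (c CHAR COLLATE DEFAULT)",  # not a routine: out of scope here
]

_STRING_OR_COMMENT = re.compile(
    r"""
      '(?:[^'\\]|\\.|'')*'        # single-quoted string, with '' and backslash escapes
    | "(?:[^"\\]|\\.|"")*"        # double-quoted string
    | /\*.*?\*/                   # block comment
    | --[ \t].*?$                 # double-dash comment (needs whitespace after --)
    | \#.*?$                      # hash comment
    """,
    re.VERBOSE | re.DOTALL | re.MULTILINE,
)

_ROUTINE_DDL = re.compile(
    r"^\s*CREATE\s+(?:OR\s+REPLACE\s+)?(?:DEFINER\s*=\s*\S+\s+)?(?:PROCEDURE|FUNCTION)\b",
    re.IGNORECASE,
)

_COLLATE_DEFAULT = re.compile(r"\bCOLLATE\s+DEFAULT\b", re.IGNORECASE)


def strip_strings_and_comments(sql: str) -> str:
    """Blank out literals and comments with same-length spaces, so keywords inside
    them are ignored while offsets into the original text stay valid."""
    return _STRING_OR_COMMENT.sub(lambda m: " " * len(m.group(0)), sql)


def is_routine_ddl(sql: str) -> bool:
    """True for CREATE [OR REPLACE] [DEFINER=...] PROCEDURE|FUNCTION statements."""
    return _ROUTINE_DDL.match(strip_strings_and_comments(sql)) is not None


def find_collate_default(sql: str):
    """Return (offset, context) for each COLLATE DEFAULT outside strings/comments."""
    clean = strip_strings_and_comments(sql)
    hits = []
    for m in _COLLATE_DEFAULT.finditer(clean):
        start = max(0, m.start() - 30)
        hits.append((m.start(), sql[start:m.end()].strip()))
    return hits


def check_routine_ddl(sql: str) -> dict:
    """Lint one statement; only stored-routine DDL with COLLATE DEFAULT is flagged."""
    routine = is_routine_ddl(sql)
    hits = find_collate_default(sql) if routine else []
    return {"routine": routine, "flagged": bool(hits), "hits": hits}


def parse_version(version: str):
    """'10.5.18-MariaDB-log' -> (10, 5); suffixes after major.minor are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def server_in_affected_range(version: str) -> bool:
    """True when major.minor falls inside the range the report lists as affected."""
    lo, hi = AFFECTED_MINOR_RANGE
    return lo <= parse_version(version) <= hi


def lint(statements, server_version: str) -> dict:
    """Run the check over a batch of statements and record whether the target
    server's version is inside the affected range."""
    flagged = [(s, check_routine_ddl(s)["hits"])
               for s in statements if check_routine_ddl(s)["flagged"]]
    return {"server_affected": server_in_affected_range(server_version),
            "flagged": flagged}


if __name__ == "__main__":
    report = lint(SAMPLES, "10.6.11-MariaDB")
    print("server affected:", report["server_affected"])
    for stmt, hits in report["flagged"]:
        print("FLAGGED:", stmt, "->", hits)
```

The check deliberately scopes itself to routine DDL: the report only shows crashes for procedure parameters, routine-local variables and function return types, so a `COLLATE DEFAULT` in a CREATE TABLE is left alone rather than producing noise. Blanking strings and comments before matching keeps a literal such as `SELECT 'COLLATE DEFAULT'` in a routine body from being reported.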

Generated at Thu Feb 08 09:35:24 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.