[MDEV-27875] The statement FOR var_name IN lower_bound .. upper_bound crashes server in case a stored function is specified for lower_bound/upper_bound
Created: 2022-02-17
Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Stored routines
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug
Priority: Major
Reporter: Dmitry Shulga
Assignee: Dmitry Shulga
Resolution: Unresolved
Votes: 0
Labels: None


Description

Executing the following test case results in abnormal termination of the server:

MariaDB [test]> CREATE TABLE t1(a INT);
Query OK, 0 rows affected (0,025 sec)
 
MariaDB [test]> CREATE TABLE t2(a INT);
Query OK, 0 rows affected (0,044 sec)
 
MariaDB [test]> delimiter $
MariaDB [test]> CREATE FUNCTION f() RETURNS INT  BEGIN RETURN (SELECT COUNT(a) FROM t1); END;$
Query OK, 0 rows affected (0,064 sec)
 
MariaDB [test]> FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR$
ERROR 2013 (HY000): Lost connection to MySQL server during query

The following call stack shows the place where the server crashed:

(lldb) bt
* thread #8, stop reason = signal SIGSTOP
  * frame #0: 0x00000001081148d0 mariadbd`Item_sp::cleanup(this=0x00007fbb990ca9e0) at item.cc:2754:3
    frame #1: 0x00000001081afde0 mariadbd`Item_func_sp::cleanup(this=0x00007fbb990ca918) at item_func.cc:6588:12
    frame #2: 0x000000010843fe2a mariadbd`Item::delete_self(this=0x00007fbb990ca918) at item.h:2323:5
    frame #3: 0x000000010843823d mariadbd`Query_arena::free_items(this=0x00007fbb990cb578) at sql_class.cc:3854:16
    frame #4: 0x000000010839cf93 mariadbd`sp_instr::~sp_instr(this=0x00007fbb990cb578) at sp_head.h:1107:5
    frame #5: 0x000000010839ee34 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:4
    frame #6: 0x000000010839b3a5 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:3
    frame #7: 0x000000010839b3c9 mariadbd`sp_instr_set::~sp_instr_set(this=0x00007fbb990cb578) at sp_head.h:1343:3
    frame #8: 0x0000000108386e83 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:881:5
    frame #9: 0x00000001083884f5 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:872:1
    frame #10: 0x0000000108388519 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:872:1
    frame #11: 0x0000000108386322 mariadbd`sp_head::destroy(sp=0x00007fbb990c98a0) at sp_head.cc:518:5
    frame #12: 0x000000010849497d mariadbd`lex_end_nops(lex=0x00007fbb9a0a4f98) at sql_lex.cc:1360:3
    frame #13: 0x0000000108492863 mariadbd`lex_end(lex=0x00007fbb9a0a4f98) at sql_lex.cc:1329:3
    frame #14: 0x00000001084401e2 mariadbd`THD::end_statement(this=0x00007fbb9a0a0e88) at sql_class.cc:3928:3
    frame #15: 0x00000001084d2681 mariadbd`mysql_parse(thd=0x00007fbb9a0a0e88, rawbuf="FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR", length=53, parser_state=0x000070000cde5e48, is_com_multi=false, is_next_command=false) at sql_parse.cc:8122:10
    frame #16: 0x00000001084ce06e mariadbd`dispatch_command(command=COM_QUERY, thd=0x00007fbb9a0a0e88, packet="FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR", packet_length=53, is_com_multi=false, is_next_command=false) at sql_parse.cc:1891:7
    frame #17: 0x00000001084d3483 mariadbd`do_command(thd=0x00007fbb9a0a0e88) at sql_parse.cc:1370:17
    frame #18: 0x00000001086f8997 mariadbd`do_handle_one_connection(connect=0x0000600001f206a8, put_in_cache=true) at sql_connect.cc:1418:11
    frame #19: 0x00000001086f861a mariadbd`::handle_one_connection(arg=0x0000600001f206a8) at sql_connect.cc:1312:5
    frame #20: 0x00000001089cb60f mariadbd`::pfs_spawn_thread(arg=0x00007fbb9981cc28) at pfs.cc:2201:3
    frame #21: 0x00007ff81fabd514 libsystem_pthread.dylib`_pthread_start + 125
    frame #22: 0x00007ff81fab902f libsystem_pthread.dylib`thread_start + 15
(lldb) list
   2751	void
   2752	Item_sp::cleanup()
   2753	{
   2754	  delete sp_result_field;
   2755	  sp_result_field= NULL;
   2756	  m_sp= NULL;
   2757	  delete func_ctx;
(lldb) p *sp_result_field
(Field) $0 = {
  ptr = 0x8f8f8f8f8f8f8f8f ""
  invisible = INVISIBLE_FULL | 0x8f8f8f8c
  null_ptr = 0x8f8f8f8f8f8f8f8f ""
  table = 0x8f8f8f8f8f8f8f8f
  orig_table = 0x8f8f8f8f8f8f8f8f
  table_name = 0x8f8f8f8f8f8f8f8f
  field_name = (str = "", length = 10344644715844964239)
  comment = (str = "", length = 10344644715844964239)
  option_list = 0x8f8f8f8f8f8f8f8f
  option_struct = 0x8f8f8f8f8f8f8f8f
  key_start = {
    buffer = ([0] = 10344644715844964239)
  }
  part_of_key = {
    buffer = ([0] = 10344644715844964239)
  }
  part_of_key_not_clustered = {
    buffer = ([0] = 10344644715844964239)
  }
  part_of_sortkey = {
    buffer = ([0] = 10344644715844964239)
  }
  unireg_check = 2408550287
  field_length = 2408550287
  flags = 2408550287
  field_index = 36751
  null_bit = '\x8f'
  is_created_from_null_item = true
  cond_selectivity = -9.9261575707946012E-234
  next_equal_field = 0x8f8f8f8f8f8f8f8f
  read_stats = 0x8f8f8f8f8f8f8f8f
  collected_stats = 0x8f8f8f8f8f8f8f8f
  vcol_info = 0x8f8f8f8f8f8f8f8f
  check_constraint = 0x8f8f8f8f8f8f8f8f
  default_value = 0x8f8f8f8f8f8f8f8f
}

As can be seen from the stack trace and from the contents of *sp_result_field, the server crashed on an attempt to dereference a pointer to already freed memory: every member of the Field object is filled with the 0x8F byte pattern that MariaDB debug builds write over freed blocks (TRASH_FREE), so sp_result_field was already deleted when Item_sp::cleanup() ran.
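A small triage helper for reports of this shape, added here as an example and not part of the original issue or of MariaDB's code: it parses the lldb frames above, lists the stored-routine (sp_*) frames on the path to the crash, and flags members of the `p *sp_result_field` dump that carry the 0x8F TRASH_FREE fill (0xA5 TRASH_ALLOC is reported as uninitialised). The embedded sample input is an excerpt of the session above; the frame and member names are the page's own.

```python
import re

# MariaDB debug builds fill freed blocks with 0x8F (TRASH_FREE) and fresh ones with
# 0xA5 (TRASH_ALLOC); an object whose members all read 0x8f8f... was used after delete.
FILL_PATTERNS = {0x8F: "freed (TRASH_FREE)", 0xA5: "uninitialised (TRASH_ALLOC)"}
FRAME_RE = re.compile(r"^\s*\*?\s*frame #(\d+): 0x[0-9a-f]+ [^`]+`([^(\s]+)")
LOC_RE = re.compile(r" at ([^:\s]+):(\d+)(?::\d+)?\s*$")  # end-anchored: argument strings cannot fool it
NUM_RE = re.compile(r"0x([0-9a-f]+)|\\x([0-9a-f]{2})|\b(\d+)\b")
# Excerpt of the report's own lldb session, embedded as sample input.
BT = r"""
  * frame #0: 0x00000001081148d0 mariadbd`Item_sp::cleanup(this=0x00007fbb990ca9e0) at item.cc:2754:3
    frame #3: 0x000000010843823d mariadbd`Query_arena::free_items(this=0x00007fbb990cb578) at sql_class.cc:3854:16
    frame #4: 0x000000010839cf93 mariadbd`sp_instr::~sp_instr(this=0x00007fbb990cb578) at sp_head.h:1107:5
    frame #8: 0x0000000108386e83 mariadbd`sp_head::~sp_head(this=0x00007fbb990c98a0) at sp_head.cc:881:5
    frame #15: 0x00000001084d2681 mariadbd`mysql_parse(thd=0x00007fbb9a0a0e88, rawbuf="FOR i IN 0..f() DO INSERT INTO t2 VALUES (i); END FOR", length=53) at sql_parse.cc:8122:10
"""
DUMP = r"""
  ptr = 0x8f8f8f8f8f8f8f8f ""
  invisible = INVISIBLE_FULL | 0x8f8f8f8c
  field_name = (str = "", length = 10344644715844964239)
  field_index = 36751
  null_bit = '\x8f'
"""
def parse_frame(line):
    # One 'bt' line -> {idx, func, file, line}; None for non-frame lines
    m, loc = FRAME_RE.match(line), LOC_RE.search(line)
    return m and {"idx": int(m.group(1)), "func": m.group(2),
                  "file": loc.group(1) if loc else None, "line": int(loc.group(2)) if loc else None}
def fill_byte(value):
    # The byte an integer is made of when all its bytes are identical, else None
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value > 0 else b""
    return raw[0] if raw and len(set(raw)) == 1 else None

def scan_dump(dump):
    # Map members of a 'p *obj' dump to the trash pattern their value carries
    hits = {}
    for line in dump.splitlines():
        m = re.match(r"^\s*(\w+) = (.*)$", line)
        for tok in NUM_RE.finditer(m.group(2)) if m else ():
            value = int(tok.group(3)) if tok.group(3) else int(tok.group(1) or tok.group(2), 16)
            byte = fill_byte(value)
            if byte in FILL_PATTERNS and (tok.group(2) or value > 0xFF):  # ignore 1-byte decimals
                hits[m.group(1)] = FILL_PATTERNS[byte]
                break
    return hits

def triage(bt=BT, dump=DUMP):
    frames = [f for f in map(parse_frame, bt.splitlines()) if f]
    hits = scan_dump(dump)
    freed = any(v.startswith("freed") for v in hits.values())
    return {"crash_frame": frames[0] if frames else None,
            "sp_frames": [f["func"] for f in frames if f["func"].startswith("sp_")],
            "fill_hits": hits, "verdict": "use-after-free" if freed else "inconclusive"}
```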

