[MDEV-31192] Server crashes in check_grant on 2nd execution of PS Created: 2023-05-04  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System, Data Definition - Alter Table, Partitioning, Prepared Statements, Stored routines, Views
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Dmitry Shulga
Resolution: Unresolved Votes: 0
Labels: None


 Description   

The test case here is contrived (ALTER TABLE ... TRUNCATE PARTITION can never succeed on a view, as the expected ER_PARTITION_MGMT_ON_NONPARTITIONED error shows), but maybe a more practical one can be invented once the issue is analyzed and understood.
Upd: See comments for a somewhat better test case.

# Reproducer in mysqltest (mtr) syntax: --delimiter and --error are mtr
# directives; in the plain mysql client use DELIMITER and expect the first
# EXECUTE to fail with ER_PARTITION_MGMT_ON_NONPARTITIONED.
CREATE TABLE t (a INT);
--delimiter $
# Stored function that reads table t through a self-join; the view below
# calls it, so resolving the view involves both f() and t.
CREATE FUNCTION f() RETURNS INT
BEGIN
  DECLARE ret INT;
  SELECT COUNT(*) INTO ret FROM t t1 JOIN t t2;
  RETURN 1; 
END $
--delimiter ;
 
CREATE VIEW v AS SELECT f();
# Partition maintenance on a view is never valid, so the statement is expected
# to fail; the point of the test is what happens when the same prepared
# statement is executed a second time.
PREPARE stmt FROM 'ALTER TABLE v TRUNCATE PARTITION p';
--error ER_PARTITION_MGMT_ON_NONPARTITIONED
EXECUTE stmt;
# Second execution of the same PS: instead of returning the same error the
# server crashes in check_grant(), reached from check_table_access() with a
# NULL table list (see the backtrace below).
EXECUTE stmt;
 
# Cleanup
DROP FUNCTION f;
DROP VIEW v;
DROP TABLE t;

Backtrace from 10.3 at commit 55a53949:

#3  <signal handler called>
#4  0x0000558f434f0717 in check_grant (thd=0x62a000060208, want_access=1, tables=0x6290000e1228, any_combination_will_do=false, number=4294967295, no_errors=false) at /data/src/10.3/sql/sql_acl.cc:7656
#5  0x0000558f436bcc7a in check_table_access (thd=0x62a000060208, requirements=1, tables=0x0, any_combination_of_privileges_will_do=false, number=4294967295, no_errors=false) at /data/src/10.3/sql/sql_parse.cc:6982
#6  0x0000558f436bc1a2 in check_one_table_access (thd=0x62a000060208, privilege=32, all_tables=0x62b000032b10) at /data/src/10.3/sql/sql_parse.cc:6795
#7  0x0000558f442d00cc in Sql_cmd_alter_table_truncate_partition::execute (this=0x62b0000331d8, thd=0x62a000060208) at /data/src/10.3/sql/sql_partition_admin.cc:783
#8  0x0000558f436b714d in mysql_execute_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:6076
#9  0x0000558f43713b29 in Prepared_statement::execute (this=0x619000082a88, expanded_query=0x7fa364609dd0, open_cursor=false) at /data/src/10.3/sql/sql_prepare.cc:5029
#10 0x0000558f4370ef58 in Prepared_statement::execute_loop (this=0x619000082a88, expanded_query=0x7fa364609dd0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.3/sql/sql_prepare.cc:4457
#11 0x0000558f43709148 in mysql_sql_stmt_execute (thd=0x62a000060208) at /data/src/10.3/sql/sql_prepare.cc:3545
#12 0x0000558f436a74fc in mysql_execute_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:3887
#13 0x0000558f436c3180 in mysql_parse (thd=0x62a000060208, rawbuf=0x62b000000228 "EXECUTE stmt", length=12, parser_state=0x7fa36460b9b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7855
#14 0x0000558f43699faf in dispatch_command (command=COM_QUERY, thd=0x62a000060208, packet=0x6290000dc209 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#15 0x0000558f43696b47 in do_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:1398
#16 0x0000558f43a5ef5c in do_handle_one_connection (connect=0x6080000006a8) at /data/src/10.3/sql/sql_connect.cc:1404
#17 0x0000558f43a5e889 in handle_one_connection (arg=0x6080000006a8) at /data/src/10.3/sql/sql_connect.cc:1309
#18 0x0000558f45045bd5 in pfs_spawn_thread (arg=0x615000003008) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#19 0x00007fa36d4a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x00007fa36d5285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Reproducible on all existing versions, including releases from far back, on debug and non-debug builds alike. In both backtraces check_table_access() is entered with tables=0x0 and number=4294967295 (UINT_MAX) and still calls check_grant(), which faults at sql_acl.cc:7656; this looks like privilege-check state left over from the first (failed) execution being reused by the second, but the root cause has not been confirmed. From a security standpoint, note that the reproducers need only ordinary object-level privileges on the user's own objects (CREATE, CREATE VIEW, CREATE ROUTINE or TRIGGER) plus PREPARE/EXECUTE, so an authenticated user without any administrative privilege appears able to crash the server (denial of service).



 Comments   
Comment by Elena Stepanova [ 2023-05-15 ]

Here is a somewhat less contrived test case; I suppose it is related, since the backtrace is almost identical to the one in the description (same crash site in check_grant() at sql_acl.cc:7656, reached from check_table_access() with tables=0x0 on the second EXECUTE).

CREATE TABLE t1 (a INT);
CREATE TABLE t2 (b INT);
CREATE TABLE xx (c INT);
 
# Trigger on xx makes an INSERT into xx also write to t2.
CREATE TRIGGER tr BEFORE INSERT ON xx FOR EACH ROW INSERT INTO t2 VALUES (1);
 
# Prepare against the base table, then replace xx with a view that has a
# different column set (a instead of c); presumably this forces the PS to be
# re-prepared on execution -- to be confirmed when the issue is analyzed.
PREPARE stmt FROM "INSERT INTO xx (c) VALUES (NULL)";
DROP TABLE xx;
CREATE VIEW xx AS SELECT * FROM t1;
 
# First execution fails as expected: view xx has no column c.
--error ER_BAD_FIELD_ERROR
EXECUTE stmt;
# Second execution of the same PS crashes in check_grant(), reached from
# insert_precheck() -> check_one_table_access() -> check_table_access() with a
# NULL table list (see the backtrace below).
EXECUTE stmt;
 
# Cleanup
DROP VIEW xx;
DROP TABLE t1, t2;

Backtrace from 10.3 at commit ca001cf2:

#3  <signal handler called>
#4  0x00005605770e4717 in check_grant (thd=0x62a000060208, want_access=1, tables=0x62b0000335a0, any_combination_will_do=false, number=4294967295, no_errors=false) at /data/src/10.3/sql/sql_acl.cc:7656
#5  0x00005605772b0c7a in check_table_access (thd=0x62a000060208, requirements=1, tables=0x0, any_combination_of_privileges_will_do=false, number=4294967295, no_errors=false) at /data/src/10.3/sql/sql_parse.cc:6982
#6  0x00005605772b01a2 in check_one_table_access (thd=0x62a000060208, privilege=2, all_tables=0x62b000032b08) at /data/src/10.3/sql/sql_parse.cc:6795
#7  0x00005605772c2f5b in insert_precheck (thd=0x62a000060208, tables=0x62b000032b08) at /data/src/10.3/sql/sql_parse.cc:9623
#8  0x000056057729efeb in mysql_execute_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:4501
#9  0x0000560577307b29 in Prepared_statement::execute (this=0x619000083988, expanded_query=0x7fae3acf7dd0, open_cursor=false) at /data/src/10.3/sql/sql_prepare.cc:5029
#10 0x0000560577302f58 in Prepared_statement::execute_loop (this=0x619000083988, expanded_query=0x7fae3acf7dd0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.3/sql/sql_prepare.cc:4457
#11 0x00005605772fd148 in mysql_sql_stmt_execute (thd=0x62a000060208) at /data/src/10.3/sql/sql_prepare.cc:3545
#12 0x000056057729b4fc in mysql_execute_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:3887
#13 0x00005605772b7180 in mysql_parse (thd=0x62a000060208, rawbuf=0x62b000000228 "EXECUTE stmt", length=12, parser_state=0x7fae3acf99b0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7855
#14 0x000056057728dfaf in dispatch_command (command=COM_QUERY, thd=0x62a000060208, packet=0x6290000dc209 "EXECUTE stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#15 0x000056057728ab47 in do_command (thd=0x62a000060208) at /data/src/10.3/sql/sql_parse.cc:1398
#16 0x0000560577652f5c in do_handle_one_connection (connect=0x6080000006a8) at /data/src/10.3/sql/sql_connect.cc:1404
#17 0x0000560577652889 in handle_one_connection (arg=0x6080000006a8) at /data/src/10.3/sql/sql_connect.cc:1309
#18 0x0000560578c39bd5 in pfs_spawn_thread (arg=0x615000003008) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#19 0x00007fae43ca7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x00007fae43d285bc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
