| Bug #14376 | MySQL crash on scoped variable (re)initialization | ||
|---|---|---|---|
| Submitted: | 27 Oct 2005 6:35 | Modified: | 2 Dec 2005 20:27 |
| Reporter: | Josh Chamas | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Stored Routines | Severity: | S1 (Critical) |
| Version: | 5.0.15-nt, 5.0.16-BK | OS: | Linux (Linux, Windows) |
| Assigned to: | Per-Erik Martin | CPU Architecture: | Any |
[27 Oct 2005 6:35]
Josh Chamas
[27 Oct 2005 9:44]
Valeriy Kravchuk
Thank you for the bug report. This crash is easily repeatable both with 5.0.15 on Windows (note that the procedure is called p1, not x1, as in the original report):
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 325 to server version: 5.0.15-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use test;
Database changed
mysql> delimiter //
mysql> drop procedure if exists p1 //
Query OK, 0 rows affected, 1 warning (0.05 sec)
mysql> create procedure p1()
-> begin
-> declare x1 char(100) default 'outer';
-> begin
-> declare x1 char(100) default x1;
-> end;
-> end;
-> //
Query OK, 0 rows affected (0.01 sec)
mysql> call p1()//
ERROR 2013 (HY000): Lost connection to MySQL server during query
and on my Fedora Core Linux with 5.0.16-BK (see the Changeset):
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.0.16
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> delimiter //
mysql> drop procedure if exists p1 //
cQuery OK, 0 rows affected, 1 warning (0,00 sec)
mysql> create procedure p1()
-> begin
-> declare x1 char(100) default 'outer';
-> begin
-> declare x1 char(100) default x1;
-> end;
-> end;
-> //
Query OK, 0 rows affected (0,02 sec)
mysql> call p1()//
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
Number of processes running now: 0
051027 12:35:27 mysqld restarted
This may even lead to a simple DoS attack...
[31 Oct 2005 2:09]
Peter Gulutzan
I believe this is the same thing: If I say that a variable's default value is the variable name, crash.
mysql> create procedure px () begin declare x int default x; end//
Query OK, 0 rows affected (0.00 sec)
mysql> call px()//
ERROR 2013 (HY000): Lost connection to MySQL server during query
[1 Nov 2005 14:01]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/31736
[2 Dec 2005 12:52]
Konstantin Osipov
Approved by email with a few notes.
[2 Dec 2005 13:37]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/internals/32961
[2 Dec 2005 16:03]
Per-Erik Martin
Pushed to 5.0.17 bk.
[2 Dec 2005 20:27]
Paul DuBois
Noted in 5.0.17 changelog.
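A defensive check based on the reports in this thread, added here as an example (it is not code from MySQL or from any participant): it scans stored-routine source text for a DECLARE whose DEFAULT expression names the variable being declared, the pattern that crashes the server in both reports above. The function names, the regex heuristic and the "ok" sample routine are assumptions made for this example; on a real server the routine text could be read from information_schema.ROUTINES.ROUTINE_DEFINITION.

```python
import re

# Quoted literals are blanked first so that default 'x1' is not mistaken for a reference to x1.
STRING_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.)*\"", re.DOTALL)
# DECLARE name[, name ...] <type> DEFAULT <expr>;   (never crosses a ';')
DECLARE_RE = re.compile(
    r"\bdeclare\s+(?P<names>`?\w+`?(?:\s*,\s*`?\w+`?)*)\s+"
    r"(?P<type>[^;]*?)\bdefault\b(?P<expr>[^;]*);",
    re.IGNORECASE,
)
# DECLARE ... CURSOR / CONDITION / HANDLER do not declare local variables.
NOT_VARIABLES = ("cursor", "condition", "handler")


def find_self_defaults(routine_body):
    """Return [(variable, declaration)] where the DEFAULT expression uses the variable itself."""
    text = STRING_RE.sub("''", routine_body)
    hits = []
    for m in DECLARE_RE.finditer(text):
        if m.group("type").strip().lower().startswith(NOT_VARIABLES):
            continue
        names = {n.strip(" `\t\r\n").lower() for n in m.group("names").split(",")}
        used = {t.lower() for t in re.findall(r"\w+", m.group("expr"))}
        for name in sorted(names & used):
            hits.append((name, " ".join(m.group(0).split())))
    return hits


def audit(routines):
    """Map routine name -> findings, keeping only routines with at least one finding."""
    found = {name: find_self_defaults(body) for name, body in routines.items()}
    return {name: hits for name, hits in found.items() if hits}


# p1 and px are the routine bodies quoted in this thread; "ok" is constructed for contrast.
ROUTINES = {
    "p1": "begin declare x1 char(100) default 'outer'; "
          "begin declare x1 char(100) default x1; end; end",
    "px": "begin declare x int default x; end",
    "ok": "begin declare a int default 1; declare b int default a + 1; end",
}

if __name__ == "__main__":
    for routine, hits in audit(ROUTINES).items():
        for variable, declaration in hits:
            print(f"{routine}: {variable!r} is its own default in: {declaration}")
```

The match is textual, so a routine that deliberately reads an outer variable of the same name is flagged as well, which is the nested case in the first report.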
