Bug #25382 Passing NULL to an UDF called from stored procedures crashes server
Submitted: 3 Jan 2007 11:38 Modified: 30 Jan 2007 3:39
Reporter: Axel Schwenke Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: User-defined functions ( UDF ) Severity:S1 (Critical)
Version:5.0.32 OS:
Assigned to: Georgi Kodinov CPU Architecture:Any
Tags: bfsm_2007_01_18, Q1, udf

[3 Jan 2007 11:38] Axel Schwenke
Description:
Passing a NULL value to an UDF called from within a stored procedure crashes the server. Calling the UDF with NULL directly works. According to customer this was introduced with 5.0.32 but did not happen with 5.0.30. Verified with 5.0.34bk.

Here ist the relevant part of the stack trace; seems the NULL argument is accessed, leading to NULL pointer dereference

#5  <signal handler called>
#6  0x081187fc in String::ptr (this=0x0) at sql_string.h:97
#7  0x08133c50 in udf_handler::fix_fields (this=0x8bb916c, thd=0x8b782b8, 
    func=0x8bb90f8, arg_count=1, arguments=0x8bb9148) at item_func.cc:2741
#8  0x0813c1ed in Item_udf_func::fix_fields (this=0x8bb90f8, thd=0x8b782b8, 
    ref=0x8bb9210) at item_func.h:945
#9  0x082e7700 in sp_prepare_func_item (thd=0x8b782b8, it_addr=0x8bb9210)
    at sp_head.cc:293
#10 0x082e77e0 in sp_eval_expr (thd=0x8b782b8, result_field=0x8bb18c0, 
    expr_item_ptr=0x8bb9210) at sp_head.cc:325
#11 0x082f126f in sp_rcontext::set_return_value (this=0x8bc13f8, 
    thd=0x8b782b8, return_value_item=0x8bb9210) at sp_rcontext.cc:158
#12 0x082ed67a in sp_instr_freturn::exec_core (this=0x8bb91f0, thd=0x8b782b8, 
    nextp=0xbdffe5dc) at sp_head.cc:2787
#13 0x082ec9e5 in sp_lex_keeper::reset_lex_and_exec_core (this=0x8bb9218, 
    thd=0x8b782b8, nextp=0xbdffe5dc, open_tables=true, instr=0x8bb91f0)
    at sp_head.cc:2370
#14 0x082ed64b in sp_instr_freturn::execute (this=0x8bb91f0, thd=0x8b782b8, 
    nextp=0xbdffe5dc) at sp_head.cc:2765
#15 0x082e9879 in sp_head::execute (this=0x8bb8bc8, thd=0x8b782b8)
    at sp_head.cc:1059
#16 0x082ea65f in sp_head::execute_function (this=0x8bb8bc8, thd=0x8b782b8, 
    argp=0x8bb01d0, argcount=1, return_value_fld=0x8bb18c0) at sp_head.cc:1500

How to repeat:
1. setup example_udf.so as described in the manual; create functions

CREATE FUNCTION metaphon RETURNS STRING SONAME "udf_example.so";
CREATE FUNCTION myfunc_double RETURNS REAL SONAME "udf_example.so";

2. create stored functions

delimiter //
create function f1(p1 varchar(255))
returns varchar(255)
begin
  return metaphon(p1);
end//

create function f2(p1 varchar(255))
returns double
begin
  return myfunc_double(p1);
end//

delimiter ;

3. call the functions

select metaphon('foobar');
select f1('foobar');
select metaphon(NULL);
select f1(NULL);
-> Crash

select myfunc_double('foobar');
select f2('foobar');
select myfunc_double(NULL);
select f2(NULL);
-> Crash
[15 Jan 2007 12:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18113

ChangeSet@1.2380, 2007-01-15 14:38:17+02:00, gkodinov@macbook.gmz +3 -0
  Bug #25382: Passing NULL to an UDF called from stored procedures 
   crashes server
   Check for null value is reliable only after calling some of the 
   val_xxx() methods.
   Fixed by swapping the order of val_xxx() and null_value check.
[18 Jan 2007 15:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/18342

ChangeSet@1.2380, 2007-01-18 17:33:38+02:00, gkodinov@macbook.gmz +3 -0
  Bug #25382: Passing NULL to an UDF called from stored procedures 
   crashes server
   Check for null value is reliable only after calling some of the 
   val_xxx() methods. If the val_xxx() method is not called
   the null_value flag will be set only for certain types of NULL
   values (like SQL constant NULLs for example).
   This caused a crash while trying to dereference a NULL pointer
   that is returned by val_str() for NULL values.
   Fixed by swapping the order of val_xxx() and null_value check.
[28 Jan 2007 2:24] Igor Babaev
The fix has been pushed into 5.0.36, 5.1.16-beta main trees.
[30 Jan 2007 3:39] Paul DuBois
Noted in 5.0.36, 5.1.16 changelogs.

Passing a NULL value to a user-defined function from within a stored
procedure crashes the server.