Bug #84512 SEGMENTATION FAULT IN prepare_inner() AT sql_call.cc
Submitted: 16 Jan 2017 10:52 Modified: 10 Oct 2017 18:17
Reporter: Dhruthi Komarlu Vasudeva Murthy
Status: Closed
Category: MySQL Server: Optimizer    Severity: S3 (Non-critical)
Version: 8.0    OS: Any
CPU Architecture: Any

[16 Jan 2017 10:52] Dhruthi Komarlu Vasudeva Murthy
Description:
Calling a stored procedure with an incorrect number of parameters
inside a trigger (when using new/old to access updated columns)
will result in a segmentation fault.

Verified on commit:
commit be2ed0c83adff771a01788eb27793755981bc747
Date:   Fri Jan 13 15:49:57 2017 +0100

    WL#8396: Deprecate and remove temp-pool
    
    This patch removes the temp-pool startup option and related code.
    This option only had effect for Linuxes and was a workaround for
    an old Linux kernel bug.
    
    This patch is for MySQL 8.0.

Backtrace:
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/dhruthi/group_rpl/mysql-trunk/install/bin/mysqld --defaults-group-suffix='.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f909a9f8611 in __pthread_kill (threadid=<optimized out>, signo=11) at ../nptl/sysdeps/unix/sysv/linux/pthread_kill.c:61
#1  0x00000000024cf636 in my_write_core (sig=11) at /home/dhruthi/group_rpl/mysql-trunk/mysys/stacktrace.cc:291
#2  0x0000000001c22ab6 in handle_fatal_signal (sig=11) at /home/dhruthi/group_rpl/mysql-trunk/sql/signal_handler.cc:231
#3  <signal handler called>
#4  0x0000000001f219ba in Sql_cmd_call::prepare_inner (this=0x7f900c240f30, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_call.cc:90
#5  0x000000000198d00d in Sql_cmd_dml::prepare (this=0x7f900c240f30, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_select.cc:394
#6  0x000000000198d6d1 in Sql_cmd_dml::execute (this=0x7f900c240f30, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_select.cc:549
#7  0x000000000193d3c6 in mysql_execute_command (thd=0x7f900c199db0, first_level=false) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_parse.cc:4437
#8  0x000000000189ce42 in sp_instr_stmt::exec_core (this=0x7f900c240f88, thd=0x7f900c199db0, nextp=0x7f9094103c84) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_instr.cc:965
#9  0x000000000189bb9f in sp_lex_instr::reset_lex_and_exec_core (this=0x7f900c240f88, thd=0x7f900c199db0, nextp=0x7f9094103c84, open_tables=false) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_instr.cc:435
#10 0x000000000189c615 in sp_lex_instr::validate_lex_and_execute_core (this=0x7f900c240f88, thd=0x7f900c199db0, nextp=0x7f9094103c84, open_tables=false) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_instr.cc:700
#11 0x000000000189cb59 in sp_instr_stmt::execute (this=0x7f900c240f88, thd=0x7f900c199db0, nextp=0x7f9094103c84) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_instr.cc:883
#12 0x0000000001893445 in sp_head::execute (this=0x7f900c224670, thd=0x7f900c199db0, merge_da_on_success=false) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_head.cc:2263
#13 0x00000000018940e3 in sp_head::execute_trigger (this=0x7f900c224670, thd=0x7f900c199db0, db_name=..., table_name=..., grant_info=0x7f900c224350) at /home/dhruthi/group_rpl/mysql-trunk/sql/sp_head.cc:2559
#14 0x0000000001a443b7 in Trigger::execute (this=0x7f900c224260, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/trigger.cc:508
#15 0x0000000001a46090 in Trigger_chain::execute_triggers (this=0x7f900c162d78, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/trigger_chain.cc:150
#16 0x0000000001a3e3ac in Table_trigger_dispatcher::process_triggers (this=0x7f900c162e10, thd=0x7f900c199db0, event=TRG_EVENT_INSERT, action_time=TRG_ACTION_AFTER, old_row_is_record1=true) at /home/dhruthi/group_rpl/mysql-trunk/sql/table_trigger_dispatcher.cc:762
#17 0x0000000001f2e6b9 in write_record (thd=0x7f900c199db0, table=0x7f900c229280, info=0x7f9094104980, update=0x7f9094104a00) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_insert.cc:1975
#18 0x0000000001f2ad10 in Sql_cmd_insert_values::execute_inner (this=0x7f900c1f4620, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_insert.cc:659
#19 0x000000000198d96d in Sql_cmd_dml::execute (this=0x7f900c1f4620, thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_select.cc:627
#20 0x0000000001939bd8 in mysql_execute_command (thd=0x7f900c199db0, first_level=true) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_parse.cc:3291
#21 0x000000000193f553 in mysql_parse (thd=0x7f900c199db0, parser_state=0x7f9094106140) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_parse.cc:5234
#22 0x0000000001935693 in dispatch_command (thd=0x7f900c199db0, com_data=0x7f9094106db0, command=COM_QUERY) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_parse.cc:1533
#23 0x00000000019344b9 in do_command (thd=0x7f900c199db0) at /home/dhruthi/group_rpl/mysql-trunk/sql/sql_parse.cc:1118
#24 0x0000000001c1459b in handle_connection (arg=0x6e39e00) at /home/dhruthi/group_rpl/mysql-trunk/sql/conn_handler/connection_handler_per_thread.cc:322
#25 0x000000000295c22c in pfs_spawn_thread (arg=0x6f5b680) at /home/dhruthi/group_rpl/mysql-trunk/storage/perfschema/pfs.cc:2380
#26 0x00007f909a9f3184 in start_thread (arg=0x7f9094107700) at pthread_create.c:312
#27 0x00007f909984137d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Attached: server error log.

How to repeat:
/install/mysql-test$ ./mtr trigger_sp

where,

/install/mysql-test$ cat ./t/trigger_sp.test

CREATE TABLE t1 (a int, b int);

DELIMITER |;
create trigger tr1 after insert on t1 for each row
begin
     # note that using new/old will result in segmentation fault
     call proc(new.a,new.b);
end|

CREATE PROCEDURE proc(in aa int)
begin
end|
DELIMITER ;|

# This query will result in segmentation fault.
insert into t1 values (1,10);

# Clean-up (only the objects created above exist; dropping the
# procedure as well leaves the test database as it was found)
drop trigger tr1;
drop procedure proc;
drop table t1;

[10 Oct 2017 18:17] Paul DuBois
Posted by developer:
Fixed in 8.0.4, 9.0.0.

A missing argument-count check during preparation of a stored
procedure call could result in a server exit.
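Until a server carries the fix, an administrator can audit existing triggers for exactly the condition this report describes: a CALL whose argument count differs from the procedure's declared parameter count. The script below is an added example, not part of the bug report or of MySQL; it assumes the trigger bodies and parameter counts were fetched with the two INFORMATION_SCHEMA queries named in its comments, and here works on constructed rows that mirror the reproducer.

```python
"""Flag CALL statements in trigger bodies whose argument count does not
match the called procedure's parameter count (the condition behind Bug #84512).

Assumed data sources (run against the server; rows below are constructed):
  SELECT TRIGGER_SCHEMA, TRIGGER_NAME, ACTION_STATEMENT
    FROM INFORMATION_SCHEMA.TRIGGERS;
  SELECT SPECIFIC_SCHEMA, SPECIFIC_NAME, COUNT(*)
    FROM INFORMATION_SCHEMA.PARAMETERS
   WHERE ROUTINE_TYPE = 'PROCEDURE' GROUP BY SPECIFIC_SCHEMA, SPECIFIC_NAME;
"""
import re

# CALL [schema.]name(args) terminated by ';' or by end of a one-statement body.
CALL_RE = re.compile(r"\bcall\s+(?:`?(\w+)`?\.)?`?(\w+)`?\s*\((.*?)\)\s*(?:;|$)",
                     re.I | re.S)

def count_args(arglist: str) -> int:
    """Count top-level arguments: commas inside nested parentheses
    (function calls) or inside quoted strings do not separate arguments."""
    if not arglist.strip():
        return 0
    depth, n, quote = 0, 1, None
    for ch in arglist:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            n += 1
    return n

def find_mismatches(triggers, param_counts):
    """triggers: (schema, name, body) rows; param_counts: {(schema, proc): n}.
    Returns (trigger, procedure, given, expected) for every mismatch found."""
    out = []
    for schema, name, body in triggers:
        for m in CALL_RE.finditer(body):
            proc = (m.group(1) or schema, m.group(2).lower())
            given, expected = count_args(m.group(3)), param_counts.get(proc)
            if expected is not None and given != expected:
                out.append((f"{schema}.{name}", ".".join(proc), given, expected))
    return out

# Constructed sample rows: tr1 is the reproducer from the report (2 args, proc takes 1).
SAMPLE_TRIGGERS = [
    ("test", "tr1", "begin\n  call proc(new.a,new.b);\nend"),
    ("test", "tr2", "begin\n  call proc(new.a);\nend"),
    ("test", "tr3", "begin\n  call log_row(concat(new.a, ',', new.b), now());\nend"),
]
SAMPLE_PARAMS = {("test", "proc"): 1, ("test", "log_row"): 2}

if __name__ == "__main__":
    for trg, proc, given, expected in find_mismatches(SAMPLE_TRIGGERS, SAMPLE_PARAMS):
        print(f"{trg}: CALL {proc} passes {given} argument(s), procedure declares {expected}")
```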