MDEV-37489: SIGSEGV in get_param_default_value | store_schema_params

Problem:
  When an SP instruction fails during execution, it is re-parsed. During
  this process, the items created on-behalf of the SP instruction are
  cleaned up, re-parsed and SP instruction state is updated. The clean
  up step frees the default parameters and the update step partially
  updates the SP instruction state, leaving the `default_value` in
  `sp_variable` pointing to the dangling reference.

Fix:
  The SP instruction state is updated correctly, making the
  `default_value` in `sp_variable` ponit to the re-parsed item.

Author: raghunandanbhat

mysql-test/main/sp-default-param.result

@@ -130,4 +130,85 @@ SET p2 = p2 + 1;
 END;
 DELIMITER ;$$
 ERROR 42000: This version of MariaDB doesn't yet support 'IN sparam1 <type> DEFAULT <expr>, OUT spparam2 <type>'
+#
+# MDEV-37489: SIGSEGV in get_param_default_value | store_schema_params
+#
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+BEGIN
+SELECT x;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+ERROR 42000: FUNCTION test.func does not exist
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with func() defined
+CREATE FUNCTION func(x INT DEFAULT 10) RETURNS INT
+BEGIN
+RETURN x;
+END;
+//
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+BEGIN
+SELECT x;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x
+10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with multiple functions
+CREATE FUNCTION func2(x INT DEFAULT 10) RETURNS INT
+BEGIN
+RETURN x;
+END;
+//
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2())
+BEGIN
+SELECT x, y;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x	y
+10	10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	2	IN	y	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with function and constant default param
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2(), z INT DEFAULT 10)
+BEGIN
+SELECT x, y, z;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x	y	z
+10	10	10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	2	IN	y	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	3	IN	z	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+DROP PROCEDURE p0;
+DROP FUNCTION func;
+DROP FUNCTION func2;
 # End of 11.8 tests

mysql-test/main/sp-default-param.test

@@ -139,4 +139,96 @@ BEGIN
 END;
 DELIMITER ;$$
 
+--echo #
+--echo # MDEV-37489: SIGSEGV in get_param_default_value | store_schema_params
+--echo #
+
+--DELIMITER //
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+BEGIN
+  SELECT x;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+--ERROR ER_SP_DOES_NOT_EXIST
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with func() defined
+--DELIMITER //
+CREATE FUNCTION func(x INT DEFAULT 10) RETURNS INT
+BEGIN
+    RETURN x;
+END;
+//
+
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+BEGIN
+  SELECT x;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with multiple functions
+--DELIMITER //
+CREATE FUNCTION func2(x INT DEFAULT 10) RETURNS INT
+BEGIN
+    RETURN x;
+END;
+//
+
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2())
+BEGIN
+  SELECT x, y;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with function and constant default param
+--DELIMITER //
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2(), z INT DEFAULT 10)
+BEGIN
+  SELECT x, y, z;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+DROP PROCEDURE p0;
+DROP FUNCTION func;
+DROP FUNCTION func2;
+
 --echo # End of 11.8 tests

mysql-test/suite/compat/oracle/r/sp-default-param.result

@@ -222,4 +222,91 @@ SET p2 = p2 + 1;
 END;
 DELIMITER ;$$
 ERROR 42000: This version of MariaDB doesn't yet support 'sparam1 IN <type> DEFAULT <expr>, spparam2 OUT <type>'
+#
+# MDEV-37489: SIGSEGV in get_param_default_value | store_schema_params
+#
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+AS
+BEGIN
+SELECT x;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+ERROR 42000: FUNCTION test.func does not exist
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with func() defined
+CREATE FUNCTION func(x INT DEFAULT 10) RETURN INT
+AS
+BEGIN
+RETURN x;
+END;
+//
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+AS
+BEGIN
+SELECT x;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x
+10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with multiple functions
+CREATE FUNCTION func2(x INT DEFAULT 10) RETURN INT
+AS
+BEGIN
+RETURN x;
+END;
+//
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2())
+AS
+BEGIN
+SELECT x, y;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x	y
+10	10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	2	IN	y	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+# with function and constant default param
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2(), z INT DEFAULT 10)
+AS
+BEGIN
+SELECT x, y, z;
+END;
+//
+SET SESSION max_session_mem_used=8192;
+CALL p0();
+ERROR HY000: The MariaDB server is running with the --max-session-mem-used=8192 option so it cannot execute this statement
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+x	y	z
+10	10	10
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+SPECIFIC_CATALOG	SPECIFIC_SCHEMA	SPECIFIC_NAME	ORDINAL_POSITION	PARAMETER_MODE	PARAMETER_NAME	DATA_TYPE	CHARACTER_MAXIMUM_LENGTH	CHARACTER_OCTET_LENGTH	NUMERIC_PRECISION	NUMERIC_SCALE	DATETIME_PRECISION	CHARACTER_SET_NAME	COLLATION_NAME	DTD_IDENTIFIER	ROUTINE_TYPE
+def	test	p0	1	IN	x	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	2	IN	y	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+def	test	p0	3	IN	z	int	NULL	NULL	10	0	NULL	NULL	NULL	int(11)	PROCEDURE
+DROP PROCEDURE p0;
+DROP FUNCTION func;
+DROP FUNCTION func2;
 # End of 11.8 tests

mysql-test/suite/compat/oracle/t/sp-default-param.test

@@ -244,4 +244,102 @@ BEGIN
 END;
 DELIMITER ;$$
 
+--echo #
+--echo # MDEV-37489: SIGSEGV in get_param_default_value | store_schema_params
+--echo #
+
+--DELIMITER //
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+AS
+BEGIN
+  SELECT x;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+--ERROR ER_SP_DOES_NOT_EXIST
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with func() defined
+--DELIMITER //
+CREATE FUNCTION func(x INT DEFAULT 10) RETURN INT
+AS
+BEGIN
+    RETURN x;
+END;
+//
+
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func())
+AS
+BEGIN
+  SELECT x;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with multiple functions
+--DELIMITER //
+CREATE FUNCTION func2(x INT DEFAULT 10) RETURN INT
+AS
+BEGIN
+    RETURN x;
+END;
+//
+
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2())
+AS
+BEGIN
+  SELECT x, y;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+--echo # with function and constant default param
+--DELIMITER //
+CREATE OR REPLACE PROCEDURE p0 (x INT DEFAULT func(), y INT DEFAULT func2(), z INT DEFAULT 10)
+AS
+BEGIN
+  SELECT x, y, z;
+END;
+//
+--DELIMITER ;
+
+SET SESSION max_session_mem_used=8192;
+--ERROR ER_OPTION_PREVENTS_STATEMENT
+CALL p0();
+
+SET @@max_session_mem_used=DEFAULT;
+CALL p0();
+
+SELECT * FROM information_schema.PARAMETERS where specific_name = 'p0';
+
+DROP PROCEDURE p0;
+DROP FUNCTION func;
+DROP FUNCTION func2;
+
 --echo # End of 11.8 tests

sql/sp_instr.h

@@ -655,6 +655,14 @@ class sp_instr_set : public sp_lex_instr,
     m_value= thd->lex->current_select->item_list.head();
     DBUG_ASSERT(m_value != nullptr);
 
+    /*
+      In case there is a default value, update the dangling pointer
+      left after clean up of item before re-parsing of SP instruction
+    */
+    sp_variable *spvar= m_ctx->find_variable(offset());
+    if (spvar->default_value)
+      spvar->default_value= m_value;
+
     // Return error in release version if m_value == nullptr
     return m_value == nullptr;
   }