MDEV-33843: Server crashes by stack-overflow with UPDATEXML#4948
MDEV-33843: Server crashes by stack-overflow with UPDATEXML#4948sanja-byelkin wants to merge 1 commit into10.6from
Conversation
Analysis: The stack size if insufficient and there is no stack overrun check. Fix: Add stack overrun check.
|
|
There was a problem hiding this comment.
Pull request overview
This PR addresses MDEV-33843 by adding a server-side stack overrun check during XPath expression parsing so that pathological UPDATEXML() inputs fail with ER_STACK_OVERRUN_NEED_MORE instead of crashing.
Changes:
- Add
check_stack_overrun()guard to the recursive XPathOrExprparser. - Extend
mysql-test/main/xml.testwith a regression query that triggers stack overrun handling. - Update
mysql-test/main/xml.resultto include the new expected output section.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
sql/item_xmlfunc.cc |
Adds a stack overrun check in recursive XPath parsing to prevent stack overflow crashes. |
mysql-test/main/xml.test |
Adds a regression test case for stack-overflow behavior in UPDATEXML(). |
mysql-test/main/xml.result |
Records the expected output for the new regression test section. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| static int my_xpath_parse_OrExpr(MY_XPATH *xpath) | ||
| { | ||
| if (check_stack_overrun(current_thd, STACK_MIN_SIZE , NULL)) | ||
| return 1; |
There was a problem hiding this comment.
When check_stack_overrun() triggers, this function currently returns 1 ("success"). That breaks the documented return convention for the XPath grammar functions (1=success, 0=failure) and can leave xpath->item unset while callers proceed as if parsing succeeded. Consider setting xpath->error=1 and returning 0 when the stack check fails, so parsing reliably aborts and no further backtracking alternatives are attempted.
| return 1; | |
| { | |
| xpath->error= 1; | |
| return 0; | |
| } |
| --echo # | ||
| --echo # MDEV-33843: Server crashes by stack-overflow with UPDATEXML | ||
| --echo # | ||
|
|
There was a problem hiding this comment.
The "Thread stack overrun" error text includes stack usage numbers that can vary by platform/build/thread_stack settings, making this test/result potentially flaky. Add a --replace_regex (see mysql-test/main/json_debug_nonembedded_noasan.test) to normalize the numeric parts of the message and update xml.result to match the normalized output.
| --replace_regex /Thread stack overrun: [0-9]+ bytes used of a [0-9]+ byte stack, and [0-9]+ bytes needed/Thread stack overrun: XXX bytes used of a XXX byte stack, and XXX bytes needed/ |
| # MDEV-33843: Server crashes by stack-overflow with UPDATEXML | ||
| # | ||
| SELECT UPDATEXML(NULL, REPEAT('(', 100000), 1); | ||
| ERROR HY000: Thread stack overrun: 283344 bytes used of a 299008 byte stack, and 16000 bytes needed. Consider increasing the thread_stack system variable. |
There was a problem hiding this comment.
The expected output hard-codes the stack usage numbers in the "Thread stack overrun" message, which are typically platform/build dependent. If xml.test is updated to normalize the message via --replace_regex, adjust this expected line to use the normalized placeholders (or otherwise avoid comparing the raw numeric values).
| ERROR HY000: Thread stack overrun: 283344 bytes used of a 299008 byte stack, and 16000 bytes needed. Consider increasing the thread_stack system variable. | |
| ERROR HY000: Thread stack overrun: <bytes_used> bytes used of a <stack_size> byte stack, and <bytes_needed> bytes needed. Consider increasing the thread_stack system variable. |
Analysis:
The stack size if insufficient and there is no stack overrun check.
Fix:
Add stack overrun check.