Uploaded image for project: 'MariaDB ColumnStore'
  1. MariaDB ColumnStore
  2. MCOL-6329

Server crash on GROUP_CONCAT with REPEAT using extremely large length argument

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Critical
    • Resolution: Unresolved
    • None
    • None
    • None

    Description

      Description

      Server crashes (Lost connection, ERROR 2013) when GROUP_CONCAT processes a REPEAT() call with UINT64_MAX as length argument. MCOL-5385 (closed/fixed) addressed RAM accounting in GROUP_CONCAT, but this case still crashes — likely an unchecked allocation before the accounting logic kicks in.

      Minimal reproducer

      CREATE TABLE t (id INT) ENGINE=Columnstore;
      		 
      INSERT INTO t VALUES (1);
      		 
       
      		 
      -- CRASHES server:
      		 
      SELECT GROUP_CONCAT((SELECT REPEAT('x', 18446744073709551615))) FROM t;

      InnoDB returns a truncation warning and empty result, no crash.

      Environment

      • MariaDB 11.4.11-8, Columnstore 25.10.4 (stable-23.10)
      • OS: Ubuntu 24.04

      Found by SQL mutation fuzzer.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MCOL-5385 GROUP_CONCAT execution doesn't count RAM used to store data properly crashing PrimProc runtime

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              Unassigned Unassigned
              abukhalov Aleksei Bukhalov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.