[MDEV-28080] Crash when using HAVING with NOT EXIST predicate in an equality - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Duplicate
Affects Version/s: 10.9.0, 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL)
Fix Version/s: 10.4.25, 10.5.16, 10.6.8, 10.7.4
Component/s: Optimizer
Labels:
None
Environment:
Linux jie-2 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64 x86_64 x86_64 GNU/Linux

Description

PoC:

CREATE TABLE v2 ( v3 INT ( 29 ) ) ;

SELECT ( 'x' ) FROM v2 GROUP BY v3 HAVING v3 = ( NOT EXISTS ( SELECT * WHERE 'x' ) ) ;

report (compiled with ASAN):

Thread pointer: 0x7f0dac000c58

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f0e10057e30 thread_stack 0x49000

mysys/stacktrace.c:212(my_print_stacktrace)[0xe12bae]

sql/signal_handler.cc:226(handle_fatal_signal)[0x973f04]

sigaction.c:0(__restore_rt)[0x7f0e1b8b53c0]

sql/item_subselect.cc:4026(subselect_single_select_engine::exec())[0xa36cdc]

sql/item_subselect.cc:858(Item_subselect::exec())[0xa2e4bc]

sql/item_subselect.cc:1872(Item_exists_subselect::val_bool())[0xa30a1e]

sql/item_cmpfunc.cc:202(Item_func_not::val_int())[0x9a6739]

sql/sql_type.cc:8716(Type_handler_int_result::Item_eq_value(THD*, Type_cmp_attributes const*, Item*, Item*) const)[0x8d676c]

sql/item_cmpfunc.cc:6746(Item_equal::add_const(THD*, Item*))[0x9b79d8]

??:0(Item_equal::merge_with_check(THD*, Item_equal*, bool))[0x9b7d7b]

sql/sql_list.h:429(base_list_iterator::next())[0x7aec59]

sql/field.h:429(Context)[0x899f87]

??:0(JOIN::optimize_inner())[0x79112c]

??:0(JOIN::optimize())[0x78af00]

sql/sql_select.cc:4993(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_

select_lex*))[0x785468]

sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x785330]

sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x754fea]

??:0(mysql_execute_command(THD*, bool))[0x74ef77]

sql/sql_class.h:2734(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0x74b207]

sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x7490c7]

sql/sql_parse.cc:1404(do_command(THD*, bool))[0x74b65e]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x85bf2e]

sql/sql_connect.cc:1318(handle_one_connection)[0x85bd4d]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0xb8496e]

nptl/pthread_create.c:478(start_thread)[0x7f0e1b8a9609]

??:0(clone)[0x7f0e1b5c9163]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f0dac010b50): SELECT ( 'x' ) FROM v2 GROUP BY v3 HAVING v3 = ( NOT EXISTS ( SELECT * WHERE 'x' ) )

Attachments

Issue Links

duplicates

MDEV-26402 A SEGV in Item_field::used_tables/update_depend_map_for_order or Assertion `fixed == 1'

Closed

relates to

MDEV-25084 Assertion failure when moving equality from having to where

Stalled

links to

CVE-2022-27444

Activity

People

Assignee:: Igor Babaev

Reporter:: Jingzhou Fu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-03-16 09:13

Updated:: 2022-05-03 06:46

Resolved:: 2022-04-29 14:43

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.