[MDEV-28082] Crash when using HAVING with IS NULL predicate in an equality - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Duplicate
Affects Version/s: 10.9.0, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.4.25, 10.5.16, 10.6.8, 10.7.4
Component/s: Optimizer
Labels:
None
Environment:
Linux jie-2 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64 x86_64 x86_64 GNU/Linux

Description

PoC:

CREATE TABLE v0 ( v4 INT , v3 CHAR ( 127 ) NOT NULL , v2 INT , v1 INT NOT NULL ) ;

SELECT * FROM v0 GROUP BY TRUE HAVING v4 = (v1 IS NULL) ;

report:

Thread pointer: 0x7fc308000c58

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7fc3ac1fce30 thread_stack 0x49000

mysys/stacktrace.c:212(my_print_stacktrace)[0xe12bae]

sql/signal_handler.cc:226(handle_fatal_signal)[0x973f04]

sigaction.c:0(__restore_rt)[0x7fc3c4abc3c0]

sql/item_cmpfunc.h:2728(Item_func_isnull::arg_is_datetime_notnull_field())[0x9bfdb3]

sql/item.h:5311(Used_tables_and_const_cache::used_tables_and_const_cache_join(Item const*))[0x68a080]

??:0(eliminate_item_equal(THD*, Item*, COND_EQUAL*, Item_equal*))[0x7ad9f9]

sql/sql_select.cc:16391(substitute_for_best_equal_field(THD*, st_join_table*, Item*, COND_EQUAL*, void*, bool))[0x796ebf]

sql/sql_select.cc:2612(JOIN::optimize_stage2())[0x78b60f]

sql/sql_select.cc:2492(JOIN::optimize_inner())[0x7922a2]

??:0(JOIN::optimize())[0x78af00]

sql/sql_select.cc:4993(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_

select_lex*))[0x785468]

sql/sql_select.cc:543(handle_select(THD*, LEX*, select_result*, unsigned long))[0x785330]

sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x754fea]

??:0(mysql_execute_command(THD*, bool))[0x74ef77]

sql/sql_class.h:2734(THD::enter_stage(PSI_stage_info_v1 const*, char const*, char const*, unsigned int))[0x74b207]

sql/sql_parse.cc:1896(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x7490c7]

sql/sql_parse.cc:1404(do_command(THD*, bool))[0x74b65e]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x85bf2e]

sql/sql_connect.cc:1318(handle_one_connection)[0x85bd4d]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0xb8496e]

nptl/pthread_create.c:478(start_thread)[0x7fc3c4ab0609]

??:0(clone)[0x7fc3c47d0163]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7fc308010b40): SELECT * FROM v0 GROUP BY TRUE HAVING v4 = (v1 IS NULL)

Attachments

Issue Links

duplicates

MDEV-26402 A SEGV in Item_field::used_tables/update_depend_map_for_order or Assertion `fixed == 1'

Closed

relates to

MDEV-33611 Crashing the server

Confirmed

links to

CVE-2022-27446

Activity

People

Assignee:: Igor Babaev

Reporter:: Jingzhou Fu

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022-03-16 09:19

Updated:: 2024-03-06 11:48

Resolved:: 2022-04-29 14:43

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.