Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28614

Server crash in item_subselect.cc:6898 in Item_subselect::init_expr_cache_tracker(THD*)

    XMLWordPrintable

Details

    Description

      poc:

      CREATE TABLE v1223 ( v1224 INTEGER , v1225 INT , v1226 CHAR ( 1 ) NOT NULL CHECK ( ( NOT ( ( NOT ( v1226 NOT IN ( v1226 ) AND v1226 NOT IN ( 83 ) ) ) + v1226 AND v1226 = 5 ) > 42 OR v1226 > 'x' ) ) , v1227 INT , UNIQUE INDEX v1228 ( v1226 , v1224 ) ) ;
      		 
       CREATE TABLE v1229 ( v1230 INTEGER , v1231 INT , v1232 INT , v1233 INT , UNIQUE INDEX v1234 ( v1232 , v1233 ) ) ;
      		 
       CREATE UNIQUE INDEX v1235 USING BTREE ON v1229 ( v1232 ASC ) ;
      		 
       INSERT INTO v1229 ( v1230 ) VALUES ( 82 ) , ( 13 ) ;
      		 
       UPDATE v1229 SET v1232 = NULL WHERE v1230 BETWEEN -1 AND 10 ;
      		 
       SELECT v1233 FROM v1229 WHERE EXISTS ( SELECT v1230 FROM ( SELECT v1227 FROM ( SELECT DISTINCT v1227 , 84052104.000000 FROM v1223 UNION SELECT v1227 , v1225 FROM v1223 ) AS v1236 ) AS v1237 NATURAL JOIN v1229 AS v1238 NATURAL JOIN ( SELECT DISTINCT v1233 , ( v1232 = 17 OR v1231 > 'x' ) FROM v1229 ) AS v1239 NATURAL JOIN v1223 AS v1240 NATURAL JOIN v1229 WHERE v1231 IN ( 'x' = v1227 ) GROUP BY ( v1226 = -1 OR v1231 = TRUE OR 87 - v1225 > ( NOT ( v1226 = TRUE OR ( EXISTS ( SELECT DISTINCT v1231 FROM v1229 UNION SELECT v1232 FROM v1229 GROUP BY 'x' , 'x' , 'x' , 41446527.000000 HAVING ( v1232 IN ( CASE v1233 WHEN v1232 THEN 'x' WHEN 65 THEN ( ( ( NOT ( v1232 IS NULL ) ) ) + v1232 ) ELSE TRUE END != ( ( ( v1231 OR NOT v1233 ) BETWEEN 69 AND 10 ) ) ) ) ORDER BY v1231 ) AND v1233 = 53 ) ) ) ) , v1231 ) ;

      output:
      SUMMARY: AddressSanitizer: SEGV /server_10.3/sql/item_subselect.cc:6898 in Item_subselect::init_expr_cache_tracker(THD*)

      The full error log is in the attachment.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28621 group by optimization incorrectly removing subquery where subject buried in a function

          • Blocker - Blocks development and/or testing work, production could not run.
          • In Review
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32394 init_expr_cache_tracker: SEGV at /mariadb-11.3.0/sql/item_subselect.cc:7069

          • Major - Major loss of function.
          • Confirmed

          Activity

            People

              Johnston Rex Johnston
              nobody Shihao Wen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.