[MDEV-28622] Item_subselect eliminated flag set but Item still evaluated/used. - Jira

XML

Word

Printable

Details

Type: Bug
Status: Stalled (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.3.35, 10.2, 10.3, 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4
Component/s: None
Labels:
- fuzzer
Environment:
ubuntu 18.04

Description

poc:

CREATE TABLE v896 ( CONSTRAINT v901 PRIMARY KEY ( v900 , v899 ) , v897 INTEGER , v898 BIGINT , v899 INT , v900 VARCHAR ( 1 ) , CONSTRAINT v902 UNIQUE INDEX v903 ( v897 , v899 ) ) ;

 CREATE VIEW v904 ( v911 ) AS SELECT EXISTS ( SELECT 1 ) FROM ( WITH v906 AS ( SELECT v897 % 27 != 52 FROM ( SELECT 81 , 15 , v897 FROM v896 WHERE v899 = 78 ) AS v905 GROUP BY v897 ) SELECT -1 * -128 FROM ( SELECT DISTINCT v900 , 'x' FROM v896 ) AS v907 NATURAL JOIN v906 AS v908 , v906 AS v909 NATURAL JOIN v906 ) AS v910 NATURAL JOIN v896 ;

 SELECT DISTINCT ( SELECT v911 FROM v904 WHERE ( v911 ) NOT IN ( SELECT 8 < v911 AND v911 = 0 FROM v904 AS v912 NATURAL JOIN v904 WHERE v911 != -2147483648 GROUP BY v911 ) ) * 63 , ( v911 = -128 OR v911 > 'x' ) FROM v904 WHERE v911 = 40 AND ( v911 = 26 OR v911 = -1 OR v911 = -1 ) LIMIT 1 OFFSET 1 ;

 DROP TABLE v896 ;

 INSERT INTO x VALUES ( -32768 ) ;

output:
SUMMARY: AddressSanitizer: SEGV /sql/item_subselect.cc:2996 in Item_exists_subselect::exists2in_processor(void*)

The full error log is in the attachment.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

354_stack
7 kB
2022-05-19 03:04

Issue Links

includes

MDEV-28621 group by optimization incorrectly removing subquery where subject buried in a function

In Review

MDEV-29411 SIGSEGV's st_select_lex_unit::set_limit and st_select_lex::get_offset, and Assertion `!eliminated' failed in Item_subselect::exec on SELECT

Confirmed

MDEV-30842 Item_subselect::get_cache_parameters and UBSAN member access within null pointer of type 'struct st_select_lex' in Item_subselect::get_cache_parameters on INSERT

Stalled

is duplicated by

MDEV-32309 Server crashes at Item_subselect::is_expensive

Closed

MDEV-32406 Segmentation fault at /mariadb-11.3.0/sql/item_subselect.cc:3114

Closed

relates to

MDEV-28437 Assertion `!eliminated' failed in Item_subselect::exec

Closed

MDEV-28620 Server crash in /sql/item_subselect.cc:812 in Item_subselect::get_cache_parameters(List<Item>&)

Confirmed

MDEV-28833 SIGSEGV in Item_field::used_tables on PREPARED STATEMENT with nested SELECT's

Confirmed

MDEV-28034 SIGSEGV in Item_args::walk_args and libstdc++ __cxa_pure_virtual terminate/SIGABRT in Item::check_type_scalar

Closed

MDEV-31432 tmp_table field accessed after free

Closed

MDEV-33126 virtual bool Item_subselect::exec(): Assertion `!eliminated' failed

Closed

(6 relates to)

Activity

People

Assignee:: Rex Johnston

Reporter:: Shihao Wen

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2022-05-19 03:04

Updated:: 2 days ago 01:47

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.