Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29358

Server crashed with stack-overflow in st_select_lex_unit::set_unique_exclude()

Details

    Description

      output:

      SUMMARY: AddressSanitizer: stack-overflow /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_union.cc:2837 in st_select_lex_unit::set_unique_exclude()

      poc:

      CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ;
       INSERT INTO x ( x ) VALUES ( 1 ) ;
       UPDATE x SET x = 1 ;
       INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
       WITH x AS ( SELECT x FROM x ORDER BY 1.000000 ) SELECT EXISTS ( WITH RECURSIVE x ( x ) AS ( WITH x AS ( SELECT x FROM ( SELECT x FROM ( SELECT 1 AS x , 1 FROM x WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1 GROUP BY x ) AS x ) AS x WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1 ) SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x UNION SELECT 1 - x LIMIT 1 ) SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x , ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' ) FROM x ) , 'x' FROM x WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ORDER BY x , x DESC ;
      

      Attachments

        Issue Links

          Activity

            alice Alice Sherepa added a comment - - edited

            Thank you!
            I repeated on 10.3-10.10. Also crashes non-debug version, but there is nothing in the error log then.

            CREATE TABLE t1 (x int);
            INSERT INTO t1 VALUES (1),(2),(3);
             
            WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1  ;
            

            10.3 c7f8cfc9e733517cff4aaa6f

            ......
            #7865 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b000001590) at /10.3/src/sql/sql_union.cc:2180
            #7866 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b0000008d0) at /10.3/src/sql/sql_union.cc:2180
            #7867 0x000055943c4ff691 in TABLE_LIST::set_check_materialized (this=0x62b000001e40) at /10.3/src/sql/table.cc:5998
            #7868 0x000055943c0a56cf in TABLE_LIST::set_materialized_derived (this=0x62b000001e40) at /10.3/src/sql/table.h:2744
            #7869 0x000055943c513fd4 in TABLE_LIST::init_derived (this=0x62b000001e40, thd=0x62a0000ba270, init_view=true) at /10.3/src/sql/table.cc:8686
            #7870 0x000055943c1315dd in mysql_derived_init (thd=0x62a0000ba270, lex=0x62a0000be060, derived=0x62b000001e40) at /10.3/src/sql/sql_derived.cc:547
            #7871 0x000055943c12f241 in mysql_handle_derived (lex=0x62a0000be060, phases=1) at /10.3/src/sql/sql_derived.cc:119
            #7872 0x000055943c0898fa in open_and_lock_tables (thd=0x62a0000ba270, options=..., tables=0x62b000001e40, derived=true, flags=0, prelocking_strategy=0x7fca5e14c870) at /10.3/src/sql/sql_base.cc:5162
            #7873 0x000055943bfed770 in open_and_lock_tables (thd=0x62a0000ba270, tables=0x62b000001e40, derived=true, flags=0) at /10.3/src/sql/sql_base.h:503
            #7874 0x000055943c206c7a in execute_sqlcom_select (thd=0x62a0000ba270, all_tables=0x62b000001e40) at /10.3/src/sql/sql_parse.cc:6261
            #7875 0x000055943c1f5718 in mysql_execute_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:3871
            #7876 0x000055943c21143a in mysql_parse (thd=0x62a0000ba270, rawbuf=0x62b000000290 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1)  SELECT 1 ) \nSELECT  1", length=77, parser_state=0x7fca5e14e860, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:7871
            #7877 0x000055943c1e8317 in dispatch_command (command=COM_QUERY, thd=0x62a0000ba270, packet=0x629000127271 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1)  SELECT 1 ) \nSELECT  1  ", packet_length=79, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:1852
            #7878 0x000055943c1e4e5a in do_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:1398
            #7879 0x000055943c5b8ee5 in do_handle_one_connection (connect=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1403
            #7880 0x000055943c5b879f in handle_one_connection (arg=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1308
            #7881 0x000055943dbe9a17 in pfs_spawn_thread (arg=0x61600000e1f0) at /10.3/src/storage/perfschema/pfs.cc:1869
            #7882 0x00007fca74986609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #7883 0x00007fca748ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            ! after fixing it - please check also the original test case

            alice Alice Sherepa added a comment - - edited Thank you! I repeated on 10.3-10.10. Also crashes non-debug version, but there is nothing in the error log then. CREATE TABLE t1 (x int ); INSERT INTO t1 VALUES (1),(2),(3);   WITH RECURSIVE t1 AS ( WITH cte AS ( SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ; 10.3 c7f8cfc9e733517cff4aaa6f ...... #7865 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b000001590) at /10.3/src/sql/sql_union.cc:2180 #7866 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b0000008d0) at /10.3/src/sql/sql_union.cc:2180 #7867 0x000055943c4ff691 in TABLE_LIST::set_check_materialized (this=0x62b000001e40) at /10.3/src/sql/table.cc:5998 #7868 0x000055943c0a56cf in TABLE_LIST::set_materialized_derived (this=0x62b000001e40) at /10.3/src/sql/table.h:2744 #7869 0x000055943c513fd4 in TABLE_LIST::init_derived (this=0x62b000001e40, thd=0x62a0000ba270, init_view=true) at /10.3/src/sql/table.cc:8686 #7870 0x000055943c1315dd in mysql_derived_init (thd=0x62a0000ba270, lex=0x62a0000be060, derived=0x62b000001e40) at /10.3/src/sql/sql_derived.cc:547 #7871 0x000055943c12f241 in mysql_handle_derived (lex=0x62a0000be060, phases=1) at /10.3/src/sql/sql_derived.cc:119 #7872 0x000055943c0898fa in open_and_lock_tables (thd=0x62a0000ba270, options=..., tables=0x62b000001e40, derived=true, flags=0, prelocking_strategy=0x7fca5e14c870) at /10.3/src/sql/sql_base.cc:5162 #7873 0x000055943bfed770 in open_and_lock_tables (thd=0x62a0000ba270, tables=0x62b000001e40, derived=true, flags=0) at /10.3/src/sql/sql_base.h:503 #7874 0x000055943c206c7a in execute_sqlcom_select (thd=0x62a0000ba270, all_tables=0x62b000001e40) at /10.3/src/sql/sql_parse.cc:6261 #7875 0x000055943c1f5718 in mysql_execute_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:3871 #7876 0x000055943c21143a in mysql_parse (thd=0x62a0000ba270, rawbuf=0x62b000000290 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1", length=77, parser_state=0x7fca5e14e860, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:7871 #7877 0x000055943c1e8317 in dispatch_command (command=COM_QUERY, thd=0x62a0000ba270, packet=0x629000127271 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1 ", packet_length=79, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:1852 #7878 0x000055943c1e4e5a in do_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:1398 #7879 0x000055943c5b8ee5 in do_handle_one_connection (connect=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1403 #7880 0x000055943c5b879f in handle_one_connection (arg=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1308 #7881 0x000055943dbe9a17 in pfs_spawn_thread (arg=0x61600000e1f0) at /10.3/src/storage/perfschema/pfs.cc:1869 #7882 0x00007fca74986609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #7883 0x00007fca748ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 ! after fixing it - please check also the original test case
            igor Igor Babaev added a comment -

            After the fix for MDEV-29361 we have:

            MariaDB [test]> CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ;
            Query OK, 0 rows affected (0.002 sec)
             
            MariaDB [test]>  INSERT INTO x ( x ) VALUES ( 1 ) ;
            Query OK, 1 row affected (0.001 sec)
             
            MariaDB [test]>  UPDATE x SET x = 1 ;
            Query OK, 0 rows affected (0.000 sec)
            Rows matched: 1  Changed: 0  Warnings: 0
             
            MariaDB [test]>  INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
            Query OK, 2 rows affected (0.001 sec)
            Records: 2  Duplicates: 0  Warnings: 0
             
            MariaDB [test]>  WITH x AS ( SELECT x FROM x ORDER BY 1.000000 ) SELECT EXISTS ( WITH RECURSIVE x ( x ) AS ( WITH x AS ( SELECT x FROM ( SELECT x FROM ( SELECT 1 AS x , 1 FROM x WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1 GROUP BY x ) AS x ) AS x WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1 ) SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x UNION SELECT 1 - x LIMIT 1 ) SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x , ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' ) FROM x ) , 'x' FROM x WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ORDER BY x , x DESC ;
            ERROR 1235 (42000): This version of MariaDB doesn't yet support 'global ORDER_BY/LIMIT in recursive CTE spec'
            

            and

            MariaDB [test]> CREATE TABLE t1 (x int);
            Query OK, 0 rows affected (0.020 sec)
             
            MariaDB [test]> 
            MariaDB [test]> INSERT INTO t1 VALUES (1),(2),(3);
            Query OK, 3 rows affected (0.003 sec)
            Records: 3  Duplicates: 0  Warnings: 0
             
            MariaDB [test]> WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1  ;
            ERROR 4005 (HY000): No anchors for recursive WITH element 't1'
            

            This bug can be considered as a duplicate of MDEV-29361

            igor Igor Babaev added a comment - After the fix for MDEV-29361 we have: MariaDB [test]> CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ; Query OK, 0 rows affected (0.002 sec)   MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) ; Query OK, 1 row affected (0.001 sec)   MariaDB [test]> UPDATE x SET x = 1 ; Query OK, 0 rows affected (0.000 sec) Rows matched: 1 Changed: 0 Warnings: 0   MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ; Query OK, 2 rows affected (0.001 sec) Records: 2 Duplicates: 0 Warnings: 0   MariaDB [test]> WITH x AS ( SELECT x FROM x ORDER BY 1.000000 ) SELECT EXISTS ( WITH RECURSIVE x ( x ) AS ( WITH x AS ( SELECT x FROM ( SELECT x FROM ( SELECT 1 AS x , 1 FROM x WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1 GROUP BY x ) AS x ) AS x WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1 ) SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x UNION SELECT 1 - x LIMIT 1 ) SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x , ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' ) FROM x ) , 'x' FROM x WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ORDER BY x , x DESC ; ERROR 1235 (42000): This version of MariaDB doesn't yet support 'global ORDER_BY/LIMIT in recursive CTE spec' and MariaDB [test]> CREATE TABLE t1 (x int); Query OK, 0 rows affected (0.020 sec)   MariaDB [test]> MariaDB [test]> INSERT INTO t1 VALUES (1),(2),(3); Query OK, 3 rows affected (0.003 sec) Records: 3 Duplicates: 0 Warnings: 0   MariaDB [test]> WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ; ERROR 4005 (HY000): No anchors for recursive WITH element 't1' This bug can be considered as a duplicate of MDEV-29361
            igor Igor Babaev added a comment -

            Closed a duplicate of MDEV-29361 that is fixed

            igor Igor Babaev added a comment - Closed a duplicate of MDEV-29361 that is fixed

            People

              igor Igor Babaev
              nobody Shihao Wen
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.