SUMMARY: AddressSanitizer: stack-overflow /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_union.cc:2837 in st_select_lex_unit::set_unique_exclude()
PoC (fuzzer-generated SQL):
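-- Reproducer for the ASAN stack-overflow in st_select_lex_unit::set_unique_exclude()
-- (sql/sql_union.cc). The fuzzer output had lost the whitespace between keywords
-- (CREATETEMPORARYTABLE, INSERTINTO, ORDERBY, ...), so the script did not parse;
-- the spacing is restored here and the tokens are otherwise unchanged.
--
-- Impact: the only object touched is a session-local TEMPORARY table, so no access
-- to other data is needed to trigger it, and per the follow-up comments a non-debug
-- server crashes as well (with nothing in the error log) -- an authenticated
-- denial of service, not just a debug-build assertion.
-- Expected result once fixed (per the follow-up comments):
--   ERROR 1235 (42000): This version of MariaDB doesn't yet support
--   'global ORDER_BY/LIMIT in recursive CTE spec'

-- Scratch table; the CHECK expression is fuzzer noise kept for fidelity.
CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
-- Whole-table UPDATE is intentional: single-row scratch table.
UPDATE x SET x = 1 ;
INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;

-- Triggering query: a recursive CTE named `x` (same name as the table and as the
-- outer CTE), with a nested WITH inside its specification and a LIMIT applied to
-- the whole recursive spec. Laid out for readability only; token order is the
-- fuzzer's.
WITH x AS ( SELECT x FROM x ORDER BY 1.000000 )
SELECT EXISTS (
  WITH RECURSIVE x ( x ) AS (
    WITH x AS (
      SELECT x FROM (
        SELECT x FROM (
          SELECT 1 AS x , 1 FROM x
          WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1
          GROUP BY x
        ) AS x
      ) AS x
      WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1
    )
    SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x
    UNION
    SELECT 1 - x
    LIMIT 1
  )
  SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x ,
         ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' )
  FROM x
) , 'x'
FROM x
WINDOW x AS ( PARTITION BY x ORDER BY x DESC )
ORDER BY x , x DESC ;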
Thank you!
I reproduced it on 10.3 through 10.10. It also crashes a non-debug (release) build, but in that case nothing is written to the error log, so an operator would most likely see only an unexplained mysqld crash with no trace pointing at the offending query.
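-- Minimal reproducer for the same crash (the recursive set_unique_exclude()
-- frames #7865/#7866 in the trace below). Keyword spacing restored from the
-- fuzzer-style output so the statements parse.
CREATE TABLE t1 (x int);
INSERT INTO t1 VALUES (1),(2),(3);
-- The recursive CTE `t1` has the same name as the base table; its only reference
-- to `t1` is inside the nested non-recursive CTE `cte`, and it has no anchor
-- member. Fixed builds reject it with:
--   ERROR 4005 (HY000): No anchors for recursive WITH element 't1'
WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ;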
10.3 c7f8cfc9e733517cff4aaa6f
......
#7865 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b000001590) at /10.3/src/sql/sql_union.cc:2180
#7866 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b0000008d0) at /10.3/src/sql/sql_union.cc:2180
#7867 0x000055943c4ff691 in TABLE_LIST::set_check_materialized (this=0x62b000001e40) at /10.3/src/sql/table.cc:5998
#7868 0x000055943c0a56cf in TABLE_LIST::set_materialized_derived (this=0x62b000001e40) at /10.3/src/sql/table.h:2744
#7869 0x000055943c513fd4 in TABLE_LIST::init_derived (this=0x62b000001e40, thd=0x62a0000ba270, init_view=true) at /10.3/src/sql/table.cc:8686
#7870 0x000055943c1315dd in mysql_derived_init (thd=0x62a0000ba270, lex=0x62a0000be060, derived=0x62b000001e40) at /10.3/src/sql/sql_derived.cc:547
#7871 0x000055943c12f241 in mysql_handle_derived (lex=0x62a0000be060, phases=1) at /10.3/src/sql/sql_derived.cc:119
#7872 0x000055943c0898fa in open_and_lock_tables (thd=0x62a0000ba270, options=..., tables=0x62b000001e40, derived=true, flags=0, prelocking_strategy=0x7fca5e14c870) at /10.3/src/sql/sql_base.cc:5162
#7873 0x000055943bfed770 in open_and_lock_tables (thd=0x62a0000ba270, tables=0x62b000001e40, derived=true, flags=0) at /10.3/src/sql/sql_base.h:503
#7874 0x000055943c206c7a in execute_sqlcom_select (thd=0x62a0000ba270, all_tables=0x62b000001e40) at /10.3/src/sql/sql_parse.cc:6261
#7875 0x000055943c1f5718 in mysql_execute_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:3871
#7876 0x000055943c21143a in mysql_parse (thd=0x62a0000ba270, rawbuf=0x62b000000290 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1", length=77, parser_state=0x7fca5e14e860, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:7871
#7877 0x000055943c1e8317 in dispatch_command (command=COM_QUERY, thd=0x62a0000ba270, packet=0x629000127271 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1 ", packet_length=79, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:1852
#7878 0x000055943c1e4e5a in do_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:1398
#7879 0x000055943c5b8ee5 in do_handle_one_connection (connect=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1403
#7880 0x000055943c5b879f in handle_one_connection (arg=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1308
#7881 0x000055943dbe9a17 in pfs_spawn_thread (arg=0x61600000e1f0) at /10.3/src/storage/perfschema/pfs.cc:1869
#7882 0x00007fca74986609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#7883 0x00007fca748ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Note: after fixing it, please also re-check the original fuzzer test case, not only this reduced one.
Alice Sherepa
added a comment (edited): Thank you!
I reproduced it on 10.3 through 10.10. It also crashes a non-debug (release) build, but in that case nothing is written to the error log, so an operator would most likely see only an unexplained mysqld crash with no trace pointing at the offending query.
-- Alice Sherepa's minimal reproducer, as run against 10.3 c7f8cfc9e733517cff4aaa6f.
CREATE TABLE t1 (x int );
INSERT INTO t1 VALUES (1),(2),(3);
-- Recursive CTE with the base table's name and no anchor member; its reference to
-- `t1` sits inside the nested CTE `cte`. Recurses in set_unique_exclude() until the
-- stack is exhausted (trace below); fixed builds report ERROR 4005 instead.
WITH RECURSIVE t1 AS ( WITH cte AS ( SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ;
10.3 c7f8cfc9e733517cff4aaa6f
......
#7865 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b000001590) at /10.3/src/sql/sql_union.cc:2180
#7866 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b0000008d0) at /10.3/src/sql/sql_union.cc:2180
#7867 0x000055943c4ff691 in TABLE_LIST::set_check_materialized (this=0x62b000001e40) at /10.3/src/sql/table.cc:5998
#7868 0x000055943c0a56cf in TABLE_LIST::set_materialized_derived (this=0x62b000001e40) at /10.3/src/sql/table.h:2744
#7869 0x000055943c513fd4 in TABLE_LIST::init_derived (this=0x62b000001e40, thd=0x62a0000ba270, init_view=true) at /10.3/src/sql/table.cc:8686
#7870 0x000055943c1315dd in mysql_derived_init (thd=0x62a0000ba270, lex=0x62a0000be060, derived=0x62b000001e40) at /10.3/src/sql/sql_derived.cc:547
#7871 0x000055943c12f241 in mysql_handle_derived (lex=0x62a0000be060, phases=1) at /10.3/src/sql/sql_derived.cc:119
#7872 0x000055943c0898fa in open_and_lock_tables (thd=0x62a0000ba270, options=..., tables=0x62b000001e40, derived=true, flags=0, prelocking_strategy=0x7fca5e14c870) at /10.3/src/sql/sql_base.cc:5162
#7873 0x000055943bfed770 in open_and_lock_tables (thd=0x62a0000ba270, tables=0x62b000001e40, derived=true, flags=0) at /10.3/src/sql/sql_base.h:503
#7874 0x000055943c206c7a in execute_sqlcom_select (thd=0x62a0000ba270, all_tables=0x62b000001e40) at /10.3/src/sql/sql_parse.cc:6261
#7875 0x000055943c1f5718 in mysql_execute_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:3871
#7876 0x000055943c21143a in mysql_parse (thd=0x62a0000ba270, rawbuf=0x62b000000290 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1", length=77, parser_state=0x7fca5e14e860, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:7871
#7877 0x000055943c1e8317 in dispatch_command (command=COM_QUERY, thd=0x62a0000ba270, packet=0x629000127271 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1 ", packet_length=79, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:1852
#7878 0x000055943c1e4e5a in do_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:1398
#7879 0x000055943c5b8ee5 in do_handle_one_connection (connect=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1403
#7880 0x000055943c5b879f in handle_one_connection (arg=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1308
#7881 0x000055943dbe9a17 in pfs_spawn_thread (arg=0x61600000e1f0) at /10.3/src/storage/perfschema/pfs.cc:1869
#7882 0x00007fca74986609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#7883 0x00007fca748ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Note: after fixing it, please also re-check the original fuzzer test case, not only this reduced one.
MariaDB [test]> CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ;
Query OK, 0 rows affected (0.002 sec)
MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) ;
Query OK, 1 row affected (0.001 sec)
MariaDB [test]> UPDATE x SET x = 1 ;
Query OK, 0 rows affected (0.000 sec)
Rows matched: 1 Changed: 0 Warnings: 0
MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
Query OK, 2 rows affected (0.001 sec)
Records: 2 Duplicates: 0 Warnings: 0
MariaDB [test]> WITH x AS ( SELECT x FROM x ORDER BY 1.000000 ) SELECT EXISTS ( WITH RECURSIVE x ( x ) AS ( WITH x AS ( SELECT x FROM ( SELECT x FROM ( SELECT 1 AS x , 1 FROM x WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1 GROUP BY x ) AS x ) AS x WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1 ) SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x UNION SELECT 1 - x LIMIT 1 ) SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x , ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' ) FROM x ) , 'x' FROM x WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ORDER BY x , x DESC ;
ERROR 1235 (42000): This version of MariaDB doesn't yet support 'global ORDER_BY/LIMIT in recursive CTE spec'
and
MariaDB [test]> CREATE TABLE t1 (x int);
Query OK, 0 rows affected (0.020 sec)
MariaDB [test]>
MariaDB [test]> INSERT INTO t1 VALUES (1),(2),(3);
Query OK, 3 rows affected (0.003 sec)
Records: 3 Duplicates: 0 Warnings: 0
MariaDB [test]> WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ;
ERROR 4005 (HY000): No anchors for recursive WITH element 't1'
This bug can be considered a duplicate of MDEV-29361: with that fix applied, both test cases are rejected with a proper error instead of recursing until the stack is exhausted.
Igor Babaev
added a comment: After the fix for MDEV-29361 both test cases are rejected with an error instead of crashing the server:
MariaDB [test]> CREATE TEMPORARY TABLE x ( x TEXT ( 1 ) CHECK ( FALSE NOT LIKE x * 1 = 1 + 1 ^ 1 ) ) ;
Query OK, 0 rows affected (0.002 sec)
MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) ;
Query OK, 1 row affected (0.001 sec)
MariaDB [test]> UPDATE x SET x = 1 ;
Query OK, 0 rows affected (0.000 sec)
Rows matched: 1 Changed: 0 Warnings: 0
MariaDB [test]> INSERT INTO x ( x ) VALUES ( 1 ) , ( 1 ) ;
Query OK, 2 rows affected (0.001 sec)
Records: 2 Duplicates: 0 Warnings: 0
MariaDB [test]> WITH x AS ( SELECT x FROM x ORDER BY 1.000000 ) SELECT EXISTS ( WITH RECURSIVE x ( x ) AS ( WITH x AS ( SELECT x FROM ( SELECT x FROM ( SELECT 1 AS x , 1 FROM x WHERE x = CASE WHEN x * ( SELECT 1 FROM x AS x WHERE x BETWEEN 1.000000 AND 1 WINDOW x AS ( ORDER BY x - x , ( 1 < x AND x = 1 ) ) ) ^ x THEN 1.000000 ELSE x END / 1 GROUP BY x ) AS x ) AS x WHERE ( x = 1 OR x = 1 ) NOT LIKE 'x' AND x * 1 ) SELECT NOT ( ( 1.000000 ^ 1.000000 AND 1.000000 = ( SELECT x FROM x ) * 1 + 1 ^ 1 ) * ( x = 1 OR x = 1 ) NOT LIKE 'x' ) AS x UNION SELECT 1 - x LIMIT 1 ) SELECT DISTINCT ( NOT ( NOT ( NOT ( x = 'x' AND x = 'x' AND x = 'x' ) ) IS NULL ) ) AS x , ( ( TRUE , x ) NOT IN ( SELECT ( x % ( SELECT x FROM x WHERE 1 = x ) <= x ) , ( x = 1 AND x = 1 ) FROM x ) OR x > 'x' ) FROM x ) , 'x' FROM x WINDOW x AS ( PARTITION BY x ORDER BY x DESC ) ORDER BY x , x DESC ;
ERROR 1235 (42000): This version of MariaDB doesn't yet support 'global ORDER_BY/LIMIT in recursive CTE spec'
and
MariaDB [test]> CREATE TABLE t1 (x int);
Query OK, 0 rows affected (0.020 sec)
MariaDB [test]>
MariaDB [test]> INSERT INTO t1 VALUES (1),(2),(3);
Query OK, 3 rows affected (0.003 sec)
Records: 3 Duplicates: 0 Warnings: 0
MariaDB [test]> WITH RECURSIVE t1 AS ( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) SELECT 1 ;
ERROR 4005 (HY000): No anchors for recursive WITH element 't1'
This bug can be considered a duplicate of MDEV-29361: with that fix applied, both test cases are rejected with a proper error instead of recursing until the stack is exhausted.
Thank you!
I reproduced it on 10.3 through 10.10. It also crashes a non-debug (release) build, but in that case nothing is written to the error log, so an operator would most likely see only an unexplained mysqld crash with no trace pointing at the offending query.
10.3 c7f8cfc9e733517cff4aaa6f
......
#7865 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b000001590) at /10.3/src/sql/sql_union.cc:2180
#7866 0x000055943c49db09 in st_select_lex_unit::set_unique_exclude (this=0x62b0000008d0) at /10.3/src/sql/sql_union.cc:2180
#7867 0x000055943c4ff691 in TABLE_LIST::set_check_materialized (this=0x62b000001e40) at /10.3/src/sql/table.cc:5998
#7868 0x000055943c0a56cf in TABLE_LIST::set_materialized_derived (this=0x62b000001e40) at /10.3/src/sql/table.h:2744
#7869 0x000055943c513fd4 in TABLE_LIST::init_derived (this=0x62b000001e40, thd=0x62a0000ba270, init_view=true) at /10.3/src/sql/table.cc:8686
#7870 0x000055943c1315dd in mysql_derived_init (thd=0x62a0000ba270, lex=0x62a0000be060, derived=0x62b000001e40) at /10.3/src/sql/sql_derived.cc:547
#7871 0x000055943c12f241 in mysql_handle_derived (lex=0x62a0000be060, phases=1) at /10.3/src/sql/sql_derived.cc:119
#7872 0x000055943c0898fa in open_and_lock_tables (thd=0x62a0000ba270, options=..., tables=0x62b000001e40, derived=true, flags=0, prelocking_strategy=0x7fca5e14c870) at /10.3/src/sql/sql_base.cc:5162
#7873 0x000055943bfed770 in open_and_lock_tables (thd=0x62a0000ba270, tables=0x62b000001e40, derived=true, flags=0) at /10.3/src/sql/sql_base.h:503
#7874 0x000055943c206c7a in execute_sqlcom_select (thd=0x62a0000ba270, all_tables=0x62b000001e40) at /10.3/src/sql/sql_parse.cc:6261
#7875 0x000055943c1f5718 in mysql_execute_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:3871
#7876 0x000055943c21143a in mysql_parse (thd=0x62a0000ba270, rawbuf=0x62b000000290 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1", length=77, parser_state=0x7fca5e14e860, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:7871
#7877 0x000055943c1e8317 in dispatch_command (command=COM_QUERY, thd=0x62a0000ba270, packet=0x629000127271 "WITH RECURSIVE t1 AS \n( WITH cte AS (SELECT 1 FROM t1) SELECT 1 ) \nSELECT 1 ", packet_length=79, is_com_multi=false, is_next_command=false) at /10.3/src/sql/sql_parse.cc:1852
#7878 0x000055943c1e4e5a in do_command (thd=0x62a0000ba270) at /10.3/src/sql/sql_parse.cc:1398
#7879 0x000055943c5b8ee5 in do_handle_one_connection (connect=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1403
#7880 0x000055943c5b879f in handle_one_connection (arg=0x61100004def0) at /10.3/src/sql/sql_connect.cc:1308
#7881 0x000055943dbe9a17 in pfs_spawn_thread (arg=0x61600000e1f0) at /10.3/src/storage/perfschema/pfs.cc:1869
#7882 0x00007fca74986609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#7883 0x00007fca748ab133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Note: after fixing it, please also re-check the original fuzzer test case, not only this reduced one.