[MDEV-29363] Constant subquery causing a crash in pushdown optimization - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.10.0, 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3
Component/s: Optimizer
Labels:
None

Description

SUMMARY: AddressSanitizer: heap-use-after-free /home/wsh/database_fuzz/mysql_fuzz/Mariadb_10.3/sql/sql_select.cc:25688 in calc_group_buffer(TMP_TABLE_PARAM*, st_order*)

poc:

CREATE TABLE v1200 ( v1201 TEXT NOT NULL ) ;

 ( ( SELECT v1201 FROM v1200 WHERE v1201 IN ( 'x' = v1201 ) ORDER BY v1201 + v1201 , v1201 + v1201 ) ) ;

 UPDATE v1200 SET v1201 = 82 WHERE v1201 = 39 ;

 INSERT INTO v1200 ( v1201 ) VALUES ( 8 ) , ( 71 ) ;

 SELECT DISTINCT ( ( 52851147.000000 OR NOT TRUE ) - 46 ) , 21 FROM v1200 WINDOW v1208 AS ( PARTITION BY FALSE ORDER BY ( SELECT DISTINCT 90 FROM ( SELECT DISTINCT 'x' , ( WITH RECURSIVE v1202 AS ( SELECT DISTINCT v1201 FROM v1200 ) SELECT v1201 FROM ( SELECT DISTINCT ( ( NOT ( 14419645.000000 AND v1201 = 0 ) ) = 2147483647 AND v1201 = 58 ) % 83 , ( v1201 = 85 OR v1201 > 'x' ) FROM v1200 WHERE v1201 = 79 AND ( EXISTS ( SELECT ( v1201 NOT IN ( v1201 ) AND v1201 NOT IN ( 55 ^ v1201 ) ) , v1201 + v1201 FROM v1200 GROUP BY v1201 HAVING ( v1201 != 1 AND v1201 = v1201 AND ( NOT ( 'x' = 'x' AND FALSE = 84 ) ) AND v1201 LIKE 'x' ) WINDOW v1209 AS ( ORDER BY v1201 - v1201 , ( 0 < v1201 AND v1201 = 64 ) ) ) OR v1201 = -1 OR v1201 = 8 ) ) AS v1204 NATURAL JOIN v1200 WHERE ( v1201 = 1 OR v1201 = 25453422.000000 ) NOT LIKE 'x' AND CASE v1201 * 2147483647 = -1 WHEN 64 THEN 'x' WHEN -1 THEN 'x' ELSE 255 END != 9 GROUP BY v1201 , v1201 ORDER BY v1201 DESC LIMIT 1 OFFSET 1 ) , 127 , 73570201.000000 FROM v1200 ) AS v1205 JOIN v1200 AS v1206 NATURAL JOIN v1200 AS v1207 JOIN v1200 ) DESC RANGE BETWEEN 36297935.000000 FOLLOWING AND 89149539.000000 FOLLOWING ) ;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

404_stack
14 kB
2022-08-23 12:52

Issue Links

blocks

MDEV-32424 Pushdown: server crashes at JOIN::save_explain_data()

Closed

includes

MDEV-32293 Pushdown: server crashes at check_simple_equality()

Closed

MDEV-32304 Pushdown: server crashes at Item_field::used_tables()

Closed

is caused by

MDEV-21184 Assertion `used_tables_cache == 0' failed in Item_func::fix_fields with condition_pushdown_from_having

Closed

is duplicated by

MDEV-32424 Pushdown: server crashes at JOIN::save_explain_data()

Closed

MDEV-32722 Heap-Use-After-Free at /mariadb-11.3.0/sql/sql_select.cc:28029

Closed

relates to

MDEV-32539 Server crash in Time_and_counter_tracker::incr_loops or Assertion failure in JOIN::save_explain_data

Closed

MDEV-34650 main.having_cond_pushdown test failure - crash server (s390x)

Closed

(1 is duplicated by, 2 relates to)

Activity

Transition	Time In Source Status	Execution Times

Alice Sherepa made transition - 2022-08-23 16:59

Open

Confirmed

4h 6m

Yuchen Pei made transition - 2023-12-08 00:17

Confirmed

In Progress

471d 7h 18m

Yuchen Pei made transition - 2024-02-08 07:35

In Progress

In Review

62d 7h 17m

Igor Babaev (Inactive) made transition - 2024-07-04 04:23

In Review

Stalled

146d 20h 48m

Galina Shalygina (Inactive) made transition - 2024-07-04 15:34

Stalled

Closed

11h 10m

People

Assignee:: Galina Shalygina (Inactive)

Reporter:: Shihao Wen

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2022-08-23 12:52

Updated:: 2024-09-11 05:28

Resolved:: 2024-07-04 15:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration