
Server crashes at Item_func_nextval::val_int

Details

    • Type: Bug
    • Status: Confirmed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.3.2, 11.4.1, 10.5, 10.6, 10.11, 11.4, 11.8
    • Fix Version/s: 10.11, 11.4, 11.8
    • Component/s: None
    • Labels: None
    • Environment: Ubuntu 20.04 x86-64, docker image mariadb:11.4.1-rc

    Description

      PoC:

      SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)));
      

      GDB backtrace:

      Thread 13 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to LWP 112029]
      0x00005595717f49e3 in Item_func_nextval::val_int() ()
      (gdb) bt
      #0  0x00005595717f49e3 in Item_func_nextval::val_int() ()
      #1  0x0000559571579880 in JOIN::exec_inner() ()
      #2  0x000055957157a43f in JOIN::exec() ()
      #3  0x00005595715783cc in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      #4  0x00005595714af0ab in ?? ()
      #5  0x00005595714af520 in ?? ()
      #6  0x00005595714aece5 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) ()
      #7  0x00005595715773f7 in JOIN::optimize_inner() ()
      #8  0x000055957157827a in JOIN::optimize() ()
      #9  0x00005595714cff95 in st_select_lex::optimize_unflattened_subqueries(bool) ()
      #10 0x00005595716764b5 in JOIN::optimize_constant_subqueries() ()
      #11 0x0000559571576dc3 in JOIN::optimize_inner() ()
      #12 0x000055957157827a in JOIN::optimize() ()
      #13 0x0000559571578371 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      #14 0x0000559571578bc4 in handle_select(THD*, LEX*, select_result*, unsigned long long) ()
      #15 0x00005595714eb285 in ?? ()
      #16 0x00005595714fa4af in mysql_execute_command(THD*, bool) ()
      #17 0x00005595714fba17 in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
      #18 0x00005595714fe20d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) ()
      #19 0x0000559571500118 in do_command(THD*, bool) ()
      #20 0x000055957162cf6f in do_handle_one_connection(CONNECT*, bool) ()
      #21 0x000055957162d2bd in handle_one_connection ()
      #22 0x00005595719afaf6 in ?? ()
      #23 0x00007f35b6856ac3 in ?? () from target:/lib/x86_64-linux-gnu/libc.so.6
      #24 0x00007f35b68e7a04 in clone () from target:/lib/x86_64-linux-gnu/libc.so.6
      

          Activity

            Alice Sherepa (alice) added a comment (edited)

            Thanks!
            Repeatable on 10.5-11.8:

            mariadbd: /10.5/src/sql/sql_base.cc:205: uint get_table_def_key(const TABLE_LIST*, const char**): Assertion `!strcmp(table_list->get_table_name().str, table_list->mdl_request.key.name())' failed.
            250311 18:12:49 [ERROR] /home/alice/am/m5-10.5/bld/sql/mariadbd got signal 6 ;
             
            Server version: 10.5.29-MariaDB-debug-log source revision: 7544fd4caeb959bdb573a4b09fbfa225a1ab37a6
             
            /lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7f8ec6772fd6]
            sql/sql_base.cc:208(get_table_def_key(TABLE_LIST const*, char const**))[0x5611a95276a0]
            sql/item_func.cc:7101(Item_func_nextval::val_int())[0x5611aa11f3dd]
            sql/sql_select.cc:4526(JOIN::exec_inner())[0x5611a97c3181]
            sql/sql_select.cc:4445(JOIN::exec())[0x5611a97c2060]
            sql/sql_select.cc:4923(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5611a97c650a]
            sql/sql_derived.cc:1275(mysql_derived_fill(THD*, LEX*, TABLE_LIST*))[0x5611a95fd648]
            sql/sql_derived.cc:1049(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x5611a95fb926]
            sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x5611a95f5d2f]
            sql/sql_select.cc:2237(JOIN::optimize_inner())[0x5611a97a9f48]
            sql/sql_select.cc:1765(JOIN::optimize())[0x5611a97a4ab5]
            sql/sql_lex.cc:4962(st_select_lex::optimize_unflattened_subqueries(bool))[0x5611a9667692]
            sql/opt_subselect.cc:5706(JOIN::optimize_constant_subqueries())[0x5611a9c64cf0]
            sql/sql_select.cc:2080(JOIN::optimize_inner())[0x5611a97a7b6a]
            sql/sql_select.cc:1765(JOIN::optimize())[0x5611a97a4ab5]
            sql/sql_select.cc:4907(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5611a97c6315]
            sql/sql_select.cc:449(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5611a9795980]
            sql/sql_parse.cc:6452(execute_sqlcom_select(THD*, TABLE_LIST*))[0x5611a96f6703]
            sql/sql_parse.cc:4043(mysql_execute_command(THD*))[0x5611a96e4b18]
            sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5611a9701ad1]
            sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x5611a96d631e]
            sql/sql_parse.cc:1375(do_command(THD*))[0x5611a96d2bf8]
            sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x5611a9b497f2]
            sql/sql_connect.cc:1300(handle_one_connection)[0x5611a9b4934c]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5611aa809820]
            nptl/pthread_create.c:478(start_thread)[0x7f8ec6d23609]
             
            Query (0x62b0000852a8): SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)))
            

            Server version: 10.5.28-MariaDB source revision: 7eded23be6597b4c485e8cad1538f2ae14541f91
             
            sql/signal_handler.cc:229(handle_fatal_signal)[0x55e8f28090d7]
            sigaction.c:0(__restore_rt)[0x7f0ebfca6420]
            sql/item_func.h:3802(Item_func_nextval::update_table())[0x55e8f2878b9b]
            sql/sql_select.cc:4526(JOIN::exec_inner())[0x55e8f264bcc4]
            sql/sql_select.cc:4445(JOIN::exec())[0x55e8f264c433]
            sql/sql_select.cc:4923(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e8f264a49e]
            sql/sql_derived.cc:1285(mysql_derived_fill(THD*, LEX*, TABLE_LIST*))[0x55e8f25a4da1]
            sql/sql_derived.cc:1049(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x55e8f25a5015]
            sql/sql_derived.cc:200(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x55e8f25a480d]
            sql/sql_select.cc:2237(JOIN::optimize_inner())[0x55e8f2647664]
            sql/sql_select.cc:1767(JOIN::optimize())[0x55e8f264a322]
            sql/sql_lex.cc:4962(st_select_lex::optimize_unflattened_subqueries(bool))[0x55e8f25d3588]
            sql/opt_subselect.cc:5707(JOIN::optimize_constant_subqueries())[0x55e8f2723361]
            sql/sql_select.cc:2080(JOIN::optimize_inner())[0x55e8f2646f2a]
            sql/sql_select.cc:1767(JOIN::optimize())[0x55e8f264a322]
            sql/sql_select.cc:4907(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e8f264a3f7]
            sql/sql_select.cc:461(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55e8f264b06a]
            sql/sql_parse.cc:6453(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55e8f249a1d6]
            sql/sql_parse.cc:4043(mysql_execute_command(THD*))[0x55e8f25ea6d7]
            sql/sql_parse.cc:8252(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55e8f25ecc7c]
            sql/sql_parse.cc:1953(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55e8f25ef338]
            sql/sql_parse.cc:1376(do_command(THD*))[0x55e8f25f0892]
            sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x55e8f26e6378]
            sql/sql_connect.cc:1304(handle_one_connection)[0x55e8f26e6614]
            perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55e8f2a73697]
            nptl/pthread_create.c:478(start_thread)[0x7f0ebfc9a609]
             
            Query (0x7f0e64010770): SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)))
            
            


            People

              Assignee: Oleksandr Byelkin (sanja)
              Reporter: Jingzhou Fu (fuboat)
              Votes: 1
              Watchers: 4

              Dates

                Created:
                Updated:
