Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33985

Server crashes at Item_func_nextval::val_int

Details

    • Bug
    • Status: Confirmed (View Workflow)
    • Major
    • Resolution: Unresolved
    • 11.3.2, 11.4.1, 10.5, 10.6, 10.11, 11.4, 11.8
    • 10.11, 11.4, 11.8
    • None
    • None
    • Ubuntu 20.04 x86-64, docker image mariadb:11.4.1-rc

    Description

      PoC:

      SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)));

      GDB backtrace:

      Thread 13 "mariadbd" received signal SIGSEGV, Segmentation fault.
      		 
      [Switching to LWP 112029]
      		 
      0x00005595717f49e3 in Item_func_nextval::val_int() ()
      		 
      (gdb) bt
      		 
      #0  0x00005595717f49e3 in Item_func_nextval::val_int() ()
      		 
      #1  0x0000559571579880 in JOIN::exec_inner() ()
      		 
      #2  0x000055957157a43f in JOIN::exec() ()
      		 
      #3  0x00005595715783cc in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      		 
      #4  0x00005595714af0ab in ?? ()
      		 
      #5  0x00005595714af520 in ?? ()
      		 
      #6  0x00005595714aece5 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) ()
      		 
      #7  0x00005595715773f7 in JOIN::optimize_inner() ()
      		 
      #8  0x000055957157827a in JOIN::optimize() ()
      		 
      #9  0x00005595714cff95 in st_select_lex::optimize_unflattened_subqueries(bool) ()
      		 
      #10 0x00005595716764b5 in JOIN::optimize_constant_subqueries() ()
      		 
      #11 0x0000559571576dc3 in JOIN::optimize_inner() ()
      		 
      #12 0x000055957157827a in JOIN::optimize() ()
      		 
      #13 0x0000559571578371 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      		 
      #14 0x0000559571578bc4 in handle_select(THD*, LEX*, select_result*, unsigned long long) ()
      		 
      #15 0x00005595714eb285 in ?? ()
      		 
      #16 0x00005595714fa4af in mysql_execute_command(THD*, bool) ()
      		 
      #17 0x00005595714fba17 in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
      		 
      #18 0x00005595714fe20d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) ()
      		 
      #19 0x0000559571500118 in do_command(THD*, bool) ()
      		 
      #20 0x000055957162cf6f in do_handle_one_connection(CONNECT*, bool) ()
      		 
      #21 0x000055957162d2bd in handle_one_connection ()
      		 
      #22 0x00005595719afaf6 in ?? ()
      		 
      #23 0x00007f35b6856ac3 in ?? () from target:/lib/x86_64-linux-gnu/libc.so.6
      		 
      #24 0x00007f35b68e7a04 in clone () from target:/lib/x86_64-linux-gnu/libc.so.6

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-36362 MariaDB crashes when parsing fuzzer generated PARTITION

          • Critical - Crashes, loss of data, severe memory leak.
          • Confirmed

          Activity

            People

              sanja Oleksandr Byelkin
              fuboat Jingzhou Fu
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.