Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-34086

MariaDB Server crashes at _ZN10Item_equal7val_intEv

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate
    • 11.3.2, 11.4.1
    • 10.4.34
    • Optimizer
    • None
    • Ubuntu 20.04 x86_64,CC=clang-12 CXX=clang++-12 cmake ../mariadb

    Description

      PoC:

      SELECT CASE WHEN (SELECT AVG('1000009:10:10') GROUP BY x HAVING x = 'a') THEN TRUE END FROM (SELECT '-Infinity' AS x UNION SELECT UPDATEXML(NULL, 1, 1)) AS x GROUP BY x;

      Backtrace:

      #0 0x561622997603 (_ZN10Item_equal7val_intEv+0x153)
      		 
      #1 0x56162255dd54 (_Z14end_send_groupP4JOINP13st_join_tableb+0x924)
      		 
      #2 0x56162252eb25 (_ZN4JOIN10exec_innerEv+0x22f5)
      		 
      #3 0x56162252c746 (_ZN4JOIN4execEv+0x66)
      		 
      #4 0x561622a8593b (_ZN30subselect_single_select_engine4execEv+0x5ab)
      		 
      #5 0x561622a7603a (_ZN14Item_subselect4execEv+0x5a)
      		 
      #6 0x561622a787c6 (_ZN24Item_singlerow_subselect8val_realEv+0x66)
      		 
      #7 0x56162295f077 (_ZN15Item_cache_real11cache_valueEv+0x57)
      		 
      #8 0x561622958595 (_ZN18Item_cache_wrapper8val_boolEv+0x145)
      		 
      #9 0x561622980a62 (_ZN23Item_func_case_searched9find_itemEv+0x62)
      		 
      #10 0x5616229810d3 (_ZN14Item_func_case6int_opEv+0x33)
      		 
      #11 0x56162294e50b (_ZN4Item17save_int_in_fieldEP5Fieldb+0x3b)
      		 
      #12 0x56162294e5f1 (_ZN4Item13save_in_fieldEP5Fieldb+0x51)
      		 
      #13 0x56162255d0f9 (_ZL9end_writeP4JOINP13st_join_tableb+0x1b9)
      		 
      #14 0x56162255f22d (_ZL20evaluate_join_recordP4JOINP13st_join_tablei+0x59d)
      		 
      #15 0x5616224f8ea6 (_Z10sub_selectP4JOINP13st_join_tableb+0x4f6)
      		 
      #16 0x56162252e275 (_ZN4JOIN10exec_innerEv+0x1a45)
      		 
      #17 0x56162252c746 (_ZN4JOIN4execEv+0x66)
      		 
      #18 0x5616224f9e4b (_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x5ab)
      		 
      #19 0x5616224f97e5 (_Z13handle_selectP3THDP3LEXP13select_resulty+0x265)
      		 
      #20 0x561622498fe9 (_ZL21execute_sqlcom_selectP3THDP10TABLE_LIST+0x639)
      		 
      #21 0x56162248f0fa (_Z21mysql_execute_commandP3THDb+0x3daa)
      		 
      #22 0x561622484e05 (_Z11mysql_parseP3THDPcjP12Parser_state+0x345)
      		 
      #23 0x5616224812ae (_Z16dispatch_command19enum_server_commandP3THDPcjb+0x17de)
      		 
      #24 0x561622485646 (_Z10do_commandP3THDb+0x4a6)
      		 
      #25 0x5616226ad115 (_Z24do_handle_one_connectionP7CONNECTb+0x2b5)
      		 
      #26 0x5616226acd47 (handle_one_connection+0xc7)
      		 
      #27 0x561622cf33ff (pfs_spawn_thread+0xff)
      		 
      #28 0x7fb0cb611609 (start_thread+0xd9)
      		 
      #29 0x7fb0cb333353 (clone+0x43)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28621 group by optimization incorrectly removing subquery where subject buried in a function

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              Unassigned Unassigned
              ApplePie Peng Zongrui
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.