Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-34087

MariaDB Server crashes at st_select_lex::handle_derived(LEX*, unsigned int)

    XMLWordPrintable

Details

    • Bug
    • Status: Confirmed (View Workflow)
    • Major
    • Resolution: Unresolved
    • 11.3.2, 11.4.1
    • 10.6
    • None
    • None
    • Ubuntu 20.04 x86_64,docker image mariadb:11.4.1-rc

    Description

      PoC:

      SELECT (WITH RECURSIVE x AS (WITH x AS (SELECT x FROM x) SELECT COALESCE FROM x UNION SELECT 1 FROM x) SELECT ST_X FROM x);

      Backtrace:

      #0  0x0000559a452ddb8c in st_select_lex::handle_derived(LEX*, unsigned int) ()
      		 
      #1  0x0000559a4540edb6 in TABLE_LIST::handle_derived(LEX*, unsigned int) ()
      		 
      #2  0x0000559a452ddbc7 in st_select_lex::handle_derived(LEX*, unsigned int) ()
      		 
      #3  0x0000559a4540edb6 in TABLE_LIST::handle_derived(LEX*, unsigned int) ()
      		 
      ...
      		 
      #6036 0x0000559a452ddbc7 in st_select_lex::handle_derived(LEX*, unsigned int) ()
      		 
      #6037 0x0000559a45373daf in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) ()
      		 
      #6038 0x0000559a45676888 in ?? ()
      		 
      #6039 0x0000559a45675f4d in Item_subselect::fix_fields(THD*, Item**) ()
      		 
      #6040 0x0000559a45297c71 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) ()
      		 
      #6041 0x0000559a45374089 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) ()
      		 
      #6042 0x0000559a453888c4 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) ()
      		 
      #6043 0x0000559a45388bc4 in handle_select(THD*, LEX*, select_result*, unsigned long long) ()
      		 
      #6044 0x0000559a452fb285 in ?? ()
      		 
      --Type <RET> for more, q to quit, c to continue without paging--
      		 
      #6045 0x0000559a4530a4af in mysql_execute_command(THD*, bool) ()
      		 
      #6046 0x0000559a4530ba17 in mysql_parse(THD*, char*, unsigned int, Parser_state*) ()
      		 
      #6047 0x0000559a4530e20d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) ()
      		 
      #6048 0x0000559a45310118 in do_command(THD*, bool) ()
      		 
      #6049 0x0000559a4543cf6f in do_handle_one_connection(CONNECT*, bool) ()
      		 
      #6050 0x0000559a4543d2bd in handle_one_connection ()
      		 
      #6051 0x0000559a457bfaf6 in ?? ()
      		 
      #6052 0x00007f4cb3ab1ac3 in ?? () from target:/lib/x86_64-linux-gnu/libc.so.6
      		 
      #6053 0x00007f4cb3b42a04 in clone () from target:/lib/x86_64-linux-gnu/libc.so.6

      Attachments

        Activity

          People

            Johnston Rex Johnston
            ApplePie Peng Zongrui
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.