[MDEV-36353] MariaDB SEGV in Item_subselect::init when executing query - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 10.11, 11.4, 11.8, 12.0
Fix Version/s: 10.11, 11.4, 11.8
Component/s: Optimizer
Labels:
- UBSAN
- null-pointer-use

Description

MariaDB crashes when executing the following statement:

drop database if exists test123;

create database if not exists test123;

use test123;

DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * );

Crash stack:

#0  0x0000000001bbe8bc in Item_subselect::init (this=0xffff7e8f2640, select_lex=0xffff7e8f17b8, result=0xffff7e8f2850)

    at /home/mariadb/mariadb-server/sql/item_subselect.cc:124

#1  0x0000000001bccc44 in Item_in_subselect::Item_in_subselect (this=0xffff7e8f2640, thd=0xffff58e5b218, left_exp=<optimized out>,

    select_lex=0xffff7e8f17b8) at /home/mariadb/mariadb-server/sql/item_subselect.cc:1664

#2  0x0000000001649b48 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:9670

#3  0x0000000000d575c0 in parse_sql (thd=0xffff58e5b218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true)

    at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328

#4  0x0000000000d1c8b8 in mysql_parse (thd=0xffff58e5b218,

    rawbuf=0xffff7e8f0438 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )",

    length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867

#5  0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902

#6  0x0000000000d1dbf4 in do_command (thd=0xffff58e5b218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415

#7  0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415

#8  0x00000000012841b4 in handle_one_connection (arg=0xffff84a34db8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327

#9  0x0000000002200c38 in pfs_spawn_thread (arg=0xffff7e405f18) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198

#10 0x0000ffff8a44d624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477

#11 0x0000ffff8a16f66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

Attachments

Issue Links

is part of

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

relates to

MDEV-31292 Procedure call with boolean expression parameter using more than one exists function crash the server

Confirmed

Activity

Ascending order - Click to sort in descending order

Yu Liang created issue - 2025-03-22 19:14

Roel Van de Paar made changes - 2025-03-24 05:29

Field	Original Value	New Value
Description	MariaDB crashes when executing the following statement: {code:sql} drop database if exists test123; create database if not exists test123; use test123; DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * ); {code} Crash stack: {quote} #0 0x0000000001bbe8bc in Item_subselect::init (this=0xffff7e8f2640, select_lex=0xffff7e8f17b8, result=0xffff7e8f2850) at /home/mariadb/mariadb-server/sql/item_subselect.cc:124 #1 0x0000000001bccc44 in Item_in_subselect::Item_in_subselect (this=0xffff7e8f2640, thd=0xffff58e5b218, left_exp=<optimized out>, select_lex=0xffff7e8f17b8) at /home/mariadb/mariadb-server/sql/item_subselect.cc:1664 #2 0x0000000001649b48 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:9670 #3 0x0000000000d575c0 in parse_sql (thd=0xffff58e5b218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328 #4 0x0000000000d1c8b8 in mysql_parse (thd=0xffff58e5b218, rawbuf=0xffff7e8f0438 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867 #5 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902 #6 0x0000000000d1dbf4 in do_command (thd=0xffff58e5b218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415 #7 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415 #8 0x00000000012841b4 in handle_one_connection (arg=0xffff84a34db8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327 #9 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff7e405f18) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198 #10 0x0000ffff8a44d624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477 #11 0x0000ffff8a16f66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 {quote}	MariaDB crashes when executing the following statement: {code:sql} drop database if exists test123; create database if not exists test123; use test123; DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * ); {code} Crash stack: {noformat} #0 0x0000000001bbe8bc in Item_subselect::init (this=0xffff7e8f2640, select_lex=0xffff7e8f17b8, result=0xffff7e8f2850) at /home/mariadb/mariadb-server/sql/item_subselect.cc:124 #1 0x0000000001bccc44 in Item_in_subselect::Item_in_subselect (this=0xffff7e8f2640, thd=0xffff58e5b218, left_exp=<optimized out>, select_lex=0xffff7e8f17b8) at /home/mariadb/mariadb-server/sql/item_subselect.cc:1664 #2 0x0000000001649b48 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:9670 #3 0x0000000000d575c0 in parse_sql (thd=0xffff58e5b218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328 #4 0x0000000000d1c8b8 in mysql_parse (thd=0xffff58e5b218, rawbuf=0xffff7e8f0438 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867 #5 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902 #6 0x0000000000d1dbf4 in do_command (thd=0xffff58e5b218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415 #7 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415 #8 0x00000000012841b4 in handle_one_connection (arg=0xffff84a34db8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327 #9 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff7e405f18) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198 #10 0x0000ffff8a44d624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477 #11 0x0000ffff8a16f66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78 {noformat}

Roel Van de Paar made changes - 2025-03-24 05:30

Environment

Ubuntu ARM64 VM

Roel Van de Paar made changes - 2025-03-24 05:30

Labels

crash

Roel Van de Paar made changes - 2025-03-24 05:31

Summary

MariaDB SEGV when executing query

MariaDB SEGV in Item_subselect::init when executing query

Roel Van de Paar made changes - 2025-03-24 05:34

Affects Version/s

11.7.2 [ 29914 ]

Roel Van de Paar made changes - 2025-03-24 05:34

Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.8 [ 29921 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.8 [ 29921 ]
Affects Version/s		12.0 [ 29945 ]

Roel Van de Paar made changes - 2025-03-24 05:35

Labels

UBSAN

Roel Van de Paar made changes - 2025-03-24 05:35

Labels

UBSAN

UBSAN null-pointer-use

Roel Van de Paar made changes - 2025-03-24 05:38

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 2025-03-24 05:38

Component/s

Parser [ 10201 ]

Roel Van de Paar made changes - 2025-03-24 05:38

Component/s

Optimizer [ 10200 ]

Roel Van de Paar made changes - 2025-03-24 05:38

Assignee

Sergei Petrunia [ psergey ]

Daniel Black made changes - 2025-03-25 01:04

Link

This issue is part of MDEV-25454 [ MDEV-25454 ]

Alice Sherepa made changes - 2025-03-25 13:16

Link

This issue relates to MDEV-31292 [ MDEV-31292 ]

People

Assignee:: Sergei Petrunia

Reporter:: Yu Liang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2025-03-22 19:14

Updated:: 2025-03-25 13:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration