MariaDB Server - MDEV-36364

MariaDB crashes when handling WINDOW functions

Details

    Description

      The MariaDB server crashes when executing the following fuzzer-generated statement:

      DROP DATABASE IF EXISTS test123;
      CREATE DATABASE IF NOT EXISTS test123;
      USE test123;
      CREATE TABLE v00 (c01 INT, c02 TEXT);
      CREATE INDEX i03 ON v00 (c01);
      INSERT INTO v00 (c01, c02) VALUES (0, 'abc');
      SELECT SQL_BIG_RESULT FALSE > TRUE IN ( SELECT 'string' ), INTERVAL FALSE > AVG ( ALL FALSE <=> INTERVAL 'string' DAY_SECOND + FALSE + INTERVAL FALSE != TRUE IN ( SELECT 'string' ) DAY_SECOND NOT IN ( SELECT ( SELECT 'string' ) ) ) OVER ( PARTITION BY TRUE ASC, FALSE <= AVG ( ALL FALSE && FALSE < TRUE IN ( SELECT 'string' ) OR FALSE > TRUE IN ( SELECT 'string' ) ) OVER ( ) ASC ) MINUTE_SECOND + TRUE >= FALSE IN ( SELECT 'string' ) = TRUE IN ( SELECT 'string' ) FROM v00 GROUP BY TRUE ASC WITH ROLLUP WINDOW no_window_name AS ( ORDER BY FALSE, TRUE ASC );

      Crash stack:

      #0 0x0000000000000000 in ?? ()
      #1 0x000000000192ac3c in Arg_comparator::compare (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:114
      #2 Item_func_gt::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:1931
      #3 0x000000000195a198 in Item_cond_or::val_bool (this=<optimized out>) at /home/mariadb/mariadb-server/sql/item_cmpfunc.cc:5689
      #4 0x00000000009a20c8 in Item_bool_func::val_int (this=0xffff754f8078) at /home/mariadb/mariadb-server/sql/item_cmpfunc.h:245
      #5 0x00000000019f6a84 in Item_int_func::val_real (this=0xffff754f8078) at /home/mariadb/mariadb-server/sql/item_func.cc:761
      #6 0x0000000001c12afc in Item_sum_sum::add_helper (this=0xffff4e6a0c90, perform_removal=<optimized out>) at /home/mariadb/mariadb-server/sql/item_sum.cc:1690
      #7 0x0000000001c17780 in Item_sum_sum::add (this=0xffff4e6a0c90) at /home/mariadb/mariadb-server/sql/item_sum.cc:1617
      #8 Item_sum_avg::add (this=0xffff4e6a0c90) at /home/mariadb/mariadb-server/sql/item_sum.cc:2042
      #9 0x000000000159ab58 in Frame_cursor::add_value_to_items (this=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_window.cc:1176
      #10 Frame_range_current_row_bottom::pre_next_partition (this=<optimized out>, rownum=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_window.cc:1586
      #11 0x0000000001599354 in Cursor_manager::notify_cursors_partition_changed (this=<optimized out>, rownum=0) at /home/mariadb/mariadb-server/sql/sql_window.cc:1235
      #12 0x0000000001590848 in compute_window_func (thd=<optimized out>, window_functions=..., cursor_managers=..., tbl=<optimized out>, filesort_result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_window.cc:2926
      #13 0x0000000001591dc8 in Window_func_runner::exec (this=<optimized out>, thd=<optimized out>, tbl=<optimized out>, filesort_result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_window.cc:3068
      #14 0x0000000001592208 in Window_funcs_sort::exec (this=0xffff4e6afb98, join=<optimized out>, keep_filesort_result=true) at /home/mariadb/mariadb-server/sql/sql_window.cc:3096
      #15 0x0000000001594f64 in Window_funcs_computation::exec (this=<optimized out>, join=0xffff4e6a53b8, keep_last_filesort_result=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_window.cc:3225
      #16 0x0000000000f21754 in AGGR_OP::end_send (this=0xffff4e6af9b8) at /home/mariadb/mariadb-server/sql/sql_select.cc:33256
      #17 0x0000000000e97718 in sub_select_postjoin_aggr (join=0xffff4e6a53b8, join_tab=0xffff4e6ae670, end_of_records=36) at /home/mariadb/mariadb-server/sql/sql_select.cc:23782
      #18 0x0000000000e24dc8 in sub_select (join=0xffff4e6a53b8, join_tab=0xffff4e6ae1f8, end_of_records=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_select.cc:24037
      #19 0x0000000000ea8768 in do_select (join=0xffff4e6a53b8, procedure=0x0) at /home/mariadb/mariadb-server/sql/sql_select.cc:23617
      #20 JOIN::exec_inner (this=0xffff4e6a53b8) at /home/mariadb/mariadb-server/sql/sql_select.cc:5046
      #21 0x0000000000ea4dc0 in JOIN::exec (this=0xffff4e6a53b8) at /home/mariadb/mariadb-server/sql/sql_select.cc:4829
      #22 0x0000000000e27d78 in mysql_select (thd=0xffff4f662218, tables=<optimized out>, fields=..., conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=0x0, select_options=<optimized out>, result=0xffff4e6a5388, unit=0xffff4f666590, select_lex=0xffff754f0908) at /home/mariadb/mariadb-server/sql/sql_select.cc:5362
      #23 0x0000000000e26f08 in handle_select (thd=0xffff4f662218, lex=0xffff4f6664b0, result=0xffff4e6a5388, setup_tables_done_option=0) at /home/mariadb/mariadb-server/sql/sql_select.cc:633
      #24 0x0000000000d4c2c0 in execute_sqlcom_select (thd=0xffff4f662218, all_tables=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:6191
      #25 0x0000000000d30e80 in mysql_execute_command (thd=0xffff4f662218, is_called_from_prepared_stmt=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:3979
      #26 0x0000000000d1cd24 in mysql_parse (thd=0xffff4f662218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7915
      #27 0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      #28 0x0000000000d1dbf4 in do_command (thd=0xffff4f662218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      #29 0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      #30 0x00000000012841b4 in handle_one_connection (arg=0xffff7b61da38) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      #31 0x0000000002200c38 in pfs_spawn_thread (arg=0xffff75009a98) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      #32 0x0000ffff81167624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      #33 0x0000ffff80e8966c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

      Thank you for the efficient bug analysis and quick reply!

      People

        Assignee: Unassigned
        Reporter: Yu Liang (luy70)