MariaDB Server
MDEV-38939

SIGSEGV in With_clause::find_table_def() when executing WITH RECURSIVE + nested WITH + set operations (UNION DISTINCT/EXCEPT)


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 10.2 (EOL)
    • Fix Version/s: N/A
    • Component/s: Optimizer - CTE
    • Labels: None
    • Not for Release Notes

    Description

      Reproduction test case

        -- repro_cte_find_table_def_segv.sql
        -- MariaDB 10.2.5-MariaDB-debug
        -- Crash: SIGSEGV in With_clause::find_table_def (sql/sql_cte.cc:225)

        DROP DATABASE IF EXISTS repro_cte;
        CREATE DATABASE repro_cte;
        USE repro_cte;

        -- Minimal schema so the FROM/JOIN table list exists
        DROP TABLE IF EXISTS mysql_4, tmp5, tmp8, tmp10, mysql_1, tmp3;

        CREATE TABLE mysql_4 (
          col_int       INT,
          col_varchar   VARCHAR(64),
          col_date      DATE,
          col_timestamp DATETIME,
          col_numeric   DECIMAL(65,30)
        );
        CREATE TABLE tmp5    LIKE mysql_4;
        CREATE TABLE tmp8    LIKE mysql_4;
        CREATE TABLE tmp10   LIKE mysql_4;
        CREATE TABLE mysql_1 LIKE mysql_4;
        CREATE TABLE tmp3    LIKE mysql_4;

        -- Optional: seed rows (not required for the crash, but keeps runtime paths realistic)
        INSERT INTO mysql_4 VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);
        INSERT INTO tmp5    VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);
        INSERT INTO tmp8    VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);
        INSERT INTO tmp10   VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);
        INSERT INTO mysql_1 VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);
        INSERT INTO tmp3    VALUES (1,'a','2012-04-16','2012-04-16 00:00:00',1.0);

        -- Repro query (trimmed from mariadbd_20260301_230701.log:230)
        WITH RECURSIVE cte1 AS (
          WITH cte1 AS (
            SELECT a1.col_int, a1.col_varchar, a2.col_date, a1.col_timestamp, a1.col_numeric
            FROM mysql_4 a1
              NATURAL RIGHT JOIN tmp5  a2
              NATURAL RIGHT JOIN tmp8  a3
              NATURAL LEFT  JOIN tmp10 a4
            WHERE a3.col_date IS NULL
          ),
          cte2 AS (
            SELECT a2.col_int, a1.col_varchar, a1.col_date, a1.col_timestamp, a1.col_numeric
            FROM tmp8 a1
              LEFT OUTER JOIN mysql_1 a2
                ON (a1.col_int = a2.col_int OR NOT (a2.col_numeric IS NOT NULL)
                    AND a1.col_numeric = -1234567891234567891234567890000000000000)
            WHERE a1.col_date >= '2012-04-16'
          )
          SELECT * FROM cte2
            JOIN tmp3 ON cte2.col_int = mysql_1.col_int
          GROUP BY col_varchar
        )
        SELECT t11.* FROM cte1 t11
        UNION DISTINCT SELECT t11.* FROM cte1 t11
        EXCEPT         SELECT t11.* FROM cte1 t11;
      

      mysqld args (observed via pgrep -a mysqld):
      • --no-defaults
      • --basedir=/data/mariadb/build_cov
      • --datadir=/data/mariadb/build_cov/data
      • --socket=/data/mariadb/build_cov/data/mysql.sock
      • --port=3307
      • --bind-address=0.0.0.0
      • --user=root
      • --log-error=/data/mariadb/build_cov/logs/mariadbd_*.log

      Reproducibility

      • Reproducible. Running the “Minimal Repro SQL” above results in server crash and core dump.

      Steps to Reproduce
      1. Start mysqld with the above args.
      2. Run repro_cte_find_table_def_segv.sql (see script above).

      Expected Result

      • SQL should either execute or fail with a normal SQL error (syntax/semantic), but server must not crash.

      Actual Result

      • Client reports ERROR 2013 (HY000): Lost connection to MySQL server during query
      • Server terminates with SIGSEGV and dumps core.

      Backtrace (example, reproduced)

        From core core.4190071 (same signature seen in other cores):
        #0  With_clause::find_table_def (...) at /data/mariadb/sql/sql_cte.cc:225
        #1  st_select_lex::find_table_def_in_with_clauses (...) at /data/mariadb/sql/sql_cte.cc:940
        #2  open_and_process_table (...) at /data/mariadb/sql/sql_base.cc:3255
        #3  open_tables (...) at /data/mariadb/sql/sql_base.cc:3926
        #4  open_and_lock_tables (...) at /data/mariadb/sql/sql_base.cc:4681
        #6  execute_sqlcom_select (...) at /data/mariadb/sql/sql_parse.cc:6336
        #8  mysql_parse (...) at /data/mariadb/sql/sql_parse.cc:7862
        #9  dispatch_command (...) at /data/mariadb/sql/sql_parse.cc:1811
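The report says the same signature was seen in other cores; grouping cores that way needs a signature that ignores what changes between builds (addresses, exact line numbers) and keeps what identifies the bug (the top frames' function names). Below is an added example, not part of this report or of MariaDB's source, that parses gdb-style `bt` lines as pasted above into frames, derives such a signature, and reports the frame numbers missing from a trimmed trace (#5 and #7 in this report). The first sample is the report's own backtrace; the second core, its addresses and the `??` frame from libc are constructed to show the `0x... in func` and `from lib` forms gdb prints, and the regex is this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Backtrace copied from the report above (frames #5 and #7 were trimmed by the reporter).
REPORT_BACKTRACE = """
From core core.4190071 (same signature seen in other cores):
#0  With_clause::find_table_def (...) at /data/mariadb/sql/sql_cte.cc:225
#1  st_select_lex::find_table_def_in_with_clauses (...) at /data/mariadb/sql/sql_cte.cc:940
#2  open_and_process_table (...) at /data/mariadb/sql/sql_base.cc:3255
#3  open_tables (...) at /data/mariadb/sql/sql_base.cc:3926
#4  open_and_lock_tables (...) at /data/mariadb/sql/sql_base.cc:4681
#6  execute_sqlcom_select (...) at /data/mariadb/sql/sql_parse.cc:6336
#8  mysql_parse (...) at /data/mariadb/sql/sql_parse.cc:7862
#9  dispatch_command (...) at /data/mariadb/sql/sql_parse.cc:1811
"""

# Constructed second core: same top frames, a different (hypothetical) build, with the
# "0x... in" address prefix and a sourceless "from <lib>" frame that gdb also prints.
OTHER_CORE = """
#0  With_clause::find_table_def (this=0x7f3c0c01a2b0, table=0x7f3c0c02c5d8) at /data/mariadb/sql/sql_cte.cc:231
#1  0x000055d1a3e2f4c2 in st_select_lex::find_table_def_in_with_clauses (this=0x7f3c0c02b0e0, table=0x7f3c0c02c5d8) at /data/mariadb/sql/sql_cte.cc:946
#2  0x000055d1a3c9b1e7 in open_and_process_table (thd=0x7f3c0c000c58, tables=0x7f3c0c02c5d8) at /data/mariadb/sql/sql_base.cc:3261
#3  0x00007f3c2a4f9a1c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
"""

# One gdb "bt" frame line:
#   #N  [0xADDR in ]FUNC (ARGS)[ at FILE:LINE |  from LIB]
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<func>\S+)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$"
)


@dataclass
class Frame:
    num: int
    func: str
    file: Optional[str]   # None for frames without debug info (e.g. "from libc.so.6")
    line: Optional[int]


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output; lines that are not frame lines are ignored."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(
            num=int(m.group("num")),
            func=m.group("func"),
            file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
        ))
    return frames


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Top `depth` function names (innermost first) joined by '|'.
    Addresses and line numbers are left out on purpose so the same crash from a
    slightly different build of the same source still lands in the same group."""
    ordered = sorted(frames, key=lambda f: f.num)
    return "|".join(f.func for f in ordered[:depth])


def missing_frames(frames: List[Frame]) -> List[int]:
    """Frame numbers absent between the lowest and highest number present;
    non-empty means the trace was trimmed (or a frame could not be unwound)."""
    nums = {f.num for f in frames}
    if not nums:
        return []
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


if __name__ == "__main__":
    report = parse_backtrace(REPORT_BACKTRACE)
    other = parse_backtrace(OTHER_CORE)
    print("report signature:", crash_signature(report))
    print("missing frames  :", missing_frames(report))
    print("same group      :", crash_signature(report) == crash_signature(other))
```

`crash_signature` with `depth=3` is deliberately shallow: deeper frames here (`open_tables`, `execute_sqlcom_select`, `mysql_parse`) are common to almost every statement and would only split groups by unrelated call paths.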
      

      People

        Assignee: Unassigned
        Reporter: chunlingqin