Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 12.3.1
- None
- None
- Ubuntu22.04
Description
Summary
Server crashes at Item_func_lastval::val_int and Item_func_setval::val_int with CTE alias, similar to MDEV-33985.
Description
MDEV-33985 fixed crash for NEXTVAL(...) when identifier resolves to alias/CTE name.
However, similar paths for LASTVAL(...) and SETVAL(...) are still crashable.
On MariaDB 12.3.1 source build, the following queries cause server SIGSEGV and client disconnect.
Environment
- Version: 12.3.1-MariaDB
- Source revision: 21a0714a118614982d20bfa504763d7247800091
- OS: Linux x86_64 (4.18.0-553.el8_10.x86_64)
- Server launch: mariadbd-safe (auto-restart observed after crash)
Reproducer SQL + Actual result
Case A: LASTVAL crash
DROP DATABASE IF EXISTS m33985_like;
CREATE DATABASE m33985_like;
USE m33985_like;
CREATE SEQUENCE s;
SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (LASTVAL(x)));
Actual client output:
--------------
SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (LASTVAL(x)))
--------------

ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading
Actual server log highlights:
... got signal 11 ...
... Item_func_lastval::val_int ...
... Query: SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (LASTVAL(x))) ...
Case B: SETVAL crash
DROP DATABASE IF EXISTS m33985_setval;
CREATE DATABASE m33985_setval;
USE m33985_setval;
CREATE SEQUENCE s;
SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (SETVAL(x,1)));
Actual client output:
--------------
SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (SETVAL(x,1)))
--------------

ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading
Actual server log highlights:
... got signal 11 ...
... Item_func_setval::val_int ...
... Query: SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (SETVAL(x,1))) ...
Control / Expected-safe reference
MDEV-33985 fixed path (NEXTVAL) in same environment
DROP DATABASE IF EXISTS m33985;
CREATE DATABASE m33985;
USE m33985;

SELECT * FROM (SELECT 1 AS a) x WHERE (NEXTVAL(x));
SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)));

CREATE SEQUENCE s;
SELECT NEXT VALUE FOR s1 FROM s AS s1;
DROP SEQUENCE s;
Actual outputs (no crash):
ERROR 1146 (42S02): Table 'm33985.x' doesn't exist
ERROR 4090 (42S02): 'x' is not a SEQUENCE
ERROR 1146 (42S02): Table 'm33985.s1' doesn't exist
Server remains alive:
VERSION()
12.3.1-MariaDB
Expected result
LASTVAL(...) and SETVAL(...) with alias/CTE identifiers should return semantic errors (similar to NEXTVAL behavior), not crash the server.
Actual result
Server crashes (SIGSEGV) and connection drops (ERROR 2026).
Analysis
Likely same bug class as MDEV-33985, but LASTVAL / SETVAL paths are not guarded equivalently.
Related issue
Issue Links
- relates to MDEV-33985 Server crashes at Item_func_nextval::val_int (Closed)
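The report separates the expected outcome (a semantic error such as ERROR 4090) from the actual one (ERROR 2026 after the server dies). The sketch below is an added example, not part of the original report or of MariaDB's test suite: it sorts client output from a regression run into handled SQL errors and lost connections, relying on the fact that client-library errors use codes 2000-2999. The `SELECT VERSION();` statement and the pairing of the 4090 error with the NEXTVAL query are assumptions inferred from the order of the outputs above.

```python
import re

# Error line as printed by the command-line client, e.g.
# "ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading"
ERROR_RE = re.compile(r"^ERROR (\d+) \(([0-9A-Z]{5})\)(?: at line \d+)?: (.*)$")


def classify(client_output):
    """Classify one statement's client output.

    Returns (verdict, code): "ok" when no error line is present, "handled"
    when the server answered with an SQL error, and "connection-lost" when
    the error was raised by the client library (codes 2000-2999), which is
    how a server crash appears from the client side.
    """
    for line in client_output.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            code = int(m.group(1))
            verdict = "connection-lost" if 2000 <= code <= 2999 else "handled"
            return verdict, code
    return "ok", None


def crash_suspects(results):
    """Return the statements whose outcome was a lost connection."""
    return [stmt for stmt, out in results if classify(out)[0] == "connection-lost"]


# Statements and outputs taken from the report; pairing by order is assumed.
RESULTS = [
    ("SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (LASTVAL(x)));",
     "ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading"),
    ("SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (SETVAL(x,1)));",
     "ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading"),
    ("SELECT (WITH x(x) AS (SELECT 1) SELECT * FROM x WHERE (NEXTVAL(x)));",
     "ERROR 4090 (42S02): 'x' is not a SEQUENCE"),
    ("SELECT VERSION();", "VERSION()\n12.3.1-MariaDB"),  # assumed statement
]

if __name__ == "__main__":
    for stmt, out in RESULTS:
        print(classify(out), stmt)
    print("crash suspects:", len(crash_suspects(RESULTS)))
```

A statement flagged as connection-lost is only a suspect; the server error log (signal 11 and the `val_int` frame) confirms the crash.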