Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 12.3.1
- Fix Version/s: None
- Environment: ubuntu22.04 mariadb13.1
- Not for Release Notes
Description
Summary
Server crash (UBSAN null pointer dereference) in derived-condition pushdown path: Item_ref::transform during pushdown_cond_for_derived.
Environment
- Version: 12.3.1-MariaDB-asan-debug
- Build/runtime: ASAN + UBSAN enabled
- OS: Linux x86_64
Reproducer
DROP DATABASE IF EXISTS nonprep_only;
CREATE DATABASE nonprep_only;
USE nonprep_only;

SET optimizer_switch='condition_pushdown_for_derived=on,condition_pushdown_from_having=on,derived_merge=on';

CREATE TABLE t(a INT,b INT);
INSERT INTO t VALUES (1,1),(2,2),(3,3),(NULL,4);

DROP VIEW IF EXISTS vv;
CREATE VIEW vv AS
SELECT IFNULL(CAST(a AS CHAR), CURRENT_USER()) x,b
FROM (SELECT * FROM (SELECT a,b FROM t GROUP BY 0.1) q1) q2;

DROP PROCEDURE IF EXISTS p_nonprep;
DELIMITER $$
CREATE PROCEDURE p_nonprep()
BEGIN
  SELECT * FROM vv WHERE IFNULL(x, CURRENT_USER()) IN (x, CURRENT_USER());
END$$
DELIMITER ;

CALL p_nonprep();
CALL p_nonprep();
CALL p_nonprep();
Expected Result
Query/procedure returns rows (or SQL error). Server remains running.
Actual Result
Server crashes; subsequent connection attempt returns ERROR 2026 (HY000): TLS/SSL error: unexpected eof while reading.
Crash Stack
/public/home/mariadb-12.3.1/sql/item.cc:8857:3: runtime error: load of null pointer of type 'struct Item *'
#0 Item_ref::transform(...) sql/item.cc:8857
#1 Item_ref::transform(...) sql/item.cc:8860
#2 Item_args::transform_args(...) sql/item_func.cc:532
#3 Item_func::transform(...) sql/item_func.cc:568
#4 Item_args::transform_args(...) sql/item_func.cc:532
#5 Item_func::transform(...) sql/item_func.cc:568
#6 Item_ref::transform(...) sql/item.cc:8860
#7 Item_args::transform_args(...) sql/item_func.cc:532
#8 Item_func::transform(...) sql/item_func.cc:568
#9 Item_ref::transform(...) sql/item.cc:8860
#10 Item_args::transform_args(...) sql/item_func.cc:532
#11 Item_func::transform(...) sql/item_func.cc:568
#12 pushdown_cond_for_derived(...) sql/sql_derived.cc:1655
#13 JOIN::optimize_inner() sql/sql_select.cc:2580
#14 JOIN::optimize() sql/sql_select.cc:2016
#15 mysql_select(...) sql/sql_select.cc:5425
#16 handle_select(...) sql/sql_select.cc:636
#17 execute_sqlcom_select sql/sql_parse.cc:6212
#18 mysql_execute_command(...) sql/sql_parse.cc:3987
#19 Prepared_statement::execute(...) sql/sql_prepare.cc:5344
#20 Prepared_statement::execute_loop(...) sql/sql_prepare.cc:4703
#21 mysql_sql_stmt_execute sql/sql_prepare.cc:3635
#22 mysql_sql_stmt_execute(THD*) sql/sql_prepare.cc:3649
#23 mysql_execute_command(...) sql/sql_parse.cc:4003
#24 mysql_parse(...) sql/sql_parse.cc:7940
#25 dispatch_command(...) sql/sql_parse.cc:1896
#26 do_command(...) sql/sql_parse.cc:1432
#27 do_handle_one_connection(...) sql/sql_connect.cc:1503
#28 handle_one_connection sql/sql_connect.cc:1415
#29 pfs_spawn_thread storage/perfschema/pfs.cc:2198
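As an added example (not part of this report or of the MariaDB code base), a small Python triage helper that reduces a UBSAN report like the one above to a deduplication key: the sanitizer error class, the faulting file:line, and the first frame outside the generic Item-tree walkers, which here is pushdown_cond_for_derived, the function named in the title of the duplicate MDEV-38950. The sample report is constructed from the frames above (abridged), and the set of "noise" frames to skip is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample, abridged from the UBSAN report in this issue (frames 4-11 and 14-16 omitted).
SAMPLE_REPORT = """\
/public/home/mariadb-12.3.1/sql/item.cc:8857:3: runtime error: load of null pointer of type 'struct Item *'
#0 Item_ref::transform(...) sql/item.cc:8857
#1 Item_ref::transform(...) sql/item.cc:8860
#2 Item_args::transform_args(...) sql/item_func.cc:532
#3 Item_func::transform(...) sql/item_func.cc:568
#12 pushdown_cond_for_derived(...) sql/sql_derived.cc:1655
#13 JOIN::optimize_inner() sql/sql_select.cc:2580
#17 execute_sqlcom_select sql/sql_parse.cc:6212
"""

# '#N func(...) file:line'; the parenthesised argument list is optional (see frame #17 above).
FRAME_RE = re.compile(r"^#(\d+)\s+(\S+?)(?:\(.*?\))?\s+(\S+):(\d+)\s*$")
ERROR_RE = re.compile(r"^(\S+):(\d+):\d+: runtime error: (.+)$")

# Assumed noise set: generic recursive Item-tree walkers that appear in almost every
# Item-tree crash and say nothing about which optimizer step built the broken tree.
NOISE_FRAMES = {"Item_ref::transform", "Item_args::transform_args", "Item_func::transform"}


@dataclass(frozen=True)
class CrashSignature:
    error: str   # sanitizer error class, e.g. "load of null pointer"
    site: str    # dir/file:line of the faulting access, independent of the build path
    origin: str  # first frame outside NOISE_FRAMES, e.g. "pushdown_cond_for_derived"


def parse_frames(report: str) -> list[tuple[int, str, str, int]]:
    """Return (index, function, file, line) for every stack frame line in the report."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m[1]), m[2], m[3], int(m[4])))
    return frames


def signature(report: str) -> CrashSignature:
    """Reduce a UBSAN report to a dedup key: error class + faulting line + originating caller."""
    header = next((m for m in map(ERROR_RE.match, report.splitlines()) if m), None)
    if header is None:
        raise ValueError("no UBSAN 'runtime error' header found")
    error = header[3].split(" of type ")[0]                       # keep the error class, drop the type
    site = "/".join(header[1].split("/")[-2:]) + ":" + header[2]  # e.g. sql/item.cc:8857
    origin = next((fn for _, fn, _, _ in parse_frames(report) if fn not in NOISE_FRAMES), "<unknown>")
    return CrashSignature(error, site, origin)
```

Two reports with the same CrashSignature are candidates for the same underlying bug even when their raw stacks differ in the depth of the recursive transform frames.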
Issue Links
- duplicates MDEV-38950 Server crash (Sig 11) in pushdown_cond_for_derived (Open)