Details
Description
~~~sql
SELECT x FROM ( SELECT * FROM ( SELECT 1 AS x UNION SELECT 1286608618 UNION SELECT 3 UNION SELECT 4 INTERSECT SELECT 5 ) AS x ) AS x WHERE x = DATABASE ( ) AND x = 'BASE TABLE' AND x IN ( SELECT x = 2 OR x = 2 AS x ) GROUP BY x HAVING x > 50 ORDER BY 1 ;
~~~
- Expected result
The server should either execute the query or return a normal SQL error without crashing.
- Actual result
The fuzzing run observed a server crash. The deduplicated stack signature is:
~~~
stack:ZN10Item_field10fix_fieldsEP3THDPP4Item|_Z17create_view_fieldP3THDP10TABLE_LISTPP4ItemP25st_mysql_const_lex_string|_Z23find_field_in_table_refP3THDP10TABLE_LISTRK16Lex_ident_columnPKcS7_S7_P4ListIS1_EPP4ItembbPtbPS2|_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_P4ListIS3_EPP4Item27find_item_error_report_typebb|_ZN20Item_direct_view_ref10fix_fieldsEP3THDPP4Item|_ZN9Item_func10fix_fieldsEP3THDPP4Item|_ZN13st_select_lex31pushdown_from_having_into_whereEP3THDP4Item|_ZN4JOIN14optimize_innerEv
~~~
Top frames:
~~~
_ZN10Item_field10fix_fieldsEP3THDPP4Item
_Z17create_view_fieldP3THDP10TABLE_LISTPP4ItemP25st_mysql_const_lex_string
_Z23find_field_in_table_refP3THDP10TABLE_LISTRK16Lex_ident_columnPKcS7_S7_P4ListIS1_EPP4ItembbPtbPS2
_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_P4ListIS3_EPP4Item27find_item_error_report_typebb
_ZN20Item_direct_view_ref10fix_fieldsEP3THDPP4Item
_ZN9Item_func10fix_fieldsEP3THDPP4Item
_ZN13st_select_lex31pushdown_from_having_into_whereEP3THDP4Item
_ZN4JOIN14optimize_innerEv
~~~
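The deduplicated signature above is a pipe-separated list of mangled C++ symbols, which is awkward to compare against other reports (for instance the linked MDEV-28506) by eye. The following Python is an added triage helper, not code from this report or from the MariaDB project: it splits the signature, recovers the readable function names from the two mangling shapes that occur here (free functions `_Z<len>name...` and member functions `_ZN<len>Class<len>method E...`), tolerates a leading underscore lost in transit (as in `stack:ZN10...`), and builds a short bucket key from the innermost frames. The `stack:` prefix and `|` separator are assumed from the signature shown on this page.

```python
"""Turn a fuzzer stack signature (pipe-separated mangled C++ frames) into
readable frames for crash triage.  Added example; not part of the report."""
import re

# Deduplicated stack signature copied verbatim from this report (frames separated by '|').
REPORTED_SIGNATURE = (
    "stack:ZN10Item_field10fix_fieldsEP3THDPP4Item"
    "|_Z17create_view_fieldP3THDP10TABLE_LISTPP4ItemP25st_mysql_const_lex_string"
    "|_Z23find_field_in_table_refP3THDP10TABLE_LISTRK16Lex_ident_columnPKcS7_S7_P4ListIS1_EPP4ItembbPtbPS2"
    "|_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_P4ListIS3_EPP4Item27find_item_error_report_typebb"
    "|_ZN20Item_direct_view_ref10fix_fieldsEP3THDPP4Item"
    "|_ZN9Item_func10fix_fieldsEP3THDPP4Item"
    "|_ZN13st_select_lex31pushdown_from_having_into_whereEP3THDP4Item"
    "|_ZN4JOIN14optimize_innerEv"
)

_LENGTH = re.compile(r"(\d+)")


def _read_source_names(sym: str, i: int):
    """Read consecutive <length><identifier> source-names starting at sym[i]."""
    names = []
    while i < len(sym) and sym[i].isdigit():
        m = _LENGTH.match(sym, i)
        n = int(m.group(1))
        i = m.end()
        names.append(sym[i:i + n])
        i += n
    return names, i


def demangle_name(sym: str) -> str:
    """Recover the function name from an Itanium C++ ABI mangled symbol.

    Only the two shapes present in this crash signature are handled:
    `_Z<len>name...` (free function) and `_ZN<len>Class<len>methodE...`
    (member function).  Parameter encodings after the name are ignored, and
    anything else (templates, ctors, special names) is returned unchanged.
    A symbol whose leading underscore was lost (`ZN...`) is normalised first.
    """
    if sym.startswith("Z") and not sym.startswith("_Z"):
        sym = "_" + sym
    if not sym.startswith("_Z") or len(sym) < 3:
        return sym
    if sym[2] == "N":  # nested name: Class::method
        names, i = _read_source_names(sym, 3)
        if names and i < len(sym) and sym[i] == "E":
            return "::".join(names)
        return sym  # unsupported nested form; leave mangled
    names, _ = _read_source_names(sym, 2)
    return names[0] if names else sym


def parse_stack_signature(signature: str) -> list[str]:
    """Split a 'stack:a|b|c' signature into demangled frames, innermost first."""
    body = signature.split(":", 1)[1] if signature.startswith("stack:") else signature
    return [demangle_name(frame) for frame in body.split("|") if frame]


def dedup_key(frames: list[str], depth: int = 3) -> str:
    """Bucket key for grouping crashes: the innermost `depth` demangled frames."""
    return " <- ".join(frames[:depth])


if __name__ == "__main__":
    frames = parse_stack_signature(REPORTED_SIGNATURE)
    for f in frames:
        print(f)
    print("dedup key:", dedup_key(frames))
```

Run as a script it prints the eight frames, innermost first, from `Item_field::fix_fields` down to `JOIN::optimize_inner`; the key built from the top three frames is what you would compare across reports when deciding whether a new fuzzer finding is a duplicate of this one.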
Issue Links
- relates to
MDEV-28506 SIGSEGV's in find_field_in_table[s][_ref], Item_field::fix_fields, create_view_field and MemcmpInterceptorCommon | Assertions `(*select_ref)->fixed' or '->is_fixed' and `table_list->table' failed
- Stalled