Description
~~~sql
SELECT DISTINCT x FROM x WHERE x IN ( 1 , 2 , 3 ) ;
SELECT * FROM (
  WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT x + 1 FROM x )
  SELECT x FROM x
  WHERE x = 'database_name' AND FROM_UNIXTIME ( 946684800 ) = '20123'
  GROUP BY x , x
  HAVING x = CASE
    WHEN ( SELECT ( 1 ) WHERE x IS NULL OR ST_LONGFROMGEOHASH ( ST_GEOHASH ( -180 , 0 , 20 ) ) GROUP BY 'x' ) - 1
      THEN ( 1 ^ x )
    ELSE CASE
      WHEN CASE
        WHEN extractvalue ( '<a>A<b>B1</b><b>B2</b></a>' , '/a/b[count(.)=1]' )
          NOT IN ( SELECT * FROM ( SELECT 2 UNION SELECT 3 UNION SELECT 'LINESTRING(0 0,-0.00 0)' ) AS x GROUP BY x HAVING NOT NOT ( x ) )
        THEN 1 ELSE 1 END
      THEN 1
      WHEN 'x' LIKE 'x' THEN 1
    END
  END
  ORDER BY x , hex ( x )
) AS x
WHERE ( x = 3 AND x = 2 AND x = 1 )
   OR ( ( x , x ) IN ( ( x LIKE '%DEFAULT%' , '2022-02-25' ) , ( 'I' , '2022-02-25' ) ) AND x = 1 )
   OR ( x = 1 AND x = 2 AND x = 3 )
   OR ( ( x IN ( 1 , 2 ) OR 0 ) <= NULL AND 1 AND x = 3 ) ;
~~~
- Expected result
The server should either execute the query or return a normal SQL error without crashing.
- Actual result
The fuzzing run observed a server crash. The deduplicated stack signature is:
~~~
stack:_ZL13add_key_fieldP4JOINPP9KEY_FIELDjP14Item_bool_funcP5FieldbPP4ItemjyPP14SARGABLE_PARAMj|_ZL20add_key_equal_fieldsP4JOINPP9KEY_FIELDjP14Item_bool_funcP4ItembPS7_jyPP14SARGABLE_PARAMj|_ZN15Item_func_truth14add_key_fieldsEP4JOINPP9KEY_FIELDPjyPP14SARGABLE_PARAM|_ZL19update_ref_and_keysP3THDP16st_dynamic_arrayP13st_join_tablejP4ItemyP13st_select_lexPP14SARGABLE_PARAM|_ZN4JOIN14optimize_innerEv|_ZN4JOIN8optimizeEv|_ZN13st_select_lex31optimize_unflattened_subqueriesEb|_ZN4JOIN15optimize_stage2Ev
~~~
Top frames:
~~~
_ZL13add_key_fieldP4JOINPP9KEY_FIELDjP14Item_bool_funcP5FieldbPP4ItemjyPP14SARGABLE_PARAMj
_ZL20add_key_equal_fieldsP4JOINPP9KEY_FIELDjP14Item_bool_funcP4ItembPS7_jyPP14SARGABLE_PARAMj
_ZN15Item_func_truth14add_key_fieldsEP4JOINPP9KEY_FIELDPjyPP14SARGABLE_PARAM
_ZL19update_ref_and_keysP3THDP16st_dynamic_arrayP13st_join_tablejP4ItemyP13st_select_lexPP14SARGABLE_PARAM
_ZN4JOIN14optimize_innerEv
_ZN4JOIN8optimizeEv
_ZN13st_select_lex31optimize_unflattened_subqueriesEb
_ZN4JOIN15optimize_stage2Ev
~~~
Issue Links
- is duplicated by: MDEV-39906 MariaDB crash triggered by recursive CTE with SHA/FROM_UNIXTIME and XML filter (Closed)
- relates to: MDEV-28509 Server crash via Item_func_ne::add_key_fields in /sql/sql_bitmap.h:196, member access within null pointer of type 'struct JOIN_TAB' in add_key_field (In Review)