MariaDB Server / MDEV-39902

MariaDB crash triggered by recursive CTE with JSON_ARRAY_INSERT and EXISTS


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 10.11, 11.4, 11.8, 12.3, 12.3.2
    • N/A
    • Optimizer, Optimizer - CTE
    • None
    • Linux x86_64, Docker container
    • Not for Release Notes

    Description

      ~~~sql
      SELECT LOWER ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT x FROM ( SELECT 1 AS x UNION SELECT 2 UNION SELECT json_array_insert ( '[ "a" ]' , '$[0][0]' , TRUE ) UNION SELECT 4 INTERSECT SELECT 5 WHERE EXISTS ( WITH x ( x ) AS ( SELECT truncate ( -5678.123535 , -4 ) AS x UNION SELECT format_bytes ( pow ( 2 , 400 ) ) FROM x ) SELECT * FROM x WHERE x = 4 ) ) AS x WHERE x >= 10 ) SELECT x FROM x WHERE x IN ( SELECT x FROM x WHERE x IN ( 2 , 'LG PACK' * 3 ) AND x NOT IN ( SELECT x FROM x WHERE x IN ( 2 ) UNION SELECT x FROM x WHERE x IN ( 3 ) ) ) GROUP BY ( x > 'o' ) , x % 2 ORDER BY x LIMIT 1 ) ) ;
      ~~~

        Expected result:
          The server should either execute the query or return a normal SQL error without crashing.
        Actual result:
          The fuzzing run observed a server crash. The deduplicated stack signature is:
          ~~~
          stack:_Z19find_field_in_tableP3THDP5TABLERK16Lex_ident_columnbPt|_Z23find_field_in_table_refP3THDP10TABLE_LISTRK16Lex_ident_columnPKcS7_S7_P4ListIS1_EPP4ItembbPtbPS2_|_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_P4ListIS3_EPP4Item27find_item_error_report_typebb|_ZN10Item_field10fix_fieldsEP3THDPP4Item|_Z12setup_fieldsP3THD20Bounds_checked_arrayIP4ItemER4ListIS2_E17enum_column_usagePS6_S9_b9THD_WHERE|_ZN4JOIN7prepareEP10TABLE_LISTP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit|_ZN18st_select_lex_unit12prepare_joinEP3THDP13st_select_lexP13select_resultyb|_ZN18st_select_lex_unit7prepareEP10TABLE_LISTP13select_resulty
          ~~~

      Top frames:
      ~~~
      _Z19find_field_in_tableP3THDP5TABLERK16Lex_ident_columnbPt
      _Z23find_field_in_table_refP3THDP10TABLE_LISTRK16Lex_ident_columnPKcS7_S7_P4ListIS1_EPP4ItembbPtbPS2_
      _Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_P4ListIS3_EPP4Item27find_item_error_report_typebb
      _ZN10Item_field10fix_fieldsEP3THDPP4Item
      _Z12setup_fieldsP3THD20Bounds_checked_arrayIP4ItemER4ListIS2_E17enum_column_usagePS6_S9_b9THD_WHERE
      _ZN4JOIN7prepareEP10TABLE_LISTP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit
      _ZN18st_select_lex_unit12prepare_joinEP3THDP13st_select_lexP13select_resultyb
      _ZN18st_select_lex_unit7prepareEP10TABLE_LISTP13select_resulty
      ~~~

            People

              Unassigned
              maohaogang