[MDEV-39911] MariaDB crash triggered by ST_CONVEXHULL and ST_SIMPLIFY string concatenation - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Review (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 12.3.2
Fix Version/s: 12.3
Component/s: Server
Labels:
- JSON
- ST_SIMPLIFY
Environment:
Linux x86_64, Docker container

Sprint:
Q2/2026 Server Development, Q3/2026 Server Maintenance

Description

~~~sql
SELECT ST_ASTEXT ( ST_CONVEXHULL ( ST_GEOMFROMTEXT ( x ) ) ) ; SELECT ST_ASTEXT ( ST_CONVEXHULL ( ST_GEOMFROMTEXT ( x ) ) ) ; SELECT ST_ASTEXT ( ST_CONVEXHULL ( ST_GEOMFROMTEXT ( 'LINESTRING(0 0,-0.00 0,0.0 0)' ) ) ) ; SELECT ST_ASTEXT ( ST_CONVEXHULL ( ST_GEOMFROMTEXT ( 'LINESTRING(0 0,0 5,5 5,5 0,0 0)' ) ) ) ; SELECT CONCAT_WS ( ST_SIMPLIFY ( ST_GEOMFROMTEXT ( 'MULTILINESTRING((0 0,5 5,0 10),(0 0,-5 5,0 10))' ) , 5 ) , 7 , 5 ) ;
~~~

1. Expected result
  The server should either execute the query or return a normal SQL error without crashing.

1. Actual result
  The fuzzing run observed a server crash. The deduplicated stack signature is:
  ~~~
  stack:pthread_kill|raise|abort|_fsetlocking|fortify_fail|_stack_chk_fail|_ZN19Item_func_concat_ws7val_strEP6String|_ZNK12Type_handler13Item_send_strEP4ItemP8ProtocolP8st_value
  ~~~

Top frames:
~~~
pthread_kill
raise
abort
__fsetlocking
__fortify_fail
__stack_chk_fail
_ZN19Item_func_concat_ws7val_strEP6String
_ZNK12Type_handler13Item_send_strEP4ItemP8ProtocolP8st_value
~~~

Attachments

Issue Links

relates to

MDEV-34141 Implement the GIS function ST_Simplify

Closed

MDEV-39914 MariaDB crash triggered by INFORMATION_SCHEMA query with ROW_NUMBER and GIS simplify

In Review

Activity

People

Assignee:: Alexey Botchkov

Reporter:: maohaogang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2026-06-07 16:09

Updated:: 4 days ago 13:57

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.