Changeset: 6112a678cebf for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/6112a678cebf
Added Files:
sql/test/BugTracker-2026/Tests/7856-crash-exp-match.test
sql/test/BugTracker-2026/Tests/7857-rollup-crash.test
Modified Files:
sql/server/rel_select.c
sql/test/BugTracker-2026/Tests/All
Branch: Dec2025
Log Message:
fixed issues #7856 and #7857
both crash because of access after free, caused by list_rollup not copying data
diffs (59 lines):
diff --git a/sql/server/rel_select.c b/sql/server/rel_select.c
--- a/sql/server/rel_select.c
+++ b/sql/server/rel_select.c
@@ -4417,18 +4417,18 @@ list_power_set(allocator *sa, list* inpu
}
static list*
-list_rollup(allocator *sa, list* input)
+list_rollup(mvc *sql, list* input)
{
- list *res = sa_list(sa);
+ list *res = sa_list(sql->sa);
for (int counter = input->cnt; counter > 0; counter--) {
- list *ll = sa_list(sa);
+ list *ll = sa_list(sql->sa);
int j = 0;
for (node *n = input->h; n && j < counter; j++, n = n->next)
- list_append(ll, n->data);
+ list_append(ll, exps_copy(sql, n->data));
list_append(res, ll);
}
- list_append(res, sa_list(sa)); /* global aggregate case */
+ list_append(res, sa_list(sql->sa)); /* global aggregate case */
return res;
}
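Review bot: The result of `exps_copy(sql, n->data)` in the inner loop of list_rollup is appended to `ll` unchecked. exps_copy is defined outside this diff, so this is an assumption to confirm: if it can return NULL (allocation failure, or a stack-depth guard on this deeply nested kind of query), a NULL grouping set member lands in the result and later consumers would dereference it. If so, consider `list *c = exps_copy(sql, n->data);` followed by `if (!c) return NULL;`, with the caller in rel_groupings checking `next_set` before use. The copy would also benefit from a why-comment so it is not optimised away later, e.g. `/* each grouping set must own its expressions; sharing them caused access after free (#7856, #7857) */`.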
@@ -4520,7 +4520,7 @@ rel_groupings(sql_query *query, sql_rel
}
if (is_sql_group_totals(f)) {
if (grouping->token == SQL_ROLLUP)
- next_set = list_rollup(sql->sa,
set_cols);
+ next_set = list_rollup(sql,
set_cols);
else if (grouping->token == SQL_CUBE)
next_set =
list_power_set(sql->sa, set_cols);
else /* the list of sets is not used in
the "GROUP BY a, b, ..." case */
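Review bot: The CUBE branch still calls `list_power_set(sql->sa, set_cols)`, so only the ROLLUP path gets the copying behaviour added by this commit. The body of list_power_set is not in this diff; if it appends `n->data` to each subset the way list_rollup did before the change, `GROUP BY cube (...)` would still share expression lists between grouping sets and the same access after free would remain reachable. It is worth checking, and if it applies, giving list_power_set the same `mvc *sql` parameter and `exps_copy` call, plus a regression test that uses `GROUP BY cube ( x , x )` alongside the two rollup tests. rel_groupings starts and ends outside this hunk.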
diff --git a/sql/test/BugTracker-2026/Tests/7856-crash-exp-match.test
b/sql/test/BugTracker-2026/Tests/7856-crash-exp-match.test
new file mode 100644
--- /dev/null
+++ b/sql/test/BugTracker-2026/Tests/7856-crash-exp-match.test
@@ -0,0 +1,2 @@
+statement error conversion of string to type bte failed.
+SELECT covar_pop ( 1 , 1 ) OVER ( ) , covar_samp ( 1 , 1 ) OVER ( ) , corr ( 1
, x IN ( SELECT ( row_number ( ) OVER ( ) ) FROM ( SELECT * FROM ( SELECT 1 AS
x ) WHERE x IN ( SELECT ALL sql_min ( NULL , NULL ) FROM ( SELECT * FROM ( WITH
x AS ( SELECT 1 ) SELECT ( SELECT CASE WHEN NOT NULL THEN 4 * - 48 * 51 * - -
54 * - 77 * 46 WHEN NOT ( NULL ) IN ( - ( - - 49 ) * - 1 , - 41 , - 14 % - CASE
- - 1 WHEN - - 82 THEN - 22 ^ COUNT ( * ) END / 46 - - 87 * 52 ) THEN 56 ELSE
NULL END FROM ( SELECT SUM ( 0 ) OVER ( ORDER BY SUM ( 0 BETWEEN 1 AND 1 ) )
FROM x GROUP BY rollup ( x , x ) ORDER BY x , x , x ) , ( SELECT 5 AS x ) WHERE
x = 'x' ) , 'x' FROM x ) WHERE ( x % 7 ) = 0 ) ) ) ) ) OVER ( ) , covar_pop ( 1
, NULL ) OVER ( ) , covar_samp ( 1 , NULL ) OVER ( ) , corr ( 1 , NULL ) OVER (
ROWS BETWEEN 2 PRECEDING AND UNBOUNDED FOLLOWING ) FROM ( SELECT 1 AS x UNION
SELECT 0 AS x UNION SELECT 3 AS x ) ;
diff --git a/sql/test/BugTracker-2026/Tests/7857-rollup-crash.test
b/sql/test/BugTracker-2026/Tests/7857-rollup-crash.test
new file mode 100644
--- /dev/null
+++ b/sql/test/BugTracker-2026/Tests/7857-rollup-crash.test
@@ -0,0 +1,2 @@
+statement error 22018!conversion of string 'x' to type bte failed.
+SELECT * FROM ( SELECT * FROM ( SELECT 1 AS x ) WHERE x IN ( SELECT ALL
sql_min ( NULL , NULL ) FROM ( SELECT * FROM ( WITH x AS ( SELECT 1 ) SELECT (
SELECT CASE WHEN NOT NULL THEN 4 * - 48 * 51 * - - 54 * - 77 * 46 WHEN NOT (
NULL ) IN ( - ( - - 49 ) * - 1 , - 41 , - 14 % - CASE - - 1 WHEN - - 82 THEN -
22 ^ COUNT ( * ) END / 46 - - 87 * 52 ) THEN 56 ELSE NULL END FROM ( SELECT SUM
( 0 ) OVER ( ORDER BY SUM ( '$.f2' BETWEEN 1 AND 1 ) ) FROM x GROUP BY rollup (
x , x ) ORDER BY x , x , x ) , ( SELECT x AS x ) WHERE x = 'x' ) , 'x' FROM x )
WHERE ( x % 7 ) = 0 ) ) )
diff --git a/sql/test/BugTracker-2026/Tests/All
b/sql/test/BugTracker-2026/Tests/All
--- a/sql/test/BugTracker-2026/Tests/All
+++ b/sql/test/BugTracker-2026/Tests/All
@@ -57,3 +57,5 @@ KNOWNFAIL?7774-insert-into-renamed-table
7853-in-rcte-generator
7854-rcte-trims
7855-ntile
+7856-crash-exp-match
+7857-rollup-crash