SQL: extremely long and complex query causes SEGFAULT #104

monetdb-team opened this issue Nov 30, 2020 · 0 comments

@monetdb-team monetdb-team commented Nov 30, 2020

Date: 2004-03-22 06:04:40 +0100
From: @sjoerdmullender
To: SQL devs <>
Version: 2.40.1 (Oct2010) [obsolete]
CC: @romulogoncalves, @njnes, @drstmane

Last updated: 2011-03-28 17:31:43 +0200

Comment 547

Date: 2004-03-22 18:04:40 +0100
From: @sjoerdmullender

The attached file contains a query from the crash-me
script that causes a SEGFAULT in the server.

My guess is that there is a buffer overflow in
sql_gencode. I'm looking into it.

Comment 548

Date: 2004-03-22 20:09:12 +0100
From: @njnes

Logged In: YES

A too large column name was generated. Column names are now
but a full audit (buffer overflow) of sql_gencode is needed.

Comment 549

Date: 2005-10-06 12:34:49 +0200
From: @drstmane

Logged In: YES

BugDay_2005-10-06: CLAIMED BY stmane

BugDay_2005-10-06: TEST ADDED / FAILURE
test (excl. stable.out) added as

bug re-opened, as the segfault re-occurs (at least with
MonetDB 4.9.3 + SQL 2.9.3 compiled with gcc 4.0.1 on my
64-bit Fedora Core system)

It might very well be that we run out of stack space with a
rather deep recursion...!

Comment 550

Date: 2005-10-23 00:11:55 +0200
From: @njnes

Logged In: YES

check for too big (recursion depth) queries is added.

Comment 551

Date: 2005-10-23 13:57:33 +0200
From: @njnes

Logged In: YES

check for too big (recursion depth) queries is added.
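Comment 549 suspects stack exhaustion from deep recursion and comments 550/551 report a recursion-depth check; comment 561 later says the generator now longjmps out of the recursion. The following is an added illustration of that pattern, written for this page and not MonetDB code: a toy recursive walker over a nested expression (the grammar, the names gen_ctx, gen_expr, compile_query, compile_nested and the depth limit of 64 are all this example's own) that counts its depth and, when the budget is exceeded, longjmps back to the entry point and returns an error code instead of running off the end of the thread stack.

```c
#include <ctype.h>
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes of compile_query(). */
enum { GEN_OK = 0, GEN_TOO_DEEP = 1, GEN_SYNTAX = 2, GEN_NOMEM = 3 };

/* Illustrative code-generator state; none of these names come from MonetDB. */
typedef struct {
    jmp_buf bail;      /* set by compile_query(), used to abort the recursion */
    const char *src;   /* query text being walked */
    size_t pos;        /* current position in src */
    int depth;         /* current recursion depth */
    int max_depth;     /* limit after which we refuse to recurse further */
} gen_ctx;

/*
 * Toy grammar standing in for an SQL expression tree:
 *     expr := '(' expr ')' | digit+
 * Every nesting level costs one stack frame, which is exactly how an
 * arbitrarily long query text can exhaust the thread stack.
 */
static long gen_expr(gen_ctx *ctx)
{
    long value = 0;

    /* The guard: bail out before adding a frame beyond the budget. */
    if (++ctx->depth > ctx->max_depth)
        longjmp(ctx->bail, GEN_TOO_DEEP);

    if (ctx->src[ctx->pos] == '(') {
        ctx->pos++;
        value = gen_expr(ctx);
        if (ctx->src[ctx->pos] != ')')
            longjmp(ctx->bail, GEN_SYNTAX);
        ctx->pos++;
    } else if (isdigit((unsigned char)ctx->src[ctx->pos])) {
        while (isdigit((unsigned char)ctx->src[ctx->pos]))
            value = value * 10 + (ctx->src[ctx->pos++] - '0');
    } else {
        longjmp(ctx->bail, GEN_SYNTAX);
    }

    ctx->depth--;
    return value;
}

/* Walk src with a depth budget; on failure return an error code instead of crashing.
 * out may be NULL when the caller only wants the status. */
int compile_query(const char *src, int max_depth, long *out)
{
    gen_ctx ctx;
    long value;

    memset(&ctx, 0, sizeof ctx);
    ctx.src = src;
    ctx.max_depth = max_depth;

    /* setjmp returns 0 on the first pass and the longjmp argument on a bail-out. */
    switch (setjmp(ctx.bail)) {
    case 0:
        break;
    case GEN_TOO_DEEP:
        return GEN_TOO_DEEP;
    default:
        return GEN_SYNTAX;
    }

    value = gen_expr(&ctx);
    if (ctx.src[ctx.pos] != '\0')   /* trailing garbage after a complete expression */
        return GEN_SYNTAX;
    if (out != NULL)
        *out = value;
    return GEN_OK;
}

/* Constructed input: n opening parens, the literal 7, n closing parens. */
int compile_nested(int n, int max_depth, long *out)
{
    size_t len = (size_t)n * 2 + 1;
    char *buf = malloc(len + 1);
    int rc;

    if (buf == NULL)
        return GEN_NOMEM;
    memset(buf, '(', (size_t)n);
    buf[n] = '7';
    memset(buf + n + 1, ')', (size_t)n);
    buf[len] = '\0';
    rc = compile_query(buf, max_depth, out);
    free(buf);
    return rc;
}

/* Convenience wrapper: the parsed value on success, minus the error code on failure. */
long nested_value(int n, int max_depth)
{
    long v = 0;
    int rc = compile_nested(n, max_depth, &v);
    return rc == GEN_OK ? v : -rc;
}

int main(void)
{
    printf("10 levels  -> %ld\n", nested_value(10, 64));
    printf("100 levels -> %ld (negative: refused, no crash)\n", nested_value(100, 64));
    return 0;
}
```

The depth counter is incremented before the recursive call and checked against the budget, so the deepest frame ever created is max_depth plus the one that detects the overrun; the longjmp unwinds all of them in one step, which is why the counter is not decremented on the error path.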

Comment 552

Date: 2006-01-14 13:35:02 +0100
From: @drstmane

Logged In: YES

re-opened as it segfaults on the same platforms as
1314982 "kill(0) causes SEGFAULT"
1292727 "Mserver segfault because of 'col_name'"

Fedora Core 4 (32-bit)
Gentoo 1.6.13 (32-bit)
SuSE 9.3 (32-bit)
SuSE 9ES (32-bit)

Comment 553

Date: 2006-01-15 14:15:29 +0100
From: @drstmane

Logged In: YES

Closed as the actual/original bug is fixed.

The segfault on some platforms is filed in this new report
1406591 "several tests cause segfault on the same subset

Comment 554

Date: 2008-06-01 21:44:08 +0200
From: @drstmane

Logged In: YES
Originator: NO

Re-opened as the respective test fails again (still?).

With M5 server (both default and "algebra" SQL compiler), only the output seems to differ (returns "NULL" instead of "2001"):

With M4 server, the test triggers a segfault (at least on some architectures):

Comment 555

Date: 2008-06-02 09:13:45 +0200
From: @njnes

Logged In: YES
Originator: NO

The problem here is overflow detection. On gdk and m4/m5 level we need to introduce some overflow exceptions.

Comment 556

Date: 2008-11-10 09:08:14 +0100
From: @mlkersten

The overflow is caused by the SQL default to assume a tinyint type
as argument. We cannot assume the compiler to be more clever.
The result is an overflow which is correctly caught
with a null. (provided tinyint is 0-255 ;))
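Comments 554 to 556 describe the second half of this bug: the expression is typed as tinyint, the sum overflows the 8-bit range, and overflow detection turns the result into NULL instead of the 2001 the test expects. The following is an added illustration of that behaviour, written for this page and not MonetDB code: checked tinyint addition and multiplication that return a NULL marker on overflow or NULL input, applied to a constructed chain of 2001 ones, beside the same chain evaluated in a wider type. Reserving the smallest value as the NULL marker (TINY_NIL) is this example's own assumption, as are all function names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* 8-bit SQL TINYINT modelled as signed char. */
typedef signed char tiny;

/* Assumption of this example: the smallest value is reserved as the NULL
 * marker, so arithmetic must never produce it as an ordinary result. */
#define TINY_NIL SCHAR_MIN

static int tiny_is_nil(tiny v) { return v == TINY_NIL; }

/* Narrow a wider intermediate back to TINYINT, or NULL when it does not fit. */
static tiny tiny_narrow(int r)
{
    if (r <= TINY_NIL || r > SCHAR_MAX)   /* out of range, or collides with NULL */
        return TINY_NIL;
    return (tiny)r;
}

/* NULL in, NULL out; overflow out, NULL out. int is wide enough for any sum or
 * product of two 8-bit values, so the intermediate itself cannot overflow. */
tiny tiny_add(tiny a, tiny b)
{
    if (tiny_is_nil(a) || tiny_is_nil(b))
        return TINY_NIL;
    return tiny_narrow((int)a + (int)b);
}

tiny tiny_mul(tiny a, tiny b)
{
    if (tiny_is_nil(a) || tiny_is_nil(b))
        return TINY_NIL;
    return tiny_narrow((int)a * (int)b);
}

/* A long chain "1 + 1 + ... + 1" typed as TINYINT: once the running sum
 * leaves the 8-bit range it becomes NULL and stays NULL. */
tiny tiny_sum(const tiny *vals, size_t n)
{
    tiny acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = tiny_add(acc, vals[i]);
    return acc;
}

/* The same chain with the arguments widened keeps the true value. */
long wide_sum(const tiny *vals, size_t n)
{
    long acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += vals[i];
    return acc;
}

/* Constructed input: n ones, i.e. an expression whose true value is n. */
#define MAX_ONES 4096
static tiny ones[MAX_ONES];

static size_t fill_ones(size_t n)
{
    if (n > MAX_ONES)
        n = MAX_ONES;
    for (size_t i = 0; i < n; i++)
        ones[i] = 1;
    return n;
}

tiny sum_of_ones_tiny(size_t n) { n = fill_ones(n); return tiny_sum(ones, n); }
long sum_of_ones_wide(size_t n) { n = fill_ones(n); return wide_sum(ones, n); }

int main(void)
{
    printf("tinyint sum of 2001 ones: %s\n",
           tiny_is_nil(sum_of_ones_tiny(2001)) ? "NULL" : "not NULL");
    printf("widened sum of 2001 ones: %ld\n", sum_of_ones_wide(2001));
    return 0;
}
```

The range check in tiny_narrow rejects SCHAR_MIN as well as everything below it, because a result equal to the NULL marker would be indistinguishable from a genuine NULL downstream; that is the kind of silent collision an "overflow exception" at the lower layer (comment 555) is meant to prevent.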

Comment 557

Date: 2009-02-15 21:08:19 +0100
From: @drstmane

test sql/src/test/BugDay_2005-10-06_2.9.3/Tests/huge_expression_and_column_name.SF-921173* has been disabled in the Feb2009 release branch as the bug won't be fixed, there.

Comment 558

Date: 2009-08-13 18:40:04 +0200
From: @drstmane

Should this test be disabled in the Aug2009 branch, again?

Comment 559

Date: 2009-08-14 14:02:52 +0200
From: @drstmane

tagged subject

Comment 560

Date: 2009-11-16 23:19:19 +0100
From: @drstmane

test has been disabled in Nov2009 branch, only.

Comment 561

Date: 2009-11-29 17:01:04 +0100
From: @njnes

closed, we now longjmp out of the recursion.

The overflow problem which we used to hit here (when we didn't crash) isn't fixed but is covered by the 'case overflow bug'.

Comment 562

Date: 2010-05-04 09:32:09 +0200
From: Pseudo user for Sourceforge import <>

This bug was previously known as tracker item 921173 at

Comment 14385

Date: 2010-07-13 14:54:16 +0200
From: @sjoerdmullender

*** Bug #2610 has been marked as a duplicate of this bug. ***

Comment 14386

Date: 2010-07-13 15:00:20 +0200
From: @sjoerdmullender

This crashes in the Jun2010 branch.

Comment 14387

Date: 2010-07-13 15:04:31 +0200
From: @sjoerdmullender

Looks like a double free (but of course it could be something entirely different):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdf49b710 (LWP 17101)]
0x00007fffe038582a in sa_destroy (sa=0x7fffd0007608)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/common/
136 GDKfree(sa->blks[i]);
(gdb) p sa
$1 = (sql_allocator *) 0x7fffd0007608
(gdb) p *sa
$2 = {size = 15842497851538791387, nr = 15842497851538791387,
blks = 0xdbdbdbdbdbdbdbdb, used = 15842497851538791387}
(gdb) bt
0 0x00007fffe038582a in sa_destroy (sa=0x7fffd0007608)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/common/
1 0x00007fffe02ffb7b in cq_delete (clientid=1, q=0x7fffd03e3a08)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/server/
2 0x00007fffe02ffc57 in qc_destroy (cache=0x7fffd00075a8)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/server/
3 0x00007fffe031a425 in mvc_destroy (m=0x7fffd0005438)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/server/
4 0x00007fffe02d2739 in SQLexitClient (c=0x605b38)
at /ufs/sjoerd/src/MonetDB/candidate/sql/src/backends/monet5/
5 0x00007ffff7d22ee7 in runScenarioBody (c=0x605b38)
at /ufs/sjoerd/src/MonetDB/candidate/MonetDB5/src/mal/
6 0x00007ffff7d22f3d in runScenario (c=0x605b38)
at /ufs/sjoerd/src/MonetDB/candidate/MonetDB5/src/mal/
7 0x00007ffff7cd6e99 in MSserveClient (dummy=0x605b38)
at /ufs/sjoerd/src/MonetDB/candidate/MonetDB5/src/mal/
8 0x0000003a8d606a3a in start_thread () from /lib64/
9 0x0000003a8cade77d in clone () from /lib64/
10 0x0000000000000000 in ?? ()
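The dump above is consistent with the double-free guess: 15842497851538791387 is 0xdbdbdbdbdbdbdbdb, so every field of the allocator, including the blks pointer that sa_destroy then dereferences, reads as a fill byte rather than live data. The following is an added illustration of how such a pattern arises and how a destroy routine can refuse to walk an already-freed object; it is written for this page and is not MonetDB code. The debug free with a quarantine, the 0xdb fill byte (taken from the dump, but whether GDKfree poisons freed memory is not established here), the field types of the modelled struct and the names dbg_free, looks_poisoned, sa_create, sa_destroy_checked and destroy_twice are all this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed debug allocator: freed blocks are filled with a poison byte and
 * parked in a quarantine instead of being returned to malloc. */
#define POISON_BYTE 0xdb
#define QUARANTINE_SLOTS 64

typedef struct { void *ptr; size_t size; } qslot;
static qslot quarantine[QUARANTINE_SLOTS];
static int qcount;

/* Returns 0 on a normal free, -1 when the same block is freed twice. */
int dbg_free(void *p, size_t size)
{
    for (int i = 0; i < qcount; i++)
        if (quarantine[i].ptr == p)
            return -1;            /* double free caught here, not as a SIGSEGV later */
    memset(p, POISON_BYTE, size);
    if (qcount == QUARANTINE_SLOTS) {   /* quarantine full: really release the oldest */
        free(quarantine[0].ptr);
        memmove(&quarantine[0], &quarantine[1],
                sizeof quarantine[0] * (QUARANTINE_SLOTS - 1));
        qcount--;
    }
    quarantine[qcount].ptr = p;
    quarantine[qcount].size = size;
    qcount++;
    return 0;
}

/* True when every byte of the object carries the poison pattern. */
int looks_poisoned(const void *p, size_t size)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < size; i++)
        if (b[i] != POISON_BYTE)
            return 0;
    return size > 0;
}

/* Shape modelled on the gdb output (size, nr, blks, used); field types assumed. */
typedef struct {
    uint64_t size;
    uint64_t nr;
    void **blks;
    uint64_t used;
} sql_allocator;

sql_allocator *sa_create(uint64_t nblocks)
{
    sql_allocator *sa = malloc(sizeof *sa);
    if (sa == NULL)
        return NULL;
    sa->size = nblocks;
    sa->nr = nblocks;
    sa->used = 0;
    sa->blks = calloc(nblocks, sizeof *sa->blks);
    if (sa->blks == NULL) {
        free(sa);
        return NULL;
    }
    for (uint64_t i = 0; i < nblocks; i++)
        sa->blks[i] = malloc(32);
    return sa;
}

/* Like the sa_destroy() in the trace, but refuses to walk blks[] of an object
 * that is already poisoned: 0xdbdb... used as a pointer is what crashed above. */
int sa_destroy_checked(sql_allocator *sa)
{
    if (looks_poisoned(sa, sizeof *sa))
        return -1;
    for (uint64_t i = 0; i < sa->nr; i++)
        free(sa->blks[i]);
    free(sa->blks);
    return dbg_free(sa, sizeof *sa);
}

/* Destroy the same allocator twice, the failure mode suspected above. Returns the
 * second call's status; *observed receives the size field as read after the first free
 * (still readable, because the block is quarantined rather than released). */
int destroy_twice(uint64_t *observed)
{
    sql_allocator *sa = sa_create(4);
    if (sa == NULL)
        return -2;
    sa_destroy_checked(sa);
    *observed = sa->size;
    return sa_destroy_checked(sa);
}

int destroy_twice_status(void) { uint64_t s = 0; return destroy_twice(&s); }
uint64_t destroy_twice_observed(void) { uint64_t s = 0; destroy_twice(&s); return s; }

int main(void)
{
    uint64_t seen = destroy_twice_observed();
    printf("second destroy -> %d, size field reads %llu (0x%llx)\n",
           destroy_twice_status(), (unsigned long long)seen, (unsigned long long)seen);
    return 0;
}
```

The poison check is a diagnostic, not a fix: it converts the crash into an error return so the stale reference can be traced back to its owner (here the query cache path cq_delete -> qc_destroy -> mvc_destroy in the backtrace), which is where the real defect has to be removed.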

Comment 14847

Date: 2010-08-30 09:23:22 +0200
From: @sjoerdmullender

The Jun2010-SP2 version has been released.

Comment 14864

Date: 2010-08-30 17:01:49 +0200
From: @sjoerdmullender

Changeset fixed the latest incarnation of this bug.

Comment 14865

Date: 2010-08-30 17:04:09 +0200
From: @sjoerdmullender

Changeset e4a025a9f189 made by Sjoerd Mullender in the MonetDB repo, refers to this bug.

For complete details, see http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=e4a025a9f189

Changeset description:

Added changelog for bug #104.

Comment 15163

Date: 2010-10-30 11:23:40 +0200
From: @drstmane

Is this bug indeed fixed?

The respective test does not trigger any crash or error anymore,
but the result is (unexpectedly) NULL;

Comment 15258

Date: 2010-12-03 21:31:00 +0100
From: @njnes

crash is fixed now (by the flattened stmt tree). Still a fix for the overflow
is needed (but covered by the overflow bug report)

Comment 15658

Date: 2011-03-28 17:31:43 +0200
From: @sjoerdmullender

The Mar2011 version has been released.
