Summary
SELECT GROUPING(...) ... GROUP BY CUBE(...) causes Virtuoso to crash during SQL compilation inside make_grouping_bitmap_set, corrupting memory and triggering a segfault.
Steps to Reproduce
SELECT GROUPING ( x ) ,
COUNT ( CASE WHEN x IS NULL THEN 1
WHEN x >= 1024 THEN CONCAT ( ROUND ( x / 1024 , 2 ) , ' KB' )
END ) ,
( 'swarm' , 1 , 0 ) AS x
FROM ( SELECT 1 AS x ) AS x
GROUP BY CUBE ( x , x , 92 + 1 );
Expected Behavior
Query returns a result set or raises a proper SQL error.
Actual Behavior
Virtuoso server process terminates with SIGABRT.
Stack Trace
#0 __nss_database_lookup+0x2078e ← crash site (memory corruption)
#1 make_grouping_bitmap_set+0x37d
#2 sqlg_dt_query_1+0x147a
#3 sqlg_top_1+0x107
#4 sqlo_top_select+0x166
#5 sql_stmt_comp+0x8bb
#6 sql_compile_1+0x1a62
#7 stmt_set_query+0x340
#8 sf_sql_execute+0x91f
#9 sf_sql_execute_w+0x17e
#10 sf_sql_execute_wrapper+0x3d
#11 future_wrapper+0x3fc
Analysis
The crash occurs in the SQL compilation phase (not execution). make_grouping_bitmap_set likely fails to properly bounds-check when GROUPING() references columns that appear as expressions inside CUBE(...), resulting in a heap buffer overflow that corrupts unrelated memory (the __nss_database_lookup frame is where the corruption is detected, not its cause).
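As an added illustration (not Virtuoso's code) of what a grouping bitmap for CUBE is and of the bounds checks the analysis above says are missing, here is a small C model that resolves GROUPING() arguments against the CUBE element list and refuses out-of-range grouping sets or unresolved names instead of indexing past the bitmap. The element list, the cap of 8 CUBE elements and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model of a CUBE grouping bitmap, added for illustration; it is
   not Virtuoso's make_grouping_bitmap_set.  CUBE(e0..e(n-1)) yields 2^n grouping
   sets; in set s, bit i set means ei is rolled up, which is what GROUPING(ei) reports. */

#define MAX_CUBE_ELEMS 8   /* assumed cap on CUBE elements (constructed value) */

/* The element list from the report's GROUP BY CUBE(x, x, 92 + 1), as text. */
static const char *const REPORT_ELEMS[] = { "x", "x", "92 + 1" };
#define REPORT_N 3

/* Number of grouping sets a CUBE over n elements produces, or -1 if n is out of
   range for the bitmap width.  This is the kind of check the report says is missing. */
int cube_set_count(int n) {
    if (n < 0 || n > MAX_CUBE_ELEMS) return -1;
    return 1 << n;
}

/* Resolve a GROUPING() argument by name against the CUBE element list.
   Duplicate elements (x, x) resolve to the first occurrence.
   Returns -1 when the name is not among the CUBE elements. */
int cube_elem_index(const char *const *elems, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(elems[i], name) == 0) return i;
    return -1;
}

/* GROUPING(name) in grouping set `set`: 0 or 1, or -1 when the name is not a
   CUBE element or `set` is outside the 2^n sets (never index past the bitmap). */
int grouping_value(const char *const *elems, int n, uint32_t set, const char *name) {
    int count = cube_set_count(n);
    if (count < 0 || set >= (uint32_t)count) return -1;
    int idx = cube_elem_index(elems, n, name);
    if (idx < 0) return -1;
    return (int)((set >> idx) & 1u);
}

int main(void) {
    int count = cube_set_count(REPORT_N);
    for (uint32_t s = 0; s < (uint32_t)count; s++)
        printf("grouping set %u: GROUPING(x)=%d\n", s,
               grouping_value(REPORT_ELEMS, REPORT_N, s, "x"));
    printf("GROUPING(y): %d (not a CUBE element, rejected)\n",
           grouping_value(REPORT_ELEMS, REPORT_N, 0, "y"));
    return 0;
}
```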
Fuzzing Discovery Note
This test case is a textbook example of why cross-feature mutation finds bugs that manual testing misses.
Three independently-legal constructs collide here in a way no developer would intentionally test:
- Row constructor as a column alias — ('swarm', 1, 0) AS x defines a tuple expression as the alias x, which also happens to be the name used in CUBE(x, x, ...) and GROUPING(x).
- Arithmetic expression inside CUBE — 92 + 1 is a constant expression used as a grouping set element, a pattern absent from all documented Virtuoso CUBE examples.
- GROUPING() referencing a shadowed alias — the alias x simultaneously refers to the row-constructor and the outer SELECT 1 AS x subquery column.