Panic: cursor id 0 is None for aggregate FILTER with IN subquery in HAVING #6807

@songju173-debug

Turso issue report: panic with aggregate FILTER containing IN subquery

Title

Panic: cursor id 0 is None for COUNT(*) FILTER (WHERE 1 IN (SELECT ...)) in HAVING

Summary

Turso panics while executing a valid SQLite query that uses an aggregate FILTER clause in HAVING, where the filter predicate contains an IN (SELECT ...) subquery.

SQLite accepts the query and returns no rows. Turso aborts with:

thread 'main' panicked at core\vdbe\execute.rs:5227:42:
cursor id 0 is None

Minimal reproducer

SELECT 1
GROUP BY 1
HAVING COUNT(*) FILTER (WHERE 1 IN (SELECT 2)) = 1;

Expected behavior

The query should execute without panicking. SQLite returns no rows:

<empty result>

Actual behavior

Turso panics:

thread 'main' panicked at core\vdbe\execute.rs:5227:42:
cursor id 0 is None
stack backtrace:
   0: std::panicking::begin_panic_handler
   1: core::panicking::panic_fmt
   2: turso_core::vdbe::execute::seek_internal::inner::closure$4
             at .\core\vdbe\mod.rs:1167
   3: core::option::Option<T>::unwrap_or_else
   4: turso_core::vdbe::execute::seek_internal::inner
             at .\core\vdbe\mod.rs:1162
   5: turso_core::vdbe::execute::seek_internal
             at .\core\vdbe\execute.rs:5309
   6: turso_core::vdbe::execute::op_found
             at .\core\vdbe\execute.rs:12209

Reproduction commands

From the Turso repo root:

cargo build -p turso_cli --bin tursodb --features turso_core/pure-rust-crypto

Then run:

@'
SELECT 1
GROUP BY 1
HAVING COUNT(*) FILTER (WHERE 1 IN (SELECT 2)) = 1;
'@ | .\target\debug\tursodb.exe -q -m list

SQLite comparison:

@'
SELECT 1
GROUP BY 1
HAVING COUNT(*) FILTER (WHERE 1 IN (SELECT 2)) = 1;
'@ | sqlite3 :memory:

Environment

  • Repo: tursodatabase/turso
  • Commit tested: c99371562 Disable some vacuum test cases
  • OS: Windows
  • Rust: rustc 1.88.0, cargo 1.88.0

Note: on this Windows environment, --features turso_core/pure-rust-crypto was used to avoid requiring clang-cl.exe for the default crypto build path.

How it was found

The issue was initially found by Turso's differential fuzzer:

differential_fuzzer seed: 16599484592799081184
panic: cursor id 0 is None

The original fuzzed query was reduced to the single-query reproducer above.

Notes

The crash appears related to code generation/execution for an IN subquery inside an aggregate FILTER predicate used by a grouped HAVING expression. The backtrace reaches op_found through seek_internal, where cursor id 0 is missing.
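The differential check described above can be kept as a regression test. The sketch below is an added example, not part of the original report or of Turso's fuzzer: it uses Python's built-in sqlite3 as the reference engine and classifies one CLI run as match, mismatch or crash. The function names, the `|`-separated list-mode parsing and the exit code 101 in the sample are assumptions.

```python
import sqlite3
import subprocess

# Reproducer from the report; SQLite is the reference engine.
REPRO = "SELECT 1 GROUP BY 1 HAVING COUNT(*) FILTER (WHERE 1 IN (SELECT 2)) = 1;"

# Constructed sample of a failing run, using the panic text quoted in the report.
SAMPLE_PANIC = (
    "thread 'main' panicked at core\\vdbe\\execute.rs:5227:42:\n"
    "cursor id 0 is None\n"
)


def sqlite_rows(sql):
    """Run sql on an in-memory SQLite database; rows come back as lists of strings."""
    con = sqlite3.connect(":memory:")
    try:
        # Assumption: NULL is rendered as an empty string, as in sqlite3 list mode.
        return [["" if v is None else str(v) for v in row] for row in con.execute(sql)]
    finally:
        con.close()


def classify(expected, returncode, stdout, stderr):
    """Compare the captured result of one CLI run against the reference rows."""
    # A Rust panic prints "panicked at" on stderr and the process exits non-zero.
    if returncode != 0 or "panicked at" in stderr:
        return "crash"
    # Assumption: list mode prints one row per line, columns joined by "|".
    got = [line.split("|") for line in stdout.splitlines() if line.strip()]
    return "match" if got == expected else "mismatch"


def check(sql, cli):
    """Pipe sql into the CLI under test (cli is an argv list) and classify the run."""
    proc = subprocess.run(cli, input=sql, capture_output=True, text=True, timeout=30)
    return classify(sqlite_rows(sql), proc.returncode, proc.stdout, proc.stderr)


if __name__ == "__main__":
    reference = sqlite_rows(REPRO)
    print("reference rows:", reference)
    print("sample run:", classify(reference, 101, "", SAMPLE_PANIC))
    # Against a real build, from the repo root:
    # check(REPRO, ["target/debug/tursodb", "-q", "-m", "list"])
```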
