  1. MariaDB Server
  2. MDEV-16209

JSON_EXTRACT in query crashes server

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.2.14, 10.2(EOL), 10.3(EOL)
    • Fix Version/s: 10.2.16
    • Component/s: JSON
    • Labels: None

    Description

      select * from reeher_oneappeal_db.contact_restriction_mapping where client_id=68 and contact_restriction_mapping.one_appeal_restriction='Do Not Mail'
      and contact_restriction_mapping.platform_restriction_description in (JSON_EXTRACT('{"SQI":"Square Inch (Opt In)","CWI":"Calvin World opt In","ND":"No Denomination Contact"}', '$.*'))
      

      Crashes server with following backtrace:

      Thread pointer: 0x7f0ce0050658
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f0dddf61d80 thread_stack 0x49000
      /usr/sbin/mysqld(my_print_stacktrace+0x2b)[0x7f1aa12d8fab]
      /usr/sbin/mysqld(handle_fatal_signal+0x535)[0x7f1aa0dad005]
      sigaction.c:0(__restore_rt)[0x7f1aa02cd7e0]
      sql/item_jsonfunc.cc:743(Item_func_json_extract::read_json(String*, json_value_types*, char**, int*))[0x7f1aa0efa2a6]
      sql/item_jsonfunc.cc:3204(Arg_comparator::compare_json_str_basic(Item*, Item*))[0x7f1aa0efaec9]
      sql/item_cmpfunc.cc:1144(Arg_comparator::compare_str_json())[0x7f1aa0dd98c6]
      sql/item_cmpfunc.cc:1775(Item_func_eq::val_int())[0x7f1aa0ddd160]
      sql/item.cc:112(Item::val_bool())[0x7f1aa0dbecdc]
      sql/item_cmpfunc.cc:4947(Item_cond_and::val_int())[0x7f1aa0dd8eba]
      sql/sql_select.cc:18789(evaluate_join_record)[0x7f1aa0c57c1d]
      sql/sql_select.cc:18699(sub_select(JOIN*, st_join_table*, bool))[0x7f1aa0c60264]
      sql/sql_select.cc:18236(do_select)[0x7f1aa0c7e559]
      sql/sql_select.cc:3362(JOIN::exec())[0x7f1aa0c7e78c]
      sql/sql_select.cc:3763(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x7f1aa0c7d69a]
      sql/sql_select.cc:376(handle_select(THD*, LEX*, select_result*, unsigned long))[0x7f1aa0c7e9a4]
      sql/sql_parse.cc:6469(execute_sqlcom_select)[0x7f1aa0b6e149]
      sql/sql_parse.cc:3479(mysql_execute_command(THD*))[0x7f1aa0c2dda1]
      sql/sql_parse.cc:7914(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x7f1aa0c327ca]
      sql/sql_parse.cc:7729(wsrep_mysql_parse)[0x7f1aa0c328c0]
      sql/sql_parse.cc:1797(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x7f1aa0c346fd]
      sql/sql_parse.cc:1371(do_command(THD*))[0x7f1aa0c350ee]
      sql/sql_connect.cc:1335(do_handle_one_connection(CONNECT*))[0x7f1aa0cf335f]
      sql/sql_connect.cc:1243(handle_one_connection)[0x7f1aa0cf3484]
      pthread_create.c:0(start_thread)[0x7f1aa02c5aa1]
      /lib64/libc.so.6(clone+0x6d)[0x7f1a9e9ddbcd]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x7f0ce005dc30): select * from reeher_oneappeal_db.contact_restriction_mapping where client_id=68 and contact_restriction_mapping.one_appeal_restriction='Do Not Mail'
      and contact_restriction_mapping.platform_restriction_description in (JSON_EXTRACT('{"SQI":"Square Inch (Opt In)","CWI":"Calvin World opt In","ND":"No Denomination Contact"}', '$.*'))
       
      Connection ID (thread ID): 322883
      Status: NOT_KILLED
      

          Activity

            SET NAMES latin1;
            CREATE TABLE t1 (c VARCHAR(8));
            INSERT INTO t1 VALUES ('foo'),('bar');
            SELECT * FROM t1 WHERE c IN (JSON_EXTRACT('{"a":"b"}', '$.*'));
             
            # Cleanup
            DROP TABLE t1;
            

            10.2 b8fdd56a4d6

            #3  <signal handler called>
            #4  0x000055e1e1837683 in Item_func_json_extract::read_json (this=0x7f04cc015e10, str=0x7f04cc015db8, type=0x7f04e843fca4, out_val=0x7f04e843fcb0, value_len=0x7f04e843fca8) at /data/src/10.2/sql/item_jsonfunc.cc:743
            #5  0x000055e1e183feb4 in Arg_comparator::compare_json_str_basic (this=0x7f04cc015d58, j=0x7f04cc015e10, s=0x7f04cc012ca8) at /data/src/10.2/sql/item_jsonfunc.cc:3204
            #6  0x000055e1e1694bd0 in Arg_comparator::compare_str_json (this=0x7f04cc015d58) at /data/src/10.2/sql/item_cmpfunc.cc:1143
            #7  0x000055e1e16a779c in Arg_comparator::compare (this=0x7f04cc015d58) at /data/src/10.2/sql/item_cmpfunc.h:87
            #8  0x000055e1e16968f7 in Item_func_eq::val_int (this=0x7f04cc015c98) at /data/src/10.2/sql/item_cmpfunc.cc:1776
            #9  0x000055e1e1452396 in evaluate_join_record (join=0x7f04cc0132b8, join_tab=0x7f04cc015348, error=0) at /data/src/10.2/sql/sql_select.cc:18805
            #10 0x000055e1e1451fca in sub_select (join=0x7f04cc0132b8, join_tab=0x7f04cc015348, end_of_records=false) at /data/src/10.2/sql/sql_select.cc:18710
            #11 0x000055e1e1451563 in do_select (join=0x7f04cc0132b8, procedure=0x0) at /data/src/10.2/sql/sql_select.cc:18254
            #12 0x000055e1e142bc65 in JOIN::exec_inner (this=0x7f04cc0132b8) at /data/src/10.2/sql/sql_select.cc:3585
            #13 0x000055e1e142b112 in JOIN::exec (this=0x7f04cc0132b8) at /data/src/10.2/sql/sql_select.cc:3380
            #14 0x000055e1e142c2dd in mysql_select (thd=0x7f04cc000b00, tables=0x7f04cc012678, wild_num=1, fields=..., conds=0x7f04cc013068, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f04cc013298, unit=0x7f04cc0046a0, select_lex=0x7f04cc004dd8) at /data/src/10.2/sql/sql_select.cc:3780
            #15 0x000055e1e14207f5 in handle_select (thd=0x7f04cc000b00, lex=0x7f04cc0045d8, result=0x7f04cc013298, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:376
            #16 0x000055e1e13ebfe5 in execute_sqlcom_select (thd=0x7f04cc000b00, all_tables=0x7f04cc012678) at /data/src/10.2/sql/sql_parse.cc:6477
            #17 0x000055e1e13e2024 in mysql_execute_command (thd=0x7f04cc000b00) at /data/src/10.2/sql/sql_parse.cc:3484
            #18 0x000055e1e13efe0f in mysql_parse (thd=0x7f04cc000b00, rawbuf=0x7f04cc012448 "SELECT * FROM t1 WHERE c IN (JSON_EXTRACT('{\"a\":\"b\"}', '$.*'))", length=62, parser_state=0x7f04e8441200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8002
            #19 0x000055e1e13dd8b8 in dispatch_command (command=COM_QUERY, thd=0x7f04cc000b00, packet=0x7f04cc16b4b1 "", packet_length=62, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1821
            #20 0x000055e1e13dc21b in do_command (thd=0x7f04cc000b00) at /data/src/10.2/sql/sql_parse.cc:1375
            #21 0x000055e1e152b930 in do_handle_one_connection (connect=0x55e1e5365370) at /data/src/10.2/sql/sql_connect.cc:1335
            #22 0x000055e1e152b6bd in handle_one_connection (arg=0x55e1e5365370) at /data/src/10.2/sql/sql_connect.cc:1241
            #23 0x000055e1e194cb78 in pfs_spawn_thread (arg=0x55e1e533fee0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
            #24 0x00007f04ef63b494 in start_thread (arg=0x7f04e8442700) at pthread_create.c:333
            #25 0x00007f04eda2193f in clone () from /lib/x86_64-linux-gnu/libc.so.6
            

            If it doesn't crash, try ASAN:

            10.2 ASAN 13c241c64f46

            ==19804==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d9771bc92c sp 0x7f503946e760 bp 0x7f503946eec0 T5)
                #0 0x55d9771bc92b in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*) /data/src/10.2/sql/item_jsonfunc.cc:743
                #1 0x55d9771d04c8 in Arg_comparator::compare_json_str_basic(Item*, Item*) /data/src/10.2/sql/item_jsonfunc.cc:3204
                #2 0x55d976dcd81a in Arg_comparator::compare_str_json() /data/src/10.2/sql/item_cmpfunc.cc:1143
                #3 0x55d976e033fa in Arg_comparator::compare() /data/src/10.2/sql/item_cmpfunc.h:87
                #4 0x55d976dd3d87 in Item_func_eq::val_int() /data/src/10.2/sql/item_cmpfunc.cc:1776
                #5 0x55d97685b51a in evaluate_join_record /data/src/10.2/sql/sql_select.cc:18805
                #6 0x55d97685a910 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18710
                #7 0x55d976858c62 in do_select /data/src/10.2/sql/sql_select.cc:18254
                #8 0x55d9767f920e in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3585
                #9 0x55d9767f6ea3 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3380
                #10 0x55d9767fa28b in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3780
                #11 0x55d9767d9a48 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
                #12 0x55d97675cbbb in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6477
                #13 0x55d97674999a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3484
                #14 0x55d976765834 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8002
                #15 0x55d9767403a4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821
                #16 0x55d97673d448 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375
                #17 0x55d976a7a6af in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
                #18 0x55d976a7a0c4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
                #19 0x55d97748913b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
                #20 0x7f50458f4493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #21 0x7f5043cda93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
             
            AddressSanitizer can not provide additional info.
            SUMMARY: AddressSanitizer: SEGV /data/src/10.2/sql/item_jsonfunc.cc:743 Item_func_json_extract::read_json(String*, json_value_types*, char**, int*)
            Thread T5 created by T0 here:
                #0 0x7f5045b2dbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x55d977489703 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
                #2 0x55d97653a44e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
                #3 0x55d97654f339 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451
                #4 0x55d97654fa3e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521
                #5 0x55d976550a4f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796
                #6 0x55d97654e88e in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070
                #7 0x55d9765387ef in main /data/src/10.2/sql/main.cc:25
                #8 0x7f5043c122b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
             
            ==19804==ABORTING
            

            Also reproducible on the current 10.3.

            elenst Elena Stepanova added a comment - (test case, stack trace and ASAN report shown above)
            holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2018-June/012627.html
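An added triage sketch, not part of the original report or of MariaDB's code: it normalizes the two trace formats shown on this page (mysqld's own backtrace and the ASAN report) into one crash signature, so the production crash and the reduced test case can be confirmed as the same fault. The helper names and the three-frame depth are assumptions; the sample lines are excerpted from the traces above.

```python
import re

# mysqld backtrace frame: sql/item_jsonfunc.cc:743(Symbol(args))[0x7f1aa0efa2a6]
MYSQLD_FRAME = re.compile(r"^\s*(?P<file>\S+?):(?P<line>\d+)\((?P<sym>.+)\)\[0x[0-9a-f]+\]\s*$")
# ASAN frame: #0 0x55d9771bc92b in Symbol(args) /data/src/10.2/sql/item_jsonfunc.cc:743
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<sym>.+?)\s+(?P<file>/\S+?):(?P<line>\d+)\s*$")
ASAN_FAULT = re.compile(r"AddressSanitizer: (?P<kind>\w+) on unknown address 0x(?P<addr>[0-9a-f]+)")
# Frames that belong to crash reporting, not to the faulting code path.
NOISE = {"my_print_stacktrace", "handle_fatal_signal", "__restore_rt"}


def parse_frames(trace):
    """Return [(function, source file basename, line)] for frames with source info."""
    frames = []
    for raw in trace.splitlines():
        m = MYSQLD_FRAME.match(raw) or ASAN_FRAME.match(raw)
        if not m:
            continue  # binary-only frames, headers, blank lines
        func = m["sym"].split("(")[0]  # drop the argument list
        if func in NOISE:
            continue
        frames.append((func, m["file"].rsplit("/", 1)[-1], int(m["line"])))
    return frames


def signature(trace, depth=3):
    """Bucket key from the top `depth` function names. Addresses and line numbers
    are left out because they differ between builds; deeper frames can also
    differ when an optimized build inlines a call."""
    return " < ".join(f[0] for f in parse_frames(trace)[:depth])


def fault_class(trace):
    """Classify the ASAN fault address; None when the trace has no ASAN header."""
    m = ASAN_FAULT.search(trace)
    if not m:
        return None
    addr = int(m["addr"], 16)
    return f"{m['kind']} null-page dereference" if addr < 0x1000 else f"{m['kind']} at {addr:#x}"


# Excerpt of the reporter's production backtrace (10.2.14) from this page.
PROD_TRACE = """\
/usr/sbin/mysqld(my_print_stacktrace+0x2b)[0x7f1aa12d8fab]
/usr/sbin/mysqld(handle_fatal_signal+0x535)[0x7f1aa0dad005]
sigaction.c:0(__restore_rt)[0x7f1aa02cd7e0]
sql/item_jsonfunc.cc:743(Item_func_json_extract::read_json(String*, json_value_types*, char**, int*))[0x7f1aa0efa2a6]
sql/item_jsonfunc.cc:3204(Arg_comparator::compare_json_str_basic(Item*, Item*))[0x7f1aa0efaec9]
sql/item_cmpfunc.cc:1144(Arg_comparator::compare_str_json())[0x7f1aa0dd98c6]
sql/item_cmpfunc.cc:1775(Item_func_eq::val_int())[0x7f1aa0ddd160]
"""
# Excerpt of the ASAN report for the reduced test case from this page.
ASAN_TRACE = """\
==19804==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d9771bc92c sp 0x7f503946e760 bp 0x7f503946eec0 T5)
    #0 0x55d9771bc92b in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*) /data/src/10.2/sql/item_jsonfunc.cc:743
    #1 0x55d9771d04c8 in Arg_comparator::compare_json_str_basic(Item*, Item*) /data/src/10.2/sql/item_jsonfunc.cc:3204
    #2 0x55d976dcd81a in Arg_comparator::compare_str_json() /data/src/10.2/sql/item_cmpfunc.cc:1143
    #3 0x55d976e033fa in Arg_comparator::compare() /data/src/10.2/sql/item_cmpfunc.h:87
"""

if __name__ == "__main__":
    print(signature(PROD_TRACE) == signature(ASAN_TRACE), fault_class(ASAN_TRACE))
```

Both traces reduce to the same three-frame signature ending in `Item_func_json_extract::read_json`, and the ASAN fault address of 0 marks the crash as a null pointer dereference.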

            People

              holyfoot Alexey Botchkov
              kjoiner Kyle Joiner (Inactive)
              Votes: 0
              Watchers: 4
