MariaDB Server / MDEV-21530

json_extract STILL crashes in Item_func_json_extract::read_json

Details

    • Type: Bug
    • Status: In Review
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 10.2 (EOL), 10.3 (EOL), 10.4 (EOL), 10.5, 10.6, 10.9 (EOL), 10.10 (EOL), 10.11, 11.1 (EOL), 11.2 (EOL)
    • Fix Version/s: 10.5, 10.6, 10.11, 11.4
    • Component/s: JSON
    • Environment: Linux x64

    Description

      Version: '10.5.0-MariaDB'  MariaDB Server
       
      Thread 26 "mysqld" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7ffff44af700 (LWP 23029)]
      Item_func_json_extract::read_json at ./sql/item_jsonfunc.cc:757
      757	in ./sql/item_jsonfunc.cc
      (gdb) bt
      #0  Item_func_json_extract::read_json at ./sql/item_jsonfunc.cc:757
      #1  in Arg_comparator::compare_e_json_str_basic at ./sql/item_jsonfunc.cc:3603
      #2  in Item_func_equal::val_int at ./sql/item_cmpfunc.cc:1795
      #3  in Type_handler::Item_send_long at ./sql/sql_type.cc:7171
      #4  in Protocol::send_result_set_row at ./sql/protocol.cc:1035
      #5  in select_send::send_data at ./sql/sql_class.cc:3021
      #6  in JOIN::exec_inner at ./sql/sql_select.cc:4259
      #7  in JOIN::exec at ./sql/sql_select.cc:4172
      #8  in mysql_select at ./sql/sql_select.cc:4596
      #9  in handle_select at ./sql/sql_select.cc:428
      #10 in execute_sqlcom_select at ./sql/sql_parse.cc:6217
      #11 in mysql_execute_command at ./sql/sql_parse.cc:3905
      #12 in mysql_parse at ./sql/sql_parse.cc:7986
      #13 in dispatch_command at ./sql/sql_parse.cc:1846
      #14 in do_command at ./sql/sql_parse.cc:1364
      #15 in do_handle_one_connection at ./sql/sql_connect.cc:1422
      #16 in handle_one_connection at ./sql/sql_connect.cc:1319
      #17 in start_thread at pthread_create.c:479
      

      How to Repeat:

      select null<=>json_extract('1',json_object(null,'{ }',null,null),'{}');
      

          Activity

            alice Alice Sherepa added a comment -

            sbester1 Thanks!

            10.2 c4195305b2a8431f39a4c75cc1c

            =================================================================
            ==28787==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000005b0 at pc 0x00000127a455 bp 0x7f7350f07320 sp 0x7f7350f07310
            READ of size 8 at 0x62b0000005b0 thread T5
                #0 0x127a454 in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*) /10.2/sql/item_jsonfunc.cc:768
                #1 0x12908cf in Arg_comparator::compare_e_json_str_basic(Item*, Item*) /10.2/sql/item_jsonfunc.cc:3611
                #2 0xe92b2e in Arg_comparator::compare_e_json_str() /10.2/sql/item_cmpfunc.cc:1169
                #3 0xec9a80 in Arg_comparator::compare() /10.2/sql/item_cmpfunc.h:87
                #4 0xe991b3 in Item_func_equal::val_int() /10.2/sql/item_cmpfunc.cc:1814
                #5 0xe4ff24 in Item::send(Protocol*, String*) /10.2/sql/item.cc:6958
                #6 0x63ebd3 in Protocol::send_result_set_row(List<Item>*) /10.2/sql/protocol.cc:990
                #7 0x75de98 in select_send::send_data(List<Item>&) /10.2/sql/sql_class.cc:2725
                #8 0x8b68fe in JOIN::exec_inner() /10.2/sql/sql_select.cc:3505
                #9 0x8b581d in JOIN::exec() /10.2/sql/sql_select.cc:3424
                #10 0x8b8c32 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/sql/sql_select.cc:3824
                #11 0x897d8f in handle_select(THD*, LEX*, select_result*, unsigned long) /10.2/sql/sql_select.cc:373
                #12 0x81c264 in execute_sqlcom_select /10.2/sql/sql_parse.cc:6225
                #13 0x80aa77 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:3532
                #14 0x824d1a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7740
                #15 0x801381 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1831
                #16 0x7fe477 in do_command(THD*) /10.2/sql/sql_parse.cc:1385
                #17 0xb3809c in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
                #18 0xb37a80 in handle_one_connection /10.2/sql/sql_connect.cc:1241
                #19 0x1d27d11 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1862
                #20 0x7f735c5196b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
                #21 0x7f735b9ae41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
            

            alice Alice Sherepa added a comment -

            from MDEV-35352:

            2024-11-06 11:13:52 0 [Note] Starting MariaDB 10.5.28-MariaDB-debug-log source revision ecdccddaae96bde43adba59451ea1f5796ad9f6d 
             
            Version: '10.5.28-MariaDB-debug-log'
            =================================================================
            ==423516==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000858e0 at pc 0x563b25b9fabb bp 0x7f237f7b1350 sp 0x7f237f7b1340
            READ of size 8 at 0x62b0000858e0 thread T17
                #0 0x563b25b9faba in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*) /10.5/src/sql/item_jsonfunc.cc:925
                #1 0x563b25bbc108 in Arg_comparator::compare_e_json_str_basic(Item*, Item*) /10.5/src/sql/item_jsonfunc.cc:3951
                #2 0x563b25f62de4 in Arg_comparator::compare_e_json_str() /10.5/src/sql/item_cmpfunc.cc:1146
                #3 0x563b25fa630d in Arg_comparator::compare() /10.5/src/sql/item_cmpfunc.h:117
                #4 0x563b25f6b52d in Item_func_equal::val_int() /10.5/src/sql/item_cmpfunc.cc:1839
                #5 0x563b25c3a64b in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /10.5/src/sql/sql_type.cc:7598
                #6 0x563b25c58385 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /10.5/src/sql/sql_type.h:5736
                #7 0x563b25313beb in Item::send(Protocol*, st_value*) /10.5/src/sql/item.h:1083
                #8 0x563b25303de3 in Protocol::send_result_set_row(List<Item>*) /10.5/src/sql/protocol.cc:1086
                #9 0x563b254c8445 in select_send::send_data(List<Item>&) /10.5/src/sql/sql_class.cc:3161
                #10 0x563b257a780c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /10.5/src/sql/sql_class.h:5580
                #11 0x563b256da649 in JOIN::exec_inner() /10.5/src/sql/sql_select.cc:4529
                #12 0x563b256d91e9 in JOIN::exec() /10.5/src/sql/sql_select.cc:4441
                #13 0x563b256dd693 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/src/sql/sql_select.cc:4918
                #14 0x563b256acc45 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/src/sql/sql_select.cc:449
                #15 0x563b2560e733 in execute_sqlcom_select /10.5/src/sql/sql_parse.cc:6437
                #16 0x563b255fcaf7 in mysql_execute_command(THD*) /10.5/src/sql/sql_parse.cc:4029
                #17 0x563b25619b02 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/src/sql/sql_parse.cc:8237
                #18 0x563b255ee475 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/src/sql/sql_parse.cc:1891
                #19 0x563b255ead4f in do_command(THD*) /10.5/src/sql/sql_parse.cc:1375
                #20 0x563b25a5dc0b in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1407
                #21 0x563b25a5d765 in handle_one_connection /10.5/src/sql/sql_connect.cc:1319
                #22 0x563b2671b9fb in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
                #23 0x7f239be7c608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
                #24 0x7f239b9b7352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
             
            0x62b0000858e0 is located 1760 bytes inside of 24740-byte region [0x62b000085200,0x62b00008b2a4)
            allocated by thread T17 here:
                #0 0x7f239c4698ff in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
                #1 0x563b2756b28a in sf_malloc /10.5/src/mysys/safemalloc.c:121
                #2 0x563b275388b0 in my_malloc /10.5/src/mysys/my_malloc.c:91
                #3 0x563b2751373e in reset_root_defaults /10.5/src/mysys/my_alloc.c:148
                #4 0x563b254ba156 in THD::init_for_queries() /10.5/src/sql/sql_class.cc:1409
                #5 0x563b25a5d015 in prepare_new_connection_state(THD*) /10.5/src/sql/sql_connect.cc:1246
                #6 0x563b25a5d7ea in thd_prepare_connection(THD*) /10.5/src/sql/sql_connect.cc:1340
                #7 0x563b25a5dbd4 in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1397
                #8 0x563b25a5d765 in handle_one_connection /10.5/src/sql/sql_connect.cc:1319
                #9 0x563b2671b9fb in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
                #10 0x7f239be7c608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
             
            Thread T17 created by T0 here:
                #0 0x7f239c3d5175 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:208
                #1 0x563b267175b0 in my_thread_create /10.5/src/storage/perfschema/my_thread.h:52
                #2 0x563b2671bdee in pfs_spawn_thread_v1 /10.5/src/storage/perfschema/pfs.cc:2252
                #3 0x563b252ac807 in inline_mysql_thread_create /10.5/src/include/mysql/psi/mysql_thread.h:1323
                #4 0x563b252c3b11 in create_thread_to_handle_connection(CONNECT*) /10.5/src/sql/mysqld.cc:6116
                #5 0x563b252c4168 in create_new_thread(CONNECT*) /10.5/src/sql/mysqld.cc:6175
                #6 0x563b252c447c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/src/sql/mysqld.cc:6240
                #7 0x563b252c50e2 in handle_connections_sockets() /10.5/src/sql/mysqld.cc:6367
                #8 0x563b252c1d13 in run_main_loop /10.5/src/sql/mysqld.cc:5357
                #9 0x563b252c335b in mysqld_main(int, char**) /10.5/src/sql/mysqld.cc:5768
                #10 0x563b252ab07c in main /10.5/src/sql/main.cc:25
                #11 0x7f239b8bc082 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: use-after-poison /10.5/src/sql/item_jsonfunc.cc:925 in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*)
            Shadow bytes around the buggy address:
              0x62b000085600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085800: 00 00 00 00 f7 00 00 f7 03 f7 00 00 00 00 00 00
            =>0x62b000085880: 00 00 00 00 00 00 00 00 00 00 00 00[f7]07 f7 00
              0x62b000085900: 05 f7 03 f7 00 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085980: 00 00 00 00 00 00 f7 07 f7 00 05 f7 00 00 00 f7
              0x62b000085a00: 00 00 f7 02 f7 00 00 00 00 00 00 00 00 00 00 00
              0x62b000085a80: 00 00 00 00 00 00 00 f7 04 f7 00 02 f7 00 00 f7
              0x62b000085b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==423516==ABORTING
            

            241106 11:12:05 [ERROR] mysqld got signal 11 ;
             
            Server version: 11.7.0-preview-MariaDB source revision: 7391f7143b462b29ecdaee049c5ebdfd1aefa6d7
             
            mysys/stacktrace.c:216(my_print_stacktrace)[0x561168d25b4e]
            sql/signal_handler.cc:239(handle_fatal_signal)[0x56116874780f]
            sigaction.c:0(__restore_rt)[0x7fb8f3ab5420]
            sql/item_jsonfunc.cc:1053(Item_func_json_extract::read_json(String*, json_value_types*, char**, int*))[0x56116864adf7]
            sql/item_jsonfunc.cc:4174(Arg_comparator::compare_e_json_str_basic(Item*, Item*))[0x56116864f2e3]
            sql/item_cmpfunc.cc:1916(Item_func_equal::val_int())[0x56116878636a]
            sql/sql_type.cc:7671(Type_handler::Item_send_long(Item*, Protocol*, st_value*) const)[0x5611686936b9]
            sql/protocol.cc:1353(Protocol::send_result_set_row(List<Item>*))[0x561168412c0d]
            sql/sql_class.cc:3276(select_send::send_data(List<Item>&))[0x561168478592]
            sql/sql_select.cc:4894(JOIN::exec_inner())[0x56116854dd8b]
            sql/sql_select.cc:4810(JOIN::exec())[0x56116854e353]
            sql/sql_select.cc:5342(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56116854c3cf]
            sql/sql_select.cc:637(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x56116854ccd4]
            sql/sql_parse.cc:6158(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561168363bc0]
            sql/sql_parse.cc:3955(mysql_execute_command(THD*, bool))[0x5611684dc620]
            sql/sql_parse.cc:7880(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5611684de20b]
            sql/sql_parse.cc:1953(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5611684e069a]
            sql/sql_parse.cc:1407(do_command(THD*, bool))[0x5611684e1ba3]
            sql/sql_connect.cc:1448(do_handle_one_connection(CONNECT*, bool))[0x5611685f5107]
            sql/sql_connect.cc:1356(handle_one_connection)[0x5611685f53b0]
            perfschema/pfs.cc:2201(pfs_spawn_thread)[0x5611689bca57]
            nptl/pthread_create.c:478(start_thread)[0x7fb8f3aa9609]
             
            Query (0x7fb8800235c0): select '[]'<=>json_extract('[]','$')
            

            rucha174 Rucha Deodhar added a comment - Patch: https://github.com/MariaDB/server/commit/ac401a368d67bc5db23a2d2bddfb8c787514bd73

            People

              Assignee: holyfoot Alexey Botchkov
              Reporter: sbester1 sbester1
              Votes: 0
              Watchers: 4
