MDEV-22236

JSON_ARRAYAGG query leads to SIGSEGV in Charset::swap on optimized builds

Details

    Description

      USE test;
      CREATE TABLE t (c INT);
      SELECT JSON_ARRAYAGG(TRUE) FROM t;
      

      Changing the last query from "TRUE" to "0" or "1" produces the same result.

      Leads to:

      10.5.3 364e7a9ae6b5fbf69494cec30733b5ad28738cbb

      Core was generated by `/test/MD110420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x7f162a68d700 (LWP 23097))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000055f2a39a121e in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518
      #2  0x000055f2a314708f in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:329
      #3  <signal handler called>
      #4  0x000055f2a3344f72 in Charset::swap (other=..., this=0x7f162a68af20) at /test/10.5_dbg/sql/sql_string.h:182
      #5  String::swap (s=..., this=0x7f162a68af20) at /test/10.5_dbg/sql/sql_string.h:987
      #6  Item_func_json_arrayagg::val_str (this=<optimized out>, str=0x0) at /test/10.5_dbg/sql/item_jsonfunc.cc:3638
      #7  0x000055f2a308296c in Type_handler::Item_send_str (this=<optimized out>, item=0x7f15fc874698, protocol=0x7f15fc815650, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.cc:7137
      #8  0x000055f2a2fd7a0f in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.h:5180
      #9  0x000055f2a2daf23f in Item::send (this=0x7f15fc874698, protocol=0x7f15fc815650, buffer=0x7f162a68b020) at /test/10.5_dbg/sql/item.h:1054
      #10 0x000055f2a2dacfaf in Protocol::send_result_set_row (this=this@entry=0x7f15fc815650, row_items=row_items@entry=0x7f15fc875fa8) at /test/10.5_dbg/sql/protocol.cc:1082
      #11 0x000055f2a2e3efa8 in select_send::send_data (this=0x7f15fc875bc8, items=...) at /test/10.5_dbg/sql/sql_class.cc:3006
      #12 0x000055f2a2ef6de0 in select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=..., this=<optimized out>) at /test/10.5_dbg/sql/sql_class.h:5236
      #13 end_send_group (join=0x7f15fc875bf0, join_tab=<optimized out>, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:21947
      #14 0x000055f2a2ee36e5 in sub_select (join=0x7f15fc875bf0, join_tab=0x7f15fc876e68, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:20550
      #15 0x000055f2a2f1b902 in do_select (procedure=<optimized out>, join=0x7f15fc875bf0) at /test/10.5_dbg/sql/sql_select.cc:20141
      #16 JOIN::exec_inner (this=this@entry=0x7f15fc875bf0) at /test/10.5_dbg/sql/sql_select.cc:4463
      #17 0x000055f2a2f1bc6b in JOIN::exec (this=this@entry=0x7f15fc875bf0) at /test/10.5_dbg/sql/sql_select.cc:4244
      #18 0x000055f2a2f19f80 in mysql_select (thd=thd@entry=0x7f15fc815088, tables=<optimized out>, fields=..., conds=0x0, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f15fc875bc8, unit=0x7f15fc819090, select_lex=0x7f15fc874148) at /test/10.5_dbg/sql/sql_select.cc:4668
      #19 0x000055f2a2f1a2af in handle_select (thd=thd@entry=0x7f15fc815088, lex=lex@entry=0x7f15fc818fc8, result=result@entry=0x7f15fc875bc8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
      #20 0x000055f2a2ea499a in execute_sqlcom_select (thd=thd@entry=0x7f15fc815088, all_tables=0x7f15fc874b78) at /test/10.5_dbg/sql/sql_parse.cc:6168
      #21 0x000055f2a2e9d3ed in mysql_execute_command (thd=thd@entry=0x7f15fc815088) at /test/10.5_dbg/sql/sql_parse.cc:3901
      #22 0x000055f2a2eaa9d1 in mysql_parse (thd=thd@entry=0x7f15fc815088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f162a68c450, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7953
      #23 0x000055f2a2e96719 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f15fc815088, packet=packet@entry=0x7f15fc867089 "", packet_length=packet_length@entry=33, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
      #24 0x000055f2a2e94f6f in do_command (thd=0x7f15fc815088) at /test/10.5_dbg/sql/sql_parse.cc:1358
      #25 0x000055f2a2fefa53 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7f16010433a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1422
      #26 0x000055f2a2fefd82 in handle_one_connection (arg=arg@entry=0x7f16010433a8) at /test/10.5_dbg/sql/sql_connect.cc:1319
      #27 0x000055f2a3450080 in pfs_spawn_thread (arg=0x7f1628045888) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
      #28 0x00007f1629ab46db in start_thread (arg=0x7f162a68d700) at pthread_create.c:463
      #29 0x00007f1628eb288f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.5.2 (dbg), 10.5.2 (opt), 10.5.3 (dbg), 10.5.3 (opt)

      Bug confirmed not present in:
      MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (dbg), 10.3.23 (opt), 10.4.13 (dbg), 10.4.13 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

      Syntax is not valid in MariaDB 10.4.13:

      10.4.13

      10.4.13>SELECT JSON_ARRAYAGG(TRUE) FROM t;
      ERROR 1305 (42000): FUNCTION test.JSON_ARRAYAGG does not exist
      
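The version matrix above is the practical question for anyone running 10.5: on an affected build, any session that can create a table (a temporary one is enough, see the second test case in the comments) and run a SELECT over it takes mysqld down, so this is an authenticated denial of service rather than a corner-case crash. The probe below is an added example, not part of the Jira report or of MariaDB's own test suite. It replays the report's two statements against a throwaway server and classifies the client's outcome. Assumptions: MYSQL_CMD names a working client command for a server you are willing to crash (for example MYSQL_CMD="mysql -uroot -S /tmp/mysql.sock"), and a scratch database named mdev22236_probe may be created and dropped; the error texts it matches ("Lost connection to MySQL server", "MySQL server has gone away") are the standard client messages for a dead connection.

```shell
#!/bin/sh
# Added regression probe for MDEV-22236; not from the Jira page or MariaDB's
# test suite. Assumes MYSQL_CMD points at a THROWAWAY server: on an affected
# build the first SELECT kills mysqld. The scratch schema name is an assumption.

# Map a client exit status and its stderr text to a verdict:
#   crash - the connection died mid-query, i.e. the server went down
#   error - the server answered with an SQL error (e.g. ERROR 1305 on 10.4,
#           where JSON_ARRAYAGG does not exist, so that path is not affected)
#   ok    - the statement completed
classify_result() {
    status="$1"
    stderr_text="$2"
    case "$stderr_text" in
        *"Lost connection to MySQL server"*|*"MySQL server has gone away"*)
            echo crash ;;
        *)
            if [ "$status" -eq 0 ]; then echo ok; else echo error; fi ;;
    esac
}

# The two test cases from the report, wrapped in scratch-schema setup/teardown.
# The DROP only runs if the server survived the SELECT.
case_sql() {
    case "$1" in
        1) printf '%s\n' \
            'CREATE DATABASE IF NOT EXISTS mdev22236_probe;' \
            'USE mdev22236_probe;' \
            'CREATE TABLE t (c INT);' \
            'SELECT JSON_ARRAYAGG(TRUE) FROM t;' \
            'DROP DATABASE mdev22236_probe;' ;;
        2) printf '%s\n' \
            'CREATE DATABASE IF NOT EXISTS mdev22236_probe;' \
            'USE mdev22236_probe;' \
            'CREATE TEMPORARY TABLE t0(a INT) ENGINE=InnoDB;' \
            'SELECT 0x0=JSON_ARRAYAGG(a) FROM t0;' \
            'DROP DATABASE mdev22236_probe;' ;;
    esac
}

# Feed one case to the client in batch mode and print the verdict.
run_case() {
    err_file=$(mktemp)
    if case_sql "$1" | $MYSQL_CMD --batch >/dev/null 2>"$err_file"; then
        status=0
    else
        status=$?
    fi
    verdict=$(classify_result "$status" "$(cat "$err_file")")
    rm -f "$err_file"
    echo "$verdict"
}

# Only probe when a client command was supplied. Stop at the first crash:
# a dead server cannot answer the second case anyway.
if [ -n "${MYSQL_CMD:-}" ]; then
    for n in 1 2; do
        v=$(run_case "$n")
        echo "case $n: $v"
        [ "$v" = crash ] && { echo "server crashed: affected by MDEV-22236"; exit 2; }
    done
fi
```

A verdict of "error" on both cases is what the report shows for 10.4.13 (ERROR 1305, function absent); "ok" on both is the expected result on a build carrying the fix linked in the comments; "crash" on either case means the build is affected and the server must be restarted before probing again.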

          Activity

            holyfoot Alexey Botchkov added a comment - https://github.com/MariaDB/server/commit/e545a60bf41bf6efe1e9d7730cc474bda9d3fc62

Roel Roel Van de Paar added a comment -

Note to self: one more testcase seen, to check on patch later:

            USE test;
            CREATE TEMPORARY TABLE t0(a INT) ENGINE=InnoDB;
            SELECT 0x0=JSON_ARRAYAGG(a) FROM t0;
            

            Leads to:

            10.5.3 98003440c2f8d20164a191ced1b7d92b283bb68f

            Core was generated by `/test/MD210420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
                at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
            [Current thread is 1 (Thread 0x7f9352361700 (LWP 550838))]
            (gdb) bt
            #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
            #1  0x0000563e6008e03d in my_write_core (sig=sig@entry=11) at /test/10.5_dbg/mysys/stacktrace.c:518
            #2  0x0000563e5f833d7b in handle_fatal_signal (sig=11) at /test/10.5_dbg/sql/signal_handler.cc:329
            #3  <signal handler called>
            #4  0x0000563e5fa31c76 in Charset::swap (other=..., this=0x7f935235eec0) at /test/10.5_dbg/sql/sql_string.h:182
            #5  String::swap (s=..., this=0x7f935235eec0) at /test/10.5_dbg/sql/sql_string.h:987
            #6  Item_func_json_arrayagg::val_str (this=<optimized out>, str=0x0) at /test/10.5_dbg/sql/item_jsonfunc.cc:3638
            #7  0x0000563e5f49b865 in Item::str_result (this=<optimized out>, tmp=<optimized out>) at /test/10.5_dbg/sql/item.h:1561
            #8  0x0000563e5f854468 in Item_ref::val_str (this=0x7f9324c765e8, tmp=0x7f9324c74e90) at /test/10.5_dbg/sql/item.cc:8219
            #9  0x0000563e5f87ff29 in Arg_comparator::compare_string (this=0x7f9324c74d40) at /test/10.5_dbg/sql/item_cmpfunc.cc:773
            #10 0x0000563e5f87e353 in Arg_comparator::compare (this=0x7f9324c74d40) at /test/10.5_dbg/sql/item_cmpfunc.h:102
            #11 Item_func_eq::val_int (this=0x7f9324c74c70) at /test/10.5_dbg/sql/item_cmpfunc.cc:1780
            #12 0x0000563e5f76f8e5 in Type_handler::Item_send_long (this=<optimized out>, item=0x7f9324c74c70, protocol=0x7f9324c15650, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.cc:7170
            #13 0x0000563e5f77703d in Type_handler_long::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.h:5415
            #14 0x0000563e5f49b69f in Item::send (this=0x7f9324c74c70, protocol=0x7f9324c15650, buffer=0x7f935235f020) at /test/10.5_dbg/sql/item.h:1054
            #15 0x0000563e5f49940f in Protocol::send_result_set_row (this=this@entry=0x7f9324c15650, row_items=row_items@entry=0x7f9324c762c8) at /test/10.5_dbg/sql/protocol.cc:1082
            #16 0x0000563e5f52b4fa in select_send::send_data (this=0x7f9324c75ee8, items=...) at /test/10.5_dbg/sql/sql_class.cc:3006
            #17 0x0000563e5f5e3314 in select_result_sink::send_data_with_check (sent=<optimized out>, u=<optimized out>, items=..., this=<optimized out>) at /test/10.5_dbg/sql/sql_class.h:5237
            #18 end_send_group (join=0x7f9324c75f10, join_tab=<optimized out>, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:21948
            #19 0x0000563e5f5cfc5b in sub_select (join=0x7f9324c75f10, join_tab=0x7f9324c77338, end_of_records=<optimized out>) at /test/10.5_dbg/sql/sql_select.cc:20551
            #20 0x0000563e5f607dda in do_select (procedure=<optimized out>, join=0x7f9324c75f10) at /test/10.5_dbg/sql/sql_select.cc:20142
            #21 JOIN::exec_inner (this=this@entry=0x7f9324c75f10) at /test/10.5_dbg/sql/sql_select.cc:4464
            #22 0x0000563e5f608143 in JOIN::exec (this=this@entry=0x7f9324c75f10) at /test/10.5_dbg/sql/sql_select.cc:4245
            #23 0x0000563e5f606458 in mysql_select (thd=thd@entry=0x7f9324c15088, tables=<optimized out>, fields=..., conds=0x0, og_num=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f9324c75ee8, unit=0x7f9324c19098, select_lex=0x7f9324c74150) at /test/10.5_dbg/sql/sql_select.cc:4669
            #24 0x0000563e5f606787 in handle_select (thd=thd@entry=0x7f9324c15088, lex=lex@entry=0x7f9324c18fd0, result=result@entry=0x7f9324c75ee8, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:417
            #25 0x0000563e5f590ef4 in execute_sqlcom_select (thd=thd@entry=0x7f9324c15088, all_tables=0x7f9324c74f18) at /test/10.5_dbg/sql/sql_parse.cc:6172
            #26 0x0000563e5f589919 in mysql_execute_command (thd=thd@entry=0x7f9324c15088) at /test/10.5_dbg/sql/sql_parse.cc:3901
            #27 0x0000563e5f596f2b in mysql_parse (thd=thd@entry=0x7f9324c15088, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f9352360450, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:7957
            #28 0x0000563e5f582c45 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f9324c15088, packet=packet@entry=0x7f9324c67089 "", packet_length=packet_length@entry=35, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:1839
            #29 0x0000563e5f58149b in do_command (thd=0x7f9324c15088) at /test/10.5_dbg/sql/sql_parse.cc:1358
            #30 0x0000563e5f6dc415 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x7f93307c53a8, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1422
            #31 0x0000563e5f6dc744 in handle_one_connection (arg=arg@entry=0x7f93307c53a8) at /test/10.5_dbg/sql/sql_connect.cc:1319
            #32 0x0000563e5fb3cfb0 in pfs_spawn_thread (arg=0x7f9350045b08) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
            #33 0x00007f93517886db in start_thread (arg=0x7f9352361700) at pthread_create.c:463
            #34 0x00007f9350b8688f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            Roel Roel Van de Paar added a comment - - edited

            All testcases from this bug pass, however there is a new testcase which fails. Logging new bug.
            MDEV-22449

            People

              holyfoot Alexey Botchkov
              Roel Roel Van de Paar