JSON_TABLE: ASAN global-buffer-overflow in my_strnncoll_binary upon inserting query with join into query cache

SET @qcache= @@global.query_cache_type;

SET GLOBAL query_cache_type= ON;

SET query_cache_type= ON;

CREATE TABLE t (a INT);

SELECT * FROM t JOIN JSON_TABLE('{}' , '$' COLUMNS(b FOR ORDINALITY)) AS jt;

# Cleanup

DROP TABLE t;

SET GLOBAL query_cache_type= @qcache;

==3780665==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fd83e064a1 at pc 0x7f18e6781dfd bp 0x7f18dcb89de0 sp 0x7f18dcb89588

READ of size 7 at 0x55fd83e064a1 thread T5

    #0 0x7f18e6781dfc  (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc)

    #1 0x55fd838815b5 in my_strnncoll_binary /data/src/bb-10.6-mdev17399-hf/strings/ctype-bin.c:87

    #2 0x55fd8379178f in hashcmp /data/src/bb-10.6-mdev17399-hf/mysys/hash.c:373

    #3 0x55fd83791002 in my_hash_first_from_hash_value /data/src/bb-10.6-mdev17399-hf/mysys/hash.c:288

    #4 0x55fd83790e1d in my_hash_first /data/src/bb-10.6-mdev17399-hf/mysys/hash.c:262

    #5 0x55fd83790b10 in my_hash_search /data/src/bb-10.6-mdev17399-hf/mysys/hash.c:235

    #6 0x55fd81964354 in Query_cache::insert_table(THD*, unsigned long, char const*, Query_cache_block_table*, unsigned long, unsigned char, unsigned char, char (*)(THD*, char const*, unsigned int, unsigned long long*), unsigned long long, char) /data/src/bb-10.6-mdev17399-hf/sql/sql_cache.cc:3519

    #7 0x55fd81963a0a in Query_cache::register_tables_from_list(THD*, TABLE_LIST*, unsigned int, Query_cache_block_table**) /data/src/bb-10.6-mdev17399-hf/sql/sql_cache.cc:3429

    #8 0x55fd8196404c in Query_cache::register_all_tables(THD*, Query_cache_block*, TABLE_LIST*, unsigned int) /data/src/bb-10.6-mdev17399-hf/sql/sql_cache.cc:3475

    #9 0x55fd81957783 in Query_cache::store_query(THD*, TABLE_LIST*) /data/src/bb-10.6-mdev17399-hf/sql/sql_cache.cc:1551

    #10 0x55fd81ac79bf in execute_sqlcom_select /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:6229

    #11 0x55fd81ab6cc3 in mysql_execute_command(THD*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:3926

    #12 0x55fd81ad2c90 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:8001

    #13 0x55fd81aa96c7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1886

    #14 0x55fd81aa6402 in do_command(THD*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1397

    #15 0x55fd81ee7ea8 in do_handle_one_connection(CONNECT*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1410

    #16 0x55fd81ee7805 in handle_one_connection /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1312

    #17 0x55fd82bf1f48 in pfs_spawn_thread /data/src/bb-10.6-mdev17399-hf/storage/perfschema/pfs.cc:2201

    #18 0x7f18e6264608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

    #19 0x7f18e5e38292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x55fd83e064a1 is located 0 bytes to the right of global variable '*.LC38' defined in '/data/src/bb-10.6-mdev17399-hf/sql/json_table.cc' (0x55fd83e064a0) of size 1

  '*.LC38' is ascii string ''

0x55fd83e064a1 is located 63 bytes to the left of global variable '*.LC39' defined in '/data/src/bb-10.6-mdev17399-hf/sql/json_table.cc' (0x55fd83e064e0) of size 6

  '*.LC39' is ascii string 'FALSE'

SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0xdadfc) 

Shadow bytes around the buggy address:

  0x0ac0307b8c40: f9 f9 f9 f9 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9

  0x0ac0307b8c50: 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 00 00 00 00

  0x0ac0307b8c60: 00 01 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9

  0x0ac0307b8c70: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9

  0x0ac0307b8c80: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9

=>0x0ac0307b8c90: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9

  0x0ac0307b8ca0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9

  0x0ac0307b8cb0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9

  0x0ac0307b8cc0: f9 f9 f9 f9 00 00 00 00 00 00 05 f9 f9 f9 f9 f9

  0x0ac0307b8cd0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 05

  0x0ac0307b8ce0: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

Thread T5 created by T0 here:

    #0 0x7f18e66e1805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)

    #1 0x55fd82beceec in my_thread_create /data/src/bb-10.6-mdev17399-hf/storage/perfschema/my_thread.h:38

    #2 0x55fd82bf233b in pfs_spawn_thread_v1 /data/src/bb-10.6-mdev17399-hf/storage/perfschema/pfs.cc:2252

    #3 0x55fd81797bd8 in inline_mysql_thread_create /data/src/bb-10.6-mdev17399-hf/include/mysql/psi/mysql_thread.h:1139

    #4 0x55fd817adb73 in create_thread_to_handle_connection(CONNECT*) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5780

    #5 0x55fd817ae1f2 in create_new_thread(CONNECT*) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5839

    #6 0x55fd817ae55f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5901

    #7 0x55fd817aef0c in handle_connections_sockets() /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:6023

    #8 0x55fd817ad380 in mysqld_main(int, char**) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5675

    #9 0x55fd81796efc in main /data/src/bb-10.6-mdev17399-hf/sql/main.cc:25

    #10 0x7f18e5d3d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

==3780665==ABORTING

210318 14:57:10 [ERROR] mysqld got signal 6 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.6.0-MariaDB-debug-log

key_buffer_size=1048576

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=1

It is possible that mysqld could use up to 

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63804 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b000069288

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f18dcb8c950 thread_stack 0x5fc00

??:0(__interceptor_tcgetattr)[0x7f18e6713d30]

mysys/stacktrace.c:212(my_print_stacktrace)[0x55fd83807c95]

sql/signal_handler.cc:212(handle_fatal_signal)[0x55fd822bb67f]

sigaction.c:0(__restore_rt)[0x7f18e62703c0]

??:0(gsignal)[0x7f18e5d5c18b]

??:0(abort)[0x7f18e5d3b859]

??:0(__sanitizer_set_report_fd)[0x7f18e67d26a2]

??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f18e67dd24c]

??:0(__sanitizer_ptr_cmp)[0x7f18e67be8ec]

??:0(__asan_on_error)[0x7f18e67be363]

??:0(__sanitizer_weak_hook_memcmp)[0x7f18e6781e1c]

strings/ctype-bin.c:87(my_strnncoll_binary)[0x55fd838815b6]

mysys/hash.c:372(hashcmp)[0x55fd83791790]

mysys/hash.c:288(my_hash_first_from_hash_value)[0x55fd83791003]

mysys/hash.c:262(my_hash_first)[0x55fd83790e1e]

mysys/hash.c:235(my_hash_search)[0x55fd83790b11]

sql/sql_cache.cc:3519(Query_cache::insert_table(THD*, unsigned long, char const*, Query_cache_block_table*, unsigned long, unsigned char, unsigned char, char (*)(THD*, char const*, unsigned int, unsigned long long*), unsigned long long, char))[0x55fd81964355]

sql/sql_cache.cc:3429(Query_cache::register_tables_from_list(THD*, TABLE_LIST*, unsigned int, Query_cache_block_table**))[0x55fd81963a0b]

sql/sql_cache.cc:3475(Query_cache::register_all_tables(THD*, Query_cache_block*, TABLE_LIST*, unsigned int))[0x55fd8196404d]

sql/sql_cache.cc:1551(Query_cache::store_query(THD*, TABLE_LIST*))[0x55fd81957784]

sql/sql_parse.cc:6230(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55fd81ac79c0]

sql/sql_parse.cc:3926(mysql_execute_command(THD*))[0x55fd81ab6cc4]

sql/sql_parse.cc:8001(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55fd81ad2c91]

sql/sql_parse.cc:1888(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55fd81aa96c8]

sql/sql_parse.cc:1397(do_command(THD*, bool))[0x55fd81aa6403]

sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55fd81ee7ea9]

sql/sql_connect.cc:1314(handle_one_connection)[0x55fd81ee7806]

perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55fd82bf1f49]

nptl/pthread_create.c:478(start_thread)[0x7f18e6264609]

??:0(clone)[0x7f18e5e38293]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x62b0000382a8): SELECT * FROM t JOIN JSON_TABLE('{}' , '$' COLUMNS(b FOR ORDINALITY)) AS jt

Connection ID (thread ID): 4

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /dev/shm/var_auto_lAdf/mysqld.1/data

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             385874               385874               processes 

Max open files            1024                 1024                 files     

Max locked memory         67108864             67108864             bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       385874               385874               signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E