Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-25188

JSON_TABLE: ASAN use-after-poison in Field_long::reset / Table_function_json_table::setup or malloc(): invalid size

    XMLWordPrintable

    Details

      Description

      SELECT * FROM JSON_TABLE(CONVERT('{"x":1}' USING utf8mb4), '$' COLUMNS(a INT PATH '$', b CHAR(64) PATH '$.*', c INT EXISTS PATH '$**.*')) AS jt;
      

      bb-10.6-mdev17399-hf 3530463bc2

      ==3804278==ERROR: AddressSanitizer: use-after-poison on address 0x61900008abdf at pc 0x55996dcdba92 bp 0x7f6cfeb33e50 sp 0x7f6cfeb33e40
      WRITE of size 1 at 0x61900008abdf thread T5
          #0 0x55996dcdba91 in Field_long::reset() /data/src/bb-10.6-mdev17399-hf/sql/field.h:2696
          #1 0x55996db6977b in Table_function_json_table::setup(THD*, TABLE_LIST*, st_select_lex*) /data/src/bb-10.6-mdev17399-hf/sql/json_table.cc:1157
          #2 0x55996d5b65b9 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/bb-10.6-mdev17399-hf/sql/sql_select.cc:1249
          #3 0x55996d5dc222 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/bb-10.6-mdev17399-hf/sql/sql_select.cc:4723
          #4 0x55996d5ad821 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/bb-10.6-mdev17399-hf/sql/sql_select.cc:417
          #5 0x55996d5179c1 in execute_sqlcom_select /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:6230
          #6 0x55996d506ca3 in mysql_execute_command(THD*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:3926
          #7 0x55996d522c6c in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:8000
          #8 0x55996d4f96a7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1886
          #9 0x55996d4f63e2 in do_command(THD*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1397
          #10 0x55996d937e84 in do_handle_one_connection(CONNECT*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1410
          #11 0x55996d9377e1 in handle_one_connection /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1312
          #12 0x55996e64208a in pfs_spawn_thread /data/src/bb-10.6-mdev17399-hf/storage/perfschema/pfs.cc:2201
          #13 0x7f6d0820b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #14 0x7f6d07ddf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x61900008abdf is located 1119 bytes inside of 1124-byte region [0x61900008a780,0x61900008abe4)
      allocated by thread T5 here:
          #0 0x7f6d0875bbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x55996f2797e3 in sf_malloc /data/src/bb-10.6-mdev17399-hf/mysys/safemalloc.c:121
          #2 0x55996f24632b in my_malloc /data/src/bb-10.6-mdev17399-hf/mysys/my_malloc.c:90
          #3 0x55996f22232b in alloc_root /data/src/bb-10.6-mdev17399-hf/mysys/my_alloc.c:244
          #4 0x55996d696e00 in Field::operator new(unsigned long, st_mem_root*) /data/src/bb-10.6-mdev17399-hf/sql/field.h:761
          #5 0x55996daca73d in Type_handler_long::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /data/src/bb-10.6-mdev17399-hf/sql/sql_type.cc:8054
          #6 0x55996db6728a in Create_json_table::add_json_table_fields(THD*, TABLE*, Table_function_json_table*) /data/src/bb-10.6-mdev17399-hf/sql/json_table.cc:845
          #7 0x55996db67b23 in create_table_for_function(THD*, TABLE_LIST*) /data/src/bb-10.6-mdev17399-hf/sql/json_table.cc:900
          #8 0x55996d36d4b0 in open_and_process_table /data/src/bb-10.6-mdev17399-hf/sql/sql_base.cc:3690
          #9 0x55996d370c8b in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/bb-10.6-mdev17399-hf/sql/sql_base.cc:4283
          #10 0x55996d375b5f in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/bb-10.6-mdev17399-hf/sql/sql_base.cc:5241
          #11 0x55996d2cdb9b in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/bb-10.6-mdev17399-hf/sql/sql_base.h:507
          #12 0x55996d516f40 in execute_sqlcom_select /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:6151
          #13 0x55996d506ca3 in mysql_execute_command(THD*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:3926
          #14 0x55996d522c6c in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:8000
          #15 0x55996d4f96a7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1886
          #16 0x55996d4f63e2 in do_command(THD*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_parse.cc:1397
          #17 0x55996d937e84 in do_handle_one_connection(CONNECT*, bool) /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1410
          #18 0x55996d9377e1 in handle_one_connection /data/src/bb-10.6-mdev17399-hf/sql/sql_connect.cc:1312
          #19 0x55996e64208a in pfs_spawn_thread /data/src/bb-10.6-mdev17399-hf/storage/perfschema/pfs.cc:2201
          #20 0x7f6d0820b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f6d08688805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55996e63d02e in my_thread_create /data/src/bb-10.6-mdev17399-hf/storage/perfschema/my_thread.h:38
          #2 0x55996e64247d in pfs_spawn_thread_v1 /data/src/bb-10.6-mdev17399-hf/storage/perfschema/pfs.cc:2252
          #3 0x55996d1e7bd8 in inline_mysql_thread_create /data/src/bb-10.6-mdev17399-hf/include/mysql/psi/mysql_thread.h:1139
          #4 0x55996d1fdb73 in create_thread_to_handle_connection(CONNECT*) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5780
          #5 0x55996d1fe1f2 in create_new_thread(CONNECT*) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5839
          #6 0x55996d1fe55f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5901
          #7 0x55996d1fef0c in handle_connections_sockets() /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:6023
          #8 0x55996d1fd380 in mysqld_main(int, char**) /data/src/bb-10.6-mdev17399-hf/sql/mysqld.cc:5675
          #9 0x55996d1e6efc in main /data/src/bb-10.6-mdev17399-hf/sql/main.cc:25
          #10 0x7f6d07ce40b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/bb-10.6-mdev17399-hf/sql/field.h:2696 in Field_long::reset()
      Shadow bytes around the buggy address:
        0x0c3280009520: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280009530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
        0x0c3280009540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280009550: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
        0x0c3280009560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3280009570: 00 00 00 00 00 00 00 00 00 f7 f7[f7]04 fa fa fa
        0x0c3280009580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3280009590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c32800095a0: 00 00 00 00 f7 00 00 00 00 f7 f7 f7 f7 f7 f7 f7
        0x0c32800095b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c32800095c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3804278==ABORTING
      210318 17:10:18 [ERROR] mysqld got signal 6 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 10.6.0-MariaDB-debug-log
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63804 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62b000069288
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f6cfeb36950 thread_stack 0x5fc00
      ??:0(__interceptor_tcgetattr)[0x7f6d086bad30]
      mysys/stacktrace.c:212(my_print_stacktrace)[0x55996f257dd7]
      sql/signal_handler.cc:212(handle_fatal_signal)[0x55996dd0b7c1]
      sigaction.c:0(__restore_rt)[0x7f6d082173c0]
      ??:0(gsignal)[0x7f6d07d0318b]
      ??:0(abort)[0x7f6d07ce2859]
      ??:0(__sanitizer_set_report_fd)[0x7f6d087796a2]
      ??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f6d0878424c]
      ??:0(__sanitizer_ptr_cmp)[0x7f6d087658ec]
      ??:0(__asan_on_error)[0x7f6d08765363]
      ??:0(__asan_report_store1)[0x7f6d087663ee]
      sql/field.h:2696(Field_long::reset())[0x55996dcdba92]
      sql/json_table.cc:1160(Table_function_json_table::setup(THD*, TABLE_LIST*, st_select_lex*))[0x55996db6977c]
      sql/sql_select.cc:1248(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55996d5b65ba]
      sql/sql_select.cc:4723(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55996d5dc223]
      sql/sql_select.cc:417(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55996d5ad822]
      sql/sql_parse.cc:6230(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55996d5179c2]
      sql/sql_parse.cc:3926(mysql_execute_command(THD*))[0x55996d506ca4]
      sql/sql_parse.cc:8000(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55996d522c6d]
      sql/sql_parse.cc:1888(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55996d4f96a8]
      sql/sql_parse.cc:1397(do_command(THD*, bool))[0x55996d4f63e3]
      sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x55996d937e85]
      sql/sql_connect.cc:1314(handle_one_connection)[0x55996d9377e2]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55996e64208b]
      nptl/pthread_create.c:478(start_thread)[0x7f6d0820b609]
      ??:0(clone)[0x7f6d07ddf293]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62b000038440): SELECT * FROM JSON_TABLE(CONVERT('{"x":1}' USING utf8mb4), '$' COLUMNS(a INT PATH '$', b CHAR(64) PATH '$.*', c INT EXISTS PATH '$**.*')) AS jt
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
       
      The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
      information that should help you find out what is causing the crash.
      Writing a core file...
      Working directory at /dev/shm/var_auto_Mb41/mysqld.1/data
      Resource Limits:
      Limit                     Soft Limit           Hard Limit           Units     
      Max cpu time              unlimited            unlimited            seconds   
      Max file size             unlimited            unlimited            bytes     
      Max data size             unlimited            unlimited            bytes     
      Max stack size            8388608              unlimited            bytes     
      Max core file size        unlimited            unlimited            bytes     
      Max resident set          unlimited            unlimited            bytes     
      Max processes             385874               385874               processes 
      Max open files            1024                 1024                 files     
      Max locked memory         67108864             67108864             bytes     
      Max address space         unlimited            unlimited            bytes     
      Max file locks            unlimited            unlimited            locks     
      Max pending signals       385874               385874               signals   
      Max msgqueue size         819200               819200               bytes     
      Max nice priority         0                    0                    
      Max realtime priority     0                    0                    
      Max realtime timeout      unlimited            unlimited            us        
      Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              holyfoot Alexey Botchkov
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: