Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Description
Possibly (though likely not) related to MDEV-11464.
SELECT JSON_VALID ('{"开源数据库":"MariaDB"}');
Leads to:
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
/test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: index 24320 out of bounds for type 'json_string_char_classes [128]'
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
#0 0x56352c145f0e in skip_key /test/10.7_opt_san/strings/json_lib.c:844
#1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
#2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
#3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
#4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
#5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
#6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
#7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
#8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
#9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
#10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
#11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
#12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
#13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
/test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: load of address 0x563534f2bca0 with insufficient space for an object of type 'json_string_char_classes'
0x563534f2bca0: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
#0 0x56352c146021 in skip_key /test/10.7_opt_san/strings/json_lib.c:844
#1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
#2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
#3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
#4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
#5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
#6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
#7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
#8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
#9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
#10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
#11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
#12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
#13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)
#0 0x56436f81f8bb in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
#1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
#2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
#3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
#4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
#5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
#6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
#7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
#8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
#9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
#10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
#11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
#12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
#13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
#14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
#15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
#16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
/test/10.7_dbg_san/strings/json_lib.c:844:25: runtime error: load of address 0x564379283dc0 with insufficient space for an object of type 'json_string_char_classes'
0x564379283dc0: note: pointer points here
00 00 00 00 00 11 28 79 43 56 00 00 20 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 60 67 28 70
^
#0 0x56436f81f8d5 in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
#1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
#2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
#3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
#4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
#5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
#6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
#7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
#8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
#9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
#10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
#11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
#12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
#13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
#14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
#15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
#16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
export UBSAN_OPTIONS=print_stacktrace=1
Bug confirmed present in:
MariaDB: 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt)
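The out-of-bounds index UBSAN reports, 24320, is 0x5F00: the code point of 开, the first character of the key in the reproducer. That reading of the trace is this editor's, not the reporter's, but it matches the message exactly: a 128-entry per-character class table was indexed with a decoded multi-byte code point instead of an ASCII byte. The C program below is an added example, not MariaDB's json_lib.c or any code from the report. It shows the pattern a string scanner needs to avoid this class of read: decode UTF-8 to a code point first, and consult the ASCII class table only when the code point is below 128, treating everything else as an ordinary string character. The class table, its values and all function names are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 128-entry json_string_char_classes table that
   the trace indexes; the real table's layout and names are not reproduced. */
enum jc { JC_OTHER = 0, JC_QUOTE, JC_ESC, JC_CTRL };

static enum jc ascii_class(uint32_t cp)          /* precondition: cp < 128 */
{
    static unsigned char table[128];
    static int ready;
    if (!ready) {
        for (int i = 0; i < 128; i++)
            table[i] = (i < 0x20) ? JC_CTRL : JC_OTHER;
        table['"'] = JC_QUOTE;
        table['\\'] = JC_ESC;
        ready = 1;
    }
    return (enum jc) table[cp];
}

/* Classify a decoded code point. Non-ASCII never reaches the 128-entry table:
   without this guard, U+5F00 (decimal 24320, the first character of the
   report's key) becomes the index, which is the read UBSAN flagged. */
enum jc json_char_class(uint32_t cp)
{
    return cp < 128 ? ascii_class(cp) : JC_OTHER;
}

/* Decode one UTF-8 sequence at s (s < end). Returns bytes consumed, or 0 for a
   malformed, truncated, overlong or surrogate sequence, or one above U+10FFFF. */
size_t utf8_decode(const unsigned char *s, const unsigned char *end, uint32_t *cp)
{
    uint32_t c = s[0];
    size_t len;
    if (c < 0x80)                  len = 1;
    else if ((c & 0xE0) == 0xC0) { len = 2; c &= 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; c &= 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; c &= 0x07; }
    else return 0;                 /* stray continuation byte or 0xF8..0xFF */
    if ((size_t) (end - s) < len)
        return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if ((len == 2 && c < 0x80) || (len == 3 && c < 0x800) ||
        (len == 4 && c < 0x10000) || c > 0x10FFFF || (c - 0xD800) < 0x800)
        return 0;
    *cp = c;
    return len;
}

/* Scan a JSON string body starting just after its opening quote. Returns the
   body length in bytes (offset of the closing quote), or -1 if the string is
   unterminated or contains a raw control character, invalid UTF-8 or a bad escape. */
long scan_string_body(const char *str, size_t len)
{
    const unsigned char *s = (const unsigned char *) str, *end = s + len, *p = s;
    while (p < end) {
        uint32_t cp;
        size_t n = utf8_decode(p, end, &cp);
        if (n == 0)
            return -1;
        switch (json_char_class(cp)) {
        case JC_QUOTE:
            return (long) (p - s);
        case JC_CTRL:
            return -1;
        case JC_ESC:
            if (end - p >= 2 && p[1] != '\0' && strchr("\"\\/bfnrt", p[1])) {
                n = 2;                            /* simple escape, e.g. \" */
            } else if (end - p >= 6 && p[1] == 'u' && isxdigit(p[2]) &&
                       isxdigit(p[3]) && isxdigit(p[4]) && isxdigit(p[5])) {
                n = 6;                            /* \uXXXX escape */
            } else {
                return -1;
            }
            break;
        default:
            break;
        }
        p += n;
    }
    return -1;                                    /* no closing quote */
}

int main(void)
{
    /* The key of the report's reproducer: five CJK characters, 15 bytes. */
    const char *rest = "开源数据库\":\"MariaDB\"}";
    printf("key body length: %ld\n", scan_string_body(rest, strlen(rest)));
    printf("class of U+5F00: %d (JC_OTHER is %d)\n", json_char_class(0x5F00), JC_OTHER);
    return 0;
}
```

The decoder rejects truncated and overlong sequences before classification, so a malformed byte sequence is reported as invalid input rather than being turned into an unexpected table index; the `cp < 128` guard then bounds every table access by construction, which is the property a sanitizer build such as the one described in the setup above would otherwise have to catch at run time.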
Issue Links
- relates to: MDEV-25454 Make MariaDB server UBSAN safe (Confirmed)