Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.7, 10.8, 10.9, 10.10, 10.11
-
None
-
None
Description
--source include/have_innodb.inc
|
|
|
CREATE TABLE t1 ( |
i text CHARACTER SET utf8mb4 COLLATE utf8mb4_bin |
) ENGINE=InnoDB DEFAULT CHARSET=latin1; |
|
|
INSERT INTO t1 VALUES ('0'),('1'); |
|
|
select json_normalize(i) from t1; |
#UPDATE t1 SET i = json_normalize(i); |
|
10.7 ddf511c44dcddaa153f6b0b3 |
Version: '10.7.5-MariaDB-debug-log'
|
=================================================================
|
==338114==ERROR: AddressSanitizer: use-after-poison on address 0x6290002ee2a1 at pc 0x559ca936b4f0 bp 0x7f6a54b10f90 sp 0x7f6a54b10f80
|
READ of size 1 at 0x6290002ee2a1 thread T11
|
#0 0x559ca936b4ef in json_normalize_number /10.7/src/strings/json_normalize.c:151
|
#1 0x559ca936ce57 in json_norm_value_number_init /10.7/src/strings/json_normalize.c:517
|
#2 0x559ca936d14b in json_norm_value_init /10.7/src/strings/json_normalize.c:586
|
#3 0x559ca936e3be in json_norm_build /10.7/src/strings/json_normalize.c:771
|
#4 0x559ca936e893 in json_normalize /10.7/src/strings/json_normalize.c:835
|
#5 0x559ca7b4d9b4 in Item_func_json_normalize::val_str(String*) /10.7/src/sql/item_jsonfunc.cc:4005
|
#6 0x559ca7bbd1c3 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /10.7/src/sql/sql_type.cc:7467
|
#7 0x559ca79b04a5 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /10.7/src/sql/sql_type.h:5454
|
#8 0x559ca71c2203 in Item::send(Protocol*, st_value*) /10.7/src/sql/item.h:1227
|
#9 0x559ca727afee in Protocol::send_result_set_row(List<Item>*) /10.7/src/sql/protocol.cc:1328
|
#10 0x559ca7424d07 in select_send::send_data(List<Item>&) /10.7/src/sql/sql_class.cc:3103
|
#11 0x559ca77424b8 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /10.7/src/sql/sql_class.h:5653
|
#12 0x559ca76fd6a9 in end_send /10.7/src/sql/sql_select.cc:22490
|
#13 0x559ca76f56f1 in evaluate_join_record /10.7/src/sql/sql_select.cc:21484
|
#14 0x559ca76f3fb6 in sub_select(JOIN*, st_join_table*, bool) /10.7/src/sql/sql_select.cc:21254
|
#15 0x559ca76f1fc9 in do_select /10.7/src/sql/sql_select.cc:20799
|
#16 0x559ca767deb7 in JOIN::exec_inner() /10.7/src/sql/sql_select.cc:4762
|
#17 0x559ca767b3b7 in JOIN::exec() /10.7/src/sql/sql_select.cc:4540
|
#18 0x559ca767f926 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.7/src/sql/sql_select.cc:5020
|
#19 0x559ca764fbda in handle_select(THD*, LEX*, select_result*, unsigned long) /10.7/src/sql/sql_select.cc:554
|
#20 0x559ca7575712 in execute_sqlcom_select /10.7/src/sql/sql_parse.cc:6252
|
#21 0x559ca7564335 in mysql_execute_command(THD*, bool) /10.7/src/sql/sql_parse.cc:3943
|
#22 0x559ca7580996 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.7/src/sql/sql_parse.cc:8027
|
#23 0x559ca7556c38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.7/src/sql/sql_parse.cc:1894
|
#24 0x559ca75539ad in do_command(THD*, bool) /10.7/src/sql/sql_parse.cc:1407
|
#25 0x559ca79f84cf in do_handle_one_connection(CONNECT*, bool) /10.7/src/sql/sql_connect.cc:1418
|
#26 0x559ca79f7d5b in handle_one_connection /10.7/src/sql/sql_connect.cc:1312
|
#27 0x559ca85f5283 in pfs_spawn_thread /10.7/src/storage/perfschema/pfs.cc:2201
|
#28 0x7f6a6398a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#29 0x7f6a6355b132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x6290002ee2a1 is located 161 bytes inside of 16536-byte region [0x6290002ee200,0x6290002f2298)
|
allocated by thread T11 here:
|
#0 0x7f6a63f16808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
|
#1 0x559ca884cb12 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /10.7/src/storage/innobase/include/ut0new.h:375
|
#2 0x559ca8a30209 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /10.7/src/storage/innobase/mem/mem0mem.cc:277
|
#3 0x559ca8c09e58 in mem_heap_create_func /10.7/src/storage/innobase/include/mem0mem.inl:377
|
#4 0x559ca8c20591 in row_sel_store_mysql_field /10.7/src/storage/innobase/row/row0sel.cc:3060
|
#5 0x559ca8c216ac in row_sel_store_mysql_rec /10.7/src/storage/innobase/row/row0sel.cc:3206
|
#6 0x559ca8c31257 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.7/src/storage/innobase/row/row0sel.cc:5673
|
#7 0x559ca87f64d7 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.7/src/storage/innobase/handler/ha_innodb.cc:9057
|
#8 0x559ca87f9819 in ha_innobase::index_first(unsigned char*) /10.7/src/storage/innobase/handler/ha_innodb.cc:9426
|
#9 0x559ca87f9da9 in ha_innobase::rnd_next(unsigned char*) /10.7/src/storage/innobase/handler/ha_innodb.cc:9519
|
#10 0x559ca7e27030 in handler::ha_rnd_next(unsigned char*) /10.7/src/sql/handler.cc:3414
|
#11 0x559ca7288a9f in rr_sequential(READ_RECORD*) /10.7/src/sql/records.cc:519
|
#12 0x559ca7255823 in READ_RECORD::read_record() /10.7/src/sql/records.h:81
|
#13 0x559ca76faf66 in join_init_read_record(st_join_table*) /10.7/src/sql/sql_select.cc:22248
|
#14 0x559ca76f3dfa in sub_select(JOIN*, st_join_table*, bool) /10.7/src/sql/sql_select.cc:21251
|
#15 0x559ca76f1fc9 in do_select /10.7/src/sql/sql_select.cc:20799
|
#16 0x559ca767deb7 in JOIN::exec_inner() /10.7/src/sql/sql_select.cc:4762
|
#17 0x559ca767b3b7 in JOIN::exec() /10.7/src/sql/sql_select.cc:4540
|
#18 0x559ca767f926 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.7/src/sql/sql_select.cc:5020
|
#19 0x559ca764fbda in handle_select(THD*, LEX*, select_result*, unsigned long) /10.7/src/sql/sql_select.cc:554
|
#20 0x559ca7575712 in execute_sqlcom_select /10.7/src/sql/sql_parse.cc:6252
|
#21 0x559ca7564335 in mysql_execute_command(THD*, bool) /10.7/src/sql/sql_parse.cc:3943
|
#22 0x559ca7580996 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.7/src/sql/sql_parse.cc:8027
|
#23 0x559ca7556c38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.7/src/sql/sql_parse.cc:1894
|
#24 0x559ca75539ad in do_command(THD*, bool) /10.7/src/sql/sql_parse.cc:1407
|
#25 0x559ca79f84cf in do_handle_one_connection(CONNECT*, bool) /10.7/src/sql/sql_connect.cc:1418
|
#26 0x559ca79f7d5b in handle_one_connection /10.7/src/sql/sql_connect.cc:1312
|
#27 0x559ca85f5283 in pfs_spawn_thread /10.7/src/storage/perfschema/pfs.cc:2201
|
#28 0x7f6a6398a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T11 created by T0 here:
|
#0 0x7f6a63e43815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
|
#1 0x559ca85f0e60 in my_thread_create /10.7/src/storage/perfschema/my_thread.h:52
|
#2 0x559ca85f5676 in pfs_spawn_thread_v1 /10.7/src/storage/perfschema/pfs.cc:2252
|
#3 0x559ca7198c48 in inline_mysql_thread_create /10.7/src/include/mysql/psi/mysql_thread.h:1139
|
#4 0x559ca71b0c2f in create_thread_to_handle_connection(CONNECT*) /10.7/src/sql/mysqld.cc:6008
|
#5 0x559ca71b12ab in create_new_thread(CONNECT*) /10.7/src/sql/mysqld.cc:6067
|
#6 0x559ca71b1618 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.7/src/sql/mysqld.cc:6129
|
#7 0x559ca71b1fed in handle_connections_sockets() /10.7/src/sql/mysqld.cc:6253
|
#8 0x559ca71b043c in mysqld_main(int, char**) /10.7/src/sql/mysqld.cc:5903
|
#9 0x559ca7197f6c in main /10.7/src/sql/main.cc:34
|
#10 0x7f6a63460082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: use-after-poison /10.7/src/strings/json_normalize.c:151 in json_normalize_number
|
Shadow bytes around the buggy address:
|
0x0c5280055c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280055c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280055c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280055c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c5280055c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0c5280055c50: 00 00 00 f7[01]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280055c60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280055c70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280055c80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280055c90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
0x0c5280055ca0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==338114==ABORTING
|
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
MDEV-16375 Add JSON_NORMALIZE function to normalize JSON values
-
- Closed
-