[MDEV-31032] UBSAN|downcast of address X which does not point to an object of type 'Item_string' in sql/json_schema.cc - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 11.1(EOL)
Fix Version/s: 11.1.1
Component/s: JSON
Labels:
None

Description

SET @schema='{ "type":"object","patternProperties": { "^I_": {"type":"number"},"^S_" : {"type":"string"} } }';

SET SESSION sql_mode='empty_string_is_null';

SELECT JSON_SCHEMA_VALID (@schema,'{"key1":"val0","key2":0,"I_int":0,"S_":"abc","prop0":"str0"}');

Leads to

11.1.0 83a4449ab98b5b6f08e18833bf9dd3e61e96c680 (Debug, UBASAN)
/test/JSON/11.1_dbg_san/sql/json_schema.cc:2200:86: runtime error: downcast of address 0x6290000d9128 which does not point to an object of type 'Item_string'
0x6290000d9128: note: object is of type 'Item_null'
00 00 00 00 88 ad 93 07 50 56 00 00 00 00 00 00 00 00 00 00 20 be bb 0f 50 56 00 00 06 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_null'
#0 0x56500309d6a7 in Json_schema_pattern_properties::handle_keyword(THD, st_json_engine_t, char const, char const, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2200
#1 0x56500309ac6b in create_object_and_handle_keyword(THD, st_json_engine_t, List<Json_schema_keyword>, List<Json_schema_keyword>) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2759

Setup

Compiled with GCC 9.4.0

-DWITH_UBSAN=ON -DCMAKE_CXX_FLAGS=-static-libasan

Attachments

Issue Links

is caused by

MDEV-27128 Implement JSON Schema Validation FUNCTION

Closed

Activity

Ascending order - Click to sort in descending order

Ramesh Sivaraman added a comment - 2023-04-10 10:55 - edited

Runtime error is also present when using simple pattern in JSON schema with sql_mode change.

SET @property_names='{ "PropertyNames":{ "pattern": "^I_" } }';

SET GLOBAL sql_mode=17179869183;

SET @@sql_mode=DEFAULT;

SELECT JSON_SCHEMA_VALID(@property_names, '{"I_int1":3, "I_ob1":{"key1":"val1"}}');

Leads to

11.1.0 83a4449ab98b5b6f08e18833bf9dd3e61e96c680 (Debug, UBASAN)
2023-04-10 13:44:01 0 [Note] /test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd: ready for connections.
Version: '11.1.0-MariaDB-debug' socket: '/test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/socket.sock' port: 12126 MariaDB Server
/test/JSON/11.1_dbg_san/sql/json_schema.cc:912:61: runtime error: downcast of address 0x6290000d91a0 which does not point to an object of type 'Item_string'
0x6290000d91a0: note: object is of type 'Item_null'
00 00 00 00 88 ed 5f 4b 20 56 00 00 00 00 00 00 00 00 00 00 20 fe 87 53 20 56 00 00 06 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Item_null'
#0 0x562046d31297 in Json_schema_pattern::handle_keyword(THD, st_json_engine_t, char const, char const, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:912
#1 0x562046d5ec6b in create_object_and_handle_keyword(THD, st_json_engine_t, List<Json_schema_keyword>, List<Json_schema_keyword>) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2759

Ramesh Sivaraman added a comment - 2023-04-10 10:55 - edited Runtime error is also present when using simple pattern in JSON schema with sql_mode change. SET @property_names= '{ "PropertyNames":{ "pattern": "^I_" } }' ; SET GLOBAL sql_mode=17179869183; SET @@sql_mode= DEFAULT ; SELECT JSON_SCHEMA_VALID(@property_names, '{"I_int1":3, "I_ob1":{"key1":"val1"}}' ); Leads to 11.1.0 83a4449ab98b5b6f08e18833bf9dd3e61e96c680 (Debug, UBASAN) 2023-04-10 13:44:01 0 [Note] /test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd: ready for connections. Version: '11.1.0-MariaDB-debug' socket: '/test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/socket.sock' port: 12126 MariaDB Server /test/JSON/11.1_dbg_san/sql/json_schema.cc:912:61: runtime error: downcast of address 0x6290000d91a0 which does not point to an object of type 'Item_string' 0x6290000d91a0: note: object is of type 'Item_null' 00 00 00 00 88 ed 5f 4b 20 56 00 00 00 00 00 00 00 00 00 00 20 fe 87 53 20 56 00 00 06 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Item_null' #0 0x562046d31297 in Json_schema_pattern::handle_keyword(THD*, st_json_engine_t*, char const*, char const*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:912 #1 0x562046d5ec6b in create_object_and_handle_keyword(THD*, st_json_engine_t*, List<Json_schema_keyword>*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2759

Rucha Deodhar added a comment - 2023-04-17 12:29

Patch: https://github.com/MariaDB/server/tree/bb-MDEV-31032-json_schema

Rucha Deodhar added a comment - 2023-04-17 12:29 Patch: https://github.com/MariaDB/server/tree/bb-MDEV-31032-json_schema

Alexey Botchkov added a comment - 2023-04-20 11:01

ok to push.

Alexey Botchkov added a comment - 2023-04-20 11:01 ok to push.

Rucha Deodhar added a comment - 2023-04-21 08:58

pushed to https://github.com/MariaDB/server/tree/bb-10.12-MDEV-27128

Rucha Deodhar added a comment - 2023-04-21 08:58 pushed to https://github.com/MariaDB/server/tree/bb-10.12-MDEV-27128