[MDEV-31599] Assertion `0' failed in Item_param::can_return_value from Item::val_json, UBSAN: member access within null pointer of type 'struct String' in sql/item_jsonfunc.cc - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 11.1(EOL)
Fix Version/s: 11.1.4, 11.2.2
Component/s: JSON, Prepared Statements
Labels:
- UBSAN
- regression-11.1

Description

PREPARE s FROM 'SELECT JSON_SCHEMA_VALID (?,''{}'') FROM DUAL';

Leads to:

11.1.2 3883eb63dc5e663558571c33d086c9fd3aa0cf8f (Debug)
mariadbd: /test/11.1_dbg/sql/item.cc:4554: bool Item_param::can_return_value() const: Assertion `0' failed.

11.1.2 3883eb63dc5e663558571c33d086c9fd3aa0cf8f (Debug)
Core was generated by `/test/MD220623-mariadb-11.1.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=22369733826112)
at ./nptl/pthread_kill.c:44
[Current thread is 1 (Thread 0x14585c09d640 (LWP 2896294))]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=22369733826112) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=22369733826112) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=22369733826112, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x0000145879642476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00001458796287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000014587962871b in __assert_fail_base (fmt=0x1458797dd150 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5576162e7e66 "0", file=0x5576162cfd72 "/test/11.1_dbg/sql/item.cc", line=4554, function=<optimized out>) at ./assert/assert.c:92
#6 0x0000145879639e96 in __GI___assert_fail (assertion=0x5576162e7e66 "0", file=0x5576162cfd72 "/test/11.1_dbg/sql/item.cc", line=4554, function=0x5576162cf338 "bool Item_param::can_return_value() const") at ./assert/assert.c:101
#7 0x000055761590db0a in Item_param::can_return_value (this=this@entry=0x1457dc01d930) at /test/11.1_dbg/sql/item.cc:4554
#8 0x0000557615920b36 in Item_param::val_str (this=0x1457dc01d930, str=0x1457dc01dc68) at /test/11.1_dbg/sql/item.h:4234
#9 0x00005576154e8709 in Item::val_json (this=<optimized out>, str=<optimized out>) at /test/11.1_dbg/sql/item.h:1672
#10 0x00005576157cd775 in Item_func_json_schema_valid::fix_length_and_dec (this=0x1457dc01dbb0, thd=0x1457dc000d58) at /test/11.1_dbg/sql/item_jsonfunc.cc:4803
#11 0x00005576159695af in Item_func::fix_fields (this=0x1457dc01dbb0, thd=0x1457dc000d58, ref=<optimized out>) at /test/11.1_dbg/sql/item_func.cc:361
#12 0x000055761558a9a8 in Item::fix_fields_if_needed (ref=0x1457dc01dcf0, thd=0x1457dc000d58, this=0x1457dc01dbb0) at /test/11.1_dbg/sql/item.h:1147
#13 Item::fix_fields_if_needed_for_scalar (ref=0x1457dc01dcf0, thd=0x1457dc000d58, this=0x1457dc01dbb0) at /test/11.1_dbg/sql/item.h:1156
#14 setup_fields (thd=0x1457dc000d58, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=<optimized out>, sum_func_list=sum_func_list@entry=0x1457dc0138e0, pre_fix=0x1457dc01d730, allow_sum_func=true) at /test/11.1_dbg/sql/sql_base.cc:8056
#15 0x0000557615679bc3 in JOIN::prepare (this=this@entry=0x1457dc013530, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x1457dc01d460, unit_arg=0x1457dc01b808) at /test/11.1_dbg/sql/sql_select.cc:1525
#16 0x00005576156f7d96 in st_select_lex_unit::prepare_join (this=this@entry=0x1457dc01b808, thd_arg=0x1457dc000d58, sl=sl@entry=0x1457dc01d460, tmp_result=tmp_result@entry=0x0, additional_options=additional_options@entry=0, is_union_select=is_union_select@entry=false) at /test/11.1_dbg/sql/sql_union.cc:1103
#17 0x00005576156fb8e5 in st_select_lex_unit::prepare (this=this@entry=0x1457dc01b808, derived_arg=0x0, sel_result=sel_result@entry=0x0, additional_options=additional_options@entry=0) at /test/11.1_dbg/sql/sql_union.cc:1583
#18 0x000055761562b57b in mysql_test_select (tables=0x0, stmt=0x1457dc019268) at /test/11.1_dbg/sql/sql_prepare.cc:1456
#19 check_prepared_statement (stmt=0x1457dc019268) at /test/11.1_dbg/sql/sql_prepare.cc:2289
#20 Prepared_statement::prepare (this=this@entry=0x1457dc019268, packet=<optimized out>, packet_len=<optimized out>) at /test/11.1_dbg/sql/sql_prepare.cc:4199
#21 0x000055761562ff1e in mysql_sql_stmt_prepare (thd=thd@entry=0x1457dc000d58) at /test/11.1_dbg/sql/sql_prepare.cc:2793
#22 0x00005576156012d6 in mysql_execute_command (thd=thd@entry=0x1457dc000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3955
#23 0x0000557615607849 in mysql_parse (thd=thd@entry=0x1457dc000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14585c09c240) at /test/11.1_dbg/sql/sql_parse.cc:7769
#24 0x00005576156099dd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1457dc000d58, packet=packet@entry=0x1457dc00ae69 "PREPARE s FROM 'SELECT JSON_SCHEMA_VALID (?,''{}'') FROM DUAL'", packet_length=packet_length@entry=62, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242
#25 0x000055761560b8bc in do_command (thd=0x1457dc000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#26 0x0000557615761010 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x557618faba18, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#27 0x000055761576126f in handle_one_connection (arg=0x557618faba18) at /test/11.1_dbg/sql/sql_connect.cc:1318
#28 0x0000145879694b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#29 0x0000145879726a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

11.1.0 4e5b771e980edfdad5c5414aa62c81d409d585a4 (Optimized, UBASAN)
/test/11.1_opt_san/sql/item_jsonfunc.cc:4811:42: runtime error: member access within null pointer of type 'struct String'
#0 0x5600a26c62c5 in Item_func_json_schema_valid::fix_length_and_dec(THD*) /test/11.1_opt_san/sql/item_jsonfunc.cc:4811
#1 0x5600a34cb542 in Item_func::fix_fields(THD, Item*) /test/11.1_opt_san/sql/item_func.cc:361
#2 0x5600a16bf668 in Item::fix_fields_if_needed(THD, Item*) /test/11.1_opt_san/sql/item.h:1147
#3 0x5600a16bf668 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /test/11.1_opt_san/sql/item.h:1156
#4 0x5600a16bf668 in setup_fields(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /test/11.1_opt_san/sql/sql_base.cc:8034
#5 0x5600a1de7756 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/11.1_opt_san/sql/sql_select.cc:1489
#6 0x5600a2166e1c in st_select_lex_unit::prepare_join(THD, st_select_lex, select_result*, unsigned long long, bool) /test/11.1_opt_san/sql/sql_union.cc:1100
#7 0x5600a217fc36 in st_select_lex_unit::prepare(TABLE_LIST, select_result, unsigned long long) /test/11.1_opt_san/sql/sql_union.cc:1496
#8 0x5600a1babb9a in mysql_test_select /test/11.1_opt_san/sql/sql_prepare.cc:1456
#9 0x5600a1babb9a in check_prepared_statement /test/11.1_opt_san/sql/sql_prepare.cc:2289
#10 0x5600a1babb9a in Prepared_statement::prepare(char const*, unsigned int) /test/11.1_opt_san/sql/sql_prepare.cc:4199
#11 0x5600a1bd87cd in mysql_sql_stmt_prepare(THD*) /test/11.1_opt_san/sql/sql_prepare.cc:2793
#12 0x5600a1abe71f in mysql_execute_command(THD*, bool) /test/11.1_opt_san/sql/sql_parse.cc:3955
#13 0x5600a1ad0de2 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.1_opt_san/sql/sql_parse.cc:7760
#14 0x5600a1adf715 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.1_opt_san/sql/sql_parse.cc:1892
#15 0x5600a1ae8028 in do_command(THD*, bool) /test/11.1_opt_san/sql/sql_parse.cc:1405
#16 0x5600a23f4a5c in do_handle_one_connection(CONNECT*, bool) /test/11.1_opt_san/sql/sql_connect.cc:1416
#17 0x5600a23f705c in handle_one_connection /test/11.1_opt_san/sql/sql_connect.cc:1318
#18 0x14d199294b42 in start_thread nptl/pthread_create.c:442
#19 0x14d1993269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

230701 15:27:30 [ERROR] mysqld got signal 11 ;

Crash confirmed present in:
MariaDB: 11.1.2 (dbg), 11.1.2 (opt)

UBSAN issue confirmed present in:
MariaDB: 11.1.2 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)

Attachments

Issue Links

is caused by

MDEV-27128 Implement JSON Schema Validation FUNCTION

Closed

is duplicated by

MDEV-32074 SIGSEGV in Binary_string::ptr on PREPARE, UBSAN: member access within null pointer in Item_func_json_schema_valid::fix_length_and_dec

Closed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2023-09-02 04:49

Additional testcase from ~~MDEV-32074~~ (marked as duplicate):

PREPARE s FROM 'SELECT JSON_SCHEMA_VALID (?,''{}'')';

Repeat till it crashes. Deemed to be lightly sporadic. Leads to:

11.3.0 7ba9c7fb84b5f28e4736656b57d9508b70ca6369 (Optimized)
Core was generated by `/test/MD020923-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Binary_string::ptr (this=0x8)
at /test/git-bisect/11.3_opt/sql/sql_string.h:359
359 inline const char *ptr() const { return Ptr; }
[Current thread is 1 (Thread 0x14c3d1f35640 (LWP 3182442))]
(gdb) bt
#0 Binary_string::ptr (this=0x8) at /test/git-bisect/11.3_opt/sql/sql_string.h:359
#1 Item_func_json_schema_valid::fix_length_and_dec (this=0x14c38001b280, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/item_jsonfunc.cc:4825
#2 0x000056315170ab44 in Item_func::fix_fields (ref=<optimized out>, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item_func.cc:361
#3 Item_func::fix_fields (this=0x14c38001b280, thd=0x14c380000c68, ref=<optimized out>) at /test/git-bisect/11.3_opt/sql/item_func.cc:316
#4 0x00005631513c276f in Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1147
#5 Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1145
#6 Item::fix_fields_if_needed_for_scalar (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1156
#7 setup_fields (thd=thd@entry=0x14c380000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=<optimized out>, sum_func_list=sum_func_list@entry=0x14c380010fa0, pre_fix=0x14c38001ae08, allow_sum_func=true) at /test/git-bisect/11.3_opt/sql/sql_base.cc:8061
#8 0x0000563151496087 in JOIN::prepare (this=this@entry=0x14c380010bf8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14c38001ab38, unit_arg=0x14c380018ec8) at /test/git-bisect/11.3_opt/sql/sql_select.cc:1526
#9 0x00005631514faea4 in st_select_lex_unit::prepare_join (this=0x14c380018ec8, thd_arg=0x14c380000c68, sl=0x14c38001ab38, tmp_result=0x0, additional_options=<optimized out>, is_union_select=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1103
#10 0x00005631514fdc5c in st_select_lex_unit::prepare (this=this@entry=0x14c380018ec8, derived_arg=0x0, sel_result=sel_result@entry=0x0, additional_options=additional_options@entry=0) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1583
#11 0x0000563151450499 in mysql_test_select (tables=0x0, stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:1470
#12 check_prepared_statement (stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2303
#13 Prepared_statement::prepare (this=0x14c380016948, packet=<optimized out>, packet_len=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:4216
#14 0x00005631514546e4 in mysql_sql_stmt_prepare (thd=thd@entry=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2807
#15 0x000056315142fa64 in mysql_execute_command (thd=0x14c380000c68, is_called_from_prepared_stmt=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:3933
#16 0x0000563151431994 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7760
#17 mysql_parse (thd=0x14c380000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7682
#18 0x0000563151433fe2 in dispatch_command (command=COM_QUERY, thd=0x14c380000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1990
#19 0x0000563151435850 in do_command (thd=0x14c380000c68, blocking=blocking@entry=true) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1406
#20 0x0000563151552a37 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563155126b68, put_in_cache=put_in_cache@entry=true) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1445
#21 0x0000563151552d0d in handle_one_connection (arg=0x563155126b68) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1347
#22 0x000014c3ef894b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#23 0x000014c3ef926a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt), 11.3.0 (dbg), 11.3.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)

UBSAN sees a member access within null pointer of type 'struct String' in Item_func_json_schema_valid::fix_length_and_dec

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Optimized, UBASAN)
Version: '11.2.0-MariaDB' socket: '/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/socket.sock' port: 12392 MariaDB Server
/data/11.2_opt_san/sql/item_jsonfunc.cc:4819:42: runtime error: member access within null pointer of type 'struct String'
#0 0x55b19e443575 in Item_func_json_schema_valid::fix_length_and_dec(THD*) /data/11.2_opt_san/sql/item_jsonfunc.cc:4819
#1 0x55b19f2cbc02 in Item_func::fix_fields(THD, Item*) /data/11.2_opt_san/sql/item_func.cc:361
#2 0x55b19d427ee0 in Item::fix_fields_if_needed(THD, Item*) /data/11.2_opt_san/sql/item.h:1147
#3 0x55b19d427ee0 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /data/11.2_opt_san/sql/item.h:1156
#4 0x55b19d427ee0 in setup_fields(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /data/11.2_opt_san/sql/sql_base.cc:8064
#5 0x55b19db46375 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/11.2_opt_san/sql/sql_select.cc:1526
#6 0x55b19ded563c in st_select_lex_unit::prepare_join(THD, st_select_lex, select_result*, unsigned long long, bool) /data/11.2_opt_san/sql/sql_union.cc:1103
#7 0x55b19deefa66 in st_select_lex_unit::prepare(TABLE_LIST, select_result, unsigned long long) /data/11.2_opt_san/sql/sql_union.cc:1583
#8 0x55b19d909043 in mysql_test_select /data/11.2_opt_san/sql/sql_prepare.cc:1470
#9 0x55b19d909043 in check_prepared_statement /data/11.2_opt_san/sql/sql_prepare.cc:2303
#10 0x55b19d909043 in Prepared_statement::prepare(char const*, unsigned int) /data/11.2_opt_san/sql/sql_prepare.cc:4216
#11 0x55b19d93710d in mysql_sql_stmt_prepare(THD*) /data/11.2_opt_san/sql/sql_prepare.cc:2807
#12 0x55b19d81cd59 in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3955
#13 0x55b19d82dfc2 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
#14 0x55b19d8395e5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
#15 0x55b19d8451f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
#16 0x55b19e1664ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
#17 0x55b19e168aac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
#18 0x147d42c94b42 in start_thread nptl/pthread_create.c:442
#19 0x147d42d269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

230902 14:39:04 [ERROR] mysqld got signal 11 ;

Roel Van de Paar added a comment - 2023-09-02 04:49 Additional testcase from MDEV-32074 (marked as duplicate): PREPARE s FROM 'SELECT JSON_SCHEMA_VALID (?,' '{}' ')' ; Repeat till it crashes. Deemed to be lightly sporadic. Leads to: 11.3.0 7ba9c7fb84b5f28e4736656b57d9508b70ca6369 (Optimized) Core was generated by `/test/MD020923-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'. Program terminated with signal SIGSEGV, Segmentation fault. #0 Binary_string::ptr (this=0x8) at /test/git-bisect/11.3_opt/sql/sql_string.h:359 359 inline const char *ptr() const { return Ptr; } [Current thread is 1 (Thread 0x14c3d1f35640 (LWP 3182442))] (gdb) bt #0 Binary_string::ptr (this=0x8) at /test/git-bisect/11.3_opt/sql/sql_string.h:359 #1 Item_func_json_schema_valid::fix_length_and_dec (this=0x14c38001b280, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/item_jsonfunc.cc:4825 #2 0x000056315170ab44 in Item_func::fix_fields (ref=<optimized out>, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item_func.cc:361 #3 Item_func::fix_fields (this=0x14c38001b280, thd=0x14c380000c68, ref=<optimized out>) at /test/git-bisect/11.3_opt/sql/item_func.cc:316 #4 0x00005631513c276f in Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1147 #5 Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1145 #6 Item::fix_fields_if_needed_for_scalar (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1156 #7 setup_fields (thd=thd@entry=0x14c380000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=<optimized out>, sum_func_list=sum_func_list@entry=0x14c380010fa0, pre_fix=0x14c38001ae08, allow_sum_func=true) at /test/git-bisect/11.3_opt/sql/sql_base.cc:8061 #8 0x0000563151496087 in JOIN::prepare (this=this@entry=0x14c380010bf8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14c38001ab38, unit_arg=0x14c380018ec8) at /test/git-bisect/11.3_opt/sql/sql_select.cc:1526 #9 0x00005631514faea4 in st_select_lex_unit::prepare_join (this=0x14c380018ec8, thd_arg=0x14c380000c68, sl=0x14c38001ab38, tmp_result=0x0, additional_options=<optimized out>, is_union_select=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1103 #10 0x00005631514fdc5c in st_select_lex_unit::prepare (this=this@entry=0x14c380018ec8, derived_arg=0x0, sel_result=sel_result@entry=0x0, additional_options=additional_options@entry=0) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1583 #11 0x0000563151450499 in mysql_test_select (tables=0x0, stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:1470 #12 check_prepared_statement (stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2303 #13 Prepared_statement::prepare (this=0x14c380016948, packet=<optimized out>, packet_len=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:4216 #14 0x00005631514546e4 in mysql_sql_stmt_prepare (thd=thd@entry=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2807 #15 0x000056315142fa64 in mysql_execute_command (thd=0x14c380000c68, is_called_from_prepared_stmt=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:3933 #16 0x0000563151431994 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7760 #17 mysql_parse (thd=0x14c380000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7682 #18 0x0000563151433fe2 in dispatch_command (command=COM_QUERY, thd=0x14c380000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1990 #19 0x0000563151435850 in do_command (thd=0x14c380000c68, blocking=blocking@entry=true) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1406 #20 0x0000563151552a37 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563155126b68, put_in_cache=put_in_cache@entry=true) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1445 #21 0x0000563151552d0d in handle_one_connection (arg=0x563155126b68) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1347 #22 0x000014c3ef894b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442 #23 0x000014c3ef926a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Bug confirmed present in: MariaDB: 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt), 11.3.0 (dbg), 11.3.0 (opt) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt) MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt) UBSAN sees a member access within null pointer of type 'struct String' in Item_func_json_schema_valid::fix_length_and_dec 11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Optimized, UBASAN) Version: '11.2.0-MariaDB' socket: '/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/socket.sock' port: 12392 MariaDB Server /data/11.2_opt_san/sql/item_jsonfunc.cc:4819:42: runtime error: member access within null pointer of type 'struct String' #0 0x55b19e443575 in Item_func_json_schema_valid::fix_length_and_dec(THD*) /data/11.2_opt_san/sql/item_jsonfunc.cc:4819 #1 0x55b19f2cbc02 in Item_func::fix_fields(THD*, Item**) /data/11.2_opt_san/sql/item_func.cc:361 #2 0x55b19d427ee0 in Item::fix_fields_if_needed(THD*, Item**) /data/11.2_opt_san/sql/item.h:1147 #3 0x55b19d427ee0 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /data/11.2_opt_san/sql/item.h:1156 #4 0x55b19d427ee0 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /data/11.2_opt_san/sql/sql_base.cc:8064 #5 0x55b19db46375 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/11.2_opt_san/sql/sql_select.cc:1526 #6 0x55b19ded563c in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long long, bool) /data/11.2_opt_san/sql/sql_union.cc:1103 #7 0x55b19deefa66 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/11.2_opt_san/sql/sql_union.cc:1583 #8 0x55b19d909043 in mysql_test_select /data/11.2_opt_san/sql/sql_prepare.cc:1470 #9 0x55b19d909043 in check_prepared_statement /data/11.2_opt_san/sql/sql_prepare.cc:2303 #10 0x55b19d909043 in Prepared_statement::prepare(char const*, unsigned int) /data/11.2_opt_san/sql/sql_prepare.cc:4216 #11 0x55b19d93710d in mysql_sql_stmt_prepare(THD*) /data/11.2_opt_san/sql/sql_prepare.cc:2807 #12 0x55b19d81cd59 in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3955 #13 0x55b19d82dfc2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800 #14 0x55b19d8395e5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892 #15 0x55b19d8451f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405 #16 0x55b19e1664ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445 #17 0x55b19e168aac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347 #18 0x147d42c94b42 in start_thread nptl/pthread_create.c:442 #19 0x147d42d269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff) 230902 14:39:04 [ERROR] mysqld got signal 11 ;

Rucha Deodhar added a comment - 2023-09-18 19:29 - edited

Patch: https://github.com/MariaDB/server/commit/5d3e14d780a227d87ea2831481958ac4d5bbd905

Rucha Deodhar added a comment - 2023-09-18 19:29 - edited Patch: https://github.com/MariaDB/server/commit/5d3e14d780a227d87ea2831481958ac4d5bbd905

Alexey Botchkov added a comment - 2023-10-08 17:22

The fix looks correct.
But i'd really like to see a warning that we don't support the variable schema.

Alexey Botchkov added a comment - 2023-10-08 17:22 The fix looks correct. But i'd really like to see a warning that we don't support the variable schema.

Alexey Botchkov added a comment - 2023-11-06 13:23

ok to push.

Alexey Botchkov added a comment - 2023-11-06 13:23 ok to push.

MariaDB Server

Assertion `0' failed in Item_param::can_return_value from Item::val_json, UBSAN: member access within null pointer of type 'struct String' in sql/item_jsonfunc.cc

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration