[MDEV-32074] SIGSEGV in Binary_string::ptr on PREPARE, UBSAN: member access within null pointer in Item_func_json_schema_valid::fix_length_and_dec - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 11.1, 11.2, 11.3
Fix Version/s: N/A
Component/s: Character Sets, JSON
Labels:
- UBSAN
- regression-11.1

Description

PREPARE s FROM 'SELECT JSON_SCHEMA_VALID (?,''{}'')';

Repeat till it crashes. Deemed to be lightly sporadic. Leads to:

11.3.0 7ba9c7fb84b5f28e4736656b57d9508b70ca6369 (Optimized)
Core was generated by `/test/MD020923-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 Binary_string::ptr (this=0x8)
at /test/git-bisect/11.3_opt/sql/sql_string.h:359
359 inline const char *ptr() const { return Ptr; }
[Current thread is 1 (Thread 0x14c3d1f35640 (LWP 3182442))]
(gdb) bt
#0 Binary_string::ptr (this=0x8) at /test/git-bisect/11.3_opt/sql/sql_string.h:359
#1 Item_func_json_schema_valid::fix_length_and_dec (this=0x14c38001b280, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/item_jsonfunc.cc:4825
#2 0x000056315170ab44 in Item_func::fix_fields (ref=<optimized out>, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item_func.cc:361
#3 Item_func::fix_fields (this=0x14c38001b280, thd=0x14c380000c68, ref=<optimized out>) at /test/git-bisect/11.3_opt/sql/item_func.cc:316
#4 0x00005631513c276f in Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1147
#5 Item::fix_fields_if_needed (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1145
#6 Item::fix_fields_if_needed_for_scalar (ref=0x14c38001b3c0, thd=0x14c380000c68, this=0x14c38001b280) at /test/git-bisect/11.3_opt/sql/item.h:1156
#7 setup_fields (thd=thd@entry=0x14c380000c68, ref_pointer_array=<optimized out>, fields=<optimized out>, column_usage=<optimized out>, sum_func_list=sum_func_list@entry=0x14c380010fa0, pre_fix=0x14c38001ae08, allow_sum_func=true) at /test/git-bisect/11.3_opt/sql/sql_base.cc:8061
#8 0x0000563151496087 in JOIN::prepare (this=this@entry=0x14c380010bf8, tables_init=<optimized out>, conds_init=<optimized out>, og_num=<optimized out>, order_init=<optimized out>, skip_order_by=<optimized out>, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x14c38001ab38, unit_arg=0x14c380018ec8) at /test/git-bisect/11.3_opt/sql/sql_select.cc:1526
#9 0x00005631514faea4 in st_select_lex_unit::prepare_join (this=0x14c380018ec8, thd_arg=0x14c380000c68, sl=0x14c38001ab38, tmp_result=0x0, additional_options=<optimized out>, is_union_select=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1103
#10 0x00005631514fdc5c in st_select_lex_unit::prepare (this=this@entry=0x14c380018ec8, derived_arg=0x0, sel_result=sel_result@entry=0x0, additional_options=additional_options@entry=0) at /test/git-bisect/11.3_opt/sql/sql_union.cc:1583
#11 0x0000563151450499 in mysql_test_select (tables=0x0, stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:1470
#12 check_prepared_statement (stmt=0x14c380016948) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2303
#13 Prepared_statement::prepare (this=0x14c380016948, packet=<optimized out>, packet_len=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:4216
#14 0x00005631514546e4 in mysql_sql_stmt_prepare (thd=thd@entry=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_prepare.cc:2807
#15 0x000056315142fa64 in mysql_execute_command (thd=0x14c380000c68, is_called_from_prepared_stmt=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:3933
#16 0x0000563151431994 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14c380000c68) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7760
#17 mysql_parse (thd=0x14c380000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:7682
#18 0x0000563151433fe2 in dispatch_command (command=COM_QUERY, thd=0x14c380000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1990
#19 0x0000563151435850 in do_command (thd=0x14c380000c68, blocking=blocking@entry=true) at /test/git-bisect/11.3_opt/sql/sql_parse.cc:1406
#20 0x0000563151552a37 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563155126b68, put_in_cache=put_in_cache@entry=true) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1445
#21 0x0000563151552d0d in handle_one_connection (arg=0x563155126b68) at /test/git-bisect/11.3_opt/sql/sql_connect.cc:1347
#22 0x000014c3ef894b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#23 0x000014c3ef926a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt), 11.3.0 (dbg), 11.3.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)

Attachments

Issue Links

duplicates

MDEV-31599 Assertion `0' failed in Item_param::can_return_value from Item::val_json, UBSAN: member access within null pointer of type 'struct String' in sql/item_jsonfunc.cc

Closed

Activity

People

Assignee:: Rucha Deodhar

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-09-02 04:42

Updated:: 2023-09-02 05:49

Resolved:: 2023-09-02 04:48

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.