[MDEV-33369] ASAN errors in Item_func_json_schema_valid::cleanup upon using JSON_SCHEMA_VALID with a view - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 11.1, 11.2, 11.3, 11.4
Fix Version/s: 11.1, 11.2
Component/s: JSON, Views
Labels:
- bp-fix

Description

CREATE TABLE t (f VARCHAR(255));

INSERT INTO t VALUES ('{}'),('{}');

CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;

SELECT * FROM v WHERE JSON_SCHEMA_VALID('{"baz":"qux"}', f);

# Cleanup

DROP VIEW v;

DROP TABLE t;

11.1 3b32110ac4fd3e7e06eddb0189f78cba84c94b6f
==2560519==ERROR: AddressSanitizer: use-after-poison on address 0x62900025fdf8 at pc 0x55f71df8d738 bp 0x7f4ad12d8320 sp 0x7f4ad12d8318
READ of size 8 at 0x62900025fdf8 thread T5
#0 0x55f71df8d737 in Item_func_json_schema_valid::cleanup() /data/bld/11.1-asan/sql/item_jsonfunc.cc:4892
#1 0x55f71d84e931 in Item::delete_self() /data/bld/11.1-asan/sql/item.h:2555
#2 0x55f71d82f90e in Query_arena::free_items() /data/bld/11.1-asan/sql/sql_class.cc:3944
#3 0x55f71d820521 in THD::cleanup_after_query() /data/bld/11.1-asan/sql/sql_class.cc:2317
#4 0x55f71d9844ac in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7856
#5 0x55f71d95c215 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1892
#6 0x55f71d958f52 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1405
#7 0x55f71de1f846 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1415
#8 0x55f71de1f207 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1317
#9 0x55f71ea19903 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
#10 0x7f4ad9ea8043 in start_thread nptl/pthread_create.c:442
#11 0x7f4ad9f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62900025fdf8 is located 11256 bytes inside of 16400-byte region [0x62900025d200,0x629000261210)
allocated by thread T5 here:
#0 0x7f4adaab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55f71f5fe95f in my_malloc /data/bld/11.1-asan/mysys/my_malloc.c:93
#2 0x55f71f5da157 in root_alloc /data/bld/11.1-asan/mysys/my_alloc.c:66
#3 0x55f71f5dbab0 in alloc_root /data/bld/11.1-asan/mysys/my_alloc.c:332
#4 0x55f71d5bcc4d in Item::operator new(unsigned long, st_mem_root*) /data/bld/11.1-asan/sql/item.h:861
#5 0x55f71d90b5aa in LEX::create_item_ident_field(THD*, Lex_ident_sys_st const&, Lex_ident_sys_st const&, Lex_ident_sys_st const&) /data/bld/11.1-asan/sql/sql_lex.cc:8471
#6 0x55f71d90a24e in LEX::create_item_ident(THD, Lex_ident_sys_st const, Lex_ident_sys_st const, Lex_ident_sys_st const) /data/bld/11.1-asan/sql/sql_lex.cc:8373
#7 0x55f71e151e80 in LEX::create_item_ident(THD, Lex_ident_cli_st const, Lex_ident_cli_st const, Lex_ident_cli_st const) /data/bld/11.1-asan/sql/sql_lex.h:4158
#8 0x55f71e130658 in MYSQLparse(THD*) /data/bld/11.1-asan/sql/sql_yacc.yy:15321
#9 0x55f71d992a45 in parse_sql(THD, Parser_state, Object_creation_ctx*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:10190
#10 0x55f71dd0adc5 in mysql_make_view(THD, TABLE_SHARE, TABLE_LIST*, bool) /data/bld/11.1-asan/sql/sql_view.cc:1498
#11 0x55f71d7ae3f6 in open_table(THD, TABLE_LIST, Open_table_context*) /data/bld/11.1-asan/sql/sql_base.cc:2144
#12 0x55f71d7ba1b1 in open_and_process_table /data/bld/11.1-asan/sql/sql_base.cc:4168
#13 0x55f71d7bcd08 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:4656
#14 0x55f71d7c1d33 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:5630
#15 0x55f71d717103 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /data/bld/11.1-asan/sql/sql_base.h:528
#16 0x55f71d9789d6 in execute_sqlcom_select /data/bld/11.1-asan/sql/sql_parse.cc:6010
#17 0x55f71d969e3d in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3958
#18 0x55f71d984080 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7832
#19 0x55f71d95c215 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1892
#20 0x55f71d958f52 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1405
#21 0x55f71de1f846 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1415
#22 0x55f71de1f207 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1317
#23 0x55f71ea19903 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
#24 0x7f4ad9ea8043 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f4adaa49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55f71ea1563e in my_thread_create /data/bld/11.1-asan/storage/perfschema/my_thread.h:52
#2 0x55f71ea19cf2 in pfs_spawn_thread_v1 /data/bld/11.1-asan/storage/perfschema/pfs.cc:2252
#3 0x55f71d59488b in inline_mysql_thread_create /data/bld/11.1-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55f71d5ac84e in create_thread_to_handle_connection(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6155
#5 0x55f71d5ace73 in create_new_thread(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6217
#6 0x55f71d5ad15e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.1-asan/sql/mysqld.cc:6279
#7 0x55f71d5adae2 in handle_connections_sockets() /data/bld/11.1-asan/sql/mysqld.cc:6403
#8 0x55f71d5ac0cb in mysqld_main(int, char**) /data/bld/11.1-asan/sql/mysqld.cc:6050
#9 0x55f71d593998 in main /data/bld/11.1-asan/sql/main.cc:34
#10 0x7f4ad9e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/bld/11.1-asan/sql/item_jsonfunc.cc:4892 in Item_func_json_schema_valid::cleanup()
Shadow bytes around the buggy address:
0x0c5280043f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280043f70: 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5280043f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5280043f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 01 f7 02 f7
0x0c5280043fa0: 02 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280043fb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7[f7]
0x0c5280043fc0: f7 f7 f7 f7 f7 00 00 f7 00 00 f7 00 00 f7 00 00
0x0c5280043fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5280043fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5280043ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5280044000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2560519==ABORTING

Unlike ~~MDEV-33015~~ (which is already fixed anyway), this one is also reproducible on previous releases of 11.1.
The test case is not applicable to earlier versions due to the use of JSON_SCHEMA_VALID.

Attachments

Activity

People

Assignee:: Rucha Deodhar

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-02-02 14:09

Updated:: 3 days ago 14:32

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.