
ASAN errors in Item_func_json_schema_valid::cleanup upon using JSON_SCHEMA_VALID with a view


Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4, 11.6(EOL)
    • 11.4
    • JSON, Views

    Description

      # Reproduction for MDEV-33369: JSON_SCHEMA_VALID applied to a column that
      # arrives through a TEMPTABLE view. The ASAN report below faults in
      # Item_func_json_schema_valid::cleanup() (item_jsonfunc.cc:4892), reached
      # from THD::cleanup_after_query() -> Query_arena::free_items() ->
      # Item::delete_self(); the Item being cleaned up was allocated with
      # alloc_root while the view definition was parsed in mysql_make_view().
      CREATE TABLE t (f VARCHAR(255));
      # Two empty JSON documents; the report does not say whether one row is
      # enough to trigger the error.
      INSERT INTO t VALUES ('{}'),('{}');
      # ALGORITHM=TEMPTABLE materializes the view into a temporary table instead
      # of merging it into the outer query. Whether ALGORITHM=MERGE also
      # reproduces is not stated in the report.
      CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
      # Constant schema, view column f as the document to validate. The shadow
      # byte at the faulting address is f7 ("Poisoned by user" in the legend),
      # i.e. the region was explicitly poisoned rather than returned to the
      # allocator -- presumably a mem_root that was already reset; to confirm.
      SELECT * FROM v WHERE JSON_SCHEMA_VALID('{"baz":"qux"}', f);
      
      # Cleanup
      DROP VIEW v;
      DROP TABLE t;
      

      11.1 3b32110ac4fd3e7e06eddb0189f78cba84c94b6f

      ==2560519==ERROR: AddressSanitizer: use-after-poison on address 0x62900025fdf8 at pc 0x55f71df8d738 bp 0x7f4ad12d8320 sp 0x7f4ad12d8318
      READ of size 8 at 0x62900025fdf8 thread T5
          #0 0x55f71df8d737 in Item_func_json_schema_valid::cleanup() /data/bld/11.1-asan/sql/item_jsonfunc.cc:4892
          #1 0x55f71d84e931 in Item::delete_self() /data/bld/11.1-asan/sql/item.h:2555
          #2 0x55f71d82f90e in Query_arena::free_items() /data/bld/11.1-asan/sql/sql_class.cc:3944
          #3 0x55f71d820521 in THD::cleanup_after_query() /data/bld/11.1-asan/sql/sql_class.cc:2317
          #4 0x55f71d9844ac in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7856
          #5 0x55f71d95c215 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1892
          #6 0x55f71d958f52 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1405
          #7 0x55f71de1f846 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1415
          #8 0x55f71de1f207 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1317
          #9 0x55f71ea19903 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
          #10 0x7f4ad9ea8043 in start_thread nptl/pthread_create.c:442
          #11 0x7f4ad9f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x62900025fdf8 is located 11256 bytes inside of 16400-byte region [0x62900025d200,0x629000261210)
      allocated by thread T5 here:
          #0 0x7f4adaab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55f71f5fe95f in my_malloc /data/bld/11.1-asan/mysys/my_malloc.c:93
          #2 0x55f71f5da157 in root_alloc /data/bld/11.1-asan/mysys/my_alloc.c:66
          #3 0x55f71f5dbab0 in alloc_root /data/bld/11.1-asan/mysys/my_alloc.c:332
          #4 0x55f71d5bcc4d in Item::operator new(unsigned long, st_mem_root*) /data/bld/11.1-asan/sql/item.h:861
          #5 0x55f71d90b5aa in LEX::create_item_ident_field(THD*, Lex_ident_sys_st const&, Lex_ident_sys_st const&, Lex_ident_sys_st const&) /data/bld/11.1-asan/sql/sql_lex.cc:8471
          #6 0x55f71d90a24e in LEX::create_item_ident(THD*, Lex_ident_sys_st const*, Lex_ident_sys_st const*, Lex_ident_sys_st const*) /data/bld/11.1-asan/sql/sql_lex.cc:8373
          #7 0x55f71e151e80 in LEX::create_item_ident(THD*, Lex_ident_cli_st const*, Lex_ident_cli_st const*, Lex_ident_cli_st const*) /data/bld/11.1-asan/sql/sql_lex.h:4158
          #8 0x55f71e130658 in MYSQLparse(THD*) /data/bld/11.1-asan/sql/sql_yacc.yy:15321
          #9 0x55f71d992a45 in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:10190
          #10 0x55f71dd0adc5 in mysql_make_view(THD*, TABLE_SHARE*, TABLE_LIST*, bool) /data/bld/11.1-asan/sql/sql_view.cc:1498
          #11 0x55f71d7ae3f6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/bld/11.1-asan/sql/sql_base.cc:2144
          #12 0x55f71d7ba1b1 in open_and_process_table /data/bld/11.1-asan/sql/sql_base.cc:4168
          #13 0x55f71d7bcd08 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:4656
          #14 0x55f71d7c1d33 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:5630
          #15 0x55f71d717103 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/bld/11.1-asan/sql/sql_base.h:528
          #16 0x55f71d9789d6 in execute_sqlcom_select /data/bld/11.1-asan/sql/sql_parse.cc:6010
          #17 0x55f71d969e3d in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3958
          #18 0x55f71d984080 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7832
          #19 0x55f71d95c215 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1892
          #20 0x55f71d958f52 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1405
          #21 0x55f71de1f846 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1415
          #22 0x55f71de1f207 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1317
          #23 0x55f71ea19903 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
          #24 0x7f4ad9ea8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f4adaa49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55f71ea1563e in my_thread_create /data/bld/11.1-asan/storage/perfschema/my_thread.h:52
          #2 0x55f71ea19cf2 in pfs_spawn_thread_v1 /data/bld/11.1-asan/storage/perfschema/pfs.cc:2252
          #3 0x55f71d59488b in inline_mysql_thread_create /data/bld/11.1-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x55f71d5ac84e in create_thread_to_handle_connection(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6155
          #5 0x55f71d5ace73 in create_new_thread(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6217
          #6 0x55f71d5ad15e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.1-asan/sql/mysqld.cc:6279
          #7 0x55f71d5adae2 in handle_connections_sockets() /data/bld/11.1-asan/sql/mysqld.cc:6403
          #8 0x55f71d5ac0cb in mysqld_main(int, char**) /data/bld/11.1-asan/sql/mysqld.cc:6050
          #9 0x55f71d593998 in main /data/bld/11.1-asan/sql/main.cc:34
          #10 0x7f4ad9e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/bld/11.1-asan/sql/item_jsonfunc.cc:4892 in Item_func_json_schema_valid::cleanup()
      Shadow bytes around the buggy address:
        0x0c5280043f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280043f70: 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280043f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280043f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 01 f7 02 f7
        0x0c5280043fa0: 02 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280043fb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7[f7]
        0x0c5280043fc0: f7 f7 f7 f7 f7 00 00 f7 00 00 f7 00 00 f7 00 00
        0x0c5280043fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280043fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280043ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280044000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2560519==ABORTING
      

      Unlike MDEV-33015 (which has already been fixed), this one is reproducible on earlier releases of 11.1 as well.
      The test case is not applicable to earlier versions due to the use of JSON_SCHEMA_VALID.

          People

            rucha174 Rucha Deodhar
            elenst Elena Stepanova
