MariaDB Server / MDEV-33422

Server crashes when calling JSON_SET function with invalid text after setting max_statement_time=0.000001


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.6, 10.11, 11.0 (EOL), 11.1 (EOL), 11.2 (EOL), 11.3 (EOL), 11.4
    • Fix Version/s: 10.6, 10.11, 11.4
    • Component/s: JSON
    • Labels: None

    Description

      The non-ASAN build backtrace was not generated correctly. Full backtrace: bt.txt

      SET max_statement_time=0.000001;
      SELECT JSON_SET ('[','$[0]',0);
      

      11.3.2 e71aecfd308d6093fd693044253518a872994394 (Optimized)

      Core was generated by `/test/MD010224-mariadb-11.3.2-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __memmove_avx_unaligned_erms ()
          at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:535
      [Current thread is 1 (Thread 0x14acb014b700 (LWP 389404))]
      (gdb) bt
      #0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:535
      #1  0x0014ac60010d1000 in ?? ()
      #2  0x0000000000000000 in ?? ()
      

      ASAN build stack trace

      11.4.0 b0e77c08e55c433e443a2cfbcb7315dd6f006b3e (Optimized)

      ==1697400==ERROR: AddressSanitizer: use-after-poison on address 0x6290000877e2 at pc 0x560fcdd3c040 bp 0x146bfeecfd50 sp 0x146bfeecf4f8
      READ of size 102 at 0x6290000877e2 thread T12
          #0 0x560fcdd3c03f in __interceptor_memcpy.part.0 (/test/UBASAN_MD010224-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd+0x7da003f)
          #1 0x560fcf26b2a4 in Binary_string::q_append(char const*, unsigned long) /test/11.4_opt_san/sql/sql_string.h:466
          #2 0x560fcf26b2a4 in append_simple /test/11.4_opt_san/sql/item_jsonfunc.cc:60
          #3 0x560fcf2a9156 in Item_func_json_insert::val_str(String*) /test/11.4_opt_san/sql/item_jsonfunc.cc:3302
          #4 0x560fcf52ee9d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.4_opt_san/sql/sql_type.cc:7468
          #5 0x560fcdfa5f81 in Protocol::send_result_set_row(List<Item>*) /test/11.4_opt_san/sql/protocol.cc:1333
          #6 0x560fce29ec19 in select_send::send_data(List<Item>&) /test/11.4_opt_san/sql/sql_class.cc:3136
          #7 0x560fcea4a1b4 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_opt_san/sql/sql_class.h:5978
          #8 0x560fcea4a1b4 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_opt_san/sql/sql_class.h:5968
          #9 0x560fcea4a1b4 in JOIN::exec_inner() /test/11.4_opt_san/sql/sql_select.cc:4862
          #10 0x560fcea4e899 in JOIN::exec() /test/11.4_opt_san/sql/sql_select.cc:4774
          #11 0x560fcea3bd5c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_opt_san/sql/sql_select.cc:5304
          #12 0x560fcea3f9f3 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_opt_san/sql/sql_select.cc:630
          #13 0x560fce60da2f in execute_sqlcom_select /test/11.4_opt_san/sql/sql_parse.cc:6077
          #14 0x560fce65d355 in mysql_execute_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:3926
          #15 0x560fce5dd0a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_opt_san/sql/sql_parse.cc:7798
          #16 0x560fce633730 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_opt_san/sql/sql_parse.cc:1893
          #17 0x560fce63eefd in do_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:1406
          #18 0x560fcefa007d in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1417
          #19 0x560fcefa26ec in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1319
          #20 0x146c22fbd608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #21 0x146c22232132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x6290000877e2 is located 1506 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T12 here:
          #0 0x560fcddae388 in __interceptor_malloc (/test/UBASAN_MD010224-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd+0x7e12388)
          #1 0x560fd2349fd4 in my_malloc /test/11.4_opt_san/mysys/my_malloc.c:93
          #2 0x560fd2324820 in root_alloc /test/11.4_opt_san/mysys/my_alloc.c:66
          #3 0x560fd2324820 in reset_root_defaults /test/11.4_opt_san/mysys/my_alloc.c:244
          #4 0x560fce2c1e2c in THD::init_for_queries() /test/11.4_opt_san/sql/sql_class.cc:1394
          #5 0x560fcef998e3 in prepare_new_connection_state(THD*) /test/11.4_opt_san/sql/sql_connect.cc:1246
          #6 0x560fcef9bd37 in thd_prepare_connection(THD*) /test/11.4_opt_san/sql/sql_connect.cc:1340
          #7 0x560fcef9bd37 in thd_prepare_connection(THD*) /test/11.4_opt_san/sql/sql_connect.cc:1329
          #8 0x560fcef9f0b9 in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1407
          #9 0x560fcefa26ec in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1319
          #10 0x146c22fbd608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T12 created by T0 here:
          #0 0x560fcdcdb3c5 in pthread_create (/test/UBASAN_MD010224-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd+0x7d3f3c5)
          #1 0x560fcddff363 in create_thread_to_handle_connection(CONNECT*) /test/11.4_opt_san/sql/mysqld.cc:6116
          #2 0x560fcde10a0f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.4_opt_san/sql/mysqld.cc:6240
          #3 0x560fcde11a97 in handle_connections_sockets() /test/11.4_opt_san/sql/mysqld.cc:6376
          #4 0x560fcde14a24 in mysqld_main(int, char**) /test/11.4_opt_san/sql/mysqld.cc:6011
          #5 0x146c22137082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison (/test/UBASAN_MD010224-mariadb-11.4.0-linux-x86_64-opt/bin/mariadbd+0x7da003f) in __interceptor_memcpy.part.0
      

      Bug confirmed present in:
      MariaDB: 10.6.17 (dbg), 10.6.17 (opt), 10.11.7 (dbg), 10.11.7 (opt), 11.0.5 (dbg), 11.0.5 (opt), 11.1.4 (dbg), 11.1.4 (opt), 11.2.3 (dbg), 11.2.3 (opt), 11.3.2 (dbg), 11.3.2 (opt), 11.4.0 (dbg), 11.4.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.4.33 (dbg), 10.4.33 (opt), 10.5.24 (dbg), 10.5.24 (opt)

      Attachments

        1. bt.txt (7 kB, uploaded by Ramesh Sivaraman)

      People

        rucha174 Rucha Deodhar
        ramesh Ramesh Sivaraman