[MDEV-34143] Server crashes when executing JSON_EXTRACT after setting non-default collation_connection - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL)
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3, 11.5.2
Component/s: JSON
Labels:

Description

Test cases

# 1

SET collation_connection='utf16_bin';

SELECT JSON_EXTRACT('{"a": 1,"b": 2}','$.a');

# 2

SET collation_connection=utf32_unicode_ci;

SELECT JSON_EXTRACT('[["A",2]]','$[0]');

# 3

SET collation_connection=ucs2_general_ci;

SELECT JSON_EXTRACT(JSON_COMPACT ('{"abc": "foo"}'),'$.abc');

Leads to:

10.5.25 1e5b0ff9778b16801d5afa08b6433070948f0910 (Debug)
mariadbd: /test/10.5_dbg/sql/sql_string.h:359: void Static_binary_string::chop(): Assertion `strlen(Ptr) == str_length' failed.

10.5.25 1e5b0ff9778b16801d5afa08b6433070948f0910 (Debug)
Core was generated by `/test/MD130524-mariadb-10.5.25-linux-x86_64-dbg/bin/mariadbd --no-defaults --ma'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x1482a008f700 (LWP 2028144))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00001482a9f89859 in __GI_abort () at abort.c:79
#2 0x00001482a9f89729 in __assert_fail_base (fmt=0x1482aa11f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x56336ef8b868 "strlen(Ptr) == str_length", file=0x56336ef8a1d8 "/test/10.5_dbg/sql/sql_string.h", line=359, function=<optimized out>) at assert.c:92
#3 0x00001482a9f9afd6 in __GI___assert_fail (assertion=assertion@entry=0x56336ef8b868 "strlen(Ptr) == str_length", file=file@entry=0x56336ef8a1d8 "/test/10.5_dbg/sql/sql_string.h", line=line@entry=359, function=function@entry=0x56336ef8b8e0 "void Static_binary_string::chop()") at assert.c:101
#4 0x000056336e4328da in Static_binary_string::chop (this=0x1482a008d308) at /test/10.5_dbg/sql/sql_string.h:359
#5 Item_func_json_extract::read_json (this=0x1482500135f0, str=0x1482a008d300, type=type@entry=0x1482a008d210, out_val=out_val@entry=0x1482a008d218, value_len=value_len@entry=0x1482a008d214) at /test/10.5_dbg/sql/item_jsonfunc.cc:1034
#6 0x000056336e4329b7 in Item_func_json_extract::val_str (this=<optimized out>, str=<optimized out>) at /test/10.5_dbg/sql/item_jsonfunc.cc:1064
#7 0x000056336e474ff8 in Type_handler::Item_send_str (this=<optimized out>, item=0x1482500135f0, protocol=0x148250001348, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.cc:7565
#8 0x000056336e3b0ce1 in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/10.5_dbg/sql/sql_type.h:5494
#9 0x000056336e187dae in Item::send (this=0x1482500135f0, protocol=0x148250001348, buffer=0x1482a008d2d0) at /test/10.5_dbg/sql/item.h:1082
#10 0x000056336e185420 in Protocol::send_result_set_row (this=this@entry=0x148250001348, row_items=row_items@entry=0x148250012fe0) at /test/10.5_dbg/sql/protocol.cc:1086
#11 0x000056336e214ad3 in select_send::send_data (this=0x148250014060, items=@0x148250012fe0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1482500136f0, last = 0x1482500136f0, elements = 1}, <No data fields>}) at /test/10.5_dbg/sql/sql_class.cc:3160
#12 0x000056336e2f7dd9 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/10.5_dbg/sql/sql_class.h:5564
#13 JOIN::exec_inner (this=this@entry=0x148250014088) at /test/10.5_dbg/sql/sql_select.cc:4513
#14 0x000056336e2f8b40 in JOIN::exec (this=this@entry=0x148250014088) at /test/10.5_dbg/sql/sql_select.cc:4425
#15 0x000056336e2f6986 in mysql_select (thd=thd@entry=0x148250000d48, tables=0x0, fields=@0x148250012fe0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1482500136f0, last = 0x1482500136f0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x148250014060, unit=0x148250004ef8, select_lex=0x148250012e78) at /test/10.5_dbg/sql/sql_select.cc:4902
#16 0x000056336e2f7489 in handle_select (thd=thd@entry=0x148250000d48, lex=lex@entry=0x148250004e30, result=result@entry=0x148250014060, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_dbg/sql/sql_select.cc:449
#17 0x000056336e26fc69 in execute_sqlcom_select (thd=thd@entry=0x148250000d48, all_tables=0x0) at /test/10.5_dbg/sql/sql_parse.cc:6424
#18 0x000056336e27ccd6 in mysql_execute_command (thd=thd@entry=0x148250000d48) at /test/10.5_dbg/sql/sql_parse.cc:4029
#19 0x000056336e26952a in mysql_parse (thd=thd@entry=0x148250000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1482a008e2c0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_parse.cc:8203
#20 0x000056336e277ce7 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x148250000d48, packet=packet@entry=0x14825000aa19 "", packet_length=packet_length@entry=44, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_dbg/sql/sql_class.h:1328
#21 0x000056336e27aa20 in do_command (thd=0x148250000d48) at /test/10.5_dbg/sql/sql_parse.cc:1375
#22 0x000056336e3c6b9e in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563371911548, put_in_cache=put_in_cache@entry=true) at /test/10.5_dbg/sql/sql_connect.cc:1415
#23 0x000056336e3c723c in handle_one_connection (arg=arg@entry=0x563371911548) at /test/10.5_dbg/sql/sql_connect.cc:1317
#24 0x000056336e843f0d in pfs_spawn_thread (arg=0x563370dd9778) at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#25 0x00001482aa49a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x00001482aa086133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.5.25 (dbg), 10.6.18 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.34 (dbg), 10.4.34 (opt), 10.5.25 (opt), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.0.6 (dbg), 11.0.6 (opt), 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

Attachments

Issue Links

relates to

MDEV-34173 Some JSON functions print the output as NULL/incorrect when character-sets is set with mbminlen > 1

Open

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2024-05-14 05:40

A related but different stack with

SET character_set_database=ucs2;

SET CHARACTER SET cp1251_koi8;

SELECT JSON_EXTRACT('{ "\\"a\\"": 1}','$."\\"a\\""');

strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Type_handler::Item_send_str

All UniqueID's seen previously/with testcases above:

strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item_func_conv_charset::Item_func_conv_charset

strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Arg_comparator::compare_json_str_basic

strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item_char_typecast::val_str_generic

strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_json

strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Type_handler::Item_send_str

Roel Van de Paar added a comment - 2024-05-14 05:40 A related but different stack with SET character_set_database=ucs2; SET CHARACTER SET cp1251_koi8; SELECT JSON_EXTRACT( '{ "\\"a\\"": 1}' , '$."\\"a\\""' ); strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Type_handler::Item_send_str All UniqueID's seen previously/with testcases above: strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item_func_conv_charset::Item_func_conv_charset strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Arg_comparator::compare_json_str_basic strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item_char_typecast::val_str_generic strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_json strlen(Ptr) == str_length|SIGABRT|Static_binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Type_handler::Item_send_str

Rucha Deodhar added a comment - 2024-05-15 11:47

patch: https://github.com/MariaDB/server/commit/af30d23cbd43b1de1e046a6aeb8d47c11b069f91

Rucha Deodhar added a comment - 2024-05-15 11:47 patch: https://github.com/MariaDB/server/commit/af30d23cbd43b1de1e046a6aeb8d47c11b069f91

Roel Van de Paar added a comment - 2024-05-16 07:31

Also:

SET NAMES utf8,character_set_connection=utf32;

SELECT CAST(JSON_EXTRACT('{ "USERName" : "fred" }','$.USERName') AS CHAR)=0;

10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug)
strlen(Ptr) == str_length\|SIGABRT\|Binary_string::chop\|Item_func_json_extract::read_json\|Item_func_json_extract::val_str\|Item_char_typecast::val_str_generic

Roel Van de Paar added a comment - 2024-05-16 07:31 Also: SET NAMES utf8,character_set_connection=utf32; SELECT CAST (JSON_EXTRACT( '{ "USERName" : "fred" }' , '$.USERName' ) AS CHAR )=0; 10.11.8 3a069644682e336e445039e48baae9693f9a08ee (Debug) strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item_char_typecast::val_str_generic

Alexey Botchkov added a comment - 2024-05-20 10:51

ok to push.

Alexey Botchkov added a comment - 2024-05-20 10:51 ok to push.

Roel Van de Paar added a comment - 2024-06-06 05:26 - edited

There are some additional high-frequency UiqueID's/stacks observed:

strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Arg_comparator::compare_json_str_basic

strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_json

strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_str_from_item

Rather than reduce these, once the current fix is pushed, we will watch for re-occurrences of these and earlier stacks. Also note some corruptions were observed:

strlen(Ptr) == str_length|SIGABRT|Backtrace stopped: Cannot access memory at address|

Roel Van de Paar added a comment - 2024-06-06 05:26 - edited There are some additional high-frequency UiqueID's/stacks observed: strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Arg_comparator::compare_json_str_basic strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_json strlen(Ptr) == str_length|SIGABRT|Binary_string::chop|Item_func_json_extract::read_json|Item_func_json_extract::val_str|Item::val_str_from_item Rather than reduce these, once the current fix is pushed, we will watch for re-occurrences of these and earlier stacks. Also note some corruptions were observed: strlen(Ptr) == str_length|SIGABRT|Backtrace stopped: Cannot access memory at address|

Roel Van de Paar added a comment - 2024-06-06 05:31

rucha174 Hi! Could this be pushed please (looks like holyfoot approved it?)

Roel Van de Paar added a comment - 2024-06-06 05:31 rucha174 Hi! Could this be pushed please (looks like holyfoot approved it?)

People

Assignee:: Rucha Deodhar

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2024-05-13 06:57

Updated:: 2024-06-07 12:50

Resolved:: 2024-06-06 12:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server