json_array_intersect crashs when unused table ref provided

select json_array_intersect('[["1", "7"], ["2", "6"], ["4", "5"], ["3", "8"]]', '[["2","6"],["3","8"],["4","5"],["1","7"]]') from mysql.user

Program terminated with signal SIGSEGV, Segmentation fault.

#0  movelink (array=0x7f6f4c1c4718, find=3, next_link=4294967295, newlink=1) at /home/dan/repos/mariadb-server-11.4/mysys/hash.c:348

348	  while ((next_link=old_link->next) != find);

[Current thread is 1 (Thread 0x7f6f8c0cb6c0 (LWP 180296))]

(gdb) info locals

old_link = <optimized out>

(gdb) up

#1  my_hash_delete (hash=0x7f6f8c0c8b70, record=0x7f6f4c010980 "[\"4\",\"5\"]") at /home/dan/repos/mariadb-server-11.4/mysys/hash.c:627

627	      movelink(data,(uint) (lastpos-data),(uint) (pos-data),empty_index);

(gdb) p *hash

$1 = {key_offset = 0, key_length = 0, blength = 4, records = 3, flags = 0, array = {buffer = 0x7f6f4c1c4718 "\377\377\377\377\374,\323\005`\t\001Lo\177", elements = 4, max_element = 510, 

    alloc_increment = 510, size_of_element = 16, m_psi_key = 0, malloc_flags = 0}, get_key = 0x8d1e50 <get_key_name(void const*, unsigned long*, char)>, hash_function = 0xdf2180 <my_hash_sort>, 

  free = 0x0, charset = 0x17d4c80 <my_charset_utf8mb3_general_ci>}

(gdb) up

#2  0x00000000008c1878 in get_intersect_between_arrays (str=0x7f6f8c0c8e60, value=0x7f6f8c0c8c68, 

    items={key_offset = 0, key_length = 0, blength = 4, records = 3, flags = 0, array = {buffer = 0x7f6f4c1c4718 "\377\377\377\377\374,\323\005`\t\001Lo\177", elements = 4, max_element = 510, alloc_increment = 510, size_of_element = 16, m_psi_key = 0, malloc_flags = 0}, get_key = 0x8d1e50 <get_key_name(void const*, unsigned long*, char)>, hash_function = 0xdf2180 <my_hash_sort>, free = 0x0, charset = 0x17d4c80 <my_charset_utf8mb3_general_ci>}) at /home/dan/repos/mariadb-server-11.4/sql/item_jsonfunc.cc:5319

5319	      if (my_hash_delete(&items, found))

(gdb) p found

$2 = (uchar *) 0x7f6f4c010980 "[\"4\",\"5\"]"

(gdb) bt full

#0  movelink (array=0x7f6f4c1c4718, find=3, next_link=4294967295, newlink=1) at /home/dan/repos/mariadb-server-11.4/mysys/hash.c:348

        old_link = <optimized out>

#1  my_hash_delete (hash=0x7f6f8c0c8b70, record=0x7f6f4c010980 "[\"4\",\"5\"]") at /home/dan/repos/mariadb-server-11.4/mysys/hash.c:627

        blength = <optimized out>

        data = 0x7f6f4c1c4718

        pos = <optimized out>

        gpos = <optimized out>

        lastpos = 0x7f6f4c1c4748

        empty = 0x7f6f4c1c4728

        empty_index = 1

        lastpos_hashnr = <optimized out>

        pos_hashnr = <optimized out>

        pos3 = <optimized out>

        pos2 = 0

        idx = <optimized out>

#2  0x00000000008c1878 in get_intersect_between_arrays (str=0x7f6f8c0c8e60, value=0x7f6f8c0c8c68, 

    items={key_offset = 0, key_length = 0, blength = 4, records = 3, flags = 0, array = {buffer = 0x7f6f4c1c4718 "\377\377\377\377\374,\323\005`\t\001Lo\177", elements = 4, max_element = 510, alloc_increment = 510, size_of_element = 16, m_psi_key = 0, malloc_flags = 0}, get_key = 0x8d1e50 <get_key_name(void const*, unsigned long*, char)>, hash_function = 0xdf2180 <my_hash_sort>, free = 0x0, charset = 0x17d4c80 <my_charset_utf8mb3_general_ci>}) at /home/dan/repos/mariadb-server-11.4/sql/item_jsonfunc.cc:5319

        norm_val = {str = 0x0, length = 9, max_length = 128, alloc_increment = 128}

        new_entry = 0x7f6f4c013bd0 "[\"4\",\"5\"]"

        value_len = <optimized out>

        value_start = 0x7f6f4c02fc35 "[\"4\",\"5\"],[\"1\",\"7\"]]"

        found = 0x7f6f4c010980 "[\"4\",\"5\"]"

        temp_str = <optimized out>

        res = true

        has_value = true

        level = 1

        norm_val = <optimized out>

        value_start = <optimized out>

        new_entry = <optimized out>

        found = <optimized out>

        value_len = <optimized out>

#3  Item_func_json_array_intersect::val_str (this=0x7f6f4c02fde0, str=0x7f6f8c0c8e60) at /home/dan/repos/mariadb-server-11.4/sql/item_jsonfunc.cc:5374

        je2 = {s = {c_str = 0x7f6f4c02fc3e ",[\"1\",\"7\"]]", str_end = 0x7f6f4c02fc49 "", c_next = 93, c_next_len = 1, error = 0, cs = 0x17d4c80 <my_charset_utf8mb3_general_ci>, 

            wc = 0xe529f0 <my_utf8mb3_uni>}, sav_c_len = 1, state = 5, value_type = JSON_VALUE_ARRAY, value = 0x7f6f4c02fc35 "[\"4\",\"5\"],[\"1\",\"7\"]]", 

          value_begin = 0x7f6f4c02fc35 "[\"4\",\"5\"],[\"1\",\"7\"]]", value_escaped = 1276807169, num_flags = 2, value_end = 0x7f6f4c02fc36 "\"4\",\"5\"],[\"1\",\"7\"]]", value_len = 0, stack = {6, 

            8, 8, 1275071489, 32623, 16246176, 0, 0, 0, 0, 0, 15125248, 0, 809451520, -1817069062, 1276855936, 32623, 1276856272, 32623, 1276855232, 32623, 1276856272, 32623, 1276853608, 32623, 

            -1945334272, 32623, 0, 0, 0, 0, 1276856272}, stack_p = 1, killed_ptr = 0x154bfdc <json_scan_start.no_time_to_die> ""}

        res_je = {s = {c_str = 0x0, str_end = 0x0, c_next = 4, c_next_len = 3, error = 0, cs = 0x3dff0000000000, wc = 0x7f6f4c1c4718}, sav_c_len = 4, state = 0, value_type = 510, 

          value = 0x1fe <error: Cannot access memory at address 0x1fe>, value_begin = 0x10 <error: Cannot access memory at address 0x10>, value_escaped = 0, num_flags = 0, value_end = 0x0, 

          value_len = 9248336, stack = {0, 14623104, 0, 0, 0, 24988800, 0, 0, 0, 6, 0, 1, 0, 0, 0, 0, 0, 10168395, 0, 0, 1075314688, 0, 0, -1945334688, 32623, 325307656, 0, 16443032, 0, 0, 0, 

            1276807368}, stack_p = 0, killed_ptr = 0x154bfdc <json_scan_start.no_time_to_die> ""}

        je1 = {s = {c_str = 0xfae698 <vtable for Item_func_json_value+16> "\020<\214", str_end = 0x7f6f4c1a7508 "\002", c_next = 140115994905368, c_next_len = 1276807960, error = 32623, cs = 0x0, 

            wc = 0x7f6f4c1a76e0}, sav_c_len = 4, state = 0, value_type = 1276801984, value = 0x7f6f4c1a7408 "mysql", value_begin = 0x1 <error: Cannot access memory at address 0x1>, value_escaped = 0, 

          num_flags = 1075314688, value_end = 0x0, value_len = 0, stack = {1075314688, 0, 0, 0, 0, 0, 1075314688, 0, 0, 0, 0, -1945334928, 2, 0, 0, 1730954560, 1065163665, 0, 0, 1276800696, 4, 0, 

            1075314688, 809451520, -1817069062, -1945334784, 32623, 1730954560, 1065163665, 0, 0, 0}, stack_p = 1075314688, killed_ptr = 0x0}

        js2 = 0x7f6f4c02fc78

        js1 = <optimized out>

#4  0x00000000008ff96e in Type_handler::Item_send_str (this=<optimized out>, item=0x0, protocol=0xffffffff0, buf=0x3) at /home/dan/repos/mariadb-server-11.4/sql/sql_type.cc:7680

        res = <optimized out>

#5  0x00000000006a020b in Protocol::send_result_set_row (this=0x7f6f4c0011f0, row_items=<optimized out>) at /home/dan/repos/mariadb-server-11.4/sql/protocol.cc:1339

        item = 0x7f6f4c02fde0

        value_buffer = {<Value> = {<st_value> = {m_type = 8192, value = {m_longlong = 8192, m_double = 4.0473857707314917e-320, m_time = {year = 8192, month = 0, day = 2379419648, hour = 32623, 

                  minute = 8192, second = 0, second_part = 140117067730624, neg = -98 '\236', time_type = MYSQL_TIMESTAMP_DATE}}, m_string = {<Charset> = {

                  m_charset = 0x17d4c80 <my_charset_utf8mb3_general_ci>}, <Binary_string> = {<Sql_alloc> = {<No data fields>}, Ptr = 0x7f6f8c0c8ec0 "[[\"1\",\"7\"]]", str_length = 0, 

                  Alloced_length = 766, extra_alloc = 0, alloced = false, thread_specific = false}, <No data fields>}, m_decimal = {<st_decimal_t> = {intg = 0, frac = 0, len = 9, sign = 0 '\000', 

                  buf = 0x7f6f8c0c8e98}, buffer = {-1599134120, 32623, -1945334080, 32623, 11754607, 0, -1599134120, 32623, 11707910}}}, <No data fields>}, 

          buffer = "[[\"1\",\"7\"]]\000\"3\",\"8\"],[\"4\",\"5\"],[\"1\",\"7\"]]", '\000' <repeats 13 times>, "\030@", '\000' <repeats 16 times>, "8ǂ\001\000\000\000\000\360Wd\023\000\000\000\000\000Ȃ\001\000\000\000\000X&\257\240o\177\000\000\001\000\000\000\000\000\000\000\200\217\f\214o\177\000\000%\250\262\000\000\000\000\000\360\\\263\000\000\000\000\000\020]\263\000\000\000\000\000\230\001d\023\000\000\000\000X&\257\240o\177\000\000\360Wd\023\000\000\000\000\000Ȃ\001\000\000\000\0008ǂ\001\000\000\000\000\001\000\000\000\000\000\000\000\260\220\f\214o\177\000\000N\273\262\000"...}

        it = {<base_list_iterator> = {list = <optimized out>, el = 0x7f6f4c02ffa0, prev = 0x0, current = 0x0}, <No data fields>}

#6  0x0000000000707a2f in select_send::send_data (this=0x7f6f4c1aa9e0, 

    items=@0x7f6f4c02f7f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7f6f4c02ffa0, last = 0x7f6f4c02ffa0, elements = 1}, <No data fields>})

    at /home/dan/repos/mariadb-server-11.4/sql/sql_class.cc:3264

        protocol = 0x7f6f4c0011f0

#7  0x00000000007a3851 in select_result_sink::send_data_with_check (this=0x0, 

    items=@0x7f6f4c02f7f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7f6f4c02ffa0, last = 0x7f6f4c02ffa0, elements = 1}, <No data fields>}, u=<optimized out>, sent=<optimized out>)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_class.h:6099

No locals.

#8  end_send (join=0x7f6f4c1aaa08, join_tab=0x7f6f4c1b5030, end_of_records=<optimized out>) at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:25545

        error = <optimized out>

        fields = 0x7f6f4c02f7f0

#9  0x00000000007c2394 in evaluate_join_record (join=join@entry=0x7f6f4c1aaa08, join_tab=join_tab@entry=0x7f6f4c1b4bc0, error=error@entry=0)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:24471

        rc = <optimized out>

        found = true

        return_tab = 0x7f6f4c1b4bc0

        shortcut_for_distinct = false

        found_records = 0

        select_cond = <optimized out>

        select_cond_result = <optimized out>

#10 0x000000000078dd7e in sub_select (join=0x7f6f4c1aaa08, join_tab=0x7f6f4c1b4bc0, end_of_records=<optimized out>) at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:24275

        rc = <optimized out>

        error = 0

        skip_over = <optimized out>

        info = 0x7f6f4c1b4c90

        last_inner_tab = <optimized out>

        jt = <optimized out>

        nls = <optimized out>

        tab_map = <optimized out>

        i = <optimized out>

        flush_dups_table = <optimized out>

        key = <optimized out>

#11 0x00000000007a7a84 in do_select (join=join@entry=0x7f6f4c1aaa08, procedure=<optimized out>) at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:23749

        join_tab = 0x7f6f4c1b4bc0

        rc = 0

        error = NESTED_LOOP_OK

        top_level_tables = <optimized out>

#12 0x00000000007a73d8 in JOIN::exec_inner (this=this@entry=0x7f6f4c1aaa08) at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:5052

        trace_steps = {<Json_writer_struct> = {_vptr$Json_writer_struct = 0xf7e528 <vtable for Json_writer_array+16>, my_writer = 0x0, context = {writer = 0x0}, closed = false}, <No data fields>}

        trace_wrapper = {<Json_writer_struct> = {_vptr$Json_writer_struct = 0xf7e5a0 <vtable for Json_writer_object+16>, my_writer = 0x0, context = {writer = 0x0}, closed = false}, <No data fields>}

        trace_exec = {<Json_writer_struct> = {_vptr$Json_writer_struct = 0xf7e5a0 <vtable for Json_writer_object+16>, my_writer = 0x0, context = {writer = 0x0}, closed = false}, <No data fields>}

        columns_list = <optimized out>

#13 0x000000000078e558 in JOIN::exec (this=0x7f6f4c1aaa08) at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:4838

        res = <optimized out>

#14 mysql_select (thd=thd@entry=0x7f6f4c000c68, tables=<optimized out>, 

    fields=@0x7f6f4c02f7f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7f6f4c02ffa0, last = 0x7f6f4c02ffa0, elements = 1}, <No data fields>}, conds=<optimized out>, 

    og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x7f6f4c1aa9e0, unit=0x7f6f4c004f40, select_lex=0x7f6f4c02f538)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:5368

        err = <optimized out>

        free_join = <optimized out>

        exec_error = false

        join = 0x7f6f4c1aaa08

#15 0x000000000078e21c in handle_select (thd=thd@entry=0x7f6f4c000c68, lex=lex@entry=0x7f6f4c004e60, result=result@entry=0x7f6f4c1aa9e0, setup_tables_done_option=setup_tables_done_option@entry=0)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_select.cc:642

        unit = 0x7f6f4c004f40

        select_lex = 0x7f6f4c02f538

        res = <optimized out>

#16 0x000000000075e15d in execute_sqlcom_select (thd=thd@entry=0x7f6f4c000c68, all_tables=0x7f6f4c0300f0) at /home/dan/repos/mariadb-server-11.4/sql/sql_parse.cc:6183

        save_protocol = 0x0

        lex = 0x7f6f4c004e60

        result = 0x7f6f4c1aa9e0

        res = <optimized out>

#17 0x000000000075968f in mysql_execute_command (thd=thd@entry=0x7f6f4c000c68, is_called_from_prepared_stmt=false) at /home/dan/repos/mariadb-server-11.4/sql/sql_parse.cc:3975

        privileges_requested = <optimized out>

        all_tables = 0x7f6f4c0300f0

        ots = {ctx = 0x7f6f4c004bc8, traceable = false}

        res = 1

        lex = 0x7f6f4c004e60

        select_lex = 0x7f6f4c02f538

        first_table = 0x7f6f4c0300f0

        unit = 0x7f6f4c004f40

        orig_binlog_format = BINLOG_FORMAT_MIXED

        orig_current_stmt_binlog_format = BINLOG_FORMAT_STMT

        error = <optimized out>

        wsrep_error_label = <optimized out>

#18 0x0000000000755064 in mysql_parse (thd=thd@entry=0x7f6f4c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f6f8c0ca320)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_parse.cc:7898

        found_semicolon = <optimized out>

        error = <optimized out>

        lex = 0x7f6f4c004e60

        err = <optimized out>

#19 0x0000000000753709 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f6f4c000c68, packet=packet@entry=0x7f6f4c0087e9 "", packet_length=packet_length@entry=140, blocking=true)

    at /home/dan/repos/mariadb-server-11.4/sql/sql_parse.cc:1904

        parser_state = {m_lip = {lookahead_token = -1, lookahead_yylval = 0x0, m_thd = 0x7f6f4c000c68, m_ptr = 0x7f6f4c02f44d "\004", m_tok_start = 0x7f6f4c02f44d "\004", 

            m_tok_end = 0x7f6f4c02f44d "\004", m_end_of_query = 0x7f6f4c02f44c "", m_tok_start_prev = 0x7f6f4c02f44c "", 

            m_buf = 0x7f6f4c02f3c0 "select json_array_intersect('[[\"1\", \"7\"], [\"2\", \"6\"], [\"4\", \"5\"], [\"3\", \"8\"]]', '[[\"2\",\"6\"],[\"3\",\"8\"],[\"4\",\"5\"],[\"1\",\"7\"]]') from mysql.user", m_buf_length = 140, m_echo = true, m_echo_saved = true, 

            m_cpp_buf = 0x7f6f4c02f4a8 "select json_array_intersect('[[\"1\", \"7\"], [\"2\", \"6\"], [\"4\", \"5\"], [\"3\", \"8\"]]', '[[\"2\",\"6\"],[\"3\",\"8\"],[\"4\",\"5\"],[\"1\",\"7\"]]') from mysql.user", m_cpp_ptr = 0x7f6f4c02f534 "", m_cpp_tok_start = 0x7f6f4c02f534 "", m_cpp_tok_start_prev = 0x7f6f4c02f534 "", m_cpp_tok_end = 0x7f6f4c02f534 "", m_body_utf8 = 0x0, 

            m_body_utf8_ptr = 0x0, m_cpp_utf8_processed_ptr = 0x0, next_state = MY_LEX_END, found_semicolon = 0x0, ignore_space = false, stmt_prepare_mode = false, multi_statements = true, 

            yylineno = 1, m_digest = 0x0, in_comment = NO_COMMENT, in_comment_saved = (PRESERVE_COMMENT | DISCARD_COMMENT | unknown: 0x7f6c), m_cpp_text_start = 0x7f6f4c02f530 "user", 

            m_cpp_text_end = 0x7f6f4c02f534 "", m_underscore_cs = 0x0}, m_yacc = {yacc_yyss = 0x0, yacc_yyvs = 0x0, m_set_signal_info = {m_item = {0x0 <repeats 13 times>}}, 

            m_lock_type = TL_READ_DEFAULT, m_mdl_type = MDL_SHARED_READ}, m_digest_psi = 0x0}

        packet_end = <optimized out>

        net = <optimized out>

        error = false

        do_end_of_statement = true

        drop_more_results = false

#20 0x00000000007554c2 in do_command (thd=thd@entry=0x7f6f4c000c68, blocking=true) at /home/dan/repos/mariadb-server-11.4/sql/sql_parse.cc:1417

        packet = 0x7f6f4c0087e8 "\002"

        net = <optimized out>

        command = COM_QUERY

        packet_length = 141

        return_value = <optimized out>

#21 0x000000000086ec1d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1367fad8, put_in_cache=<optimized out>) at /home/dan/repos/mariadb-server-11.4/sql/sql_connect.cc:1408

        create_user = true

        thr_create_utime = <optimized out>

        thd = 0x7f6f4c000c68

#22 0x000000000086ea50 in handle_one_connection (arg=arg@entry=0x1367fad8) at /home/dan/repos/mariadb-server-11.4/sql/sql_connect.cc:1320

        connect = 0x1367fad8

#23 0x0000000000b9196e in pfs_spawn_thread (arg=0x13571e38) at /home/dan/repos/mariadb-server-11.4/storage/perfschema/pfs.cc:2201

        typed_arg = 0x13571e38

        klass = <optimized out>

        pfs = <optimized out>

        user_start_routine = 0x86e9d0 <handle_one_connection(void*)>

        user_arg = 0x1367fad8

#24 0x00007f6fa287dfa8 in start_thread () from /lib64/libc.so.6

No symbol table info available.

#25 0x00007f6fa2901fcc in __clone3 () from /lib64/libc.so.6

No symbol table info available.

(gdb)