[MDEV-37640] Crash at String::append - Jira

XML

Word

Printable

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.11, 11.4, 11.8, 12.1, 12.1.1
Fix Version/s: 10.11, 11.4, 11.8, 12.1
Component/s: JSON, Server
Labels:
- crash
Environment:
Ubuntu 20.04 x86-64, docker image mariadb:12.1.1

Description

PoC:

SELECT ( WITH x AS ( WITH x AS ( SELECT 1.000000 ) SELECT ( REPEAT ( ( json_normalize ( ' \t-1' ) ) , 357 ) ) x ) SELECT x FROM x WHERE x IN ( x , x ) )

docker log:

#0 0x645d6ed31ac2 (_ZN6String6appendEPKcm+0x42)

#1 0x645d6eec7b32 (_ZN24Item_func_json_normalize7val_strEP6String+0x152)

#2 0x645d6f1e2bd1 (_ZN16Item_func_repeat7val_strEP6String+0x61)

#3 0x645d6f12ac96 (_ZN9in_string3setEjP4Item+0x56)

#4 0x645d6f12f8de (_ZN12Item_func_in13fix_in_vectorEv+0x5e)

#5 0x645d6ef42760 (_ZNK26Type_handler_string_result44Item_func_in_fix_comparator_compatible_typesEP3THDP12Item_func_in+0x1f0)

#6 0x645d6f12f44f (_ZN12Item_func_in18fix_length_and_decEP3THD+0xcf)

#7 0x645d6f172a68 (_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x1d8)

#8 0x645d6ec7879b (_ZN4JOIN14optimize_innerEv+0x14eb)

#9 0x645d6ec6af8b (_ZN4JOIN8optimizeEv+0x13b)

#10 0x645d6ed845ab (_ZN18st_select_lex_unit8optimizeEv+0x74b)

#11 0x645d6eb7bed3 (_ZL22mysql_derived_optimizeP3THDP3LEXP10TABLE_LIST+0x183)

#12 0x645d6eb7e418 (_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x158)

#13 0x645d6ec79687 (_ZN4JOIN14optimize_innerEv+0x23d7)

#14 0x645d6ec6af8b (_ZN4JOIN8optimizeEv+0x13b)

#15 0x645d6ed845ab (_ZN18st_select_lex_unit8optimizeEv+0x74b)

#16 0x645d6eb7bed3 (_ZL22mysql_derived_optimizeP3THDP3LEXP10TABLE_LIST+0x183)

#17 0x645d6eb7e418 (_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0x158)

#18 0x645d6ec79687 (_ZN4JOIN14optimize_innerEv+0x23d7)

#19 0x645d6ec6af8b (_ZN4JOIN8optimizeEv+0x13b)

#20 0x645d6ebafeac (_ZN13st_select_lex31optimize_unflattened_subqueriesEb+0x69c)

#21 0x645d6eea4987 (_ZN4JOIN28optimize_constant_subqueriesEv+0x47)

#22 0x645d6ec7808e (_ZN4JOIN14optimize_innerEv+0xdde)

#23 0x645d6ec6af8b (_ZN4JOIN8optimizeEv+0x13b)

#24 0x645d6ec60c04 (_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x514)

#25 0x645d6ec60635 (_Z13handle_selectP3THDP3LEXP13select_resulty+0x265)

#26 0x645d6ec00fc8 (_ZL21execute_sqlcom_selectP3THDP10TABLE_LIST+0x698)

#27 0x645d6ebf7095 (_Z21mysql_execute_commandP3THDb+0x3f65)

#28 0x645d6ebec485 (_Z11mysql_parseP3THDPcjP12Parser_state+0x345)

#29 0x645d6ebe89d1 (_Z16dispatch_command19enum_server_commandP3THDPcjb+0x16b1)

#30 0x645d6ebeccd1 (_Z10do_commandP3THDb+0x4b1)

#31 0x645d6ee22b74 (_Z24do_handle_one_connectionP7CONNECTb+0x2a4)

#32 0x645d6ee227a3 (handle_one_connection+0xd3)

#33 0x645d6f4eb0b4 (pfs_spawn_thread+0x104)

#34 0x76e401a36609 (start_thread+0xd9)

#35 0x76e401758353 (clone+0x43)

Attachments

Issue Links

duplicates

MDEV-33984 Server crashes at Item_func_json_keys::val_str

Confirmed

Activity

People

Assignee:: Rucha Deodhar

Reporter:: Yuxiao Guo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-09-11 11:02

Updated:: 2025-09-15 11:00

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.