MariaDB Server: MDEV-39049

Server crashes in JSON_KEYS() on an invalid JSON value after SET NAMES utf8 with character_set_connection=utf32


Details

    • Can result in hang or crash

    Description

      --source include/have_log_bin.inc
       
      SET NAMES utf8,character_set_connection=utf32;
      SELECT JSON_KEYS ('{"S":-1.0,"D": {"o":,"a": }}');
      

      Leads to:

      CS 10.11.17 b127c8cf33cda918b51e390b4f3630fe85cdf0a1 (Debug, Clang 18.1.3-11) Build 11/03/2026

      Core was generated by `/test/MD110326-mariadb-10.11.17-linux-x86_64-dbg/bin/mariadbd --no-defaults --m'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000571c41c8c2cf in check_key_in_list (res=0x68d6e76fa4c0, key=0x68c76c013a20 "", key_len=4) at /test/10.11_dbg/sql/item_jsonfunc.cc:3801
       
      [Current thread is 1 (LWP 592628)]
      (gdb) bt
      #0  0x0000571c41c8c2cf in check_key_in_list (res=0x68d6e76fa4c0, key=0x68c76c013a20 "", key_len=4) at /test/10.11_dbg/sql/item_jsonfunc.cc:3801
      #1  0x0000571c41c8c042 in Item_func_json_keys::val_str (this=0x68c76c013c88, str=0x68d6e76fa4c0) at /test/10.11_dbg/sql/item_jsonfunc.cc:3881
      #2  0x0000571c41cd56ad in Type_handler::Item_send_str (this=0x571c43597618 <type_handler_varchar>, item=0x68c76c013c88, protocol=0x68c76c001378, buf=0x68d6e76fa490) at /test/10.11_dbg/sql/sql_type.cc:7699
      #3  0x0000571c41be80ad in Type_handler_string_result::Item_send (this=0x571c43597618 <type_handler_varchar>, item=0x68c76c013c88, protocol=0x68c76c001378, buf=0x68d6e76fa490) at /test/10.11_dbg/sql/sql_type.h:5552
      #4  0x0000571c418933ed in Item::send (this=0x68c76c013c88, protocol=0x68c76c001378, buffer=0x68d6e76fa490) at /test/10.11_dbg/sql/item.h:1272
      #5  0x0000571c418db602 in Protocol::send_result_set_row (this=0x68c76c001378, row_items=0x68c76c0137d8) at /test/10.11_dbg/sql/protocol.cc:1333
      #6  0x0000571c4199c65e in select_send::send_data (this=0x68c76c014b28, items=@0x68c76c0137d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x68c76c0141c0, last = 0x68c76c0141c0, elements = 1}, <No data fields>}) at /test/10.11_dbg/sql/sql_class.cc:3213
      #7  0x0000571c41af0260 in select_result_sink::send_data_with_check (this=0x68c76c014b28, items=@0x68c76c0137d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x68c76c0141c0, last = 0x68c76c0141c0, elements = 1}, <No data fields>}, u=0x68c76c005028, sent=0) at /test/10.11_dbg/sql/sql_class.h:6065
      #8  0x0000571c41ab3582 in JOIN::exec_inner (this=0x68c76c014b50) at /test/10.11_dbg/sql/sql_select.cc:4890
      #9  0x0000571c41ab2fb0 in JOIN::exec (this=0x68c76c014b50) at /test/10.11_dbg/sql/sql_select.cc:4807
      #10 0x0000571c41a8eef6 in mysql_select (thd=0x68c76c000d58, tables=0x0, fields=@0x68c76c0137d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x68c76c0141c0, last = 0x68c76c0141c0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x68c76c014b28, unit=0x68c76c005028, select_lex=0x68c76c013520) at /test/10.11_dbg/sql/sql_select.cc:5285
      #11 0x0000571c41a8e985 in handle_select (thd=0x68c76c000d58, lex=0x68c76c004f50, result=0x68c76c014b28, setup_tables_done_option=0) at /test/10.11_dbg/sql/sql_select.cc:601
      #12 0x0000571c41a36011 in execute_sqlcom_select (thd=0x68c76c000d58, all_tables=0x0) at /test/10.11_dbg/sql/sql_parse.cc:6463
      #13 0x0000571c41a29aea in mysql_execute_command (thd=0x68c76c000d58, is_called_from_prepared_stmt=false) at /test/10.11_dbg/sql/sql_parse.cc:4042
      #14 0x0000571c41a21c14 in mysql_parse (thd=0x68c76c000d58, rawbuf=0x68c76c013460 "SELECT JSON_KEYS ('{\"S\":-1.0,\"D\": {\"o\":,\"a\": }}')", length=49, parser_state=0x68d6e76fca20) at /test/10.11_dbg/sql/sql_parse.cc:8223
      #15 0x0000571c41a1f0b9 in dispatch_command (command=COM_QUERY, thd=0x68c76c000d58, packet=0x68c76c00aee9 "", packet_length=49, blocking=true) at /test/10.11_dbg/sql/sql_parse.cc:1924
      #16 0x0000571c41a227c3 in do_command (thd=0x68c76c000d58, blocking=true) at /test/10.11_dbg/sql/sql_parse.cc:1434
      #17 0x0000571c41c00209 in do_handle_one_connection (connect=0x571c82533808, put_in_cache=true) at /test/10.11_dbg/sql/sql_connect.cc:1475
      #18 0x0000571c41bfffa2 in handle_one_connection (arg=0x571c826196e8) at /test/10.11_dbg/sql/sql_connect.cc:1387
      #19 0x000070de99e9caa4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
      #20 0x000070de99f29c6c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      
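      A control run and an encoding check to read alongside the trace; this is an added example, not part of the original report. Frame #0 shows key_len=4 while gdb prints key as an empty C string. That is what the first key "S" looks like once the literal has been converted to utf32 (MariaDB's big-endian, 4-bytes-per-character encoding), where "S" is the bytes 00 00 00 53 and the leading NUL stops gdb's char* display. The script first runs the same statement under plain utf8 to show the behaviour expected of an unaffected build (JSON_KEYS returns NULL for invalid JSON, normally with a JSON syntax warning), then shows the character set and byte layout the literal gets under character_set_connection=utf32, and only then runs the statement from the report. The column aliases are mine; run it against a disposable server.

```sql
-- Added example, not from the report: control run, encoding check, then the
-- crashing statement. Run against a throwaway server, never a production one.

-- 1. Same invalid JSON under plain utf8: on an unaffected build JSON_KEYS
--    returns NULL and the statement completes.
SET NAMES utf8;
SELECT JSON_KEYS('{"S":-1.0,"D": {"o":,"a": }}') AS control;
SHOW WARNINGS;

-- 2. Reproduce the report's session state and inspect what a literal becomes:
--    a utf32 string in which ASCII "S" occupies 4 bytes, 00 00 00 53.
--    gdb stops printing a char* at the first NUL, which is why frame #0
--    shows key="" together with key_len=4.
SET NAMES utf8, character_set_connection=utf32;
SELECT CHARSET('{"S":-1.0}') AS literal_charset,   -- utf32
       HEX('S')              AS s_bytes;           -- 00000053

-- 3. The statement from the report. On the CS 10.11 debug build b127c8cf the
--    server terminates with SIGSEGV in check_key_in_list(); the other builds
--    in the matrix below completed it.
SELECT JSON_KEYS('{"S":-1.0,"D": {"o":,"a": }}');
```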

      Bug Detection Matrix

      CS = Community Server, ES = Enterprise Server; o/d = optimized or debug build.

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  110226  1758b2578a8cc7e193bb35de0d8dc9a5e517c89c  No bug found                  
      CS  10.6   opt  110226  1758b2578a8cc7e193bb35de0d8dc9a5e517c89c  No bug found                  
      CS  10.11  dbg  110326  b127c8cf33cda918b51e390b4f3630fe85cdf0a1  SIGSEGV|check_key_in_list|Item_func_json_keys::val_str|Type_handler::Item_send_str|Type_handler_string_result::Item_send
      CS  10.11  opt  110326  b127c8cf33cda918b51e390b4f3630fe85cdf0a1  No bug found                  
      CS  11.4   dbg  110326  d1cbc72785abbe1b0955ba6fc0d5f87e5b3e9ef7  No bug found                  
      CS  11.4   opt  110326  d1cbc72785abbe1b0955ba6fc0d5f87e5b3e9ef7  No bug found                  
      CS  11.8   dbg  110326  d477356e5b3365a18340ba17ea138eda14014687  No bug found                  
      CS  11.8   opt  110326  d477356e5b3365a18340ba17ea138eda14014687  No bug found                  
      CS  12.2   dbg  110226  d26a6f44c1f2119377e79a9540886c6d8c01472f  No bug found                  
      CS  12.2   opt  110226  d26a6f44c1f2119377e79a9540886c6d8c01472f  No bug found                  
      CS  12.3   dbg  110326  620733d35db2108dc34ad74f35f6b4cb2722b594  No bug found                  
      CS  12.3   opt  110326  620733d35db2108dc34ad74f35f6b4cb2722b594  No bug found                  
      CS  13.0   dbg  110326  ef4be39bfcbae1b0090a3098e511d14457d6139f  No bug found                  
      CS  13.0   opt  110326  ef4be39bfcbae1b0090a3098e511d14457d6139f  No bug found                  
      ES  10.5   dbg  040825  70586522eacf09d04d49962072e14325a75d8155  No bug found                  
      ES  10.5   opt  040825  70586522eacf09d04d49962072e14325a75d8155  No bug found                  
      ES  10.6   dbg  040825  9b794f34b48fb7eee490b6da44edc0f33a947447  No bug found                  
      ES  10.6   opt  040825  9b794f34b48fb7eee490b6da44edc0f33a947447  No bug found                  
      ES  11.4   dbg  040825  a1c03ccd54b582e75506687ee19b273ca897f261  No bug found                  
      ES  11.4   opt  040825  a1c03ccd54b582e75506687ee19b273ca897f261  No bug found                  
      ES  11.8   dbg  151025  780565c207e9ce0ebf7d8e3d59f223801447b619  No bug found                  
      ES  11.8   opt  151025  780565c207e9ce0ebf7d8e3d59f223801447b619  No bug found                  
      

          People

            rucha174 Rucha Deodhar
            ramesh Ramesh Sivaraman