MariaDB Server / MDEV-39877

Crash in JSON_SCHEMA_VALID on nested multipleOf: 0

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 12.3.1
    • N/A
    • JSON
    • None
    • ubuntu22.04
    • Not for Release Notes

    Description

      Summary

      A nested invocation of JSON_SCHEMA_VALID can crash the server with SIGFPE when the schema contains:

      { "multipleOf" : 0 }
      

      The direct form correctly reports:

      ERROR 4193 (HY000): Invalid value for keyword multipleOf
      

      but the nested form:

      SELECT JSON_SCHEMA_VALID(JSON_SCHEMA_VALID(@schema, '2'), '2');
      

      terminates mysqld with signal 8.

      This appears related to MDEV-30704 (same multipleOf handling area), but the symptom here is a server crash rather than an incorrect validation result.

      Version

      MariaDB 12.3.1-MariaDB-asan
      

      Minimal Reproducer

      SET @schema = '{ "multipleOf" : 0}';
       
      -- expected user error
      SELECT JSON_SCHEMA_VALID(@schema, '2');
       
      -- server crash
      SELECT JSON_SCHEMA_VALID(JSON_SCHEMA_VALID(@schema, '2'), '2');
      

      Actual Result

      Direct form:

      ERROR 4193 (HY000): Invalid value for keyword multipleOf
      

      Nested form:

      got signal 8
      

      Representative stack frames:

      Json_schema_multiple_of::validate(...)
      Item_func_json_schema_valid::val_bool()
      Item_func_json_schema_valid::fix_length_and_dec(...)
      

      Example query recorded in mysqld.err:

      SELECT JSON_SCHEMA_VALID(JSON_SCHEMA_VALID(@schema, '2'), '2');
      

      Expected Result

      The nested statement should not crash the server.

      Possible acceptable outcomes include:

      • propagating ERROR 4193
      • returning NULL
      • returning FALSE

      Any user-visible error is preferable to terminating mysqld.

      Notes

      The issue appears specific to nested evaluation of JSON_SCHEMA_VALID.

      The direct call path correctly rejects:

      { "multipleOf" : 0 }
      

      without crashing.

      The nested form reaches a different execution path during preparation/evaluation and results in SIGFPE.

      Possible Cause

      Based on the stack trace, the crash appears to originate from Json_schema_multiple_of::validate() when handling a schema whose multipleOf value is zero.

      The implementation may continue processing after reporting an invalid multipleOf value, allowing a later modulo operation to execute with a zero divisor.

      Environment

      Item        Value
      ----------  -------------------
      Version     12.3.1-MariaDB-asan
      Platform    Linux x86_64
      Build       ASAN
      Reproduced  2026-06-06

      Related

      • MDEV-30704 (same JSON_SCHEMA_VALID / multipleOf area, different symptom)
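
The failure pattern suggested under "Possible Cause", as an added C++ example: a caller drops the result of the schema check, so only a guard inside the validation step keeps the zero divisor away from the modulo. This is not MariaDB source code; MultipleOfKeyword, prepare, validate, validate_unguarded and evaluate_ignoring_prepare_error are hypothetical names, and an integer divisor is assumed.

```cpp
#include <cstdio>
#include <string>

enum class Verdict { VALID, INVALID, SCHEMA_ERROR };

// Hypothetical model of one schema keyword; not the server's real class.
struct MultipleOfKeyword {
  long long divisor = 0;
  bool prepared = false;  // true only after the schema value was accepted

  // Schema check: JSON Schema requires multipleOf to be strictly greater than 0.
  bool prepare(long long schema_value, std::string &err) {
    prepared = false;
    if (schema_value <= 0) {
      err = "Invalid value for keyword multipleOf";
      return false;  // error reported, but the object still exists
    }
    divisor = schema_value;
    prepared = true;
    return true;
  }

  // Unguarded form: correct only if every caller stops after a failed prepare().
  // With divisor == 0 the integer modulo raises SIGFPE on x86-64 Linux.
  bool validate_unguarded(long long n) const { return n % divisor == 0; }

  // Guarded form: re-checks its own precondition before dividing.
  Verdict validate(long long n) const {
    if (!prepared || divisor <= 0) return Verdict::SCHEMA_ERROR;
    return (n % divisor == 0) ? Verdict::VALID : Verdict::INVALID;
  }
};

// Models a call path that ignores prepare()'s failure (assumed here to be
// what the nested form does) and goes straight on to validation.
Verdict evaluate_ignoring_prepare_error(long long schema_value, long long n) {
  MultipleOfKeyword kw;
  std::string err;
  kw.prepare(schema_value, err);  // return value deliberately dropped
  return kw.validate(n);          // validate_unguarded(n) would trap here for 0
}

int main() {
  Verdict v = evaluate_ignoring_prepare_error(0, 2);
  std::printf("multipleOf 0 -> %s\n",
              v == Verdict::SCHEMA_ERROR ? "schema error" : "unexpected");
  return v == Verdict::SCHEMA_ERROR ? 0 : 1;
}
```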

            People

              Unassigned Unassigned
              mu mu