Details
- Type: Bug
- Status: Stalled
- Priority: Major
- Resolution: Unresolved
- Affects versions: 12.3, 13.0
- Environment: ubuntu22.04
- Not for Release Notes
Description
Summary
JSON_ARRAY_INTERSECT crashes the server when the first argument is a table column and the second is a constant JSON array literal. Swapping the argument order (constant first, column second) returns the correct result and does not crash.
Reproducible on MariaDB 12.3.1 (including the ASAN build). Likely root cause: Item_func_json_array_intersect::fix_length_and_dec() calls args[0]->val_json() before swapping a non-const first argument with a const second argument, then builds the intersection hash from the stale pre-swap buffer.
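To make the suspected ordering defect concrete, here is a small C++ model written for this report; it is not MariaDB's code, and the Item classes, the nullptr a column's val_json() returns at prepare time, and the int vectors standing in for JSON arrays are all assumptions. It shows that evaluating args[0] before the const/column swap hands the hash builder the column's unusable buffer, while swapping first yields the expected [2, 3].

```cpp
#include <set>
#include <utility>
#include <vector>

// Hypothetical, simplified model of the Item tree (not MariaDB's classes).
// A literal can be evaluated at prepare time; a column cannot, because no
// row has been read yet, so its val_json() yields no usable buffer (nullptr).
struct Item {
    virtual ~Item() = default;
    virtual bool const_item() const = 0;
    virtual const std::vector<int>* val_json() const = 0;
};
struct ItemConst : Item {
    std::vector<int> value;
    explicit ItemConst(std::vector<int> v) : value(std::move(v)) {}
    bool const_item() const override { return true; }
    const std::vector<int>* val_json() const override { return &value; }
};
struct ItemColumn : Item {
    bool const_item() const override { return false; }
    const std::vector<int>* val_json() const override { return nullptr; }
};

// Builds the lookup hash at prepare time. Returns false where the real server
// would dereference the stale buffer (the reported SIGSEGV).
bool prepare(Item* args[2], bool swap_before_eval, std::set<int>& hash) {
    const std::vector<int>* js = nullptr;
    if (!swap_before_eval) js = args[0]->val_json();      // buggy: evaluate, then swap
    if (!args[0]->const_item() && args[1]->const_item())  // normalise: const first
        std::swap(args[0], args[1]);
    if (swap_before_eval) js = args[0]->val_json();       // fixed: swap, then evaluate
    if (!js) return false;
    hash = std::set<int>(js->begin(), js->end());
    return true;
}
// JSON_ARRAY_INTERSECT(c, '[1,2,3]') for the row c = [2,3,4], both orderings.
bool buggy_order_faults() {
    ItemColumn c; ItemConst k({1, 2, 3});
    Item* args[2] = {&c, &k};
    std::set<int> hash;
    return !prepare(args, false, hash);
}
std::vector<int> fixed_order_result() {
    ItemColumn c; ItemConst k({1, 2, 3});
    Item* args[2] = {&c, &k};
    std::set<int> hash; std::vector<int> out;
    if (!prepare(args, true, hash)) return out;
    for (int v : {2, 3, 4}) if (hash.count(v)) out.push_back(v);
    return out;
}
```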
Minimal Reproducer

```sql
DROP TABLE IF EXISTS t;
CREATE TABLE t (
  c longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
    DEFAULT NULL CHECK (json_valid(c))
) ENGINE=InnoDB;

INSERT INTO t VALUES ('[2,3,4]');

-- CRASH (SIGSEGV)
SELECT JSON_ARRAY_INTERSECT(c, '[1,2,3]') FROM t;

-- Control: same semantics after internal const/column normalization: OK
SELECT JSON_ARRAY_INTERSECT('[1,2,3]', c) FROM t;

DROP TABLE t;
```
Expected result
Both queries should return [2, 3] without crashing.
Representative crash log

```text
Server version: 12.3.1-MariaDB-asan-log
source revision: 21a0714a118614982d20bfa504763d7247800091
Query: SELECT JSON_ARRAY_INTERSECT(c, '[1,2,3]') FROM t
got signal 11
```
Environment
| Item | Value |
|---|---|
| Version | 12.3.1-MariaDB-asan-log |
| Revision | 21a0714a118614982d20bfa504763d7247800091 |
| OS | Linux x86_64 (RHEL 8.10 kernel 4.18) |