[MDEV-16054] simple json functions flatline cpu on garbage input Created: 2018-04-27  Updated: 2018-07-31  Resolved: 2018-07-31

Status: Closed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.3.6, 10.2, 10.3
Fix Version/s: 10.2.17

Type: Bug Priority: Major
Reporter: sbester1 Assignee: Alexey Botchkov
Resolution: Fixed Votes: 0
Labels: None
Environment: Win x64

Description

MariaDB [(none)]> select * from information_schema.processlist where user<>'system user' and id<>connection_id()\G
*************************** 1. row ***************************
             ID: 8
           USER: root
           HOST:
             DB: test
        COMMAND: Query
           TIME: 121
          STATE: NULL
           INFO: do json_array(1,uuid(),compress(5.140264e+307))
        TIME_MS: 121143.104
          STAGE: 0
      MAX_STAGE: 0
       PROGRESS: 0.000
    MEMORY_USED: 76104
MAX_MEMORY_USED: 76104
  EXAMINED_ROWS: 0
       QUERY_ID: 1
    INFO_BINARY: do json_array(1,uuid(),compress(5.140264e+307))
            TID: 0
1 row in set (0.002 sec)

How to Repeat:

do json_array(1,uuid(),compress(5.140264e+307));
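An illustrative model of this failure class, added here as an example and not MariaDB's json_escape() (the backtrace below names the function but the page shows neither its source nor the fix): an escape loop that makes no progress on a byte its character set cannot decode, beside a form that either consumes input or returns on every iteration. The sample bytes are the first four from the backtrace; the function and constant names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the first four bytes of the string shown in the
   report's backtrace (\234 \063 \325 \063), not decodable as UTF-8. */
const unsigned char kGarbage[] = { 0x9C, '3', 0xD5, '3' };

/* Length of the well-formed UTF-8 sequence at p, or 0 for an illegal lead
   byte, a bad continuation byte or a truncated tail (mb_wc() style). */
static int utf8_seq_len(const unsigned char *p, const unsigned char *end)
{
    int n, i;
    if (p[0] < 0x80) return 1;
    if (p[0] >= 0xC2 && p[0] <= 0xDF) n = 2;
    else if ((p[0] & 0xF0) == 0xE0) n = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) n = 4;
    else return 0;
    if (end - p < n) return 0;
    for (i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    return n;
}
/* Model of the defect class (quote escaping omitted so the loop stays
   visible): an illegal sequence appends nothing but str is never advanced,
   so the same byte is examined forever; max_steps is a demo-only bound. */
long escape_buggy(const unsigned char *str, size_t len, unsigned char *out, size_t outsz, unsigned long max_steps)
{
    const unsigned char *end = str + len; size_t o = 0; int n;
    while (str < end) {
        if (max_steps-- == 0) return -2;              /* would spin: report it */
        if ((n = utf8_seq_len(str, end)) > 0) {
            if (o + (size_t)n > outsz) return -1;     /* out of space */
            memcpy(out + o, str, (size_t)n); o += (size_t)n; str += n;
        }                                             /* else: no progress */
    }
    return (long)o;
}
/* Fixed form: an illegal sequence is rejected outright, so every iteration
   either consumes input or returns; a caller must not retry on -3. */
long escape_fixed(const unsigned char *str, size_t len, unsigned char *out, size_t outsz)
{
    const unsigned char *end = str + len; size_t o = 0; int n;
    while (str < end) {
        if ((n = utf8_seq_len(str, end)) == 0) return -3;   /* illegal symbol */
        if (o + (size_t)n > outsz) return -1;
        memcpy(out + o, str, (size_t)n); o += (size_t)n; str += n;
    }
    return (long)o;
}
```

The same shape applies to any byte-walking loop over untrusted data: the invariant to check in review is that each pass either advances the cursor or leaves the loop.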



Comments
Comment by Elena Stepanova [ 2018-04-27 ]

Thanks for the report and test case.

10.3 6c5e60f1b1

Thread 2 (Thread 0x7f90c24d8700 (LWP 28367)):
#0  json_escape (str_cs=0x557d71c8b1c0 <my_charset_utf8_general_ci>, str=0x7f90b0037fc5 "\234\063\325\063\064\061\060\062\063I560\a", str_end=0x7f90b0037fd8 "f0038c3", json_cs=0x557d71ad9000 <my_charset_bin>, json=0x7f90c24d60d2 "\001\260\003", json_end=0x7f90c24d61dd "\031") at /data/src/10.3/strings/json_lib.c:1582
#1  0x0000557d70a1a274 in st_append_escaped (s=0x7f90c24d6070, a=0x7f90b0015448) at /data/src/10.3/sql/item_jsonfunc.cc:102
#2  0x0000557d70a1e0eb in append_json_value (str=0x7f90c24d6070, item=0x7f90b0015250, tmp_val=0x7f90b0015448) at /data/src/10.3/sql/item_jsonfunc.cc:1432
#3  0x0000557d70a1e484 in Item_func_json_array::val_str (this=0x7f90b0015388, str=0x7f90c24d6070) at /data/src/10.3/sql/item_jsonfunc.cc:1500
#4  0x0000557d70541652 in Item_str_func::update_null_value (this=0x7f90b0015388) at /data/src/10.3/sql/item_strfunc.h:73
#5  0x0000557d705059bf in Item_func::is_null (this=0x7f90b0015388) at /data/src/10.3/sql/item_func.h:172
#6  0x0000557d709df9dc in mysql_do (thd=0x7f90b0000b00, values=...) at /data/src/10.3/sql/sql_do.cc:35
#7  0x0000557d7055853d in mysql_execute_command (thd=0x7f90b0000b00) at /data/src/10.3/sql/sql_parse.cc:3797
#8  0x0000557d70565706 in mysql_parse (thd=0x7f90b0000b00, rawbuf=0x7f90b0014eb0 "do json_array(1,uuid(),compress(5.140264e+307))", length=47, parser_state=0x7f90c24d75d0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8001
#9  0x0000557d70552ee9 in dispatch_command (command=COM_QUERY, thd=0x7f90b0000b00, packet=0x7f90b008ff91 "do json_array(1,uuid(),compress(5.140264e+307))", packet_length=47, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1846
#10 0x0000557d70551928 in do_command (thd=0x7f90b0000b00) at /data/src/10.3/sql/sql_parse.cc:1391
#11 0x0000557d706b488d in do_handle_one_connection (connect=0x557d73338270) at /data/src/10.3/sql/sql_connect.cc:1402
#12 0x0000557d706b461a in handle_one_connection (arg=0x557d73338270) at /data/src/10.3/sql/sql_connect.cc:1308
#13 0x0000557d70b38f55 in pfs_spawn_thread (arg=0x557d733fa6e0) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#14 0x00007f90ca007494 in start_thread (arg=0x7f90c24d8700) at pthread_create.c:333
#15 0x00007f90c83ed93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Comment by Alexey Botchkov [ 2018-07-31 ]

http://lists.askmonty.org/pipermail/commits/2018-July/012745.html
