[MDEV-21528] json_arrayagg crashes in Item_func_group_concat::add, Assertion `(ptr != __null && end >= ptr) || (ptr == __null && end == __null)' failed in copy_fields Created: 2020-01-19  Updated: 2020-06-04  Resolved: 2020-06-04

Status: Closed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.5.0, 10.5
Fix Version/s: 10.5.4

Type: Bug Priority: Major
Reporter: sbester1 Assignee: Alexey Botchkov
Resolution: Fixed Votes: 0
Labels: None
Environment: Linux x64

Issue Links:
Duplicate
is duplicated by MDEV-21912 JSON_ARRAYAGG(NULL) crashes the server Closed
Relates
relates to MDEV-16620 Add support for JSON_ARRAYAGG and JSO... Closed

Description

Version: '10.5.0-MariaDB' MariaDB Server

Thread 20 "mysqld" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff44af700 (LWP 21758)]
in Item_func_group_concat::add at ./sql/item_sum.cc:4019
4019	in ./sql/item_sum.cc
(gdb) bt
#0  in Item_func_group_concat::add at ./sql/item_sum.cc:4019
#1  in Item_sum::aggregator_add at ./sql/item_sum.h:559
#2  in Item_sum::reset_and_add at ./sql/item_sum.h:444
#3  in init_sum_functions at ./sql/sql_select.cc:25309
#4  in end_send_group at ./sql/sql_select.cc:21689
#5  in do_select at ./sql/sql_select.cc:19789
#6  in JOIN::exec_inner at ./sql/sql_select.cc:4391
#7  in JOIN::exec at ./sql/sql_select.cc:4172
#8  in mysql_select at ./sql/sql_select.cc:4596
#9  in handle_select at ./sql/sql_select.cc:428
#10 in execute_sqlcom_select at ./sql/sql_parse.cc:6217
#11 in mysql_execute_command at ./sql/sql_parse.cc:3905
#12 in mysql_parse at ./sql/sql_parse.cc:7986
#13 in dispatch_command at ./sql/sql_parse.cc:1846
#14 in do_command at ./sql/sql_parse.cc:1364
#15 in do_handle_one_connection at ./sql/sql_connect.cc:1422
#16 in handle_one_connection at ./sql/sql_connect.cc:1319
#17 in start_thread at pthread_create.c:479

How to Repeat
select json_arrayagg(null);

Comments
Comment by Alice Sherepa [ 2020-03-11 ]

10.5 574d8b29402f9826f73e

#7  0x00007f7f2b581102 in __GI___assert_fail (assertion=0x56274942f620 "(ptr != __null && end >= ptr) || (ptr == __null && end == __null)", file=0x56274942ca38 "/10.5/sql/sql_select.cc", line=25197, function=0x562749432f00 <copy_fields(TMP_TABLE_PARAM*)::__PRETTY_FUNCTION__> "void copy_fields(TMP_TABLE_PARAM*)") at assert.c:101
#8  0x0000562748730585 in copy_fields (param=0x7f7f140156f8) at /10.5/sql/sql_select.cc:25197
#9  0x0000562748af04f7 in Item_func_group_concat::add (this=0x7f7f14014168, exclude_nulls=false) at /10.5/sql/item_sum.cc:3998
#10 0x0000562748c0a183 in Item_func_json_arrayagg::add (this=0x7f7f14014168) at /10.5/sql/item_jsonfunc.h:561
#11 0x0000562748af2603 in Aggregator_simple::add (this=0x7f7f140156e8) at /10.5/sql/item_sum.h:717
#12 0x000056274873e85f in Item_sum::aggregator_add (this=0x7f7f14014168) at /10.5/sql/item_sum.h:559
#13 0x000056274873e74a in Item_sum::reset_and_add (this=0x7f7f14014168) at /10.5/sql/item_sum.h:444
#14 0x00005627487316f8 in init_sum_functions (func_ptr=0x7f7f14015540, end_ptr=0x7f7f14015548) at /10.5/sql/sql_select.cc:25564
#15 0x0000562748727fab in end_send_group (join=0x7f7f14014f18, join_tab=0x0, end_of_records=false) at /10.5/sql/sql_select.cc:21930
#16 0x000056274872364c in do_select (join=0x7f7f14014f18, procedure=0x0) at /10.5/sql/sql_select.cc:20019
#17 0x00005627486f7ea7 in JOIN::exec_inner (this=0x7f7f14014f18) at /10.5/sql/sql_select.cc:4456
#18 0x00005627486f6fd3 in JOIN::exec (this=0x7f7f14014f18) at /10.5/sql/sql_select.cc:4237
#19 0x00005627486f86f4 in mysql_select (thd=0x7f7f14000d78, tables=0x0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f7f14014ef0, unit=0x7f7f14004d80, select_lex=0x7f7f14013c20) at /10.5/sql/sql_select.cc:4661
#20 0x00005627486e8432 in handle_select (thd=0x7f7f14000d78, lex=0x7f7f14004cb8, result=0x7f7f14014ef0, setup_tables_done_option=0) at /10.5/sql/sql_select.cc:415
#21 0x00005627486ae04f in execute_sqlcom_select (thd=0x7f7f14000d78, all_tables=0x0) at /10.5/sql/sql_parse.cc:6147
#22 0x00005627486a4d32 in mysql_execute_command (thd=0x7f7f14000d78) at /10.5/sql/sql_parse.cc:3899
#23 0x00005627486b2ee0 in mysql_parse (thd=0x7f7f14000d78, rawbuf=0x7f7f14013b80 "select json_arrayagg(null)", length=26, parser_state=0x7f7f25f32510, is_com_multi=false, is_next_command=false) at /10.5/sql/sql_parse.cc:7926
#24 0x000056274869eb2e in dispatch_command (command=COM_QUERY, thd=0x7f7f14000d78, packet=0x7f7f14008cf9 "", packet_length=26, is_com_multi=false, is_next_command=false) at /10.5/sql/sql_parse.cc:1839
#25 0x000056274869d26c in do_command (thd=0x7f7f14000d78) at /10.5/sql/sql_parse.cc:1358
#26 0x000056274883c32e in do_handle_one_connection (connect=0x56274b308c38, put_in_cache=true) at /10.5/sql/sql_connect.cc:1422
#27 0x000056274883c05e in handle_one_connection (arg=0x56274b371718) at /10.5/sql/sql_connect.cc:1319
#28 0x0000562748d618a1 in pfs_spawn_thread (arg=0x56274b3e9a88) at /10.5/storage/perfschema/pfs.cc:2201
#29 0x00007f7f2c019fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#30 0x00007f7f2b64a4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Alexey Botchkov [ 2020-06-04 ]

https://github.com/MariaDB/server/commit/bb47050e1fdc49aa56fb55c8c55ff81ba24d355b

Generated at Thu Feb 08 09:07:49 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.