[MDEV-21530] json_extract STILL crashes in Item_func_json_extract::read_json Created: 2020-01-19  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.1, 11.2
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: sbester1 Assignee: Rucha Deodhar
Resolution: Unresolved Votes: 0
Labels: crash
Environment: Linux x64


Issue Links:
Relates
relates to MDEV-16209 JSON_EXTRACT in query crashes server Closed

Description

Version: '10.5.0-MariaDB'  MariaDB Server
 
Thread 26 "mysqld" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff44af700 (LWP 23029)]
Item_func_json_extract::read_json at ./sql/item_jsonfunc.cc:757
757	in ./sql/item_jsonfunc.cc
(gdb) bt
#0  Item_func_json_extract::read_json at ./sql/item_jsonfunc.cc:757
#1  in Arg_comparator::compare_e_json_str_basic at ./sql/item_jsonfunc.cc:3603
#2  in Item_func_equal::val_int at ./sql/item_cmpfunc.cc:1795
#3  in Type_handler::Item_send_long at ./sql/sql_type.cc:7171
#4  in Protocol::send_result_set_row at ./sql/protocol.cc:1035
#5  in select_send::send_data at ./sql/sql_class.cc:3021
#6  in JOIN::exec_inner at ./sql/sql_select.cc:4259
#7  in JOIN::exec at ./sql/sql_select.cc:4172
#8  in mysql_select at ./sql/sql_select.cc:4596
#9  in handle_select at ./sql/sql_select.cc:428
#10 in execute_sqlcom_select at ./sql/sql_parse.cc:6217
#11 in mysql_execute_command at ./sql/sql_parse.cc:3905
#12 in mysql_parse at ./sql/sql_parse.cc:7986
#13 in dispatch_command at ./sql/sql_parse.cc:1846
#14 in do_command at ./sql/sql_parse.cc:1364
#15 in do_handle_one_connection at ./sql/sql_connect.cc:1422
#16 in handle_one_connection at ./sql/sql_connect.cc:1319
#17 in start_thread at pthread_create.c:479

How to Repeat:

select null<=>json_extract('1',json_object(null,'{ }',null,null),'{}');

Comments
Comment by Alice Sherepa [ 2020-01-20 ]

sbester1 Thanks!

10.2 c4195305b2a8431f39a4c75cc1c

=================================================================
==28787==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000005b0 at pc 0x00000127a455 bp 0x7f7350f07320 sp 0x7f7350f07310
READ of size 8 at 0x62b0000005b0 thread T5
    #0 0x127a454 in Item_func_json_extract::read_json(String*, json_value_types*, char**, int*) /10.2/sql/item_jsonfunc.cc:768
    #1 0x12908cf in Arg_comparator::compare_e_json_str_basic(Item*, Item*) /10.2/sql/item_jsonfunc.cc:3611
    #2 0xe92b2e in Arg_comparator::compare_e_json_str() /10.2/sql/item_cmpfunc.cc:1169
    #3 0xec9a80 in Arg_comparator::compare() /10.2/sql/item_cmpfunc.h:87
    #4 0xe991b3 in Item_func_equal::val_int() /10.2/sql/item_cmpfunc.cc:1814
    #5 0xe4ff24 in Item::send(Protocol*, String*) /10.2/sql/item.cc:6958
    #6 0x63ebd3 in Protocol::send_result_set_row(List<Item>*) /10.2/sql/protocol.cc:990
    #7 0x75de98 in select_send::send_data(List<Item>&) /10.2/sql/sql_class.cc:2725
    #8 0x8b68fe in JOIN::exec_inner() /10.2/sql/sql_select.cc:3505
    #9 0x8b581d in JOIN::exec() /10.2/sql/sql_select.cc:3424
    #10 0x8b8c32 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.2/sql/sql_select.cc:3824
    #11 0x897d8f in handle_select(THD*, LEX*, select_result*, unsigned long) /10.2/sql/sql_select.cc:373
    #12 0x81c264 in execute_sqlcom_select /10.2/sql/sql_parse.cc:6225
    #13 0x80aa77 in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:3532
    #14 0x824d1a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7740
    #15 0x801381 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1831
    #16 0x7fe477 in do_command(THD*) /10.2/sql/sql_parse.cc:1385
    #17 0xb3809c in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
    #18 0xb37a80 in handle_one_connection /10.2/sql/sql_connect.cc:1241
    #19 0x1d27d11 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1862
    #20 0x7f735c5196b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7f735b9ae41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
