SELECT JSON_MERGE_PATCH(NULL,1,JSON_MERGE('{"foo":"bar"}','{"baz":"qux"}'));

==3702799==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00003abf0 at pc 0x5562e4212450 bp 0x7fab5c437450 sp 0x7fab5c437440

READ of size 1 at 0x60d00003abf0 thread T5

    #0 0x5562e421244f in my_mb_wc_latin1 /data/src/10.3/strings/ctype-latin1.c:372

    #1 0x5562e4290976 in get_first_nonspace /data/src/10.3/strings/json_lib.c:687

    #2 0x5562e4292239 in json_read_value /data/src/10.3/strings/json_lib.c:944

    #3 0x5562e3316338 in do_merge_patch /data/src/10.3/sql/item_jsonfunc.cc:2254

    #4 0x5562e331896e in Item_func_json_merge_patch::val_str(String*) /data/src/10.3/sql/item_jsonfunc.cc:2471

    #5 0x5562e2ba84c9 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.3/sql/sql_type.cc:5408

    #6 0x5562e2bb1a17 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/data/bld/10.3-asan-nightly/bin/mysqld+0x155ea17)

    #7 0x5562e2409131 in Item::send(Protocol*, st_value*) /data/src/10.3/sql/item.h:884

    #8 0x5562e23fb852 in Protocol::send_result_set_row(List<Item>*) /data/src/10.3/sql/protocol.cc:999

    #9 0x5562e2595318 in select_send::send_data(List<Item>&) /data/src/10.3/sql/sql_class.cc:2966

    #10 0x5562e275d8b9 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:3995

    #11 0x5562e275c647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914

    #12 0x5562e27600b8 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4319

    #13 0x5562e2736d2e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370

    #14 0x5562e26a8d0e in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6316

    #15 0x5562e2696818 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3847

    #16 0x5562e26b2a81 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840

    #17 0x5562e26898c5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852

    #18 0x5562e26863fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398

    #19 0x5562e2a50ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403

    #20 0x5562e2a505a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308

    #21 0x5562e406a274 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

    #22 0x7fab672e9608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

    #23 0x7fab66ec3292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x60d00003abf0 is located 112 bytes inside of 140-byte region [0x60d00003ab80,0x60d00003ac0c)

freed by thread T5 here:

    #0 0x7fab678507cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)

    #1 0x5562e41b5aa5 in free_memory /data/src/10.3/mysys/safemalloc.c:279

    #2 0x5562e41b5021 in sf_realloc /data/src/10.3/mysys/safemalloc.c:187

    #3 0x5562e4182eb7 in my_realloc /data/src/10.3/mysys/my_malloc.c:166

    #4 0x5562e28a5d71 in String::realloc_raw(unsigned long) /data/src/10.3/sql/sql_string.cc:95

    #5 0x5562e240375a in String::realloc_with_extra(unsigned long) /data/src/10.3/sql/sql_string.h:394

    #6 0x5562e28ac99c in String::realloc_with_extra_if_needed(unsigned long) /data/src/10.3/sql/sql_string.h:406

    #7 0x5562e3303036 in append_simple /data/src/10.3/sql/item_jsonfunc.cc:53

    #8 0x5562e330308d in append_simple /data/src/10.3/sql/item_jsonfunc.cc:65

    #9 0x5562e331498a in do_merge /data/src/10.3/sql/item_jsonfunc.cc:2048

    #10 0x5562e3315922 in Item_func_json_merge::val_str(String*) /data/src/10.3/sql/item_jsonfunc.cc:2151

    #11 0x5562e24097ac in Item::val_json(String*) /data/src/10.3/sql/item.h:1190

    #12 0x5562e33186cf in Item_func_json_merge_patch::val_str(String*) /data/src/10.3/sql/item_jsonfunc.cc:2440

    #13 0x5562e2ba84c9 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.3/sql/sql_type.cc:5408

    #14 0x5562e2bb1a17 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/data/bld/10.3-asan-nightly/bin/mysqld+0x155ea17)

    #15 0x5562e2409131 in Item::send(Protocol*, st_value*) /data/src/10.3/sql/item.h:884

    #16 0x5562e23fb852 in Protocol::send_result_set_row(List<Item>*) /data/src/10.3/sql/protocol.cc:999

    #17 0x5562e2595318 in select_send::send_data(List<Item>&) /data/src/10.3/sql/sql_class.cc:2966

    #18 0x5562e275d8b9 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:3995

    #19 0x5562e275c647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914

    #20 0x5562e27600b8 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4319

    #21 0x5562e2736d2e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370

    #22 0x5562e26a8d0e in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6316

    #23 0x5562e2696818 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3847

    #24 0x5562e26b2a81 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840

    #25 0x5562e26898c5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852

    #26 0x5562e26863fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398

    #27 0x5562e2a50ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403

    #28 0x5562e2a505a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308

    #29 0x5562e406a274 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

previously allocated by thread T5 here:

    #0 0x7fab67850bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)

    #1 0x5562e41b4a15 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118

    #2 0x5562e418287d in my_malloc /data/src/10.3/mysys/my_malloc.c:101

    #3 0x5562e28a5a03 in String::real_alloc(unsigned long) /data/src/10.3/sql/sql_string.cc:44

    #4 0x5562e240369b in String::alloc(unsigned long) /data/src/10.3/sql/sql_string.h:379

    #5 0x5562e28a6118 in String::set_int(long long, bool, charset_info_st const*) /data/src/10.3/sql/sql_string.cc:127

    #6 0x5562e2e68c59 in Item_int::val_str(String*) /data/src/10.3/sql/item.cc:3690

    #7 0x5562e24097ac in Item::val_json(String*) /data/src/10.3/sql/item.h:1190

    #8 0x5562e33186cf in Item_func_json_merge_patch::val_str(String*) /data/src/10.3/sql/item_jsonfunc.cc:2440

    #9 0x5562e2ba84c9 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.3/sql/sql_type.cc:5408

    #10 0x5562e2bb1a17 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/data/bld/10.3-asan-nightly/bin/mysqld+0x155ea17)

    #11 0x5562e2409131 in Item::send(Protocol*, st_value*) /data/src/10.3/sql/item.h:884

    #12 0x5562e23fb852 in Protocol::send_result_set_row(List<Item>*) /data/src/10.3/sql/protocol.cc:999

    #13 0x5562e2595318 in select_send::send_data(List<Item>&) /data/src/10.3/sql/sql_class.cc:2966

    #14 0x5562e275d8b9 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:3995

    #15 0x5562e275c647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914

    #16 0x5562e27600b8 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4319

    #17 0x5562e2736d2e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370

    #18 0x5562e26a8d0e in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6316

    #19 0x5562e2696818 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3847

    #20 0x5562e26b2a81 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840

    #21 0x5562e26898c5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852

    #22 0x5562e26863fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398

    #23 0x5562e2a50ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403

    #24 0x5562e2a505a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308

    #25 0x5562e406a274 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

    #26 0x7fab672e9608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:

    #0 0x7fab6777d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)

    #1 0x5562e406a665 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919

    #2 0x5562e23b115e in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275

    #3 0x5562e23c9b2d in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6658

    #4 0x5562e23ca2c8 in create_new_thread /data/src/10.3/sql/mysqld.cc:6728

    #5 0x5562e23cb45a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6986

    #6 0x5562e23c8e1e in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6280

    #7 0x5562e23af95c in main /data/src/10.3/sql/main.cc:25

    #8 0x7fab66dc80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/strings/ctype-latin1.c:372 in my_mb_wc_latin1

Shadow bytes around the buggy address:

  0x0c1a7ffff520: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c1a7ffff530: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd

  0x0c1a7ffff540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa

  0x0c1a7ffff550: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd

  0x0c1a7ffff560: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa

=>0x0c1a7ffff570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd

  0x0c1a7ffff580: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c1a7ffff590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c1a7ffff5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c1a7ffff5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c1a7ffff5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==3702799==ABORTING

SELECT JSON_MERGE_PATCH(NULL,1,JSON_MERGE('{"foo":"bar"}','{"baz":"qux"}'));

JSON_MERGE_PATCH(NULL,1,JSON_MERGE('{"foo":"bar"}','{"baz":"qux"}'))

NULL

Warnings:

Warning	4038	Syntax error in JSON text in argument 1 to function 'json_merge_patch' at position 1

SELECT JSON_MERGE_PATCH(NULL,JSON_MERGE('{"foo":"bar"}','{"baz":"qux"}'));

JSON_MERGE_PATCH(NULL,JSON_MERGE('{"foo":"bar"}','{"baz":"qux"}'))

NULL