[MDEV-25784] Server crashes in Table_function_json_table::print upon SHOW FUNCTION CODE/SHOW CREATE VIEW, UBSAN: member access within null pointer Created: 2021-05-26  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: JSON, Stored routines
Affects Version/s: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.6, 10.11, 11.0, 11.1

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Rucha Deodhar
Resolution: Unresolved
Votes: 0
Labels: UBSAN

Issue Links:
Relates
relates to MDEV-23208 SIGSEGV in TABLE_LIST::print on SHOW ... Open

Description

CREATE FUNCTION f() RETURNS INT RETURN(SELECT c FROM JSON_TABLE('{}', '$' COLUMNS(c FOR ORDINALITY)) AS jt);
SHOW FUNCTION CODE f;
# Cleanup
DROP FUNCTION f;

10.6 71e1ddda

#3  <signal handler called>
#4  Table_function_json_table::print (this=0x7fcc900fa6a0, thd=0x7fcc90000db8, sql_table=0x7fcc900fb088, str=0x7fcca2b884a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/json_table.cc:1239
#5  0x000055bfc8d8f0a7 in TABLE_LIST::print (this=0x7fcc900fb088, thd=0x7fcc90000db8, eliminated_tables=0, str=0x7fcca2b884a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/sql_select.cc:27976
#6  0x000055bfc8d8e426 in print_table_array (thd=0x7fcc90000db8, eliminated_tables=0, str=0x7fcca2b884a0, table=0x7fcc90015a60, end=0x7fcc90015a68, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/sql_select.cc:27701
#7  0x000055bfc8d8eb25 in print_join (thd=0x7fcc90000db8, eliminated_tables=0, str=0x7fcca2b884a0, tables=0x7fcc901a0eb8, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/sql_select.cc:27857
#8  0x000055bfc8d8fb30 in st_select_lex::print (this=0x7fcc901a0d00, thd=0x7fcc90000db8, str=0x7fcca2b884a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/sql_select.cc:28164
#9  0x000055bfc91766a6 in subselect_single_select_engine::print (this=0x7fcc901a1b48, str=0x7fcca2b884a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/item_subselect.cc:4609
#10 0x000055bfc916899f in Item_subselect::print (this=0x7fcc901a19c0, str=0x7fcca2b884a0, query_type=QT_ITEM_ORIGINAL_FUNC_NULLIF) at /data/src/10.6/sql/item_subselect.cc:1114
#11 0x000055bfc8bf96e6 in sp_instr_freturn::print (this=0x7fcc901a1b88, str=0x7fcca2b884a0) at /data/src/10.6/sql/sp_head.cc:4212
#12 0x000055bfc8bf6f8c in sp_head::show_routine_code (this=0x7fcc9019fd40, thd=0x7fcc90000db8) at /data/src/10.6/sql/sp_head.cc:3393
#13 0x000055bfc8cfd5a0 in mysql_execute_command (thd=0x7fcc90000db8) at /data/src/10.6/sql/sql_parse.cc:5757
#14 0x000055bfc8d043ea in mysql_parse (thd=0x7fcc90000db8, rawbuf=0x7fcc900155b0 "SHOW FUNCTION CODE f", length=20, parser_state=0x7fcca2b89490) at /data/src/10.6/sql/sql_parse.cc:8019
#15 0x000055bfc8cf084e in dispatch_command (command=COM_QUERY, thd=0x7fcc90000db8, packet=0x7fcc9000b869 "", packet_length=20, blocking=true) at /data/src/10.6/sql/sql_parse.cc:1897
#16 0x000055bfc8cef1f3 in do_command (thd=0x7fcc90000db8, blocking=true) at /data/src/10.6/sql/sql_parse.cc:1406
#17 0x000055bfc8eab8ca in do_handle_one_connection (connect=0x55bfcbe3fd08, put_in_cache=true) at /data/src/10.6/sql/sql_connect.cc:1410
#18 0x000055bfc8eab626 in handle_one_connection (arg=0x55bfcbe3d068) at /data/src/10.6/sql/sql_connect.cc:1312
#19 0x000055bfc9416ae7 in pfs_spawn_thread (arg=0x55bfcbe3f858) at /data/src/10.6/storage/perfschema/pfs.cc:2201
#20 0x00007fcca8846609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x00007fcca841a293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The test case is not applicable to non-debug builds, due to the use of SHOW FUNCTION CODE, nor to earlier versions, due to the use of JSON_TABLE.

Comments
Comment by Elena Stepanova [ 2022-07-30 ]

Probably a duplicate of MDEV-23208.

Comment by Roel Van de Paar [ 2023-04-27 ]

I ran into this particular one also, with a very similar-looking test case. This issue is 10.6+ only. Very lightly sporadic.

CREATE VIEW v AS SELECT * FROM JSON_TABLE ('[]','$' COLUMNS (c INT EXISTS PATH '$')) AS d;
PREPARE p FROM 'SHOW CREATE VIEW v';
DROP VIEW v;
EXECUTE p;

Leads to:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

Core was generated by `/test/MD070423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005556dfff5dac in Table_function_json_table::print (
    this=0x1480a4021b10, thd=0x1480a4000d58, 
    sql_table=sql_table@entry=0x1480a4022b20, str=0x1481436e9600, 
    query_type=132) at /test/11.1_dbg/sql/json_table.cc:1317
[Current thread is 1 (Thread 0x1481436ec640 (LWP 3355628))]
(gdb) bt
#0  0x00005556dfff5dac in Table_function_json_table::print (this=0x1480a4021b10, thd=0x1480a4000d58, sql_table=sql_table@entry=0x1480a4022b20, str=0x1481436e9600, query_type=132) at /test/11.1_dbg/sql/json_table.cc:1317
#1  0x00005556dfe3cf11 in TABLE_LIST::print (this=0x1480a4022b20, thd=thd@entry=0x1480a4000d58, eliminated_tables=eliminated_tables@entry=0, str=str@entry=0x1481436e9600, query_type=query_type@entry=132) at /test/11.1_dbg/sql/sql_select.cc:30133
#2  0x00005556dfe3d556 in print_table_array (query_type=132, end=0x1480a4013200, table=0x1480a40131f8, str=0x1481436e9600, eliminated_tables=0, thd=0x1480a4000d58) at /test/11.1_dbg/sql/sql_select.cc:29858
#3  print_join (thd=thd@entry=0x1480a4000d58, eliminated_tables=0, str=str@entry=0x1481436e9600, tables=0x1480a40215c0, query_type=query_type@entry=132) at /test/11.1_dbg/sql/sql_select.cc:30014
#4  0x00005556dfe3decd in st_select_lex::print (this=this@entry=0x1480a4021400, thd=0x1480a4000d58, str=str@entry=0x1481436e9600, query_type=query_type@entry=132) at /test/11.1_dbg/sql/sql_select.cc:30340
#5  0x00005556dfd8c57c in st_select_lex_unit::print (this=0x1480a401f810, str=str@entry=0x1481436e9600, query_type=query_type@entry=132) at /test/11.1_dbg/sql/sql_lex.cc:3671
#6  0x00005556dfe63780 in show_create_view (buff=0x1481436e9600, table=0x1480a401ee78, thd=0x1480a4000d58) at /test/11.1_dbg/sql/sql_show.cc:2661
#7  mysqld_show_create_get_fields (thd=thd@entry=0x1480a4000d58, table_list=<optimized out>, table_list@entry=0x1480a401ee78, field_list=field_list@entry=0x1481436e95e0, buffer=buffer@entry=0x1481436e9600) at /test/11.1_dbg/sql/sql_show.cc:1251
#8  0x00005556dfe64746 in mysqld_show_create (thd=thd@entry=0x1480a4000d58, table_list=table_list@entry=0x1480a401ee78) at /test/11.1_dbg/sql/sql_show.cc:1328
#9  0x00005556dfdbd9fc in mysql_execute_command (thd=0x1480a4000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:4369
#10 0x00005556dfde8eb8 in Prepared_statement::execute (this=this@entry=0x1480a4019248, expanded_query=expanded_query@entry=0x1481436eac90, open_cursor=open_cursor@entry=false) at /test/11.1_dbg/sql/sql_prepare.cc:4992
#11 0x00005556dfde9254 in Prepared_statement::execute_loop (this=this@entry=0x1480a4019248, expanded_query=expanded_query@entry=0x1481436eac90, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/11.1_dbg/sql/sql_prepare.cc:4415
#12 0x00005556dfde9891 in mysql_sql_stmt_execute (thd=thd@entry=0x1480a4000d58) at /test/11.1_dbg/sql/sql_prepare.cc:3456
#13 0x00005556dfdbc9d1 in mysql_execute_command (thd=thd@entry=0x1480a4000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3960
#14 0x00005556dfdc2f05 in mysql_parse (thd=thd@entry=0x1480a4000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1481436eb230) at /test/11.1_dbg/sql/sql_parse.cc:7760
#15 0x00005556dfdc5099 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1480a4000d58, packet=packet@entry=0x1480a400ae49 "EXECUTE p", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:242
#16 0x00005556dfdc6ef5 in do_command (thd=0x1480a4000d58, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#17 0x00005556dff18cfc in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5556e3109188, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#18 0x00005556dff18f5b in handle_one_connection (arg=0x5556e3109188) at /test/11.1_dbg/sql/sql_connect.cc:1318
#19 0x0000148166aadb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x0000148166b3fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Bug confirmed present in:
MariaDB: 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (dbg), 10.11.3 (opt), 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt), 11.2.0 (dbg), 11.2.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

Comment by Roel Van de Paar [ 2023-04-27 ]

UBSAN: member access within null pointer:

11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Optimized, UBASAN)

2023-04-27 12:34:20 0 [Note] /test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-opt/bin/mariadbd: ready for connections.
Version: '11.0.2-MariaDB'  socket: '/test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-opt/socket.sock'  port: 11181  MariaDB Server
/test/11.0_opt_san/sql/json_table.cc:1317:37: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x5642fafff515 in Table_function_json_table::print(THD*, TABLE_LIST*, String*, enum_query_type) /test/11.0_opt_san/sql/json_table.cc:1317
    #1 0x5642fa3dd917 in TABLE_LIST::print(THD*, unsigned long long, String*, enum_query_type) /test/11.0_opt_san/sql/sql_select.cc:30132
    #2 0x5642fa3e203a in print_table_array /test/11.0_opt_san/sql/sql_select.cc:29857
    #3 0x5642fa3e203a in print_join /test/11.0_opt_san/sql/sql_select.cc:30013
    #4 0x5642fa3e46d7 in st_select_lex::print(THD*, String*, enum_query_type) /test/11.0_opt_san/sql/sql_select.cc:30339
    #5 0x5642f9ec5663 in st_select_lex_unit::print(String*, enum_query_type) /test/11.0_opt_san/sql/sql_lex.cc:3694
    #6 0x5642fa4e4978 in show_create_view /test/11.0_opt_san/sql/sql_show.cc:2661
    #7 0x5642fa4e4978 in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /test/11.0_opt_san/sql/sql_show.cc:1251
    #8 0x5642fa4e7b45 in mysqld_show_create(THD*, TABLE_LIST*) /test/11.0_opt_san/sql/sql_show.cc:1328
    #9 0x5642fa06dc71 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:4374
    #10 0x5642fa1772b7 in Prepared_statement::execute(String*, bool) /test/11.0_opt_san/sql/sql_prepare.cc:5223
    #11 0x5642fa179b85 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/11.0_opt_san/sql/sql_prepare.cc:4646
    #12 0x5642fa17bce4 in mysql_sql_stmt_execute(THD*) /test/11.0_opt_san/sql/sql_prepare.cc:3690
    #13 0x5642fa06db2c in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3965
    #14 0x5642fa081b02 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:7999
    #15 0x5642fa090445 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #16 0x5642fa098d58 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #17 0x5642fa999f7c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #18 0x5642fa99c57c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #19 0x14f503320b42 in start_thread nptl/pthread_create.c:442
    #20 0x14f5033b29ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
230427 12:34:35 [ERROR] mysqld got signal 11 ;

Comment by Roel Van de Paar [ 2023-04-27 ]

JSON_TABLE is available as of 10.6+, so this is not a regression: https://mariadb.com/kb/en/json_table/
