[MDEV-26392] Crash with json_get_path_next and 10.5.12

Created: 2021-08-18
Updated: 2023-01-18
Resolved: 2023-01-18

Status: Closed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.5.12
Fix Version/s: 10.5.19

Type: Bug
Priority: Critical
Reporter: Johan Wikman
Assignee: Rucha Deodhar
Resolution: Fixed
Votes: 0
Labels: affects-tests, crash
Environment: Ubuntu 18.04

Issue Links:
Blocks: MXS-3583 Take actual MongoDB test-suite into use (Closed)

 Description   

The table is created like:

 CREATE TABLE `test`.`arrNestTest` (
    id VARCHAR(80) AS (JSON_COMPACT(JSON_EXTRACT(doc, "$._id"))) UNIQUE KEY,
    doc JSON, 
    CONSTRAINT id_not_null CHECK(id IS NOT NULL));

Stacktrace:

bin/mariadbd(json_get_path_next+0x45)[0x55ba30fb8a25]
bin/mariadbd(_ZN22Item_func_json_extract9read_jsonEP6StringP16json_value_typesPPcPi+0x492)[0x55ba30ab7cd2]
bin/mariadbd(_ZN22Item_func_json_extract7val_strEP6String+0x19)[0x55ba30ab7da9]
bin/mariadbd(_ZN21Item_func_json_format7val_strEP6String+0x3b)[0x55ba30ab6e4b]
bin/mariadbd(_ZN4Item17save_str_in_fieldEP5Fieldb+0x61)[0x55ba3094b5d1]
bin/mariadbd(_ZN4Item13save_in_fieldEP5Fieldb+0x36)[0x55ba3093cb16]
bin/mariadbd(_ZN5TABLE21update_virtual_fieldsEP7handler21enum_vcol_update_mode+0x327)[0x55ba307de067]
bin/mariadbd(_Z11fill_recordP3THDP5TABLER4ListI4ItemES6_bb+0x346)[0x55ba306b5526]
bin/mariadbd(_Z36fill_record_n_invoke_before_triggersP3THDP5TABLER4ListI4ItemES6_b14trg_event_type+0x39)[0x55ba306b5769]
bin/mariadbd(_Z12mysql_insertP3THDP10TABLE_LISTR4ListI4ItemERS3_IS5_ES6_S6_15enum_duplicatesbP13select_result+0x17f4)[0x55ba306e94c4]
bin/mariadbd(_Z21mysql_execute_commandP3THD+0x2a70)[0x55ba3071fff0]
bin/mariadbd(_ZN13sp_instr_stmt9exec_coreEP3THDPj+0x15)[0x55ba30675545]
bin/mariadbd(_ZN13sp_lex_keeper23reset_lex_and_exec_coreEP3THDPjbP8sp_instr+0x164)[0x55ba3067dbc4]
bin/mariadbd(_ZN13sp_instr_stmt7executeEP3THDPj+0x5b3)[0x55ba3067e5b3]
bin/mariadbd(_ZN7sp_head7executeEP3THDb+0xad4)[0x55ba306795a4]
bin/mariadbd(_ZN7sp_head17execute_procedureEP3THDP4ListI4ItemE+0x7ef)[0x55ba3067ab2f]
bin/mariadbd(+0x78c7aa)[0x55ba307127aa]
bin/mariadbd(_Z21mysql_execute_commandP3THD+0x11a7)[0x55ba3071e727]
bin/mariadbd(_Z11mysql_parseP3THDPcjP12Parser_statebb+0x21c)[0x55ba30722e3c]
bin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x199a)[0x55ba3072583a]
bin/mariadbd(_Z10do_commandP3THD+0xff)[0x55ba30726b5f]
bin/mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x1b2)[0x55ba308125a2]
bin/mariadbd(handle_one_connection+0x34)[0x55ba30812874]
bin/mariadbd(+0xc1731d)[0x55ba30b9d31d]
nptl/pthread_create.c:463(start_thread)[0x7f73ffbc66db]
x86_64/clone.S:97(clone)[0x7f73fefc471f]

Full crash output:

210817 22:13:10 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.5.12-MariaDB
key_buffer_size=16777216
read_buffer_size=131072
max_used_connections=2
max_threads=153
thread_count=2
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 353183 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x7f7370000c18
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f73fc264db0 thread_stack 0x30000
addr2line: 'bin/mariadbd': No such file
bin/mariadbd(my_print_stacktrace+0x2e)[0x55ba30f5787e]
Printing to addr2line failed
bin/mariadbd(handle_fatal_signal+0x307)[0x55ba309246f7]
??:0(__restore_rt)[0x7f73ffbd1980]
addr2line: 'bin/mariadbd': No such file
bin/mariadbd(json_get_path_next+0x45)[0x55ba30fb8a25]
bin/mariadbd(_ZN22Item_func_json_extract9read_jsonEP6StringP16json_value_typesPPcPi+0x492)[0x55ba30ab7cd2]
bin/mariadbd(_ZN22Item_func_json_extract7val_strEP6String+0x19)[0x55ba30ab7da9]
bin/mariadbd(_ZN21Item_func_json_format7val_strEP6String+0x3b)[0x55ba30ab6e4b]
bin/mariadbd(_ZN4Item17save_str_in_fieldEP5Fieldb+0x61)[0x55ba3094b5d1]
bin/mariadbd(_ZN4Item13save_in_fieldEP5Fieldb+0x36)[0x55ba3093cb16]
bin/mariadbd(_ZN5TABLE21update_virtual_fieldsEP7handler21enum_vcol_update_mode+0x327)[0x55ba307de067]
bin/mariadbd(_Z11fill_recordP3THDP5TABLER4ListI4ItemES6_bb+0x346)[0x55ba306b5526]
bin/mariadbd(_Z36fill_record_n_invoke_before_triggersP3THDP5TABLER4ListI4ItemES6_b14trg_event_type+0x39)[0x55ba306b5769]
bin/mariadbd(_Z12mysql_insertP3THDP10TABLE_LISTR4ListI4ItemERS3_IS5_ES6_S6_15enum_duplicatesbP13select_result+0x17f4)[0x55ba306e94c4]
bin/mariadbd(_Z21mysql_execute_commandP3THD+0x2a70)[0x55ba3071fff0]
bin/mariadbd(_ZN13sp_instr_stmt9exec_coreEP3THDPj+0x15)[0x55ba30675545]
bin/mariadbd(_ZN13sp_lex_keeper23reset_lex_and_exec_coreEP3THDPjbP8sp_instr+0x164)[0x55ba3067dbc4]
bin/mariadbd(_ZN13sp_instr_stmt7executeEP3THDPj+0x5b3)[0x55ba3067e5b3]
bin/mariadbd(_ZN7sp_head7executeEP3THDb+0xad4)[0x55ba306795a4]
bin/mariadbd(_ZN7sp_head17execute_procedureEP3THDP4ListI4ItemE+0x7ef)[0x55ba3067ab2f]
bin/mariadbd(+0x78c7aa)[0x55ba307127aa]
bin/mariadbd(_Z21mysql_execute_commandP3THD+0x11a7)[0x55ba3071e727]
bin/mariadbd(_Z11mysql_parseP3THDPcjP12Parser_statebb+0x21c)[0x55ba30722e3c]
bin/mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x199a)[0x55ba3072583a]
bin/mariadbd(_Z10do_commandP3THD+0xff)[0x55ba30726b5f]
bin/mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x1b2)[0x55ba308125a2]
bin/mariadbd(handle_one_connection+0x34)[0x55ba30812874]
bin/mariadbd(+0xc1731d)[0x55ba30b9d31d]
nptl/pthread_create.c:463(start_thread)[0x7f73ffbc66db]
x86_64/clone.S:97(clone)[0x7f73fefc471f]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f737110ef20): INSERT INTO `test`.`arrNestTest` (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }')
 
Connection ID (thread ID): 585
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /var/lib/mysql
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max file size             unlimited            unlimited            bytes     
Max data size             unlimited            unlimited            bytes     
Max stack size            8388608              unlimited            bytes     
Max core file size        0                    unlimited            bytes     
Max resident set          unlimited            unlimited            bytes     
Max processes             158854               158854               processes 
Max open files            32190                32190                files     
Max locked memory         67108864             67108864             bytes     
Max address space         unlimited            unlimited            bytes     
Max file locks            unlimited            unlimited            locks     
Max pending signals       158854               158854               signals   
Max msgqueue size         819200               819200               bytes     
Max nice priority         0                    0                    
Max realtime priority     0                    0                    
Max realtime timeout      unlimited            unlimited            us        
Core pattern: |/usr/share/apport/apport %p %s %c %d %P %E

Executing the reported statement manually does not result in a crash but in a syntax error.



 Comments   
Comment by markus makela [ 2021-08-18 ]

Ran into the same problem when executing it with a direct connection. I was using the 10.5.12 docker image.

210818  7:04:32 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
Server version: 10.5.12-MariaDB-1:10.5.12+maria~focal-log
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=203
max_threads=153
thread_count=4
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 489494 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
Thread pointer: 0x7f88a002c598
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f87e26b4d58 thread_stack 0x49000
mysqld(my_print_stacktrace+0x32)[0x55afd8a833a2]
Printing to addr2line failed
mysqld(handle_fatal_signal+0x485)[0x55afd84d60b5]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x153c0)[0x7f88ffcaa3c0]
mysqld(json_get_path_next+0x49)[0x55afd8ae50f9]
mysqld(_ZN22Item_func_json_extract9read_jsonEP6StringP16json_value_typesPPcPi+0x343)[0x55afd867a133]
mysqld(_ZN22Item_func_json_extract7val_strEP6String+0x1d)[0x55afd867a56d]
mysqld(_ZN21Item_func_json_format7val_strEP6String+0x39)[0x55afd8679699]
mysqld(_ZN4Item17save_str_in_fieldEP5Fieldb+0x65)[0x55afd84fc915]
mysqld(_ZN4Item13save_in_fieldEP5Fieldb+0x37)[0x55afd84ee4a7]
mysqld(_ZN5TABLE21update_virtual_fieldsEP7handler21enum_vcol_update_mode+0x110)[0x55afd839e880]
mysqld(_Z11fill_recordP3THDP5TABLER4ListI4ItemES6_bb+0x375)[0x55afd8260105]
mysqld(_Z36fill_record_n_invoke_before_triggersP3THDP5TABLER4ListI4ItemES6_b14trg_event_type+0x41)[0x55afd8260351]
mysqld(_Z12mysql_insertP3THDP10TABLE_LISTR4ListI4ItemERS3_IS5_ES6_S6_15enum_duplicatesbP13select_result+0x114f)[0x55afd828e67f]
mysqld(_Z21mysql_execute_commandP3THD+0x1338)[0x55afd82c8338]
mysqld(_Z11mysql_parseP3THDPcjP12Parser_statebb+0x21f)[0x55afd82b742f]
mysqld(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x1395)[0x55afd82c3d45]
mysqld(_Z10do_commandP3THD+0x11c)[0x55afd82c630c]
mysqld(_Z24do_handle_one_connectionP7CONNECTb+0x421)[0x55afd83cca61]
mysqld(handle_one_connection+0x5d)[0x55afd83ccedd]
mysqld(+0xbd0a36)[0x55afd872ea36]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x9609)[0x7f88ffc9e609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7f88ff88c293]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f88a00684a0): INSERT INTO `test`.`arrNestTest` (doc) VALUES ('{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] } ] }')
Connection ID (thread ID): 3789
Status: NOT_KILLED
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /var/lib/mysql
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max file size             unlimited            unlimited            bytes     
Max data size             unlimited            unlimited            bytes     
Max stack size            8388608              unlimited            bytes     
Max core file size        unlimited            unlimited            bytes     
Max resident set          unlimited            unlimited            bytes     
Max processes             unlimited            unlimited            processes 
Max open files            1024                 1024                 files     
Max locked memory         65536                65536                bytes     
Max address space         unlimited            unlimited            bytes     
Max file locks            unlimited            unlimited            locks     
Max pending signals       127158               127158               signals   
Max msgqueue size         819200               819200               bytes     
Max nice priority         0                    0                    
Max realtime priority     0                    0                    
Max realtime timeout      unlimited            unlimited            us        
Core pattern: |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

Comment by Johan Wikman [ 2021-08-18 ]

The INSERT in the crash report results in a syntax error. However, if the two deepest nested documents are removed, that is,

INSERT ... [ { "a" : [ { "a" : [ { "a" : 1.0 } ] } ] ...

is replaced with

INSERT ... [ { "a" : 1.0 } ] ...

the INSERT succeeds.
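
A pre-insert guard for the behaviour described in the comment above, as an added example that is not part of the original thread or of MariaDB's code: it measures the bracket nesting depth of a document so an application in front of an unpatched 10.5.12 server can refuse over-deep input before it reaches the JSON_EXTRACT virtual column. The names `MAX_DEPTH`, `json_nesting_depth`, `is_safe_to_insert` and `nested_doc` are hypothetical, and the limit of 27 is an assumption: it is the depth of the reduced document the comment reports as inserting successfully.

```python
# Added example: depth guard for JSON documents bound for an affected server.
# Assumption: 27 is the nesting depth of the reduced document reported to insert
# cleanly in the thread; depths between 27 and the crashing 31 are not covered there.
MAX_DEPTH = 27


def json_nesting_depth(text: str) -> int:
    """Return the deepest level of [] / {} nesting, ignoring brackets inside strings.

    Scans characters instead of calling json.loads, so hostile input cannot
    exhaust the Python recursion limit. Raises ValueError on unbalanced input.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if depth != 0 or in_string:
        raise ValueError("unterminated JSON document")
    return deepest


def is_safe_to_insert(text: str, limit: int = MAX_DEPTH) -> bool:
    """True when the document nests no deeper than the configured limit."""
    return json_nesting_depth(text) <= limit


def nested_doc(arrays: int) -> str:
    """Constructed sample in the shape of the reported document: `arrays` levels of "a" : [ { ... } ]."""
    body = '{ "a" : 1.0 }'
    for _ in range(arrays):
        body = '{ "a" : [ ' + body + " ] }"
    return '{ "_id" : { "$oid" : "611c0a463b150154132f6636" }, ' + body[2:]
```

`nested_doc(15)` reproduces the shape of the document in the crash report and `nested_doc(13)` the reduced one; the guard rejects the first and accepts the second.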

Comment by Rucha Deodhar [ 2022-12-29 ]

Patch: https://github.com/MariaDB/server/commit/1758876d71ec117d57bad32e9c098297ee25b365

Comment by Alexey Botchkov [ 2023-01-17 ]

ok to push.
