[MDEV-29188] Crash in JSON_EXTRACT Created: 2022-07-28  Updated: 2022-07-29  Resolved: 2022-07-29

Status: Closed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4, 10.9.2

Type: Bug Priority: Blocker
Reporter: Marko Mäkelä Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: crash, not-10.3, regression-10.4


Description

The following test will crash 10.4 but not 10.3:

CREATE TABLE t1 (j JSON);
 
INSERT INTO t1 VALUES
  ('{"ID": "4", "Name": "Betty", "Age": 19}'),
  ('[10, 20, [30, 40]]');
 
SELECT * FROM t1 WHERE JSON_EXTRACT(j, '$.Age')=19;

This was reduced from the crash in the test spider/bugfix.mdev_24517 after a merge from 10.3 to 10.4 on a CI builder:

10.4 3bb36e949534fc4a24d68d4297663ae8b80ba336

CURRENT_TEST: spider/bugfix.mdev_24517
mysqltest: At line 57: query 'SELECT * FROM tbl_a WHERE JSON_EXTRACT(j, '$.Age')=19' failed: 1158: Got an error reading communication packets

The following would fix it, but cause an inconsistent result in the test main.func_json:

diff --git a/sql/item_jsonfunc.cc b/sql/item_jsonfunc.cc
index 93ebb520ffc..5794ac952bf 100644
--- a/sql/item_jsonfunc.cc
+++ b/sql/item_jsonfunc.cc
@@ -1107,7 +1107,8 @@ my_decimal *Item_func_json_extract::val_decimal(my_decimal *to)
     };
   }
   int2my_decimal(E_DEC_FATAL_ERROR, 0, false/*unsigned_flag*/, to);
-  return to;
+  null_value= 1;
+  return 0;
 }
 
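Review bot: the added `null_value= 1; return 0;` at the end of `Item_func_json_extract::val_decimal` turns every path that falls out of the switch into NULL, and the main.func_json difference quoted below shows that this path is also reached for a valid JSON boolean (`{"x":false}` cast to DECIMAL now yields NULL instead of 0), so the change conflates "JSON value is a boolean" with "JSON could not be parsed". Consider handling the boolean case explicitly before the fallthrough and setting `null_value` only on a real error; with `null_value` set, the preceding `int2my_decimal(E_DEC_FATAL_ERROR, 0, false/*unsigned_flag*/, to);` is also dead work and could be dropped from the error path. Whatever policy is chosen should be applied to `val_real` as well, otherwise DOUBLE and DECIMAL casts of the same JSON value disagree.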

The result difference is as follows:

CURRENT_TEST: main.func_json
--- /mariadb/10.4/mysql-test/main/func_json.result	2022-02-10 16:53:33.683230501 +0200
+++ /mariadb/10.4/mysql-test/main/func_json.reject	2022-07-28 09:13:13.375261554 +0300
@@ -932,7 +932,7 @@
 CAST(JSON_EXTRACT('{"x":false}', '$.x') AS DOUBLE) AS cf,
 CAST(JSON_EXTRACT('{"x":false}', '$.x') AS DECIMAL) AS cd;
 cf	cd
-0	0
+0	NULL
 #
 # MDEV-24585 Assertion `je->s.cs == nice_js->charset()' failed in json_nice.
 #
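Review bot: the inconsistency in this hunk is within a single row: `cf` (CAST AS DOUBLE) still returns 0 for `{"x":false}` while `cd` (CAST AS DECIMAL) now returns NULL, so either the .result file should not simply be updated to accept `0	NULL`, or the DOUBLE conversion needs the same treatment as the DECIMAL one before the expected output is changed. Accepting this diff as-is would bake the DOUBLE/DECIMAL disagreement into the test expectations.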

I think that it would be consistent to return NULL on any error (including the conversion to DOUBLE).


Generated at Thu Feb 08 10:06:35 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.