[MDEV-30691] Assertion `strlen(Ptr) == str_length' failed in void Binary_string::chop() Created: 2023-02-21  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: debug


 Description   

-- Reproducer for the Binary_string::chop() assertion `strlen(Ptr) == str_length'
-- (sql_string.h:327 in the backtrace below). utf32 is a fixed 4-byte-per-character
-- charset, so even ASCII text carries NUL bytes inside the buffer.
SET @@collation_connection=utf32_czech_ci;
-- Build one large JSON array literal: '[' + 625000 copies of '1234567,' + '2345678]'.
SET @arr=CONCAT_WS('','[',REPEAT ('1234567,',1250000/2),'2345678]');
-- Pretty-printing runs json_nice() (item_jsonfunc.cc:400), which calls chop();
-- the assertion fires on debug builds only (see the dbg/opt lists below).
-- NOTE(review): strlen() stops at the first NUL byte, which would explain why it
-- disagrees with str_length for a multi-byte charset - confirm against json_nice().
SELECT JSON_DETAILED (@arr);

Leads to

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

mariadbd: /test/11.0_dbg/sql/sql_string.h:327: void Binary_string::chop(): Assertion `strlen(Ptr) == str_length' failed.

11.0.1 f2dc4d4c10ac36a73b5c1eb765352d3aee808d66 (Debug)

Core was generated by `/test/GAL_MD200223-mariadb-11.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults -'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x147e8dcfa700 (LWP 645034))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055635bb9c960 in my_write_core (sig=sig@entry=6) at /test/11.0_dbg/mysys/stacktrace.c:424
#2  0x000055635b4981df in handle_fatal_signal (sig=6) at /test/11.0_dbg/sql/signal_handler.cc:357
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#5  0x0000147eab2b8859 in __GI_abort () at abort.c:79
#6  0x0000147eab2b8729 in __assert_fail_base (fmt=0x147eab44e588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55635bd451e2 "strlen(Ptr) == str_length", file=0x55635bd41380 "/test/11.0_dbg/sql/sql_string.h", line=327, function=<optimized out>) at assert.c:92
#7  0x0000147eab2c9fd6 in __GI___assert_fail (assertion=assertion@entry=0x55635bd451e2 "strlen(Ptr) == str_length", file=file@entry=0x55635bd41380 "/test/11.0_dbg/sql/sql_string.h", line=line@entry=327, function=function@entry=0x55635bd451fc "void Binary_string::chop()") at assert.c:101
#8  0x000055635b37ee15 in Binary_string::chop (this=0x147e8dcf8058) at /test/11.0_dbg/sql/sql_string.h:327
#9  json_nice (je=je@entry=0x147e8dcf7e70, nice_js=nice_js@entry=0x147e8dcf8050, mode=Item_func_json_format::DETAILED, tab_size=tab_size@entry=4) at /test/11.0_dbg/sql/item_jsonfunc.cc:400
#10 0x000055635b38274d in Item_func_json_format::val_str (this=0x147e340137a0, str=0x147e8dcf8050) at /test/11.0_dbg/sql/item_jsonfunc.cc:3994
#11 0x000055635b3c7be2 in Type_handler::Item_send_str (this=<optimized out>, item=0x147e340137a0, protocol=0x147e34001358, buf=<optimized out>) at /test/11.0_dbg/sql/sql_type.cc:7454
#12 0x000055635b30129f in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.0_dbg/sql/sql_type.h:5460
#13 0x000055635b089c4c in Item::send (this=0x147e340137a0, protocol=0x147e34001358, buffer=0x147e8dcf8020) at /test/11.0_dbg/sql/item.h:1235
#14 0x000055635b0c17d7 in Protocol::send_result_set_row (this=this@entry=0x147e34001358, row_items=row_items@entry=0x147e34013480) at /test/11.0_dbg/sql/protocol.cc:1332
#15 0x000055635b149b83 in select_send::send_data (this=0x147e34014198, items=@0x147e34013480: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147e34013878, last = 0x147e34013878, elements = 1}, <No data fields>}) at /test/11.0_dbg/sql/sql_class.cc:3102
#16 0x000055635b240b01 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.0_dbg/sql/sql_class.h:5748
#17 JOIN::exec_inner (this=this@entry=0x147e340141c0) at /test/11.0_dbg/sql/sql_select.cc:4754
#18 0x000055635b241a89 in JOIN::exec (this=this@entry=0x147e340141c0) at /test/11.0_dbg/sql/sql_select.cc:4666
#19 0x000055635b23fa48 in mysql_select (thd=thd@entry=0x147e34000d48, tables=0x0, fields=@0x147e34013480: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147e34013878, last = 0x147e34013878, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x147e34014198, unit=0x147e34004f90, select_lex=0x147e340131c8) at /test/11.0_dbg/sql/sql_select.cc:5146
#20 0x000055635b2401b9 in handle_select (thd=thd@entry=0x147e34000d48, lex=lex@entry=0x147e34004eb8, result=result@entry=0x147e34014198, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.0_dbg/sql/sql_select.cc:608
#21 0x000055635b1a628c in execute_sqlcom_select (thd=thd@entry=0x147e34000d48, all_tables=0x0) at /test/11.0_dbg/sql/sql_parse.cc:6267
#22 0x000055635b1b258c in mysql_execute_command (thd=thd@entry=0x147e34000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.0_dbg/sql/sql_parse.cc:3949
#23 0x000055635b1a05f6 in mysql_parse (thd=thd@entry=0x147e34000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x147e8dcf9300) at /test/11.0_dbg/sql/sql_parse.cc:8002
#24 0x000055635b1add11 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147e34000d48, packet=packet@entry=0x147e3400ae09 "", packet_length=packet_length@entry=27, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_class.h:1370
#25 0x000055635b1b0154 in do_command (thd=0x147e34000d48, blocking=blocking@entry=true) at /test/11.0_dbg/sql/sql_parse.cc:1407
#26 0x000055635b31449a in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55635dc6d608, put_in_cache=put_in_cache@entry=true) at /test/11.0_dbg/sql/sql_connect.cc:1416
#27 0x000055635b31496c in handle_one_connection (arg=0x55635dc6d608) at /test/11.0_dbg/sql/sql_connect.cc:1318
#28 0x0000147eab7c9609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#29 0x0000147eab3b5133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.4.28 (dbg), 10.5.19 (dbg), 10.6.12 (dbg), 10.7.8 (dbg), 10.8.7 (dbg), 10.9.5 (dbg), 10.10.3 (dbg), 10.11.2 (dbg), 11.0.1 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.28 (opt), 10.5.19 (opt), 10.6.12 (opt), 10.7.8 (opt), 10.8.7 (opt), 10.9.5 (opt), 10.10.3 (opt), 10.11.2 (opt), 11.0.1 (opt)



 Comments   
Comment by Ramesh Sivaraman [ 2023-06-26 ]

Another test case, which produces a slightly different stack

-- Second reproducer: the same chop() assertion (sql_string.h:404) reached through
-- JSON_ARRAY_INTERSECT instead of JSON_DETAILED, with a tiny input.
-- ucs2 is a fixed 2-byte-per-character charset, so ASCII text contains NUL bytes.
SET character_set_database=ucs2;
-- Presumably makes the connection pick up ucs2 from the database charset set above;
-- frame #5 of the backtrace below shows charset = my_charset_ucs2_general_ci.
SET CHARACTER SET DEFAULT;
-- Two identical small arrays are enough; input size is not a factor here.
SET @json2='[[1,2,3],[4,5,6],[1,3,2]]';
SET @json1='[[1,2,3],[4,5,6],[1,3,2]]';
-- Calls get_intersect_between_arrays() (item_jsonfunc.cc:5144) -> Binary_string::chop().
SELECT JSON_ARRAY_INTERSECT (@json1,@json2);

Leads to

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Debug)

mariadbd: /test/mtest/MDEV-5816/11.1_dbg/sql/sql_string.h:404: void Binary_string::chop(): Assertion `strlen(Ptr) == str_length' failed.

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Debug)

Core was generated by `/test/mtest/MDEV-5816/MD190623-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd --n'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x153012cdf700 (LWP 3178010))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x000015305c6c5859 in __GI_abort () at abort.c:79
#2  0x000015305c6c5729 in __assert_fail_base (fmt=0x15305c85b588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55b6538b5482 "strlen(Ptr) == str_length", file=0x55b6538b1518 "/test/mtest/MDEV-5816/11.1_dbg/sql/sql_string.h", line=404, function=<optimized out>) at assert.c:92
#3  0x000015305c6d6fd6 in __GI___assert_fail (assertion=assertion@entry=0x55b6538b5482 "strlen(Ptr) == str_length", file=file@entry=0x55b6538b1518 "/test/mtest/MDEV-5816/11.1_dbg/sql/sql_string.h", line=line@entry=404, function=function@entry=0x55b6538b549c "void Binary_string::chop()") at assert.c:101
#4  0x000055b652ebbf1e in Binary_string::chop (this=0x153012cdcd18) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_string.h:404
#5  get_intersect_between_arrays (items={key_offset = 0, key_length = 0, blength = 1, records = 0, flags = 0, array = {buffer = 0x152fe001d738 "\377\377\377\377\241t\204\250\060\226\001\340/\025", elements = 0, max_element = 511, alloc_increment = 511, size_of_element = 16, m_psi_key = 0, malloc_flags = 0}, get_key = 0x55b652edb19b <get_key_name(char const*, unsigned long*, char)>, hash_function = 0x55b6536eb2c6 <my_hash_sort>, free = 0x0, charset = 0x55b65429a6e0 <my_charset_ucs2_general_ci>}, value=0x153012cdcd50, str=0x153012cdd020) at /test/mtest/MDEV-5816/11.1_dbg/sql/item_jsonfunc.cc:5144
#6  Item_func_json_array_intersect::val_str (this=0x152fe0013970, str=0x153012cdd020) at /test/mtest/MDEV-5816/11.1_dbg/sql/item_jsonfunc.cc:5173
#7  0x000055b652f18abe in Type_handler::Item_send_str (this=<optimized out>, item=0x152fe0013970, protocol=0x152fe0001358, buf=<optimized out>) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_type.cc:7446
#8  0x000055b652e39f25 in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_type.h:5455
#9  0x000055b652bc5b6e in Item::send (this=0x152fe0013970, protocol=0x152fe0001358, buffer=0x153012cdcff0) at /test/mtest/MDEV-5816/11.1_dbg/sql/item.h:1235
#10 0x000055b652bfd387 in Protocol::send_result_set_row (this=this@entry=0x152fe0001358, row_items=row_items@entry=0x152fe0013530) at /test/mtest/MDEV-5816/11.1_dbg/sql/protocol.cc:1332
#11 0x000055b652c7ffe9 in select_send::send_data (this=0x152fe0014480, items=@0x152fe0013530: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152fe0013b28, last = 0x152fe0013b28, elements = 1}, <No data fields>}) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_class.cc:3125
#12 0x000055b652d786de in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_class.h:5756
#13 JOIN::exec_inner (this=this@entry=0x152fe00144a8) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_select.cc:4799
#14 0x000055b652d7968c in JOIN::exec (this=this@entry=0x152fe00144a8) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_select.cc:4710
#15 0x000055b652d77523 in mysql_select (thd=thd@entry=0x152fe0000d48, tables=<optimized out>, fields=@0x152fe0013530: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x152fe0013b28, last = 0x152fe0013b28, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x152fe0014480, unit=0x152fe0004fa0, select_lex=0x152fe0013278) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_select.cc:5239
#16 0x000055b652d77ca9 in handle_select (thd=thd@entry=0x152fe0000d48, lex=lex@entry=0x152fe0004ec0, result=result@entry=0x152fe0014480, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_select.cc:627
#17 0x000055b652cdcaa7 in execute_sqlcom_select (thd=thd@entry=0x152fe0000d48, all_tables=0x0) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_parse.cc:6030
#18 0x000055b652ce8e30 in mysql_execute_command (thd=thd@entry=0x152fe0000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_parse.cc:3944
#19 0x000055b652cd6f0b in mysql_parse (thd=thd@entry=0x152fe0000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x153012cde300) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_parse.cc:7769
#20 0x000055b652ce45d6 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x152fe0000d48, packet=packet@entry=0x152fe000ae89 "", packet_length=packet_length@entry=43, blocking=blocking@entry=true) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_class.h:1371
#21 0x000055b652ce6aad in do_command (thd=0x152fe0000d48, blocking=blocking@entry=true) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_parse.cc:1405
#22 0x000055b652e4d3df in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b656137238, put_in_cache=put_in_cache@entry=true) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_connect.cc:1416
#23 0x000055b652e4d8ae in handle_one_connection (arg=0x55b656137238) at /test/mtest/MDEV-5816/11.1_dbg/sql/sql_connect.cc:1318
#24 0x000015305cbd6609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x000015305c7c2133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment by Ramesh Sivaraman [ 2023-08-04 ]

Another reduced test case

-- Third reproducer: the same chop() assertion (sql_string.h:404) via JSON_KEY_VALUE.
-- utf16le is a 2-byte (or 4-byte surrogate pair) charset; ASCII text contains NUL bytes.
SET collation_connection='utf16le_general_ci';
-- Calls Item_func_json_key_value::get_key_value() (item_jsonfunc.cc:4920) -> chop().
-- A single-key object is sufficient to trigger it.
SELECT JSON_KEY_VALUE('{"key1":"val1"}', '$');

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Debug)

mariadbd: /test/11.2_dbg/sql/sql_string.h:404: void Binary_string::chop(): Assertion `strlen(Ptr) == str_length' failed.

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Debug)

Core was generated by `/test/MD270723-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
[Current thread is 1 (Thread 0x14677657f700 (LWP 893839))]
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x0000146793315859 in __GI_abort () at abort.c:79
#2  0x0000146793315729 in __assert_fail_base (fmt=0x1467934ab588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x561209fda402 "strlen(Ptr) == str_length", file=0x561209fd6588 "/test/11.2_dbg/sql/sql_string.h", line=404, function=<optimized out>) at assert.c:92
#3  0x0000146793326fd6 in __GI___assert_fail (assertion=assertion@entry=0x561209fda402 "strlen(Ptr) == str_length", file=file@entry=0x561209fd6588 "/test/11.2_dbg/sql/sql_string.h", line=line@entry=404, function=function@entry=0x561209fda41c "void Binary_string::chop()") at assert.c:101
#4  0x00005612095f1051 in Binary_string::chop (this=0x14677657cff8) at /test/11.2_dbg/sql/sql_string.h:404
#5  Item_func_json_key_value::get_key_value (this=this@entry=0x14672c013a58, je=je@entry=0x14677657ce20, str=str@entry=0x14677657cff0) at /test/11.2_dbg/sql/item_jsonfunc.cc:4920
#6  0x00005612095f1168 in Item_func_json_key_value::val_str (this=0x14672c013a58, str=0x14677657cff0) at /test/11.2_dbg/sql/item_jsonfunc.cc:4959
#7  0x0000561209646442 in Type_handler::Item_send_str (this=<optimized out>, item=0x14672c013a58, protocol=0x14672c001358, buf=<optimized out>) at /test/11.2_dbg/sql/sql_type.cc:7448
#8  0x0000561209567fb5 in Type_handler_string_result::Item_send (this=<optimized out>, item=<optimized out>, protocol=<optimized out>, buf=<optimized out>) at /test/11.2_dbg/sql/sql_type.h:5450
#9  0x00005612092f5de0 in Item::send (this=0x14672c013a58, protocol=0x14672c001358, buffer=0x14677657cfc0) at /test/11.2_dbg/sql/item.h:1235
#10 0x000056120932d3f7 in Protocol::send_result_set_row (this=this@entry=0x14672c001358, row_items=row_items@entry=0x14672c0135f0) at /test/11.2_dbg/sql/protocol.cc:1332
#11 0x00005612093afcfb in select_send::send_data (this=0x14672c014920, items=@0x14672c0135f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14672c013fc0, last = 0x14672c013fc0, elements = 1}, <No data fields>}) at /test/11.2_dbg/sql/sql_class.cc:3125
#12 0x00005612094a7d04 in select_result_sink::send_data_with_check (sent=0, u=<optimized out>, items=<optimized out>, this=<optimized out>) at /test/11.2_dbg/sql/sql_class.h:5762
#13 JOIN::exec_inner (this=this@entry=0x14672c014948) at /test/11.2_dbg/sql/sql_select.cc:4801
#14 0x00005612094a8cb2 in JOIN::exec (this=this@entry=0x14672c014948) at /test/11.2_dbg/sql/sql_select.cc:4712
#15 0x00005612094a6b30 in mysql_select (thd=thd@entry=0x14672c000d48, tables=0x0, fields=@0x14672c0135f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14672c013fc0, last = 0x14672c013fc0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14672c014920, unit=0x14672c005058, select_lex=0x14672c013338) at /test/11.2_dbg/sql/sql_select.cc:5243
#16 0x00005612094a72ce in handle_select (thd=thd@entry=0x14672c000d48, lex=lex@entry=0x14672c004f78, result=result@entry=0x14672c014920, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.2_dbg/sql/sql_select.cc:628
#17 0x000056120940c0da in execute_sqlcom_select (thd=thd@entry=0x14672c000d48, all_tables=0x0) at /test/11.2_dbg/sql/sql_parse.cc:6056
#18 0x000056120941843b in mysql_execute_command (thd=thd@entry=0x14672c000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.2_dbg/sql/sql_parse.cc:3944
#19 0x000056120940673b in mysql_parse (thd=thd@entry=0x14672c000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14677657e2c0) at /test/11.2_dbg/sql/sql_parse.cc:7800
#20 0x0000561209413c00 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14672c000d48, packet=packet@entry=0x14672c00af49 "", packet_length=packet_length@entry=45, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_class.h:1374
#21 0x00005612094160b8 in do_command (thd=0x14672c000d48, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1405
#22 0x000056120957b717 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56120d273c18, put_in_cache=put_in_cache@entry=true) at /test/11.2_dbg/sql/sql_connect.cc:1445
#23 0x000056120957bbe6 in handle_one_connection (arg=0x56120d273c18) at /test/11.2_dbg/sql/sql_connect.cc:1347
#24 0x0000146793826609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#25 0x0000146793412133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
