[MDEV-31032] UBSAN|downcast of address X which does not point to an object of type 'Item_string' in sql/json_schema.cc Created: 2023-04-10  Updated: 2023-11-27  Resolved: 2023-04-21

Status: Closed
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 11.1
Fix Version/s: 11.1.1

Type: Bug Priority: Major
Reporter: Ramesh Sivaraman Assignee: Rucha Deodhar
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-27128 Implement JSON Schema Validation FUNC... Closed

Description

SET @schema='{ "type":"object","patternProperties": { "^I_": {"type":"number"},"^S_" : {"type":"string"} } }';
SET SESSION sql_mode='empty_string_is_null';
SELECT JSON_SCHEMA_VALID (@schema,'{"key1":"val0","key2":0,"I_int":0,"S_":"abc","prop0":"str0"}');

Leads to

11.1.0 83a4449ab98b5b6f08e18833bf9dd3e61e96c680 (Debug, UBASAN)

/test/JSON/11.1_dbg_san/sql/json_schema.cc:2200:86: runtime error: downcast of address 0x6290000d9128 which does not point to an object of type 'Item_string'
0x6290000d9128: note: object is of type 'Item_null'
 00 00 00 00  88 ad 93 07 50 56 00 00  00 00 00 00 00 00 00 00  20 be bb 0f 50 56 00 00  06 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_null'
    #0 0x56500309d6a7 in Json_schema_pattern_properties::handle_keyword(THD*, st_json_engine_t*, char const*, char const*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2200
    #1 0x56500309ac6b in create_object_and_handle_keyword(THD*, st_json_engine_t*, List<Json_schema_keyword>*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2759

Setup

Compiled with GCC 9.4.0
-DWITH_UBSAN=ON -DCMAKE_CXX_FLAGS=-static-libasan
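
A reduced model of the failing downcast, added here as an illustration and not code from MariaDB: the names Item, Item_string, Item_null, make_string_literal and the Thd flag are assumed stand-ins for the server's classes, and every body below is invented for the example. With the empty_string_is_null bit set, the literal factory hands back an Item_null for an empty string; the unchecked static_cast in the first helper is the kind of invalid downcast that -fsanitize=vptr reports on the cast itself, before any member is touched. The checked helper refuses anything whose type() is not STRING_ITEM, and the last helper shows the other defensive option, constructing the empty Item_string directly so the sql_mode-sensitive factory is never involved. Which of the two the project chose is not stated on this page.

```cpp
// Added example, not MariaDB code. Toy polymorphic Item hierarchy modelling
// the UBSAN finding above. All names and bodies are assumptions.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>

enum Item_type { STRING_ITEM, NULL_ITEM };

struct Item {
  virtual ~Item() = default;
  virtual Item_type type() const = 0;
};

struct Item_string : Item {
  std::string val;
  explicit Item_string(std::string s) : val(std::move(s)) {}
  Item_type type() const override { return STRING_ITEM; }
  const std::string &val_str() const { return val; }
};

struct Item_null : Item {
  Item_type type() const override { return NULL_ITEM; }
};

// Stand-in for the session flag: with empty_string_is_null set, an empty
// literal is materialised as Item_null rather than as an empty Item_string.
struct Thd {
  bool empty_string_is_null;
};

// Assumed literal factory: this is where the type of the returned object
// silently depends on sql_mode.
std::unique_ptr<Item> make_string_literal(const Thd &thd, const std::string &s) {
  if (s.empty() && thd.empty_string_is_null)
    return std::unique_ptr<Item>(new Item_null);
  return std::unique_ptr<Item>(new Item_string(s));
}

// Buggy shape: unconditional downcast. If item is really an Item_null the
// cast is undefined behaviour; -fsanitize=vptr reports "downcast of address
// ... which does not point to an object of type 'Item_string'".
std::size_t subject_len_unchecked(Item *item) {
  return static_cast<Item_string *>(item)->val_str().size();
}

// Hardened shape: check the dynamic type before casting and report failure
// through the return value so the caller can raise an error instead of
// reading a foreign object's memory.
bool subject_len_checked(Item *item, std::size_t *len) {
  if (item == nullptr || item->type() != STRING_ITEM)
    return false;
  *len = static_cast<Item_string *>(item)->val_str().size();
  return true;
}

// Alternative hardening: bypass the sql_mode-sensitive factory when the
// code needs an Item_string no matter what, so the invariant the downcast
// relies on is established at construction.
std::unique_ptr<Item_string> make_empty_string_item() {
  return std::unique_ptr<Item_string>(new Item_string(""));
}
```

Build the file with `g++ -fsanitize=undefined` and call subject_len_unchecked() on the Item_null returned under the flag to see the same vptr diagnostic as the report; the assertions below deliberately avoid executing that undefined cast.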



Comments
Comment by Ramesh Sivaraman [ 2023-04-10 ]

The runtime error is also present when using a simple pattern in the JSON schema with an sql_mode change.

SET @property_names='{ "PropertyNames":{ "pattern": "^I_" } }';
SET GLOBAL sql_mode=17179869183;
SET @@sql_mode=DEFAULT;
SELECT JSON_SCHEMA_VALID(@property_names, '{"I_int1":3, "I_ob1":{"key1":"val1"}}');

Leads to

11.1.0 83a4449ab98b5b6f08e18833bf9dd3e61e96c680 (Debug, UBASAN)

2023-04-10 13:44:01 0 [Note] /test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd: ready for connections.
Version: '11.1.0-MariaDB-debug'  socket: '/test/JSON/UBASAN_MD060423-mariadb-11.1.0-linux-x86_64-dbg/socket.sock'  port: 12126  MariaDB Server
/test/JSON/11.1_dbg_san/sql/json_schema.cc:912:61: runtime error: downcast of address 0x6290000d91a0 which does not point to an object of type 'Item_string'
0x6290000d91a0: note: object is of type 'Item_null'
 00 00 00 00  88 ed 5f 4b 20 56 00 00  00 00 00 00 00 00 00 00  20 fe 87 53 20 56 00 00  06 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_null'
    #0 0x562046d31297 in Json_schema_pattern::handle_keyword(THD*, st_json_engine_t*, char const*, char const*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:912
    #1 0x562046d5ec6b in create_object_and_handle_keyword(THD*, st_json_engine_t*, List<Json_schema_keyword>*, List<Json_schema_keyword>*) /test/JSON/11.1_dbg_san/sql/json_schema.cc:2759

Comment by Rucha Deodhar [ 2023-04-17 ]

Patch: https://github.com/MariaDB/server/tree/bb-MDEV-31032-json_schema

Comment by Alexey Botchkov [ 2023-04-20 ]

ok to push.

Comment by Rucha Deodhar [ 2023-04-21 ]

pushed to https://github.com/MariaDB/server/tree/bb-10.12-MDEV-27128

Generated at Thu Feb 08 10:20:46 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.