Server crashes when a value returned from a stored function is inserted directly into JSON field

Bug #1644831 reported by Yura Sorokin on 2016-11-25
This bug affects 1 person
Affects          Status    Importance  Assigned to  Milestone
MySQL Server     Unknown   Unknown
Percona Server (moved to https://jira.percona.com/projects/PS), status tracked in 5.7
  5.5            New       Undecided   Unassigned
  5.6            New       Undecided   Unassigned
  5.7            Triaged   High        Unassigned

Bug Description

The following code fragment results in a server crash:

CREATE FUNCTION simple_udf() RETURNS VARCHAR(32) DETERMINISTIC NO SQL
  RETURN '""';

CREATE TABLE t1(
  id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  value JSON NOT NULL
) ENGINE=InnoDB;

INSERT INTO t1 VALUES(DEFAULT, simple_udf());

**************************************
#0 0x00007f653d300741 in pthread_kill () from /lib64/libpthread.so.0
#1 0x0000000001822840 in my_write_core (sig=6) at /home/yura/ws/mysql-server/mysys/stacktrace.c:247
#2 0x0000000000e747dc in handle_fatal_signal (sig=6) at /home/yura/ws/mysql-server/sql/signal_handler.cc:220
#3 <signal handler called>
#4 0x00007f653b8ad5f7 in raise () from /lib64/libc.so.6
#5 0x00007f653b8aece8 in abort () from /lib64/libc.so.6
#6 0x0000000000f94c96 in Item_func_sp::val_json (this=0x7f64ec0137d0, result=0x7f6534fc8e10) at /home/yura/ws/mysql-server/sql/item_func.cc:8491
#7 0x0000000000f7bafe in Item_func::save_possibly_as_json (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item_func.cc:607
#8 0x0000000000f94cce in Item_func_sp::save_in_field_inner (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item_func.cc:8501
#9 0x0000000000f18166 in Item::save_in_field (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item.cc:6761
#10 0x000000000147a432 in fill_record (thd=0x7f64ec122860, table=0x7f64ec0cf3f0, ptr=0x7f64ece6ce10, values=..., bitmap=0x0, insert_into_fields_bitmap=0x0) at /home/yura/ws/mysql-server/sql/sql_base.cc:9548
#11 0x000000000147a707 in fill_record_n_invoke_before_triggers (thd=0x7f64ec122860, ptr=0x7f64ece6ce00, values=..., table=0x7f64ec0cf3f0, event=TRG_EVENT_INSERT, num_fields=2) at /home/yura/ws/mysql-server/sql/sql_base.cc:9630
#12 0x0000000001711d50 in Sql_cmd_insert::mysql_insert (this=0x7f64ec013b30, thd=0x7f64ec122860, table_list=0x7f64ec013240) at /home/yura/ws/mysql-server/sql/sql_insert.cc:762
#13 0x0000000001718567 in Sql_cmd_insert::execute (this=0x7f64ec013b30, thd=0x7f64ec122860) at /home/yura/ws/mysql-server/sql/sql_insert.cc:3092
#14 0x00000000014f3c26 in mysql_execute_command (thd=0x7f64ec122860, first_level=true) at /home/yura/ws/mysql-server/sql/sql_parse.cc:3554
#15 0x00000000014f9418 in mysql_parse (thd=0x7f64ec122860, parser_state=0x7f6534fca5a0) at /home/yura/ws/mysql-server/sql/sql_parse.cc:5559
#16 0x00000000014eed2a in dispatch_command (thd=0x7f64ec122860, com_data=0x7f6534fcacf0, command=COM_QUERY) at /home/yura/ws/mysql-server/sql/sql_parse.cc:1427
#17 0x00000000014edcbf in do_command (thd=0x7f64ec122860) at /home/yura/ws/mysql-server/sql/sql_parse.cc:995
#18 0x000000000161ce7c in handle_connection (arg=0x3f6fba0) at /home/yura/ws/mysql-server/sql/conn_handler/connection_handler_per_thread.cc:300
#19 0x0000000001c88984 in pfs_spawn_thread (arg=0x3edb6a0) at /home/yura/ws/mysql-server/storage/perfschema/pfs.cc:2188
#20 0x00007f653d2fbdc5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007f653b96eced in clone () from /lib64/libc.so.6

**************************************

Tested on Percona Server 5.7.16

tags: added: upstream
summary: - Server crashes when a value returned from a user-defined function is
- inserted directly into JSON field
+ Server crashes when a value returned from a stored function is inserted
+ directly into JSON field

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1033
