Bug #83968 Server crashes when a value from a stored function is inserted into a JSON field
Submitted: 25 Nov 2016 13:26 Modified: 28 Nov 2016 13:21
Reporter: Yura Sorokin (OCA)
Status: Duplicate
Category:MySQL Server: JSON Severity:S2 (Serious)
Version:5.7.16 OS:Any
Assigned to: CPU Architecture:Any

[25 Nov 2016 13:26] Yura Sorokin
Description:
The server aborts (signal 6, raised from Item_func_sp::val_json while saving the function result into the JSON column) with the following stack trace:

**************************************
#0 0x00007f653d300741 in pthread_kill () from /lib64/libpthread.so.0
#1 0x0000000001822840 in my_write_core (sig=6) at /home/yura/ws/mysql-server/mysys/stacktrace.c:247
#2 0x0000000000e747dc in handle_fatal_signal (sig=6) at /home/yura/ws/mysql-server/sql/signal_handler.cc:220
#3 <signal handler called>
#4 0x00007f653b8ad5f7 in raise () from /lib64/libc.so.6
#5 0x00007f653b8aece8 in abort () from /lib64/libc.so.6
#6 0x0000000000f94c96 in Item_func_sp::val_json (this=0x7f64ec0137d0, result=0x7f6534fc8e10) at /home/yura/ws/mysql-server/sql/item_func.cc:8491
#7 0x0000000000f7bafe in Item_func::save_possibly_as_json (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item_func.cc:607
#8 0x0000000000f94cce in Item_func_sp::save_in_field_inner (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item_func.cc:8501
#9 0x0000000000f18166 in Item::save_in_field (this=0x7f64ec0137d0, field=0x7f64ece6b460, no_conversions=false) at /home/yura/ws/mysql-server/sql/item.cc:6761
#10 0x000000000147a432 in fill_record (thd=0x7f64ec122860, table=0x7f64ec0cf3f0, ptr=0x7f64ece6ce10, values=..., bitmap=0x0, insert_into_fields_bitmap=0x0) at /home/yura/ws/mysql-server/sql/sql_base.cc:9548
#11 0x000000000147a707 in fill_record_n_invoke_before_triggers (thd=0x7f64ec122860, ptr=0x7f64ece6ce00, values=..., table=0x7f64ec0cf3f0, event=TRG_EVENT_INSERT, num_fields=2) at /home/yura/ws/mysql-server/sql/sql_base.cc:9630
#12 0x0000000001711d50 in Sql_cmd_insert::mysql_insert (this=0x7f64ec013b30, thd=0x7f64ec122860, table_list=0x7f64ec013240) at /home/yura/ws/mysql-server/sql/sql_insert.cc:762
#13 0x0000000001718567 in Sql_cmd_insert::execute (this=0x7f64ec013b30, thd=0x7f64ec122860) at /home/yura/ws/mysql-server/sql/sql_insert.cc:3092
#14 0x00000000014f3c26 in mysql_execute_command (thd=0x7f64ec122860, first_level=true) at /home/yura/ws/mysql-server/sql/sql_parse.cc:3554
#15 0x00000000014f9418 in mysql_parse (thd=0x7f64ec122860, parser_state=0x7f6534fca5a0) at /home/yura/ws/mysql-server/sql/sql_parse.cc:5559
#16 0x00000000014eed2a in dispatch_command (thd=0x7f64ec122860, com_data=0x7f6534fcacf0, command=COM_QUERY) at /home/yura/ws/mysql-server/sql/sql_parse.cc:1427
#17 0x00000000014edcbf in do_command (thd=0x7f64ec122860) at /home/yura/ws/mysql-server/sql/sql_parse.cc:995
#18 0x000000000161ce7c in handle_connection (arg=0x3f6fba0) at /home/yura/ws/mysql-server/sql/conn_handler/connection_handler_per_thread.cc:300
#19 0x0000000001c88984 in pfs_spawn_thread (arg=0x3edb6a0) at /home/yura/ws/mysql-server/storage/perfschema/pfs.cc:2188
#20 0x00007f653d2fbdc5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007f653b96eced in clone () from /lib64/libc.so.6

**************************************

How to repeat:
Run the following statements (note that simple_udf() is a stored function written in SQL, not a loadable UDF, despite its name):

-- Stored function (not a UDF, despite the name) that returns the two-character
-- text '""' (the JSON encoding of an empty string) as a VARCHAR, so the INSERT
-- below has to convert a string-typed routine result into the JSON column.
CREATE FUNCTION simple_udf() RETURNS VARCHAR(32) DETERMINISTIC NO SQL
  RETURN '""';

-- Target table: NOT NULL JSON column; id is supplied via DEFAULT in the INSERT.
CREATE TABLE t1(
  id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  value JSON NOT NULL
) ENGINE=InnoDB;

-- Trigger: saving the stored-function result into the JSON field goes through
-- Item_func_sp::val_json, which aborts (sig=6) on a 5.7.16 debug build; a
-- release build does not crash but fails with ERROR 3147 "Cannot CAST value to JSON".
INSERT INTO t1 VALUES(DEFAULT, simple_udf());
[25 Nov 2016 13:39] MySQL Verification Team
Hello Yura,

Thank you for the report and test case.
Confirmed that the 5.7.16 debug build is affected (abort in Item_func_sp::val_json); on a release build the same INSERT does not crash the server but fails with ERROR 3147 instead (see below).

Thanks,
Umesh
[25 Nov 2016 13:40] MySQL Verification Team
-- 5.7.16 debug build

(gdb) bt
#0  0x00007f1fc4571771 in pthread_kill () from /lib64/libpthread.so.0
#1  0x00000000018bb821 in my_write_core (sig=6) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/mysys/stacktrace.c:247
#2  0x0000000000eca870 in handle_fatal_signal (sig=6) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/signal_handler.cc:220
#3  <signal handler called>
#4  0x00007f1fc31775d7 in raise () from /lib64/libc.so.6
#5  0x00007f1fc3178cc8 in abort () from /lib64/libc.so.6
#6  0x0000000000fec242 in Item_func_sp::val_json (this=0x7f1f640067d0, result=0x7f1fb8100840) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/item_func.cc:8491
#7  0x0000000000fd3224 in Item_func::save_possibly_as_json (this=0x7f1f640067d0, field=0x7f1f6401b120, no_conversions=false)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/item_func.cc:607
#8  0x0000000000fec27e in Item_func_sp::save_in_field_inner (this=0x7f1f640067d0, field=0x7f1f6401b120, no_conversions=false)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/item_func.cc:8501
#9  0x0000000000f6cb6c in Item::save_in_field (this=0x7f1f640067d0, field=0x7f1f6401b120, no_conversions=false)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/item.cc:6761
#10 0x00000000014fdecf in fill_record (thd=0x7f1f64000b70, table=0x7f1f6401a360, ptr=0x7f1f6401b040, values=..., bitmap=0x0, insert_into_fields_bitmap=0x0)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_base.cc:9548
#11 0x00000000014fe1b7 in fill_record_n_invoke_before_triggers (thd=0x7f1f64000b70, ptr=0x7f1f6401b030, values=..., table=0x7f1f6401a360, event=TRG_EVENT_INSERT, num_fields=2)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_base.cc:9630
#12 0x00000000017a7720 in Sql_cmd_insert::mysql_insert (this=0x7f1f64006b30, thd=0x7f1f64000b70, table_list=0x7f1f64006240)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_insert.cc:762
#13 0x00000000017ae19d in Sql_cmd_insert::execute (this=0x7f1f64006b30, thd=0x7f1f64000b70) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_insert.cc:3092
#14 0x000000000157a721 in mysql_execute_command (thd=0x7f1f64000b70, first_level=true) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_parse.cc:3554
#15 0x0000000001580767 in mysql_parse (thd=0x7f1f64000b70, parser_state=0x7f1fb8102690) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_parse.cc:5559
#16 0x000000000157515d in dispatch_command (thd=0x7f1f64000b70, com_data=0x7f1fb8102e00, command=COM_QUERY)
    at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_parse.cc:1427
#17 0x0000000001574015 in do_command (thd=0x7f1f64000b70) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/sql_parse.cc:995
#18 0x00000000016a92a4 in handle_connection (arg=0x5796470) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/sql/conn_handler/connection_handler_per_thread.cc:300
#19 0x0000000001947e30 in pfs_spawn_thread (arg=0x5769360) at /export/home/pb2/build/sb_0-20577873-1475085368.25/mysql-5.7.16/storage/perfschema/pfs.cc:2188
#20 0x00007f1fc456cdf5 in start_thread () from /lib64/libpthread.so.0
#21 0x00007f1fc323860d in clone () from /lib64/libc.so.6
(gdb)

-- release build: no crash, the statement errors out instead

root@localhost [test]> INSERT INTO t1 VALUES(DEFAULT, simple_udf());
ERROR 3147 (22032): Cannot CAST value to JSON.
root@localhost [test]> \q
[25 Nov 2016 15:21] MySQL Verification Team
Just a note: despite its name, simple_udf() is not a UDF (a loadable native function); it is a stored function, i.e. a stored routine written in SQL.
[28 Nov 2016 13:21] Knut Anders Hatlen
This is a duplicate of Bug #79801, which was fixed in 8.0.0.