Bug#21383284: ASSERTION IN SELECT_LEX::SETUP_CONDS

JSON_SEARCH evaluates the escape expression at resolve time in
Item_func_json_search::fix_fields(), but it doesn't check if the
evaluation is successful, and it could end up returning false
(indicating success) even though an error has been raised.

SELECT_LEX::setup_conds() has an assert which checks that no error has
been raised if fix_fields() returns false. This assert gets hit if a
JSON_SEARCH call is in a WHERE clause and the evaluation of the escape
expression fails.

Errors could be raised either when fix_fields() calls val_str() on the
item representing the escape expression, or when it calls fix_fields()
on its synthetic Item_func_like object.

Item_func_json_search::fix_fields() also allocates some objects
without checking if the allocation was successful.

This patch makes fix_fields() check for all of the above error
conditions and return true to indicate that an error has happened.

Author: kahatlen

mysql-test/r/json.result

@@ -7738,6 +7738,8 @@ select json_search( '{ "a": "foo" }', 'one', 'foo', null, '$a' );
 ERROR 42000: Invalid JSON path expression. The error is around character position 1 in '$a'.
 select json_search( '{ "a": "foo" }', 'all', 'foo', null, '$.a', '$b' );
 ERROR 42000: Invalid JSON path expression. The error is around character position 1 in '$b'.
+select json_search(a, b, c);
+ERROR 42S22: Unknown column 'a' in 'field list'
 select json_search( '{ "a": "foobar" }', 'one', 'foo%' );
 json_search( '{ "a": "foobar" }', 'one', 'foo%' )
 "$.a"
@@ -12814,3 +12816,10 @@ SELECT JSON_EXTRACT('1E+36181012216111515851075235238', '$');
 ERROR 22032: Invalid JSON text in argument 1 to function json_extract: "Number too big to be stored in double." at position 6 in '1E+36181012216111515851075235238'.
 SELECT JSON_EXTRACT('-1E+36181012216111515851075235238', '$');
 ERROR 22032: Invalid JSON text in argument 1 to function json_extract: "Number too big to be stored in double." at position 7 in '-1E+36181012216111515851075235238'.
+#
+# Bug#21383284: ASSERTION IN SELECT_LEX::SETUP_CONDS
+#
+SELECT 1 FROM dual WHERE JSON_SEARCH('{}', 'one', 'foo', 'too-long-escape');
+ERROR HY000: Incorrect arguments to ESCAPE
+SELECT 1 FROM dual WHERE JSON_SEARCH('{}', 'one', 'foo', JSON_EXTRACT('', '$'));
+ERROR 22032: Invalid JSON text in argument 1 to function json_extract: "The document is empty." at position 0 in ''.

mysql-test/t/json.test

@@ -2588,6 +2588,9 @@ select json_search( '{ "a": "foo" }', 'one', 'foo', null, '$a' );
 --error ER_INVALID_JSON_PATH
 select json_search( '{ "a": "foo" }', 'all', 'foo', null, '$.a', '$b' );
 
+--error ER_BAD_FIELD_ERROR
+select json_search(a, b, c);
+
 # simple tests for search without path arguments
 select json_search( '{ "a": "foobar" }', 'one', 'foo%' );
 select json_search( '{ "a": "foobar", "b": "focus", "c": [ "arm", "foot", "shoulder" ] }', 'one', 'foo%' );
@@ -5754,6 +5757,14 @@ SELECT JSON_EXTRACT('1E+36181012216111515851075235238', '$');
 --error ER_INVALID_JSON_TEXT_IN_PARAM
 SELECT JSON_EXTRACT('-1E+36181012216111515851075235238', '$');
 
+--echo #
+--echo # Bug#21383284: ASSERTION IN SELECT_LEX::SETUP_CONDS
+--echo #
+--error ER_WRONG_ARGUMENTS
+SELECT 1 FROM dual WHERE JSON_SEARCH('{}', 'one', 'foo', 'too-long-escape');
+--error ER_INVALID_JSON_TEXT_IN_PARAM
+SELECT 1 FROM dual WHERE JSON_SEARCH('{}', 'one', 'foo', JSON_EXTRACT('', '$'));
+
 
 # Local Variables:
 # mode: sql

sql/item_json_func.cc

@@ -2590,67 +2590,72 @@ bool Item_func_json_row_object::val_json(Json_wrapper *wr)
 
 bool Item_func_json_search::fix_fields(THD *thd, Item **items)
 {
-  bool retval= Item_json_func::fix_fields(thd, items);
+  if (Item_json_func::fix_fields(thd, items))
+    return true;
 
-  if (!retval)
-  {
-    // Fabricate a LIKE node
+  // Fabricate a LIKE node
 
-    m_source_string_item= new Item_string(&my_charset_utf8mb4_bin);
-    Item *like_string_item= args[2];
+  m_source_string_item= new Item_string(&my_charset_utf8mb4_bin);
+  Item_string *default_escape= new Item_string(&my_charset_utf8mb4_bin);
+  if (m_source_string_item == NULL || default_escape == NULL)
+    return true;                              /* purecov: inspected */
 
-    Item_string *default_escape= new Item_string(&my_charset_utf8mb4_bin);
-    bool escape_initialized= false;
+  Item *like_string_item= args[2];
+  bool escape_initialized= false;
 
-    // Get the escape character, if any
-    if (arg_count > 3)
-    {
-      Item *orig_escape= args[3];
-
-      /*
-       Evaluate the escape clause. For a standalone LIKE expression,
-       the escape clause only has to be constant during execution.
-       However, we require a stronger condition: it must be constant.
-       That means that we can evaluate the escape clause at resolution time
-       and copy the results from the JSON_SEARCH() args into the arguments
-       for the LIKE node which we're fabricating.
-      */
-      if (!orig_escape->const_item())
-      {
-        my_error(ER_WRONG_ARGUMENTS,MYF(0),"ESCAPE");
-        return true;
-      }
+  // Get the escape character, if any
+  if (arg_count > 3)
+  {
+    Item *orig_escape= args[3];
 
-      String *escape_str= orig_escape->val_str(&m_escape);
-      if (!orig_escape->null_value)
-      {
-        uint escape_length= static_cast<uint>(escape_str->length());
-        default_escape->set_str_with_copy(escape_str->ptr(), escape_length);
-        escape_initialized= true;
-      }
+    /*
+      Evaluate the escape clause. For a standalone LIKE expression,
+      the escape clause only has to be constant during execution.
+      However, we require a stronger condition: it must be constant.
+      That means that we can evaluate the escape clause at resolution time
+      and copy the results from the JSON_SEARCH() args into the arguments
+      for the LIKE node which we're fabricating.
+    */
+    if (!orig_escape->const_item())
+    {
+      my_error(ER_WRONG_ARGUMENTS, MYF(0), "ESCAPE");
+      return true;
     }
-    if (!escape_initialized)
+
+    String *escape_str= orig_escape->val_str(&m_escape);
+    if (thd->is_error())
+      return true;
+    if (escape_str)
     {
-      default_escape->set_str_with_copy("\\", 1);
+      uint escape_length= static_cast<uint>(escape_str->length());
+      default_escape->set_str_with_copy(escape_str->ptr(), escape_length);
+      escape_initialized= true;
     }
+  }
 
-    m_like_node= new Item_func_like(m_source_string_item,
-                                    like_string_item,
-                                    default_escape, true);
+  if (!escape_initialized)
+  {
+    default_escape->set_str_with_copy("\\", 1);
+  }
 
-    Item *like_args[3];
-    like_args[0]= m_source_string_item;
-    like_args[1]= like_string_item;
-    like_args[2]= default_escape;
+  m_like_node= new Item_func_like(m_source_string_item, like_string_item,
+                                  default_escape, true);
+  if (m_like_node == NULL)
+    return true;                              /* purecov: inspected */
 
-    m_like_node->fix_fields(thd, like_args);
+  Item *like_args[3];
+  like_args[0]= m_source_string_item;
+  like_args[1]= like_string_item;
+  like_args[2]= default_escape;
 
-    // resolving the LIKE node may overwrite its arguments
-    Item **resolved_like_args= m_like_node->arguments();
-    m_source_string_item= down_cast<Item_string *>(resolved_like_args[0]);
-  }
+  if (m_like_node->fix_fields(thd, like_args))
+    return true;
+
+  // resolving the LIKE node may overwrite its arguments
+  Item **resolved_like_args= m_like_node->arguments();
+  m_source_string_item= down_cast<Item_string *>(resolved_like_args[0]);
 
-  return retval;
+  return false;
 }