Johannes Kloos created SOLR-13200:
-------------------------------------

             Summary: Parsing of invalid query yields NPE
                 Key: SOLR-13200
                 URL: https://issues.apache.org/jira/browse/SOLR-13200
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: search
    Affects Versions: master (9.0)
         Environment: h1. Steps to reproduce

 

* Use a Linux machine.

* Build commit {{ea2c8ba}} of Solr as described in the section below.

* Build the films collection as described below.

* Start the server using the command {{./bin/solr start -f -p 8983 -s /tmp/home}}

* Request the URL given in the bug description.

 

h1. Compiling the server

 

{noformat}
git clone https://github.com/apache/lucene-solr
cd lucene-solr
git checkout ea2c8ba
ant compile
cd solr
ant server
{noformat}

 

h1. Building the collection

 

We followed [Exercise 
2|http://lucene.apache.org/solr/guide/7_5/solr-tutorial.html#exercise-2] from 
the [Solr Tutorial|http://lucene.apache.org/solr/guide/7_5/solr-tutorial.html]. 
The attached file ({{home.zip}}) gives the contents of folder {{/tmp/home}} 
that you will obtain by following the steps below:

 

{noformat}
mkdir -p /tmp/home
echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml
{noformat}

 

In one terminal start a Solr instance in foreground:

{noformat}
./bin/solr start -f -p 8983 -s /tmp/home
{noformat}

 

In another terminal, create a collection of movies, with no shards and no 
replication, and initialize it:

 

{noformat}
bin/solr create -c films
curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema
curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema
./bin/post -c films example/films/films.json
{noformat}
            Reporter: Johannes Kloos
         Attachments: home.zip

Requesting the following URL causes Solr to return an HTTP 500 error response:

{noformat}
http://localhost:8983/solr/films/select?fq={!frange%20l=1%20u=1}map(1)
{noformat}

The error response seems to be caused by the following uncaught exception:

{noformat}
java.lang.NullPointerException
at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1838)
at sun.misc.FloatingDecimal.parseFloat(FloatingDecimal.java:122)
at java.lang.Float.parseFloat(Float.java:451)
at org.apache.solr.search.FunctionQParser.parseFloat(FunctionQParser.java:145)
at org.apache.solr.search.ValueSourceParser$13.parse(ValueSourceParser.java:242)
at org.apache.solr.search.FunctionQParser.parseValueSource(FunctionQParser.java:370)
at org.apache.solr.search.FunctionQParser.parse(FunctionQParser.java:82)
at org.apache.solr.search.QParser.getQuery(QParser.java:173)
at org.apache.solr.search.FunctionRangeQParserPlugin$1.parse(FunctionRangeQParserPlugin.java:51)
at org.apache.solr.search.QParser.getQuery(QParser.java:173)
at org.apache.solr.handler.component.QueryComponent.prepare(QueryComponent.java:205)
{noformat}

The FunctionQParser.parseFloat function reads as follows:
{noformat}
    String str = parseArg();
    if (argWasQuoted()) throw new SyntaxError("Expected float instead of quoted string:" + str);
    float value = Float.parseFloat(str);
    return value;
{noformat}
But parseArg() is permitted to return null (this is the case when there are no 
more function arguments), which crashes Float.parseFloat. It may be worth 
handling the null case explicitly.

We found this bug using [Diffblue Microservices 
Testing|https://www.diffblue.com/labs/?utm_source=solr-br]. Find more 
information on this [fuzz testing 
campaign|https://www.diffblue.com/blog/2018/12/19/diffblue-microservice-testing-a-sneak-peek-at-our-early-product-and-results?utm_source=solr-br],
 where we found ~70 more issues like this one.
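
The null case described in the report, shown as an added example that is not part of the original report and is not Solr's code: a simplified argument reader with the unchecked pattern beside a version that rejects a missing or malformed argument with a checked parse error. {{ArgReader}}, {{BadQueryException}} and both method names are hypothetical stand-ins, and the input is constructed.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;

// Added illustration: ArgReader and BadQueryException are hypothetical
// stand-ins for a function-argument parser, not Solr classes.
public class NullArgDemo {
    /** Checked parse error that a request handler can report as a bad query. */
    static class BadQueryException extends Exception {
        BadQueryException(String msg) { super(msg); }
    }

    /** Hands out function arguments one by one, and null once none are left. */
    static class ArgReader {
        private final Deque<String> args;
        ArgReader(String... a) { args = new ArrayDeque<>(Arrays.asList(a)); }
        String parseArg() { return args.poll(); } // null when exhausted

        // Pattern from the report: a null argument reaches Float.parseFloat.
        float parseFloatUnchecked() { return Float.parseFloat(parseArg()); }

        // Hardened form: missing and malformed arguments become checked errors.
        float parseFloatChecked() throws BadQueryException {
            String str = parseArg();
            if (str == null) {
                throw new BadQueryException("Expected float argument but found none");
            }
            try {
                return Float.parseFloat(str);
            } catch (NumberFormatException e) {
                throw new BadQueryException("Expected float instead of: " + str);
            }
        }
    }

    public static void main(String[] unused) {
        // Constructed input modelled on map(1): one argument, two reads.
        ArgReader reader = new ArgReader("1");
        try {
            System.out.println(reader.parseFloatChecked());
            reader.parseFloatChecked(); // no argument left
        } catch (BadQueryException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            new ArgReader().parseFloatUnchecked();
        } catch (NullPointerException e) {
            System.out.println("unchecked NPE from a missing argument");
        }
    }
}
```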



