[MDEV-22387] 3x WITH_UBSAN runtime error: null pointer passed on 10.5 normal startup in ctype-mb.c, mf_iocache.c (sporadic), and protocol.cc (on optimized builds) - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.2.37, 10.3.28, 10.4.18, 10.5.9
Component/s: Protocol
Labels:
- UBSAN
- affects-tests

Description

2020-04-28  6:06:55 0 [Note] /test/ASAN_MD210420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld: ready for connections.

Version: '10.5.3-MariaDB-debug'  socket: '/test/ASAN_MD210420-mariadb-10.5.3-linux-x86_64-dbg/socket.sock'  port: 13195  MariaDB Server

/test/10.5_dbg/strings/ctype-mb.c:409:3: runtime error: null pointer passed as argument 2, which is declared to never be null

/test/10.5_dbg/mysys/mf_iocache.c:825:3: runtime error: null pointer passed as argument 1, which is declared to never be null

/test/10.5_dbg/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null

2020-04-28  6:07:05 0 [Note] /test/ASAN_MD210420-mariadb-10.5.3-linux-x86_64-dbg/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown

No other information returned. Same output on optimized build. The mf_iocache issue does not always show.

Setup:

Compiled with GCC >=7.5.0 and:

    -DWITH_ASAN=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1

Bug (used 'ctype-mb.c.* runtime error: null pointer passed as argument' as a generic search string) confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Attachments

Activity

Descending order - Click to sort in ascending order

Marko Mäkelä added a comment - 2020-11-02 15:31

I have pushed this to 10.2 and 10.3. The merges to 10.4 and 10.5 are in progress and will hopefully be pushed tomorrow. There are still numerous other runtime error that cmake -DWITH_UBSAN=ON builds are reporting.

Marko Mäkelä added a comment - 2020-11-02 15:31 I have pushed this to 10.2 and 10.3. The merges to 10.4 and 10.5 are in progress and will hopefully be pushed tomorrow. There are still numerous other runtime error that cmake -DWITH_UBSAN=ON builds are reporting.

Marko Mäkelä added a comment - 2020-10-30 14:55

I tried to fix all null pointer violations that were found by big-test, except one that would cause a failure of main.events_restart:

diff --git a/sql/events.cc b/sql/events.cc

index 33ddcdac3cb..5b029b7c54b 100644

--- a/sql/events.cc

+++ b/sql/events.cc

@@ -662,7 +662,8 @@ Events::drop_schema_events(THD *thd, const char *db)

*/

   if (event_queue)

     event_queue->drop_schema_events(thd, &db_lex);

-  db_repository->drop_schema_events(thd, &db_lex);

+  if (db_repository)

+    db_repository->drop_schema_events(thd, &db_lex);

   DBUG_VOID_RETURN;

I intend to port those fixes to the earliest applicable versions in the near future. There are plenty of other WITH_UBSAN failures, but with those fixes, the test suite actually completed (with Failed 1883/5458 tests), instead of being aborted abruptly somewhere.

Marko Mäkelä added a comment - 2020-10-30 14:55 I tried to fix all null pointer violations that were found by big-test, except one that would cause a failure of main.events_restart : diff --git a/sql/events.cc b/sql/events.cc index 33ddcdac3cb..5b029b7c54b 100644 --- a/sql/events.cc +++ b/sql/events.cc @@ -662,7 +662,8 @@ Events::drop_schema_events(THD *thd, const char *db) */ if (event_queue) event_queue->drop_schema_events(thd, &db_lex); - db_repository->drop_schema_events(thd, &db_lex); + if (db_repository) + db_repository->drop_schema_events(thd, &db_lex); DBUG_VOID_RETURN; } I intend to port those fixes to the earliest applicable versions in the near future. There are plenty of other WITH_UBSAN failures, but with those fixes, the test suite actually completed (with Failed 1883/5458 tests ), instead of being aborted abruptly somewhere.

Marko Mäkelä added a comment - 2020-09-03 06:13

I fixed this type of warnings for running the main.view test in 10.1, except those that occur in extra/yassl/taocrypt/include/block.hpp:108, by skipping memcpy() calls when the length parameter is 0.

Marko Mäkelä added a comment - 2020-09-03 06:13 I fixed this type of warnings for running the main.view test in 10.1 , except those that occur in extra/yassl/taocrypt/include/block.hpp:108 , by skipping memcpy() calls when the length parameter is 0.

Roel Van de Paar added a comment - 2020-08-25 04:46

Some more specific stacks

10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) my_copy_fix_md
Version: '10.5.4-MariaDB' socket: '/test/ASAN_MD280520-mariadb-10.5.4-linux-x86_64-opt/socket.sock' port: 13693 MariaDB Server
/test/10.5_opt/strings/ctype-mb.c:409:3: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x5643e4e21118 in my_copy_fix_mb /test/10.5_opt/strings/ctype-mb.c:409
#1 0x5643e1c88da4 in charset_info_st::copy_fix(char, unsigned long, char const, unsigned long, unsigned long, MY_STRCOPY_STATUS*) const /test/10.5_opt/include/m_ctype.h:757
#2 0x5643e1c88da4 in String_copier::well_formed_copy(charset_info_st const, char, unsigned long, charset_info_st const, char const, unsigned long, unsigned long) /test/10.5_opt/sql/sql_string.cc:1101
#3 0x5643e1650a02 in THD::copy_fix(charset_info_st const, st_mysql_lex_string, charset_info_st const, char const, unsigned long, String_copier*) /test/10.5_opt/sql/sql_class.cc:2386
#4 0x5643e1650ff7 in THD::copy_with_error(charset_info_st const, st_mysql_lex_string, charset_info_st const, char const, unsigned long) /test/10.5_opt/sql/sql_class.cc:2424
#5 0x5643e15567db in parse_client_handshake_packet /test/10.5_opt/sql/sql_acl.cc:13491
#6 0x5643e1559581 in server_mpvio_read_packet /test/10.5_opt/sql/sql_acl.cc:13736
#7 0x5643e14e1dfb in native_password_authenticate /test/10.5_opt/sql/sql_acl.cc:14428
#8 0x5643e14f4338 in do_auth_once /test/10.5_opt/sql/sql_acl.cc:13918
#9 0x5643e15646dd in acl_authenticate(THD*, unsigned int) /test/10.5_opt/sql/sql_acl.cc:14061
#10 0x5643e1f38eb2 in check_connection /test/10.5_opt/sql/sql_connect.cc:1081
#11 0x5643e1f39462 in login_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1142
#12 0x5643e1f3d28e in thd_prepare_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1327
#13 0x5643e1f403e6 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1401
#14 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313
#15 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201
#16 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#17 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) mf_iocache.c
/test/10.5_opt/mysys/mf_iocache.c:828:3: runtime error: null pointer passed as argument 1, which is declared to never be null
#0 0x5643e4d1ad9d in _my_b_cache_read /test/10.5_opt/mysys/mf_iocache.c:828
#1 0x5643e4d1eaab in _my_b_read /test/10.5_opt/mysys/mf_iocache.c:588
#2 0x5643e4d25a36 in my_b_fill /test/10.5_opt/include/my_sys.h:572
#3 0x5643e4d25a36 in my_b_gets /test/10.5_opt/mysys/mf_iocache2.c:217
#4 0x5643e16bc9fb in load_db_opt(THD, char const, Schema_specification_st*) /test/10.5_opt/sql/sql_db.cc:455
#5 0x5643e16c1146 in load_db_opt_by_name(THD, char const, Schema_specification_st*) /test/10.5_opt/sql/sql_db.cc:556
#6 0x5643e16c137a in get_default_db_collation(THD, char const) /test/10.5_opt/sql/sql_db.cc:577
#7 0x5643e16c3e4f in mysql_change_db(THD, st_mysql_const_lex_string const, bool) /test/10.5_opt/sql/sql_db.cc:1647
#8 0x5643e1565f27 in acl_authenticate(THD*, unsigned int) /test/10.5_opt/sql/sql_acl.cc:14322
#9 0x5643e1f38eb2 in check_connection /test/10.5_opt/sql/sql_connect.cc:1081
#10 0x5643e1f39462 in login_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1142
#11 0x5643e1f3d28e in thd_prepare_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1327
#12 0x5643e1f403e6 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1401
#13 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313
#14 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201
#15 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#16 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) protocol.cc
/test/10.5_opt/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x5643e138b22c in Protocol::net_store_data(unsigned char const*, unsigned long) /test/10.5_opt/sql/protocol.cc:61
#1 0x5643e13930cc in Protocol::store_str(st_mysql_const_lex_string const&, charset_info_st const, charset_info_st const) /test/10.5_opt/sql/protocol.h:128
#2 0x5643e13930cc in Protocol_text::store_field_metadata(THD const, Send_field const&, charset_info_st const, unsigned int) /test/10.5_opt/sql/protocol.cc:864
#3 0x5643e1395836 in Protocol_text::store_field_metadata(THD, Item, unsigned int) /test/10.5_opt/sql/protocol.cc:1041
#4 0x5643e13961b4 in Protocol::send_result_set_metadata(List<Item>*, unsigned int) /test/10.5_opt/sql/protocol.cc:958
#5 0x5643e162d7d1 in select_send::send_result_set_metadata(List<Item>&, unsigned int) /test/10.5_opt/sql/sql_class.cc:2957
#6 0x5643e1b49b3e in JOIN::exec_inner() /test/10.5_opt/sql/sql_select.cc:4307
#7 0x5643e1b4db41 in JOIN::exec() /test/10.5_opt/sql/sql_select.cc:4245
#8 0x5643e1b4178a in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_opt/sql/sql_select.cc:4669
#9 0x5643e1b4588b in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_opt/sql/sql_select.cc:417
#10 0x5643e18db09e in execute_sqlcom_select /test/10.5_opt/sql/sql_parse.cc:6207
#11 0x5643e18b73a0 in mysql_execute_command(THD*) /test/10.5_opt/sql/sql_parse.cc:3939
#12 0x5643e18f21f5 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt/sql/sql_parse.cc:7991
#13 0x5643e18a055d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt/sql/sql_parse.cc:1874
#14 0x5643e1898fd8 in do_command(THD*) /test/10.5_opt/sql/sql_parse.cc:1355
#15 0x5643e1f4043e in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1411
#16 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313
#17 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201
#18 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#19 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

Roel Van de Paar added a comment - 2020-08-25 04:46 Some more specific stacks 10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) my_copy_fix_md Version: '10.5.4-MariaDB' socket: '/test/ASAN_MD280520-mariadb-10.5.4-linux-x86_64-opt/socket.sock' port: 13693 MariaDB Server /test/10.5_opt/strings/ctype-mb.c:409:3: runtime error: null pointer passed as argument 2, which is declared to never be null #0 0x5643e4e21118 in my_copy_fix_mb /test/10.5_opt/strings/ctype-mb.c:409 #1 0x5643e1c88da4 in charset_info_st::copy_fix(char*, unsigned long, char const*, unsigned long, unsigned long, MY_STRCOPY_STATUS*) const /test/10.5_opt/include/m_ctype.h:757 #2 0x5643e1c88da4 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long) /test/10.5_opt/sql/sql_string.cc:1101 #3 0x5643e1650a02 in THD::copy_fix(charset_info_st const*, st_mysql_lex_string*, charset_info_st const*, char const*, unsigned long, String_copier*) /test/10.5_opt/sql/sql_class.cc:2386 #4 0x5643e1650ff7 in THD::copy_with_error(charset_info_st const*, st_mysql_lex_string*, charset_info_st const*, char const*, unsigned long) /test/10.5_opt/sql/sql_class.cc:2424 #5 0x5643e15567db in parse_client_handshake_packet /test/10.5_opt/sql/sql_acl.cc:13491 #6 0x5643e1559581 in server_mpvio_read_packet /test/10.5_opt/sql/sql_acl.cc:13736 #7 0x5643e14e1dfb in native_password_authenticate /test/10.5_opt/sql/sql_acl.cc:14428 #8 0x5643e14f4338 in do_auth_once /test/10.5_opt/sql/sql_acl.cc:13918 #9 0x5643e15646dd in acl_authenticate(THD*, unsigned int) /test/10.5_opt/sql/sql_acl.cc:14061 #10 0x5643e1f38eb2 in check_connection /test/10.5_opt/sql/sql_connect.cc:1081 #11 0x5643e1f39462 in login_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1142 #12 0x5643e1f3d28e in thd_prepare_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1327 #13 0x5643e1f403e6 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1401 #14 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313 #15 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201 #16 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #17 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e) 10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) mf_iocache.c /test/10.5_opt/mysys/mf_iocache.c:828:3: runtime error: null pointer passed as argument 1, which is declared to never be null #0 0x5643e4d1ad9d in _my_b_cache_read /test/10.5_opt/mysys/mf_iocache.c:828 #1 0x5643e4d1eaab in _my_b_read /test/10.5_opt/mysys/mf_iocache.c:588 #2 0x5643e4d25a36 in my_b_fill /test/10.5_opt/include/my_sys.h:572 #3 0x5643e4d25a36 in my_b_gets /test/10.5_opt/mysys/mf_iocache2.c:217 #4 0x5643e16bc9fb in load_db_opt(THD*, char const*, Schema_specification_st*) /test/10.5_opt/sql/sql_db.cc:455 #5 0x5643e16c1146 in load_db_opt_by_name(THD*, char const*, Schema_specification_st*) /test/10.5_opt/sql/sql_db.cc:556 #6 0x5643e16c137a in get_default_db_collation(THD*, char const*) /test/10.5_opt/sql/sql_db.cc:577 #7 0x5643e16c3e4f in mysql_change_db(THD*, st_mysql_const_lex_string const*, bool) /test/10.5_opt/sql/sql_db.cc:1647 #8 0x5643e1565f27 in acl_authenticate(THD*, unsigned int) /test/10.5_opt/sql/sql_acl.cc:14322 #9 0x5643e1f38eb2 in check_connection /test/10.5_opt/sql/sql_connect.cc:1081 #10 0x5643e1f39462 in login_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1142 #11 0x5643e1f3d28e in thd_prepare_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1327 #12 0x5643e1f403e6 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1401 #13 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313 #14 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201 #15 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #16 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e) 10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (Optimized) protocol.cc /test/10.5_opt/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null #0 0x5643e138b22c in Protocol::net_store_data(unsigned char const*, unsigned long) /test/10.5_opt/sql/protocol.cc:61 #1 0x5643e13930cc in Protocol::store_str(st_mysql_const_lex_string const&, charset_info_st const*, charset_info_st const*) /test/10.5_opt/sql/protocol.h:128 #2 0x5643e13930cc in Protocol_text::store_field_metadata(THD const*, Send_field const&, charset_info_st const*, unsigned int) /test/10.5_opt/sql/protocol.cc:864 #3 0x5643e1395836 in Protocol_text::store_field_metadata(THD*, Item*, unsigned int) /test/10.5_opt/sql/protocol.cc:1041 #4 0x5643e13961b4 in Protocol::send_result_set_metadata(List<Item>*, unsigned int) /test/10.5_opt/sql/protocol.cc:958 #5 0x5643e162d7d1 in select_send::send_result_set_metadata(List<Item>&, unsigned int) /test/10.5_opt/sql/sql_class.cc:2957 #6 0x5643e1b49b3e in JOIN::exec_inner() /test/10.5_opt/sql/sql_select.cc:4307 #7 0x5643e1b4db41 in JOIN::exec() /test/10.5_opt/sql/sql_select.cc:4245 #8 0x5643e1b4178a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_opt/sql/sql_select.cc:4669 #9 0x5643e1b4588b in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_opt/sql/sql_select.cc:417 #10 0x5643e18db09e in execute_sqlcom_select /test/10.5_opt/sql/sql_parse.cc:6207 #11 0x5643e18b73a0 in mysql_execute_command(THD*) /test/10.5_opt/sql/sql_parse.cc:3939 #12 0x5643e18f21f5 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt/sql/sql_parse.cc:7991 #13 0x5643e18a055d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt/sql/sql_parse.cc:1874 #14 0x5643e1898fd8 in do_command(THD*) /test/10.5_opt/sql/sql_parse.cc:1355 #15 0x5643e1f4043e in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1411 #16 0x5643e1f43495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313 #17 0x5643e38d9050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201 #18 0x148de07916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #19 0x148dde61ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

Marko Mäkelä added a comment - 2020-07-31 09:05

These warnings that danblack mentioned are a permission for GCC 8 or later may optimize away checks for null pointers, similar to ~~MDEV-15587~~:

/home/dan/mariadb-server-not-worktree/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null

/home/dan/mariadb-server-not-worktree/mysys/mf_iocache.c:772:3: runtime error: null pointer passed as argument 1, which is declared to never be null

/home/dan/mariadb-server-not-worktree/mysys/my_alloc.c:468:5: runtime error: null pointer passed as argument 2, which is declared to never be null

/home/dan/mariadb-server-not-worktree/sql/sql_string.h:329:11: runtime error: null pointer passed as argument 2, which is declared to never be null

In fact, today I built a 10.2 -DWITH_ASAN=ON debug build on GCC 10.1, using -O2 -march=native -mtune=native, and I got SIGSEGV in 3 tests. One of them was the following, extracted from main.view:

CREATE VIEW v1 AS SELECT ENCRYPT("dhgdhgd");

disable_result_log;

SELECT * FROM v1;

The following patch alone did not fix it:

--- sql/sql_string.h

+++ sql/sql_string.h

@@ -555,7 +555,8 @@

   void q_append(const char *data, size_t data_len)

-    memcpy(Ptr + str_length, data, data_len);

+    if (data_len)

+      memcpy(Ptr + str_length, data, data_len);

     DBUG_ASSERT(str_length <= UINT_MAX32 - data_len);

     str_length += (uint)data_len;

I think that the above is necessary, because we do not want GCC to infer that the data parameter is nonnull and allow unsafe optimizations. I saw more WITH_UBSAN warnings for the above 3-line test. Probably more of them should be fixed to fix that crash:

10.2 8a612314d0c9bc5b1db6f3998f26c28967915949
/mariadb/10.2o/mysys/mf_iocache.c:807:3: runtime error: null pointer passed as argument 1, which is declared to never be null
/mariadb/10.2o/mysys/my_alloc.c:452:5: runtime error: null pointer passed as argument 2, which is declared to never be null
/mariadb/10.2o/sql/debug_sync.cc:322:9: runtime error: null pointer passed as argument 2, which is declared to never be null
/mariadb/10.2o/sql/sql_string.h:558:11: runtime error: null pointer passed as argument 2, which is declared to never be null

The tests that crashed for me due to this on the WITH_ASAN build were: main.func_encrypt main.func_crypt main.view. Here is one stack trace:

10.2 8a612314d0c9bc5b1db6f3998f26c28967915949
CURRENT_TEST: main.func_encrypt
mysqltest: At line 103: query 'select encrypt(f1,f2) as a from t1,(select encrypt(f1,f2) as b from t1) a' failed: 2013: Lost connection to MySQL server during query
…
2020-07-31 11:07:32 140373456430016 [Note] /dev/shm/10.2o/sql/mysqld: ready for connections.
Version: '10.2.33-MariaDB-debug-log' socket: '/dev/shm/10.2o/mysql-test/var/tmp/18/mysqld.1.sock' port: 16320 Source distribution
200731 11:07:32 [ERROR] mysqld got signal 11 ;
…
#3 <signal handler called>
#4 0x0000000000000000 in ?? ()
#5 0x0000564d1c00bf9f in Item_func_encrypt::val_str (this=0x62b0000005d8, str=0x7fab33897b20) at /mariadb/10.2o/sql/sql_string.h:229
#6 0x0000564d1be00d61 in Item::send (this=0x62b0000005d8, protocol=0x62a0000607c0, buffer=<optimized out>) at /mariadb/10.2o/sql/item.cc:6900
#7 0x0000564d1b5bc52f in Protocol::send_result_set_row (this=this@entry=0x62a0000607c0, row_items=row_items@entry=0x62a000064668) at /mariadb/10.2o/sql/protocol.cc:990
#8 0x0000564d1b70c697 in select_send::send_data (this=0x62b000002ab8, items=<optimized out>) at /mariadb/10.2o/sql/sql_class.cc:2731
#9 0x0000564d1b8e21ff in end_send (join=0x62b000002ae0, join_tab=0x62b000005358, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:20045
#10 0x0000564d1bbaca6c in JOIN_CACHE::generate_full_extensions (this=0x62b000005cc8, rec_ptr=0x7fab3350a819 "\374\066\302\r") at /mariadb/10.2o/sql/sql_join_cache.cc:2401
#11 0x0000564d1bbad358 in JOIN_CACHE::join_matching_records (this=0x62b000005cc8, skip_last=<optimized out>) at /mariadb/10.2o/sql/sql_join_cache.cc:2293
#12 0x0000564d1bbac284 in JOIN_CACHE::join_records (this=this@entry=0x62b000005cc8, skip_last=skip_last@entry=false) at /mariadb/10.2o/sql/sql_join_cache.cc:2087
#13 0x0000564d1b88e65a in sub_select_cache (join=0x62b000002ae0, join_tab=0x62b000004fa8, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:18652
#14 0x0000564d1b88d460 in sub_select (join=0x62b000002ae0, join_tab=0x62b000004bf8, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:18823
#15 0x0000564d1b929ab2 in do_select (procedure=<optimized out>, join=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:18419
#16 JOIN::exec_inner (this=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:3638
#17 0x0000564d1b92b57a in JOIN::exec (this=this@entry=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:3433
#18 0x0000564d1b9232fc in mysql_select (thd=0x62a000060208, tables=<optimized out>, wild_num=<optimized out>, fields=<optimized out>, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:3833
#19 0x0000564d1b9262c1 in handle_select (thd=thd@entry=0x62a000060208, lex=lex@entry=0x62a000063d40, result=result@entry=0x62b000002ab8, setup_tables_done_option=setup_tables_done_option@entry=0) at /mariadb/10.2o/sql/sql_select.cc:361
#20 0x0000564d1b7a9e3f in execute_sqlcom_select (thd=0x62a000060208, all_tables=<optimized out>) at /mariadb/10.2o/sql/sql_parse.cc:6218
#21 0x0000564d1b7d3d64 in mysql_execute_command (thd=0x62a000060208) at /mariadb/10.2o/sql/sql_parse.cc:3524

Marko Mäkelä added a comment - 2020-07-31 09:05 These warnings that danblack mentioned are a permission for GCC 8 or later may optimize away checks for null pointers, similar to MDEV-15587 : /home/dan/mariadb-server-not-worktree/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null /home/dan/mariadb-server-not-worktree/mysys/mf_iocache.c:772:3: runtime error: null pointer passed as argument 1, which is declared to never be null /home/dan/mariadb-server-not-worktree/mysys/my_alloc.c:468:5: runtime error: null pointer passed as argument 2, which is declared to never be null /home/dan/mariadb-server-not-worktree/sql/sql_string.h:329:11: runtime error: null pointer passed as argument 2, which is declared to never be null In fact, today I built a 10.2 -DWITH_ASAN=ON debug build on GCC 10.1, using -O2 -march=native -mtune=native , and I got SIGSEGV in 3 tests. One of them was the following, extracted from main.view : CREATE VIEW v1 AS SELECT ENCRYPT( "dhgdhgd" ); disable_result_log; SELECT * FROM v1; The following patch alone did not fix it: --- sql/sql_string.h +++ sql/sql_string.h @@ -555,7 +555,8 @@ } void q_append(const char *data, size_t data_len) { - memcpy(Ptr + str_length, data, data_len); + if (data_len) + memcpy(Ptr + str_length, data, data_len); DBUG_ASSERT(str_length <= UINT_MAX32 - data_len); str_length += (uint)data_len; } I think that the above is necessary, because we do not want GCC to infer that the data parameter is nonnull and allow unsafe optimizations. I saw more WITH_UBSAN warnings for the above 3-line test. Probably more of them should be fixed to fix that crash: 10.2 8a612314d0c9bc5b1db6f3998f26c28967915949 /mariadb/10.2o/mysys/mf_iocache.c:807:3: runtime error: null pointer passed as argument 1, which is declared to never be null /mariadb/10.2o/mysys/my_alloc.c:452:5: runtime error: null pointer passed as argument 2, which is declared to never be null /mariadb/10.2o/sql/debug_sync.cc:322:9: runtime error: null pointer passed as argument 2, which is declared to never be null /mariadb/10.2o/sql/sql_string.h:558:11: runtime error: null pointer passed as argument 2, which is declared to never be null The tests that crashed for me due to this on the WITH_ASAN build were: main.func_encrypt main.func_crypt main.view . Here is one stack trace: 10.2 8a612314d0c9bc5b1db6f3998f26c28967915949 CURRENT_TEST: main.func_encrypt mysqltest: At line 103: query 'select encrypt(f1,f2) as a from t1,(select encrypt(f1,f2) as b from t1) a' failed: 2013: Lost connection to MySQL server during query … 2020-07-31 11:07:32 140373456430016 [Note] /dev/shm/10.2o/sql/mysqld: ready for connections. Version: '10.2.33-MariaDB-debug-log' socket: '/dev/shm/10.2o/mysql-test/var/tmp/18/mysqld.1.sock' port: 16320 Source distribution 200731 11:07:32 [ERROR] mysqld got signal 11 ; … #3 <signal handler called> #4 0x0000000000000000 in ?? () #5 0x0000564d1c00bf9f in Item_func_encrypt::val_str (this=0x62b0000005d8, str=0x7fab33897b20) at /mariadb/10.2o/sql/sql_string.h:229 #6 0x0000564d1be00d61 in Item::send (this=0x62b0000005d8, protocol=0x62a0000607c0, buffer=<optimized out>) at /mariadb/10.2o/sql/item.cc:6900 #7 0x0000564d1b5bc52f in Protocol::send_result_set_row (this=this@entry=0x62a0000607c0, row_items=row_items@entry=0x62a000064668) at /mariadb/10.2o/sql/protocol.cc:990 #8 0x0000564d1b70c697 in select_send::send_data (this=0x62b000002ab8, items=<optimized out>) at /mariadb/10.2o/sql/sql_class.cc:2731 #9 0x0000564d1b8e21ff in end_send (join=0x62b000002ae0, join_tab=0x62b000005358, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:20045 #10 0x0000564d1bbaca6c in JOIN_CACHE::generate_full_extensions (this=0x62b000005cc8, rec_ptr=0x7fab3350a819 "\374\066\302\r") at /mariadb/10.2o/sql/sql_join_cache.cc:2401 #11 0x0000564d1bbad358 in JOIN_CACHE::join_matching_records (this=0x62b000005cc8, skip_last=<optimized out>) at /mariadb/10.2o/sql/sql_join_cache.cc:2293 #12 0x0000564d1bbac284 in JOIN_CACHE::join_records (this=this@entry=0x62b000005cc8, skip_last=skip_last@entry=false) at /mariadb/10.2o/sql/sql_join_cache.cc:2087 #13 0x0000564d1b88e65a in sub_select_cache (join=0x62b000002ae0, join_tab=0x62b000004fa8, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:18652 #14 0x0000564d1b88d460 in sub_select (join=0x62b000002ae0, join_tab=0x62b000004bf8, end_of_records=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:18823 #15 0x0000564d1b929ab2 in do_select (procedure=<optimized out>, join=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:18419 #16 JOIN::exec_inner (this=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:3638 #17 0x0000564d1b92b57a in JOIN::exec (this=this@entry=0x62b000002ae0) at /mariadb/10.2o/sql/sql_select.cc:3433 #18 0x0000564d1b9232fc in mysql_select (thd=0x62a000060208, tables=<optimized out>, wild_num=<optimized out>, fields=<optimized out>, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /mariadb/10.2o/sql/sql_select.cc:3833 #19 0x0000564d1b9262c1 in handle_select (thd=thd@entry=0x62a000060208, lex=lex@entry=0x62a000063d40, result=result@entry=0x62b000002ab8, setup_tables_done_option=setup_tables_done_option@entry=0) at /mariadb/10.2o/sql/sql_select.cc:361 #20 0x0000564d1b7a9e3f in execute_sqlcom_select (thd=0x62a000060208, all_tables=<optimized out>) at /mariadb/10.2o/sql/sql_parse.cc:6218 #21 0x0000564d1b7d3d64 in mysql_execute_command (thd=0x62a000060208) at /mariadb/10.2o/sql/sql_parse.cc:3524

View 6 older comments

People

Assignee:: Marko Mäkelä

Reporter:: Roel Van de Paar

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2020-04-28 06:09

Updated:: 2021-10-13 05:42

Resolved:: 2020-11-02 15:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.