Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.4, 11.7(EOL), 11.8
Description
CREATE TABLE t (a INT) ENGINE=Aria; |
INSERT INTO t VALUES(); |
ALTER TABLE t ADD b GEOMETRY NOT NULL,ALGORITHM=copy; |
ALTER TABLE t ADD INDEX i (b(1)); |
Leads to:
|
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) |
/test/10.7_opt_san/storage/maria/ma_key.c:279:7: runtime error: null pointer passed as argument 2, which is declared to never be null
|
|
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) |
#0 0x55fc8247b895 in _ma_make_key /test/10.7_opt_san/storage/maria/ma_key.c:279
|
#1 0x55fc85714360 in maria_write /test/10.7_opt_san/storage/maria/ma_write.c:189
|
#2 0x55fc84500414 in handler::ha_write_row(unsigned char const*) /test/10.7_opt_san/sql/handler.cc:7519
|
#3 0x55fc835f94ea in copy_data_between_tables /test/10.7_opt_san/sql/sql_table.cc:11081
|
#4 0x55fc836695c7 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /test/10.7_opt_san/sql/sql_table.cc:10356
|
#5 0x55fc83983423 in Sql_cmd_alter_table::execute(THD*) /test/10.7_opt_san/sql/sql_alter.cc:550
|
#6 0x55fc830c2e75 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5989
|
#7 0x55fc8304cfe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
|
#8 0x55fc830a2655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
|
#9 0x55fc830ade52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
|
#10 0x55fc839597bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
|
#11 0x55fc8395c2b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
|
#12 0x55fc85924ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
|
#13 0x149631c47608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
#14 0x149630ebd292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug) |
#0 0x55b47550c333 in _ma_make_key /test/10.7_dbg_san/storage/maria/ma_key.c:279
|
#1 0x55b47558c582 in maria_write /test/10.7_dbg_san/storage/maria/ma_write.c:189
|
#2 0x55b4753a7015 in ha_maria::write_row(unsigned char const*) /test/10.7_dbg_san/storage/maria/ha_maria.cc:1266
|
#3 0x55b4740d2e4a in handler::ha_write_row(unsigned char const*) /test/10.7_dbg_san/sql/handler.cc:7519
|
#4 0x55b472f520d9 in copy_data_between_tables /test/10.7_dbg_san/sql/sql_table.cc:11081
|
#5 0x55b472fbc27c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /test/10.7_dbg_san/sql/sql_table.cc:10356
|
#6 0x55b473381b19 in Sql_cmd_alter_table::execute(THD*) /test/10.7_dbg_san/sql/sql_alter.cc:550
|
#7 0x55b4728f7b1f in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5989
|
#8 0x55b472834c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
|
#9 0x55b4728a967a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
|
#10 0x55b4728c00c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
|
#11 0x55b47334b2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
|
#12 0x55b47334e143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
|
#13 0x55b47576e4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
|
#14 0x145b39153608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
|
#15 0x145b383c9292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1
|
Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
MDEV-25454 Make MariaDB server UBSAN safe
-
- Confirmed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Summary | UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER and runtime error: load of value 3200171710, which is not a valid value for type 'geometry_type' | UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER |
| Component/s | GIS [ 10105 ] |
| Assignee | Alexey Botchkov [ holyfoot ] | Vladislav Lesin [ vlad.lesin ] |
| Link | This issue relates to MDEV-25454 [ MDEV-25454 ] |
| Workflow | MariaDB v3 [ 126266 ] | MariaDB v4 [ 143256 ] |
| Fix Version/s | 10.7 [ 24805 ] |
| Assignee | Vladislav Lesin [ vlad.lesin ] | Michael Widenius [ monty ] |
| Fix Version/s | 10.2 [ 14601 ] |
| Fix Version/s | 10.7 [ 24805 ] |
| Fix Version/s | 10.3 [ 22126 ] |
This additional testcase:
SET sql_mode=''; |
CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria; |
INSERT INTO t VALUES (0); |
UPDATE t SET c=NULL; |
Produces these additional stacks/UniqueID's:
UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|ha_maria::update_row|handler::ha_update_row
|
UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|handler::ha_update_row|Sql_cmd_update::update_single_table
|
UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|handler::ha_update_row|mysql_update
|
Note that without the sql_mode we get ERROR 1048 (23000): Column 'c' cannot be null.
Also, this testcase:
CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria; |
INSERT INTO t VALUES (0); |
UPDATE t SET c=(1+DEGREES (-1) MOD LOG2 (-1))%NULL; |
Leads to:
|
11.1.2 3883eb63dc5e663558571c33d086c9fd3aa0cf8f (Debug) |
11.1.2-dbg>CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria;
|
Query OK, 0 rows affected (0.016 sec)
|
|
|
11.1.2-dbg>INSERT INTO t VALUES (0);
|
Query OK, 1 row affected (0.002 sec)
|
|
|
11.1.2-dbg>UPDATE t SET c=(1+DEGREES (-1) MOD LOG2 (-1))%NULL;
|
ERROR 1365 (22012): Division by 0
|
Which seems to be an additional rounding bug of some sort (as NULL%NULL or 0%NULL results in ERROR 1048 (23000): Column 'c' cannot be null error instead.
| Status | Open [ 1 ] | Confirmed [ 10101 ] |
| Affects Version/s | 10.9 [ 26905 ] | |
| Affects Version/s | 10.10 [ 27530 ] | |
| Affects Version/s | 10.11 [ 27614 ] | |
| Affects Version/s | 11.0 [ 28320 ] | |
| Affects Version/s | 11.1 [ 28549 ] |
| Fix Version/s | 10.9 [ 26905 ] | |
| Fix Version/s | 10.10 [ 27530 ] | |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 11.0 [ 28320 ] | |
| Fix Version/s | 11.1 [ 28549 ] |
| Fix Version/s | 10.9 [ 26905 ] |
| Fix Version/s | 10.10 [ 27530 ] |
| Fix Version/s | 11.0 [ 28320 ] |
| Fix Version/s | 10.4 [ 22408 ] |
| Fix Version/s | 11.1 [ 28549 ] |
Please also test any fixes with
SET sql_mode=''; |
CREATE TABLE t1 (a INT,b BLOB NOT NULL,INDEX sk (b)) ROW_FORMAT=compact ENGINE=Aria; |
INSERT INTO t1 SELECT @p,@p FROM seq_0_to_0; |
Additional testcase, info and one additional stack variation from Clang (replays for both MyISAM and InnoDB):
CREATE TABLE t AS SELECT 0 AS c; |
ALTER TABLE t ADD b GEOMETRY NOT NULL; |
SELECT * FROM t UNION SELECT * FROM t; |
Leads to:
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Optimized, UBASAN, Clang) |
/test/11.8_opt_san/storage/maria/ma_unique.c:145:13: runtime error: applying zero offset to null pointer
|
#0 0x559962aaaca2 in _ma_unique_hash /test/11.8_opt_san/storage/maria/ma_unique.c:145:13
|
#1 0x559962c509f9 in maria_write /test/11.8_opt_san/storage/maria/ma_write.c:134:32
|
#2 0x55996113c989 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_opt_san/sql/sql_class.h:8031:3
|
#3 0x55996143acfb in select_unit::write_record() /test/11.8_opt_san/sql/sql_union.cc:417:7
|
#4 0x55996143a2d5 in select_unit::send_data(List<Item>&) /test/11.8_opt_san/sql/sql_union.cc:161:9
|
#5 0x5599610ca1f2 in end_send(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:25427:9
|
#6 0x5599611a925f in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_opt_san/sql/sql_select.cc:24329:11
|
#7 0x559961039cfe in sub_select(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:24096:9
|
#8 0x5599610e94e4 in do_select(JOIN*, Procedure*) /test/11.8_opt_san/sql/sql_select.cc:23607:14
|
#9 0x5599610e412c in JOIN::exec_inner() /test/11.8_opt_san/sql/sql_select.cc:5037:50
|
#10 0x5599610e1e21 in JOIN::exec() /test/11.8_opt_san/sql/sql_select.cc:4820:8
|
#11 0x55996145b23e in st_select_lex_unit::exec_inner() /test/11.8_opt_san/sql/sql_union.cc:2437:27
|
#12 0x55996142c5e1 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_opt_san/sql/sql_union.cc:45:16
|
#13 0x55996103c5d8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:623:10
|
#14 0x559960ef0dac in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6177:12
|
#15 0x559960ed5fc7 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3966:12
|
#16 0x559960e9ec92 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7901:18
|
#17 0x559960e93b9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1903:7
|
#18 0x559960ea1a6e in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1416:17
|
#19 0x559961682e38 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#20 0x559961682280 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#21 0x5599607cab0c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#22 0x14971709ca93 in start_thread nptl/pthread_create.c:447:8
|
#23 0x149717129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_opt_san/storage/maria/ma_unique.c:145:13
|
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Optimized, UBASAN, Clang) |
/test/11.8_opt_san/strings/ctype-bin.c:280:26: runtime error: applying zero offset to null pointer
|
#0 0x559963a6b5a4 in my_hash_sort_bin /test/11.8_opt_san/strings/ctype-bin.c:280:26
|
#1 0x559962aaacd3 in _ma_unique_hash /test/11.8_opt_san/storage/maria/ma_unique.c:156:7
|
#2 0x559962c509f9 in maria_write /test/11.8_opt_san/storage/maria/ma_write.c:134:32
|
#3 0x55996113c989 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_opt_san/sql/sql_class.h:8031:3
|
#4 0x55996143acfb in select_unit::write_record() /test/11.8_opt_san/sql/sql_union.cc:417:7
|
#5 0x55996143a2d5 in select_unit::send_data(List<Item>&) /test/11.8_opt_san/sql/sql_union.cc:161:9
|
#6 0x5599610ca1f2 in end_send(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:25427:9
|
#7 0x5599611a925f in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_opt_san/sql/sql_select.cc:24329:11
|
#8 0x559961039cfe in sub_select(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:24096:9
|
#9 0x5599610e94e4 in do_select(JOIN*, Procedure*) /test/11.8_opt_san/sql/sql_select.cc:23607:14
|
#10 0x5599610e412c in JOIN::exec_inner() /test/11.8_opt_san/sql/sql_select.cc:5037:50
|
#11 0x5599610e1e21 in JOIN::exec() /test/11.8_opt_san/sql/sql_select.cc:4820:8
|
#12 0x55996145b23e in st_select_lex_unit::exec_inner() /test/11.8_opt_san/sql/sql_union.cc:2437:27
|
#13 0x55996142c5e1 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_opt_san/sql/sql_union.cc:45:16
|
#14 0x55996103c5d8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:623:10
|
#15 0x559960ef0dac in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6177:12
|
#16 0x559960ed5fc7 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3966:12
|
#17 0x559960e9ec92 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7901:18
|
#18 0x559960e93b9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1903:7
|
#19 0x559960ea1a6e in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1416:17
|
#20 0x559961682e38 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#21 0x559961682280 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#22 0x5599607cab0c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#23 0x14971709ca93 in start_thread nptl/pthread_create.c:447:8
|
#24 0x149717129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_opt_san/strings/ctype-bin.c:280:26
|
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Optimized, UBASAN, Clang) |
/test/11.8_opt_san/storage/maria/ma_unique.c:262:17: runtime error: applying zero offset to null pointer
|
#0 0x559962aacbde in _ma_unique_comp /test/11.8_opt_san/storage/maria/ma_unique.c:262:17
|
#1 0x559962aa63e3 in _ma_cmp_dynamic_unique /test/11.8_opt_san/storage/maria/ma_dynrec.c:1623:11
|
#2 0x559962aa974d in _ma_check_unique /test/11.8_opt_san/storage/maria/ma_unique.c:69:3
|
#3 0x559962c50913 in maria_write /test/11.8_opt_san/storage/maria/ma_write.c:137:13
|
#4 0x55996113c989 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_opt_san/sql/sql_class.h:8031:3
|
#5 0x55996143acfb in select_unit::write_record() /test/11.8_opt_san/sql/sql_union.cc:417:7
|
#6 0x55996143a2d5 in select_unit::send_data(List<Item>&) /test/11.8_opt_san/sql/sql_union.cc:161:9
|
#7 0x5599610ca1f2 in end_send(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:25427:9
|
#8 0x5599611a925f in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_opt_san/sql/sql_select.cc:24329:11
|
#9 0x559961039cfe in sub_select(JOIN*, st_join_table*, bool) /test/11.8_opt_san/sql/sql_select.cc:24096:9
|
#10 0x5599610e94e4 in do_select(JOIN*, Procedure*) /test/11.8_opt_san/sql/sql_select.cc:23607:14
|
#11 0x5599610e412c in JOIN::exec_inner() /test/11.8_opt_san/sql/sql_select.cc:5037:50
|
#12 0x5599610e1e21 in JOIN::exec() /test/11.8_opt_san/sql/sql_select.cc:4820:8
|
#13 0x55996145b23e in st_select_lex_unit::exec_inner() /test/11.8_opt_san/sql/sql_union.cc:2437:27
|
#14 0x55996142c5e1 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_opt_san/sql/sql_union.cc:45:16
|
#15 0x55996103c5d8 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:623:10
|
#16 0x559960ef0dac in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6177:12
|
#17 0x559960ed5fc7 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3966:12
|
#18 0x559960e9ec92 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7901:18
|
#19 0x559960e93b9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1903:7
|
#20 0x559960ea1a6e in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1416:17
|
#21 0x559961682e38 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
|
#22 0x559961682280 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
|
#23 0x5599607cab0c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#24 0x14971709ca93 in start_thread nptl/pthread_create.c:447:8
|
#25 0x149717129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_opt_san/storage/maria/ma_unique.c:262:17
|
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Debug, UBASAN, Clang) |
/test/11.8_dbg_san/storage/maria/ma_unique.c:145:13: runtime error: applying zero offset to null pointer
|
#0 0x5654f1bebbce in _ma_unique_hash /test/11.8_dbg_san/storage/maria/ma_unique.c:145:13
|
#1 0x5654f1f9a965 in maria_write /test/11.8_dbg_san/storage/maria/ma_write.c:134:32
|
#2 0x5654f1c273b6 in ha_maria::write_row(unsigned char const*) /test/11.8_dbg_san/storage/maria/ha_maria.cc:1235:10
|
#3 0x5654ee74bbd4 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_dbg_san/sql/sql_class.h:8031:3
|
#4 0x5654eedc287b in select_unit::write_record() /test/11.8_dbg_san/sql/sql_union.cc:417:7
|
#5 0x5654eedc0142 in select_unit::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_union.cc:161:9
|
#6 0x5654ee69dfd0 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_class.h:6244:12
|
#7 0x5654ee661b96 in end_send(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25427:9
|
#8 0x5654ee82d098 in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_dbg_san/sql/sql_select.cc:24329:11
|
#9 0x5654ee52a5b1 in sub_select(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:24096:9
|
#10 0x5654ee6a5a95 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23607:14
|
#11 0x5654ee69be79 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5037:50
|
#12 0x5654ee69456a in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4820:8
|
#13 0x5654eee05448 in st_select_lex_unit::exec_inner() /test/11.8_dbg_san/sql/sql_union.cc:2437:27
|
#14 0x5654eedb8db3 in st_select_lex_unit::exec() /test/11.8_dbg_san/sql/sql_union.cc:2341:3
|
#15 0x5654eeda3ce2 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_union.cc:45:16
|
#16 0x5654ee52d066 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:623:10
|
#17 0x5654ee219ee0 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6177:12
|
#18 0x5654ee1b9dcc in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3966:12
|
#19 0x5654ee15fef9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7901:18
|
#20 0x5654ee140db8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
|
#21 0x5654ee169e56 in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
|
#22 0x5654ef2cc556 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#23 0x5654ef2cad19 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#24 0x5654ed3135fc in asan_thread_start(void*) asan_interceptors.cpp.o
|
#25 0x148af1a9ca93 in start_thread nptl/pthread_create.c:447:8
|
#26 0x148af1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_dbg_san/storage/maria/ma_unique.c:145:13
|
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Debug, UBASAN, Clang) |
/test/11.8_dbg_san/strings/ctype-bin.c:280:26: runtime error: applying zero offset to null pointer
|
#0 0x5654f4430b10 in my_hash_sort_bin /test/11.8_dbg_san/strings/ctype-bin.c:280:26
|
#1 0x5654f1bebcd7 in _ma_unique_hash /test/11.8_dbg_san/storage/maria/ma_unique.c:156:7
|
#2 0x5654f1f9a965 in maria_write /test/11.8_dbg_san/storage/maria/ma_write.c:134:32
|
#3 0x5654f1c273b6 in ha_maria::write_row(unsigned char const*) /test/11.8_dbg_san/storage/maria/ha_maria.cc:1235:10
|
#4 0x5654ee74bbd4 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_dbg_san/sql/sql_class.h:8031:3
|
#5 0x5654eedc287b in select_unit::write_record() /test/11.8_dbg_san/sql/sql_union.cc:417:7
|
#6 0x5654eedc0142 in select_unit::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_union.cc:161:9
|
#7 0x5654ee69dfd0 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_class.h:6244:12
|
#8 0x5654ee661b96 in end_send(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25427:9
|
#9 0x5654ee82d098 in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_dbg_san/sql/sql_select.cc:24329:11
|
#10 0x5654ee52a5b1 in sub_select(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:24096:9
|
#11 0x5654ee6a5a95 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23607:14
|
#12 0x5654ee69be79 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5037:50
|
#13 0x5654ee69456a in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4820:8
|
#14 0x5654eee05448 in st_select_lex_unit::exec_inner() /test/11.8_dbg_san/sql/sql_union.cc:2437:27
|
#15 0x5654eedb8db3 in st_select_lex_unit::exec() /test/11.8_dbg_san/sql/sql_union.cc:2341:3
|
#16 0x5654eeda3ce2 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_union.cc:45:16
|
#17 0x5654ee52d066 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:623:10
|
#18 0x5654ee219ee0 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6177:12
|
#19 0x5654ee1b9dcc in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3966:12
|
#20 0x5654ee15fef9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7901:18
|
#21 0x5654ee140db8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
|
#22 0x5654ee169e56 in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
|
#23 0x5654ef2cc556 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#24 0x5654ef2cad19 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#25 0x5654ed3135fc in asan_thread_start(void*) asan_interceptors.cpp.o
|
#26 0x148af1a9ca93 in start_thread nptl/pthread_create.c:447:8
|
#27 0x148af1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_dbg_san/strings/ctype-bin.c:280:26
|
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Debug, UBASAN, Clang) |
/test/11.8_dbg_san/storage/maria/ma_unique.c:262:17: runtime error: applying zero offset to null pointer
|
#0 0x5654f1bee217 in _ma_unique_comp /test/11.8_dbg_san/storage/maria/ma_unique.c:262:17
|
#1 0x5654f1be2b45 in _ma_cmp_dynamic_unique /test/11.8_dbg_san/storage/maria/ma_dynrec.c:1623:11
|
#2 0x5654f1be9e27 in _ma_check_unique /test/11.8_dbg_san/storage/maria/ma_unique.c:69:3
|
#3 0x5654f1f9ab66 in maria_write /test/11.8_dbg_san/storage/maria/ma_write.c:137:13
|
#4 0x5654f1c273b6 in ha_maria::write_row(unsigned char const*) /test/11.8_dbg_san/storage/maria/ha_maria.cc:1235:10
|
#5 0x5654ee74bbd4 in handler::ha_write_tmp_row(unsigned char*) /test/11.8_dbg_san/sql/sql_class.h:8031:3
|
#6 0x5654eedc287b in select_unit::write_record() /test/11.8_dbg_san/sql/sql_union.cc:417:7
|
#7 0x5654eedc0142 in select_unit::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_union.cc:161:9
|
#8 0x5654ee69dfd0 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_class.h:6244:12
|
#9 0x5654ee661b96 in end_send(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25427:9
|
#10 0x5654ee82d098 in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_dbg_san/sql/sql_select.cc:24329:11
|
#11 0x5654ee52a5b1 in sub_select(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:24096:9
|
#12 0x5654ee6a5a95 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23607:14
|
#13 0x5654ee69be79 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5037:50
|
#14 0x5654ee69456a in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4820:8
|
#15 0x5654eee05448 in st_select_lex_unit::exec_inner() /test/11.8_dbg_san/sql/sql_union.cc:2437:27
|
#16 0x5654eedb8db3 in st_select_lex_unit::exec() /test/11.8_dbg_san/sql/sql_union.cc:2341:3
|
#17 0x5654eeda3ce2 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_union.cc:45:16
|
#18 0x5654ee52d066 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:623:10
|
#19 0x5654ee219ee0 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6177:12
|
#20 0x5654ee1b9dcc in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3966:12
|
#21 0x5654ee15fef9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7901:18
|
#22 0x5654ee140db8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
|
#23 0x5654ee169e56 in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
|
#24 0x5654ef2cc556 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#25 0x5654ef2cad19 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#26 0x5654ed3135fc in asan_thread_start(void*) asan_interceptors.cpp.o
|
#27 0x148af1a9ca93 in start_thread nptl/pthread_create.c:447:8
|
#28 0x148af1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.8_dbg_san/storage/maria/ma_unique.c:262:17
|
Setup:
Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
|
# Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
|
sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
|
Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
|
Bug confirmed present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)
| Labels | nullptr-with-offset |
| Fix Version/s | 11.4 [ 29301 ] | |
| Fix Version/s | 11.7 [ 29815 ] | |
| Affects Version/s | 11.4 [ 29301 ] | |
| Affects Version/s | 11.7 [ 29815 ] | |
| Affects Version/s | 11.8 [ 29921 ] |
| Summary | UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER | UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER, and and runtime error: applying zero offset to null pointer in _ma_unique_hash, my_hash_sort_bin and _ma_unique_comp |
| Labels | nullptr-with-offset | UBSAN nullptr-with-offset |
| Summary | UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER, and and runtime error: applying zero offset to null pointer in _ma_unique_hash, my_hash_sort_bin and _ma_unique_comp | UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER, and applying zero offset to null pointer in _ma_unique_hash, my_hash_sort_bin and _ma_unique_comp |
| Link |
This issue relates to |
| Labels | UBSAN nullptr-with-offset | UBSAN invalid-null-argument nullptr-with-offset |
Clang summary/stack for the original testcase:
|
CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Debug, UBASAN, Clang) |
/test/11.8_dbg_san/storage/maria/ma_key.c:279:19: runtime error: null pointer passed as argument 2, which is declared to never be null
|
/usr/include/string.h:44:28: note: nonnull attribute specified here
|
#0 0x55a191fc42ae in _ma_make_key /test/11.8_dbg_san/storage/maria/ma_key.c:279:7
|
#1 0x55a1920cdabd in maria_write /test/11.8_dbg_san/storage/maria/ma_write.c:191:35
|
#2 0x55a191d583b6 in ha_maria::write_row(unsigned char const*) /test/11.8_dbg_san/storage/maria/ha_maria.cc:1235:10
|
#3 0x55a190939afa in handler::ha_write_row(unsigned char const*) /test/11.8_dbg_san/sql/handler.cc:8182:3
|
#4 0x55a18ee06588 in copy_data_between_tables(THD*, TABLE*, TABLE*, bool, unsigned int, st_order*, unsigned long long*, unsigned long long*, Alter_info*, Alter_table_ctx*, bool, unsigned long long) /test/11.8_dbg_san/sql/sql_table.cc:12586:24
|
#5 0x55a18eda44e4 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /test/11.8_dbg_san/sql/sql_table.cc:11680:9
|
#6 0x55a18f464ed3 in Sql_cmd_alter_table::execute(THD*) /test/11.8_dbg_san/sql/sql_alter.cc:701:11
|
#7 0x55a18e333d67 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:5872:26
|
#8 0x55a18e290ef9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7901:18
|
#9 0x55a18e271db8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
|
#10 0x55a18e29ae56 in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
|
#11 0x55a18f3fd556 in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
|
#12 0x55a18f3fbd19 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
|
#13 0x55a18d4445fc in asan_thread_start(void*) asan_interceptors.cpp.o
|
#14 0x1545e049ca93 in start_thread nptl/pthread_create.c:447:8
|
#15 0x1545e0529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: invalid-null-argument /test/11.8_dbg_san/storage/maria/ma_key.c:279:19
|
| Fix Version/s | 11.7(EOL) [ 29815 ] |
Additional testcase leading to similar but slightly different stack
Leads to:
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)
/test/11.0_dbg_san/storage/maria/ma_key.c:279:7: runtime error: null pointer passed as argument 2, which is declared to never be null11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)
#0 0x558073758037 in _ma_make_key /test/11.0_dbg_san/storage/maria/ma_key.c:279#1 0x5580737c2ee8 in maria_write /test/11.0_dbg_san/storage/maria/ma_write.c:189#2 0x5580736458ab in ha_maria::write_row(unsigned char const*) /test/11.0_dbg_san/storage/maria/ha_maria.cc:1304#3 0x558072442943 in handler::ha_write_row(unsigned char const*) /test/11.0_dbg_san/sql/handler.cc:7798#4 0x558070a67f8c in write_record(THD*, TABLE*, st_copy_info*, select_result*) /test/11.0_dbg_san/sql/sql_insert.cc:2204#5 0x558070acc88c in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.0_dbg_san/sql/sql_insert.cc:1154#6 0x558070cd700f in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:4569#7 0x558070cfc973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014#8 0x558070d0c707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894#9 0x558070d1a542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407#10 0x5580716ef8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416#11 0x5580716f0dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318#12 0x149e95a94b42 in start_thread nptl/pthread_create.c:442#13 0x149e95b269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)Bug confirmed present in 10.2-11.1 (opt+dbg).