Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Description
CREATE TABLE t (c BLOB NOT NULL) ENGINE=InnoDB; |
INSERT IGNORE INTO t VALUES (0); |
SELECT COUNT(*) FROM t WHERE EXTRACTVALUE(c,'a')='a'; |
Leads to:
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized) |
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
|
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized) |
#0 0x5633c2674f25 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
|
#1 0x5633c2674f25 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
|
#2 0x5633c493f6fb in Arg_comparator::compare() /test/10.9_opt_san/sql/item_cmpfunc.h:103
|
#3 0x5633c493f6fb in Item_func_eq::val_int() /test/10.9_opt_san/sql/item_cmpfunc.cc:1762
|
#4 0x5633c340c414 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21193
|
#5 0x5633c3459933 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21095
|
#6 0x5633c3605123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
|
#7 0x5633c3605123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
|
#8 0x5633c36099f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
|
#9 0x5633c35f7b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
|
#10 0x5633c35fba73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
|
#11 0x5633c3212cdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
|
#12 0x5633c325288b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
|
#13 0x5633c31e20a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
|
#14 0x5633c3238439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
|
#15 0x5633c3243c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
|
#16 0x5633c3b2ed3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
|
#17 0x5633c3b31834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
|
#18 0x5633c5c2f1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
|
#19 0x14edd0d6b608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#20 0x14edcffe0162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug) |
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
|
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug) |
#0 0x55f42cc16597 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
|
#1 0x55f42cc165dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
|
#2 0x55f428a406c5 in charset_info_st::strnncollsp(char const*, unsigned long, char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:864
|
#3 0x55f428a406c5 in sortcmp(Binary_string const*, Binary_string const*, charset_info_st const*) /test/10.9_dbg_san/sql/sql_string.cc:853
|
#4 0x55f429f237bf in Arg_comparator::compare_string() /test/10.9_dbg_san/sql/item_cmpfunc.cc:765
|
#5 0x55f429f040f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
|
#6 0x55f429f040f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
|
#7 0x55f4285b7d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
|
#8 0x55f42865bffe in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21095
|
#9 0x55f42882e362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
|
#10 0x55f42882e362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
|
#11 0x55f42882fc94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
|
#12 0x55f42881f58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
|
#13 0x55f428820ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
|
#14 0x55f42838dfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
|
#15 0x55f4283f3216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
|
#16 0x55f428355728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
|
#17 0x55f4283cb44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
|
#18 0x55f4283e1fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#19 0x55f428eaec4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#20 0x55f428eb1ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#21 0x55f42b40ac62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
|
#22 0x15066de74608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#23 0x15066d0e9162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1
|
Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Confirmed
-
Activity
Additional different testcase with additional stacks:
SET sql_mode=''; |
CREATE TABLE t (c TEXT NOT NULL) ENGINE=InnoDB; |
INSERT INTO t VALUES(); |
INSERT IGNORE INTO t VALUES (@VALUE); |
SELECT GROUP_CONCAT(c ORDER BY BINARY c) FROM t GROUP BY c; |
Leads to:
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN) |
Version: '10.9.0-MariaDB' socket: '/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/socket.sock' port: 10345 MariaDB Server
|
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
|
#0 0x55ce82c6ff25 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
|
#1 0x55ce82c6ff25 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
|
#2 0x55ce85764b0f in group_concat_key_cmp_with_order /test/10.9_opt_san/sql/item_sum.cc:3673
|
#3 0x55ce879f2ece in tree_insert /test/10.9_opt_san/mysys/tree.c:249
|
#4 0x55ce857d14cb in Item_func_group_concat::add(bool) /test/10.9_opt_san/sql/item_sum.cc:4208
|
#5 0x55ce83b1d693 in Aggregator_simple::add() /test/10.9_opt_san/sql/item_sum.h:720
|
#6 0x55ce83b1d693 in Item_sum::aggregator_add() /test/10.9_opt_san/sql/item_sum.h:564
|
#7 0x55ce83b1d693 in update_sum_func /test/10.9_opt_san/sql/sql_select.cc:26272
|
#8 0x55ce83b1d693 in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:22560
|
#9 0x55ce83a07ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
|
#10 0x55ce83a54b31 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21134
|
#11 0x55ce83c00123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
|
#12 0x55ce83c00123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
|
#13 0x55ce83c049f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
|
#14 0x55ce83bf2b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
|
#15 0x55ce83bf6a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
|
#16 0x55ce8380dcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
|
#17 0x55ce8384d88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
|
#18 0x55ce837dd0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
|
#19 0x55ce83833439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
|
#20 0x55ce8383ec92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
|
#21 0x55ce84129d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
|
#22 0x55ce8412c834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
|
#23 0x55ce8622a1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
|
#24 0x1510429db608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#25 0x151041c50162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
|
|
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x55ce82c6ff46 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
|
#1 0x55ce82c6ff46 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
|
#2 0x55ce85764b0f in group_concat_key_cmp_with_order /test/10.9_opt_san/sql/item_sum.cc:3673
|
#3 0x55ce879f2ece in tree_insert /test/10.9_opt_san/mysys/tree.c:249
|
#4 0x55ce857d14cb in Item_func_group_concat::add(bool) /test/10.9_opt_san/sql/item_sum.cc:4208
|
#5 0x55ce83b1d693 in Aggregator_simple::add() /test/10.9_opt_san/sql/item_sum.h:720
|
#6 0x55ce83b1d693 in Item_sum::aggregator_add() /test/10.9_opt_san/sql/item_sum.h:564
|
#7 0x55ce83b1d693 in update_sum_func /test/10.9_opt_san/sql/sql_select.cc:26272
|
#8 0x55ce83b1d693 in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:22560
|
#9 0x55ce83a07ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
|
#10 0x55ce83a54b31 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21134
|
#11 0x55ce83c00123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
|
#12 0x55ce83c00123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
|
#13 0x55ce83c049f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
|
#14 0x55ce83bf2b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
|
#15 0x55ce83bf6a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
|
#16 0x55ce8380dcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
|
#17 0x55ce8384d88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
|
#18 0x55ce837dd0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
|
#19 0x55ce83833439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
|
#20 0x55ce8383ec92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
|
#21 0x55ce84129d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
|
#22 0x55ce8412c834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
|
#23 0x55ce8622a1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
|
#24 0x1510429db608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#25 0x151041c50162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
|
10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug) |
Version: '10.9.0-MariaDB-debug' socket: '/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/socket.sock' port: 11078 MariaDB Server
|
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
|
#0 0x5629564a5597 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
|
#1 0x5629564a55dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
|
#2 0x5629533afd90 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:859
|
#3 0x5629533afd90 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/10.9_dbg_san/sql/field.cc:8761
|
#4 0x5629533b0160 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/10.9_dbg_san/sql/field.cc:8771
|
#5 0x56295413f1bb in group_concat_key_cmp_with_order /test/10.9_dbg_san/sql/item_sum.cc:3673
|
#6 0x562956426586 in tree_insert /test/10.9_dbg_san/mysys/tree.c:249
|
#7 0x5629541bb96d in Item_func_group_concat::add(bool) /test/10.9_dbg_san/sql/item_sum.cc:4208
|
#8 0x562952ac1eac in Item_func_group_concat::add() /test/10.9_dbg_san/sql/item_sum.h:2043
|
#9 0x5629541c4262 in Aggregator_simple::add() /test/10.9_dbg_san/sql/item_sum.h:720
|
#10 0x562951e1ee72 in Item_sum::aggregator_add() /test/10.9_dbg_san/sql/item_sum.h:564
|
#11 0x562951e1ee72 in update_sum_func /test/10.9_dbg_san/sql/sql_select.cc:26272
|
#12 0x562951ff446f in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:22560
|
#13 0x562951e47e43 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21325
|
#14 0x562951eeb7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
|
#15 0x5629520bd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
|
#16 0x5629520bd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
|
#17 0x5629520bec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
|
#18 0x5629520ae58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
|
#19 0x5629520afef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
|
#20 0x562951c1cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
|
#21 0x562951c82216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
|
#22 0x562951be4728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
|
#23 0x562951c5a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
|
#24 0x562951c70fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#25 0x56295273dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#26 0x562952740ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#27 0x562954c99c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
|
#28 0x14d8896f0608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#29 0x14d888965162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
|
|
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x5629564a55a5 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
|
#1 0x5629564a55dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
|
#2 0x5629533afd90 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:859
|
#3 0x5629533afd90 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/10.9_dbg_san/sql/field.cc:8761
|
#4 0x5629533b0160 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/10.9_dbg_san/sql/field.cc:8771
|
#5 0x56295413f1bb in group_concat_key_cmp_with_order /test/10.9_dbg_san/sql/item_sum.cc:3673
|
#6 0x562956426586 in tree_insert /test/10.9_dbg_san/mysys/tree.c:249
|
#7 0x5629541bb96d in Item_func_group_concat::add(bool) /test/10.9_dbg_san/sql/item_sum.cc:4208
|
#8 0x562952ac1eac in Item_func_group_concat::add() /test/10.9_dbg_san/sql/item_sum.h:2043
|
#9 0x5629541c4262 in Aggregator_simple::add() /test/10.9_dbg_san/sql/item_sum.h:720
|
#10 0x562951e1ee72 in Item_sum::aggregator_add() /test/10.9_dbg_san/sql/item_sum.h:564
|
#11 0x562951e1ee72 in update_sum_func /test/10.9_dbg_san/sql/sql_select.cc:26272
|
#12 0x562951ff446f in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:22560
|
#13 0x562951e47e43 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21325
|
#14 0x562951eeb7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
|
#15 0x5629520bd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
|
#16 0x5629520bd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
|
#17 0x5629520bec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
|
#18 0x5629520ae58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
|
#19 0x5629520afef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
|
#20 0x562951c1cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
|
#21 0x562951c82216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
|
#22 0x562951be4728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
|
#23 0x562951c5a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
|
#24 0x562951c70fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#25 0x56295273dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#26 0x562952740ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#27 0x562954c99c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
|
#28 0x14d8896f0608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
|
#29 0x14d888965162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
|
Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)
UniqueID's/stacks seen for this one:
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Field_blob::cmp|Field_blob::cmp
|
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|Field_blob::cmp
|
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|group_concat_key_cmp_with_order|tree_insert
|
with ASAN- heap-use-after-free
=================================================================
|
==652286==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000883c8 at pc 0x7f2b530ffd10 bp 0x7f2b2e3f83a0 sp 0x7f2b2e3f7b48
|
READ of size 45 at 0x6100000883c8 thread T23
|
#0 0x7f2b530ffd0f in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825
|
#1 0x55f37a8a2db7 in my_strnncoll_binary /10.10/strings/ctype-bin.c:89
|
#2 0x55f37a8a2e42 in my_strnncollsp_binary /10.10/strings/ctype-bin.c:128
|
#3 0x55f3793e8be3 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /10.10/include/m_ctype.h:859
|
#4 0x55f3793d19e6 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /10.10/sql/field.cc:8793
|
#5 0x55f3793d1cef in Field_blob::cmp(unsigned char const*, unsigned char const*) const /10.10/sql/field.cc:8803
|
#6 0x55f379711f59 in group_concat_key_cmp_with_order /10.10/sql/item_sum.cc:3682
|
#7 0x55f37a83af69 in tree_insert /10.10/mysys/tree.c:249
|
#8 0x55f3797179a2 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4217
|
#9 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
|
#10 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
|
#11 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
|
#12 0x55f378cfb8e3 in update_sum_func /10.10/sql/sql_select.cc:26860
|
#13 0x55f378ce0580 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23141
|
#14 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
|
#15 0x55f378cd519a in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21715
|
#16 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
|
#17 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
|
#18 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
|
#19 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
|
#20 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
|
#21 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
|
#22 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
|
#23 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
|
#24 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
|
#25 0x55f378b2fd20 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
|
#26 0x55f378fe68e9 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
|
#27 0x55f378fe6175 in handle_one_connection /10.10/sql/sql_connect.cc:1312
|
#28 0x55f379c0c455 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
|
#29 0x7f2b52ba6608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#30 0x7f2b52777132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x6100000883c8 is located 136 bytes inside of 188-byte region [0x610000088340,0x6100000883fc)
|
freed by thread T23 here:
|
#0 0x7f2b5313240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
|
#1 0x55f37a849d64 in free_memory /10.10/mysys/safemalloc.c:297
|
#2 0x55f37a8491a1 in sf_free /10.10/mysys/safemalloc.c:203
|
#3 0x55f37a816ba2 in my_free /10.10/mysys/my_malloc.c:211
|
#4 0x55f378791c27 in Binary_string::free_buffer() /10.10/sql/sql_string.h:227
|
#5 0x55f378de58c5 in Binary_string::real_alloc(unsigned long) /10.10/sql/sql_string.cc:44
|
#6 0x55f378858348 in Binary_string::alloc(unsigned long) /10.10/sql/sql_string.h:703
|
#7 0x55f378de6fc1 in Binary_string::copy(char const*, unsigned long) /10.10/sql/sql_string.cc:258
|
#8 0x55f3787924ab in String::copy(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_string.h:890
|
#9 0x55f3792104b4 in Field_geom::store(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_type_geom.cc:891
|
#10 0x55f3793fb3d6 in do_save_blob /10.10/sql/field_conv.cc:359
|
#11 0x55f3793fa35a in do_copy_null /10.10/sql/field_conv.cc:246
|
#12 0x55f378cf8915 in copy_fields(TMP_TABLE_PARAM*) /10.10/sql/sql_select.cc:26470
|
#13 0x55f379716fb8 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4162
|
#14 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
|
#15 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
|
#16 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
|
#17 0x55f378cfb8e3 in update_sum_func /10.10/sql/sql_select.cc:26860
|
#18 0x55f378ce0580 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23141
|
#19 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
|
#20 0x55f378cd519a in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21715
|
#21 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
|
#22 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
|
#23 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
|
#24 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
|
#25 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
|
#26 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
|
#27 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
|
#28 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
|
#29 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
|
|
|
previously allocated by thread T23 here:
|
#0 0x7f2b53132808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
|
#1 0x55f37a848b55 in sf_malloc /10.10/mysys/safemalloc.c:126
|
#2 0x55f37a815d7c in my_malloc /10.10/mysys/my_malloc.c:90
|
#3 0x55f378de5969 in Binary_string::real_alloc(unsigned long) /10.10/sql/sql_string.cc:45
|
#4 0x55f378858348 in Binary_string::alloc(unsigned long) /10.10/sql/sql_string.h:703
|
#5 0x55f378de6fc1 in Binary_string::copy(char const*, unsigned long) /10.10/sql/sql_string.cc:258
|
#6 0x55f3787924ab in String::copy(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_string.h:890
|
#7 0x55f3792104b4 in Field_geom::store(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_type_geom.cc:891
|
#8 0x55f3793fb3d6 in do_save_blob /10.10/sql/field_conv.cc:359
|
#9 0x55f3793fa35a in do_copy_null /10.10/sql/field_conv.cc:246
|
#10 0x55f378cf8915 in copy_fields(TMP_TABLE_PARAM*) /10.10/sql/sql_select.cc:26470
|
#11 0x55f379716fb8 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4162
|
#12 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
|
#13 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
|
#14 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
|
#15 0x55f378824ff9 in Item_sum::reset_and_add() /10.10/sql/item_sum.h:445
|
#16 0x55f378cfb828 in init_sum_functions /10.10/sql/sql_select.cc:26842
|
#17 0x55f378ce0356 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23132
|
#18 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
|
#19 0x55f378cd4b28 in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21676
|
#20 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
|
#21 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
|
#22 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
|
#23 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
|
#24 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
|
#25 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
|
#26 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
|
#27 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
|
#28 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
|
#29 0x55f378b2fd20 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
|
|
|
Thread T23 created by T0 here:
|
#0 0x7f2b5305f815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
|
#1 0x55f379c08032 in my_thread_create /10.10/storage/perfschema/my_thread.h:52
|
#2 0x55f379c0c848 in pfs_spawn_thread_v1 /10.10/storage/perfschema/pfs.cc:2252
|
#3 0x55f37876cca8 in inline_mysql_thread_create /10.10/include/mysql/psi/mysql_thread.h:1139
|
#4 0x55f378784c83 in create_thread_to_handle_connection(CONNECT*) /10.10/sql/mysqld.cc:6015
|
#5 0x55f3787852ff in create_new_thread(CONNECT*) /10.10/sql/mysqld.cc:6074
|
#6 0x55f37878566c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/sql/mysqld.cc:6136
|
#7 0x55f378786041 in handle_connections_sockets() /10.10/sql/mysqld.cc:6260
|
#8 0x55f378784490 in mysqld_main(int, char**) /10.10/sql/mysqld.cc:5910
|
#9 0x55f37876bfcc in main /10.10/sql/main.cc:34
|
#10 0x7f2b5267c082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825 in __interceptor_memcmp
|
Shadow bytes around the buggy address:
|
0x0c2080009020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2080009030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2080009040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2080009050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c2080009060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
=>0x0c2080009070: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
|
0x0c2080009080: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c2080009090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c20800090a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c20800090b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c20800090c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==652286==ABORTING
|
An additional UBSAN issue, this time on argument 2:
SET sql_mode=''; |
CREATE TABLE t (c INT) ENGINE=InnoDB; |
INSERT INTO t VALUES(); |
ALTER TABLE t ADD c2 BLOB NOT NULL; |
CREATE TABLE t2 SELECT * FROM t; |
DELETE FROM t; |
INSERT INTO t VALUES (0,0); |
INSERT INTO t SELECT * FROM t2; |
SELECT (SELECT GROUP_CONCAT(DISTINCT c2) FROM t); |
Leads to:
|
11.0.2 a79abb6517f2fa68b48e61aa3354a0631e3a63f7 (Debug) |
/test/11.0_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x5583340c52c1 in my_strnncoll_binary /test/11.0_dbg_san/strings/ctype-bin.c:89
|
#1 0x5583340c52fc in my_strnncollsp_binary /test/11.0_dbg_san/strings/ctype-bin.c:128
|
#2 0x558331891ea4 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/11.0_dbg_san/include/m_ctype.h:1013
|
#3 0x558331891ea4 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/11.0_dbg_san/sql/field.cc:8801
|
#4 0x558331892264 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/11.0_dbg_san/sql/field.cc:8811
|
#5 0x558332553756 in group_concat_key_cmp_with_distinct /test/11.0_dbg_san/sql/item_sum.cc:3584
|
#6 0x558334050bd7 in tree_insert /test/11.0_dbg_san/mysys/tree.c:249
|
#7 0x5583325ceca0 in Unique::unique_add(void*) /test/11.0_dbg_san/sql/uniques.h:66
|
#8 0x5583325ceca0 in Item_func_group_concat::add(bool) /test/11.0_dbg_san/sql/item_sum.cc:4213
|
#9 0x55833100cc35 in Item_func_group_concat::add() /test/11.0_dbg_san/sql/item_sum.h:2051
|
#10 0x5583325d75e5 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
|
#11 0x55833043a778 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
|
#12 0x55833043a778 in update_sum_func /test/11.0_dbg_san/sql/sql_select.cc:28279
|
#13 0x5583305ffc51 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24534
|
#14 0x55833045ca53 in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23269
|
#15 0x55833050468a in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23073
|
#16 0x5583306c5dde in do_select /test/11.0_dbg_san/sql/sql_select.cc:22568
|
#17 0x5583306c5dde in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
|
#18 0x5583306c757a in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
|
#19 0x558332488a07 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
|
#20 0x558332498f29 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
|
#21 0x5583324762a6 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
|
#22 0x5583311d25a1 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.cc:7446
|
#23 0x558330c20aa2 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.h:5455
|
#24 0x55832f9c459c in Item::send(Protocol*, st_value*) /test/11.0_dbg_san/sql/item.h:1235
|
#25 0x55832fb8005c in Protocol::send_result_set_row(List<Item>*) /test/11.0_dbg_san/sql/protocol.cc:1332
|
#26 0x55832ff499ca in select_send::send_data(List<Item>&) /test/11.0_dbg_san/sql/sql_class.cc:3102
|
#27 0x5583306c0b03 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.0_dbg_san/sql/sql_class.h:5748
|
#28 0x5583306c0b03 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4761
|
#29 0x5583306c757a in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
|
#30 0x5583306b5d38 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
|
#31 0x5583306ba193 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
|
#32 0x558330239973 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
|
#33 0x55833029acce in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
|
#34 0x5583302ca5e6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
|
#35 0x5583302da37a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
|
#36 0x5583302e817f in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
|
#37 0x558330cac459 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
|
#38 0x558330cad974 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
|
#39 0x150abc01db42 in start_thread nptl/pthread_create.c:442
|
#40 0x150abc0af9ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Bug confirmed present in:
MariaDB: 10.3.39 (dbg), 10.3.39 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (dbg), 10.11.3 (opt), 11.0.2 (dbg), 11.0.2 (opt)
Three new UBSAN stacks/UniqueID's seen across versions and build types with this testcase:
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Field_blob::cmp|Field_blob::cmp
|
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|Field_blob::cmp
|
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|group_concat_key_cmp_with_distinct|tree_insert
|
Additional testcase which produces a new stack on optimized builds:
SET sql_mode=''; |
CREATE TABLE t (c DECIMAL(2,2) ZEROFILL,c2 SET('') CHARACTER SET 'BINARY' COLLATE 'BINARY',c3 TIMESTAMP,KEY(c)) ENGINE=InnoDB; |
INSERT INTO t VALUES (1,0,0); |
SELECT * FROM t WHERE c2 BETWEEN ':1:1' AND ':1:1' ORDER BY c2; |
Leads to:
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized) |
/test/11.0_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
|
|
11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized) |
#0 0x5573b84c9547 in my_strnncoll_binary /test/11.0_opt_san/strings/ctype-bin.c:89
|
#1 0x5573b84c9547 in my_strnncollsp_binary /test/11.0_opt_san/strings/ctype-bin.c:128
|
#2 0x5573ba7fd2c7 in Item_func_between::val_int_cmp_string() /test/11.0_opt_san/sql/item_cmpfunc.cc:2238
|
#3 0x5573ba4f8532 in SQL_SELECT::skip_record(THD*) /test/11.0_opt_san/sql/opt_range.h:1913
|
#4 0x5573ba4f8532 in find_all_keys /test/11.0_opt_san/sql/filesort.cc:1004
|
#5 0x5573ba4f8532 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/11.0_opt_san/sql/filesort.cc:408
|
#6 0x5573b9342ed1 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/11.0_opt_san/sql/sql_select.cc:26630
|
#7 0x5573b934490d in st_join_table::sort_table() /test/11.0_opt_san/sql/sql_select.cc:24293
|
#8 0x5573b9344ea9 in join_init_read_record(st_join_table*) /test/11.0_opt_san/sql/sql_select.cc:24213
|
#9 0x5573b9285934 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_opt_san/sql/sql_select.cc:23249
|
#10 0x5573b94672e3 in do_select /test/11.0_opt_san/sql/sql_select.cc:22780
|
#11 0x5573b94672e3 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4900
|
#12 0x5573b946c743 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4677
|
#13 0x5573b945a1f0 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5158
|
#14 0x5573b945dd80 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:616
|
#15 0x5573b8fdeb80 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6279
|
#16 0x5573b90445f6 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
|
#17 0x5573b90554d2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8014
|
#18 0x5573b9062f5d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
|
#19 0x5573b906c728 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
|
#20 0x5573b997b80c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
|
#21 0x5573b997de0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
|
#22 0x14b655894b42 in start_thread nptl/pthread_create.c:442
|
#23 0x14b6559269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
|
This one is present in 10.6+ only
The same problem is repeatable with a binary collation of a 8bit character set, e.g.:
CREATE TABLE t (c TEXT CHARACTER SET latin1 COLLATE latin1_bin NOT NULL); |
INSERT IGNORE INTO t VALUES (0); |
SELECT COUNT(*) FROM t WHERE EXTRACTVALUE(c,'a')='a'; |
DROP TABLE t; |
SET sql_mode=''; |
CREATE TABLE t (c TEXT CHARACTER SET latin1 COLLATE latin1_bin NOT NULL); |
INSERT INTO t VALUES(); |
INSERT IGNORE INTO t VALUES (NULL); |
SELECT GROUP_CONCAT(c ORDER BY BINARY c) FROM t GROUP BY c; |
DROP TABLE t; |
The various UniqueID's seen throughout the versions and dbg/opt
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Arg_comparator::compare|Item_func_eq::val_intUBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|sortcmpUBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|sortcmp|Arg_comparator::compare_string