[MDEV-28384] UBSAN: null pointer passed as argument 1, which is declared to never be null in my_strnncoll_binary on SELECT ... COUNT or GROUP_CONCAT - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL)
Fix Version/s: 10.8.8, 10.4.31, 10.5.22, 10.6.15, 10.9.8, 10.10.6, 10.11.5, 10.11.6, 11.0.3, 11.2.1
Component/s: Character Sets, Data types
Labels:

Description

CREATE TABLE t (c BLOB NOT NULL) ENGINE=InnoDB;

INSERT IGNORE INTO t VALUES (0);

SELECT COUNT(*) FROM t WHERE EXTRACTVALUE(c,'a')='a';

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)
#0 0x5633c2674f25 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
#1 0x5633c2674f25 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
#2 0x5633c493f6fb in Arg_comparator::compare() /test/10.9_opt_san/sql/item_cmpfunc.h:103
#3 0x5633c493f6fb in Item_func_eq::val_int() /test/10.9_opt_san/sql/item_cmpfunc.cc:1762
#4 0x5633c340c414 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21193
#5 0x5633c3459933 in sub_select(JOIN, st_join_table, bool) /test/10.9_opt_san/sql/sql_select.cc:21095
#6 0x5633c3605123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
#7 0x5633c3605123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
#8 0x5633c36099f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
#9 0x5633c35f7b61 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_opt_san/sql/sql_select.cc:5007
#10 0x5633c35fba73 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
#11 0x5633c3212cdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
#12 0x5633c325288b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
#13 0x5633c31e20a8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
#14 0x5633c3238439 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
#15 0x5633c3243c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
#16 0x5633c3b2ed3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
#17 0x5633c3b31834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
#18 0x5633c5c2f1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
#19 0x14edd0d6b608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#20 0x14edcffe0162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)
#0 0x55f42cc16597 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
#1 0x55f42cc165dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
#2 0x55f428a406c5 in charset_info_st::strnncollsp(char const, unsigned long, char const, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:864
#3 0x55f428a406c5 in sortcmp(Binary_string const, Binary_string const, charset_info_st const*) /test/10.9_dbg_san/sql/sql_string.cc:853
#4 0x55f429f237bf in Arg_comparator::compare_string() /test/10.9_dbg_san/sql/item_cmpfunc.cc:765
#5 0x55f429f040f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
#6 0x55f429f040f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
#7 0x55f4285b7d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
#8 0x55f42865bffe in sub_select(JOIN, st_join_table, bool) /test/10.9_dbg_san/sql/sql_select.cc:21095
#9 0x55f42882e362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
#10 0x55f42882e362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
#11 0x55f42882fc94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
#12 0x55f42881f58b in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.9_dbg_san/sql/sql_select.cc:5007
#13 0x55f428820ef0 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
#14 0x55f42838dfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
#15 0x55f4283f3216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
#16 0x55f428355728 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
#17 0x55f4283cb44e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
#18 0x55f4283e1fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
#19 0x55f428eaec4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
#20 0x55f428eb1ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
#21 0x55f42b40ac62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
#22 0x15066de74608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#23 0x15066d0e9162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Attachments

Issue Links

is duplicated by

MDEV-30982 UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in my_strnncoll_binary on DELETE

Closed

relates to

MDEV-30982 UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in my_strnncoll_binary on DELETE

Closed

MDEV-20619 AddressSanitizer: heap-use-after-free in my_strnncollsp_simple or my_strnncoll_binary upon SELECT with partitions and virtual columns

Closed

MDEV-31845 UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in my_strnncoll_binary on SELECT

Confirmed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022-04-22 03:29

Updated:: 2023-08-04 22:02

Resolved:: 2023-07-20 08:22

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.