  2. MDEV-34102

ASAN: heap-use-after-free in escape_string_for_mysql from spider_string::append_escape_string, UBSAN: runtime error: applying zero offset to null pointer in escape_string_for_mysql


    Description

      -- Reproduction for the heap-use-after-free reported by ASAN below.
      -- Run against a build compiled with the sanitizer flags listed under "Setup".
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      -- Loop-back data node: the "remote" server is this same instance, reached over its UNIX socket.
      -- NOTE(review): this logs in as user 'Spider' with an EMPTY password. That is a throwaway
      -- test-instance credential only; the MTR testcase in the comments uses a dedicated, password-protected
      -- account whose privileges are limited to the test database instead.
      CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE 'test',user 'Spider',PASSWORD'');
      -- Backing table on the data node; plain InnoDB, no key.
      CREATE TABLE t (c INT,c2 TEXT) ENGINE=InnoDB;
      INSERT INTO t VALUES (0,'a'),(1,'b'),(2,'c');
      -- Spider table over t. Its definition intentionally differs from t: c is declared KEY here but not
      -- on the remote side. Per the comments below, the crash no longer reproduces once the KEY is removed.
      CREATE TABLE t2 (c INT KEY,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
      -- Equality on the key lets the optimizer treat t2 as a const table (join_read_const in the allocation
      -- trace); the stored result is then freed in the group-by handler's init-scan preparation and read
      -- again while the pushed-down query is assembled, which is the use-after-free ASAN reports.
      SELECT HEX (c2) FROM t2 WHERE c=0;
      

      Leads to:

      11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug)

      ==2031582==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000013862 at pc 0x55666cf633b5 bp 0x15388c20d9b0 sp 0x15388c20d9a0
      READ of size 1 at 0x608000013862 thread T12
          #0 0x55666cf633b4 in escape_string_for_mysql /test/11.5_dbg_san/mysys/charset.c:1162
          #1 0x15388ac3bfde in spider_string::append_escape_string(char const*, unsigned int) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:1203
          #2 0x15388ab00761 in spider_db_open_item_field(Item_field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7549
          #3 0x15388ab069d6 in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7220
          #4 0x15388adae805 in spider_db_mbase_util::print_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:6562
          #5 0x15388adaf816 in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:5513
          #6 0x15388aafd1ee in spider_db_open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7380
          #7 0x15388ab0675a in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7211
          #8 0x15388ae21e43 in spider_mbase_handler::append_list_item_select(List<Item>*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:14680
          #9 0x15388ae2290a in spider_mbase_handler::append_list_item_select_part(List<Item>*, char const*, unsigned int, bool, spider_fields*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:14651
          #10 0x15388ae3bd9a in spider_make_query /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1095
          #11 0x15388ae3bd9a in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1292
          #12 0x55666958f7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
          #13 0x5566693f8052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
          #14 0x5566693f8052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
          #15 0x5566693fb00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
          #16 0x5566693e9138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
          #17 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #18 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #19 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #20 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #21 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #22 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #23 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #24 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #25 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
          #26 0x1538adf1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x608000013862 is located 66 bytes inside of 88-byte region [0x608000013820,0x608000013878)
      freed by thread T12 here:
          #0 0x556668658570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
          #1 0x55666cfc732c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
          #2 0x15388ac1f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
          #3 0x15388ad8879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
          #4 0x15388ad8889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
          #5 0x15388aaa7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
          #6 0x15388aaa7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
          #7 0x15388ae3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
          #8 0x15388ae3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
          #9 0x55666958f7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
          #10 0x5566693f8052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
          #11 0x5566693f8052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
          #12 0x5566693fb00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
          #13 0x5566693e9138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
          #14 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #15 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #16 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #17 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #18 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #19 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #20 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #21 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #22 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
       
      previously allocated by thread T12 here:
          #0 0x556668659a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
          #1 0x55666cfc6fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
          #2 0x15388ac1fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
          #3 0x15388ad93e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
          #4 0x15388aab220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
          #5 0x15388ac93aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
          #6 0x15388ac95058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
          #7 0x55666a83003b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
          #8 0x55666a85b73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
          #9 0x5566693263fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
          #10 0x556669327297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
          #11 0x5566693a8382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
          #12 0x5566693e659f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
          #13 0x5566693e86a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
          #14 0x5566693e8e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
          #15 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #16 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #17 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #18 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #19 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #20 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #21 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #22 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #23 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
       
      Thread T12 created by T0 here:
          #0 0x5566685e50a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
          #1 0x5566686b76f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
          #2 0x5566686c92cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
          #3 0x5566686c9ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
          #4 0x5566686cad56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
          #5 0x5566686cf73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
          #6 0x5566686a4cbc in main /test/11.5_dbg_san/sql/main.cc:34
          #7 0x1538ade23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/11.5_dbg_san/mysys/charset.c:1162 in escape_string_for_mysql
      Shadow bytes around the buggy address:
        0x0c107fffa6b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      =>0x0c107fffa700: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fa
        0x0c107fffa710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2031582==ABORTING
      

      Setup:

      Compiled with a recent version of GCC (I use GCC 12.3.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      Bug confirmed present in:
      MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)


          Activity

            MTR Testcase

            # MTR form of the reproduction from the Description (same statements, self-contained setup).
            --source include/have_innodb.inc
            # Point the Spider link at this server's own socket instead of a hard-coded relative path.
            --let $SOCKET= `SELECT @@global.socket`
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            # The data node is this same server, so allow a same-server link for the session.
            SET SESSION spider_same_server_link=1;
            # Dedicated account for the link: a real password and privileges scoped to the test database
            # (unlike the empty-password 'Spider' login in the ad-hoc repro above).
            CREATE USER spider@localhost IDENTIFIED BY 'pwd';
            GRANT ALL ON test.* TO spider@localhost;
            eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET",DATABASE 'test',USER 'spider',PASSWORD 'pwd');
            # Remote table without a key ...
            CREATE TABLE t (c INT,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,'a'),(1,'b'),(2,'c');
            # ... and the Spider table over it declaring c as KEY (the local/remote definition
            # mismatch discussed in the comments).
            CREATE TABLE t2 (c INT KEY,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            # Const-table lookup on the key; this is the statement ASAN flags.
            # No cleanup (DROP TABLE/SERVER/USER, UNINSTALL PLUGIN) here: the test only needs to reach the crash.
            SELECT HEX (c2) FROM t2 WHERE c=0;
            

            Roel Roel Van de Paar added a comment - MTR Testcase --source include/have_innodb.inc --let $SOCKET= `SELECT @@global.socket` INSTALL PLUGIN Spider SONAME 'ha_spider.so' ; SET SESSION spider_same_server_link=1; CREATE USER spider@localhost IDENTIFIED BY 'pwd' ; GRANT ALL ON test.* TO spider@localhost; eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET" , DATABASE 'test' , USER 'spider' , PASSWORD 'pwd' ); CREATE TABLE t (c INT ,c2 TEXT) ENGINE=InnoDB; INSERT INTO t VALUES (0, 'a' ),(1, 'b' ),(2, 'c' ); CREATE TABLE t2 (c INT KEY ,c2 TEXT) ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t"' ; SELECT HEX (c2) FROM t2 WHERE c=0;
            ycp Yuchen Pei added a comment -

            Like MDEV-34003 and MDEV-34076, I can confirm this is yet another bug fixed by MDEV-33742. I'll spend a bit of time to see if there are more serious underlying issues.

            ycp Yuchen Pei added a comment - Like MDEV-34003 and MDEV-34076 I can confirm this is yet another bug fixed by MDEV-33742 . I'll spend a bit of time to see if there's more serious underlying issues.
            ycp Yuchen Pei added a comment - - edited

            I did some debugging, and it seems to be caused by having constant tables involved in the query, which results in spider reading the remote table and storing the result already during optimization (spider_db_store_result reached from join_read_const in the allocation trace above). That stored result is freed during the spider group by handler (gbh) preparation for the init scan (spider_db_free_one_result_for_start_next from spider_prepare_init_scan), but later reused when spider assembles the query for execution (spider_make_query → spider_db_open_item_field → append_escape_string), which is the heap-use-after-free ASAN reports. Thus MDEV-33742 is not an accidental fix for this issue, as it prevents the creation of the spider gbh when all tables are constant.

            Is it possible that when some but not all tables are constant this bug would reproduce? Yes, as the following reproduces at 10.5 ec6aa9ac42b8fada5927687c6e81a04fa0004393 which contains the MDEV-33742 fix:

            -- Variant with a join where only some of the tables are constant. Assumes the Spider plugin and
            -- the srv server from the original reproduction are already in place.
            CREATE TABLE t (c INT,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,'a'),(1,'b'),(2,'c');
            -- Same local/remote mismatch as before: KEY on c only on the Spider side.
            CREATE TABLE t2 (c INT KEY,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            -- Second table pair with no key on either side, so t4 presumably cannot become a const table.
            CREATE TABLE t3 (d INT,d2 TEXT) ENGINE=InnoDB;
            INSERT INTO t3 VALUES (0,'a'),(0,'b'),(2,'c');
            CREATE TABLE t4 (d INT,d2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t3"';
            -- t2 is const via c=0 while t4 is not; reported to still reproduce on 10.5 with the MDEV-33742 fix applied.
            SELECT HEX (c2) FROM t2 join t4 on c = d WHERE c=0;

            I also note that when we align t2's table definition with t, i.e. remove the key, then the testcase passes. So one potential fix could be not allowing different table definitions between local and remote tables. Note, however, that this would only remove one trigger: the traces show the stored result being freed in the gbh init-scan preparation and then read again during query assembly, so the underlying lifetime problem with the stored result would presumably remain reachable unless that free/reuse ordering is fixed as well. When fixing it one should also check for similar modifications to the MDEV-34003 and MDEV-34076 cases.

            ycp Yuchen Pei added a comment - - edited I did some debugging, and it seems to be caused by having constant tables involved in the query, which results in spider reading remote table and storing the result. The result is freed during the spider group by handler (gbh) preparation for the init scan, but later reused when spider assembles the query for execution. Thus MDEV-33742 is not an accidental fix for this issue as it prevents the creation of spider gbh when all tables are constant. Is it possible that when some but not all tables are constant this bug would reproduce? Yes, as the following reproduces at 10.5 ec6aa9ac42b8fada5927687c6e81a04fa0004393 which contains the MDEV-33742 fix: CREATE TABLE t (c INT ,c2 TEXT) ENGINE=InnoDB; INSERT INTO t VALUES (0, 'a' ),(1, 'b' ),(2, 'c' ); CREATE TABLE t2 (c INT KEY ,c2 TEXT) ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t"' ; CREATE TABLE t3 (d INT ,d2 TEXT) ENGINE=InnoDB; INSERT INTO t3 VALUES (0, 'a' ),(0, 'b' ),(2, 'c' ); CREATE TABLE t4 (d INT ,d2 TEXT) ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t3"' ; SELECT HEX (c2) FROM t2 join t4 on c = d WHERE c=0; I also note that when we align t2's table definition with t, i.e. remove the key, then the testcase passes. So one potential fix could be not allowing different table definitions between local and remote tables. When fixing it one should also check for similar modifications to MDEV-34003 and MDEV-34076 cases.

            Additional stack observed with:

            -- Second reproduction: UBSAN "applying zero offset to null pointer" during Spider table discovery.
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            -- NOTE(review): empty-password 'Spider' login again; test-instance only, see the MTR version below
            -- for a dedicated account with a password.
            CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (SOCKET '../socket.sock',DATABASE 'test',user 'Spider',PASSWORD'');
            CREATE TABLE t (c INT) ENGINE=InnoDB;
            -- No column list is given, so Spider has to discover the structure from the data node
            -- (spider_discover_table_structure in the trace). The table-level COMMENT names a remote table
            -- "st" and the partition COMMENT a server "d", neither of which is created here, while the
            -- partition's own COMMENT points at the real srv/t; the MTR testcase below expects the statement
            -- to fail with ER_SQL_DISCOVER_ERROR rather than succeed.
            CREATE TABLE t2 ENGINE=Spider COMMENT='TABLE "st"' PARTITION BY LIST COLUMNS (c1) (PARTITION p1 DEFAULT COMMENT='srv "d"' ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"');
            

            Leads to:

            CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang)

            /test/10.5_dbg_san/mysys/charset.c:1109:18: runtime error: applying zero offset to null pointer
                #0 0x55e733ffb905 in escape_string_for_mysql /test/10.5_dbg_san/mysys/charset.c:1109:18
                #1 0x145ce483347f in spider_string::append_escape_string(char const*, unsigned int) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:1216:29
                #2 0x145ce47ce5e1 in spider_discover_table_structure(handlerton*, THD*, TABLE_SHARE*, HA_CREATE_INFO*) /test/10.5_dbg_san/storage/spider/spd_table.cc:8436:7
                #3 0x55e731c51c82 in create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.5_dbg_san/sql/sql_table.cc:5410:13
                #4 0x55e731c4f8b8 in mysql_create_table_no_lock(THD*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_table.cc:5536:8
                #5 0x55e731c54115 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/10.5_dbg_san/sql/sql_table.cc:5749:7
                #6 0x55e731ca585a in Sql_cmd_create_table_like::execute(THD*) /test/10.5_dbg_san/sql/sql_table.cc:12710:12
                #7 0x55e7318d7c90 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6193:26
                #8 0x55e7318b71c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8251:18
                #9 0x55e7318ab119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
                #10 0x55e7318b931e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
                #11 0x55e731ec1a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
                #12 0x55e731ec12cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
                #13 0x55e7313cc03c in asan_thread_start(void*) asan_interceptors.cpp.o
                #14 0x145d1629ca93 in start_thread nptl/pthread_create.c:447:8
                #15 0x145d16329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/10.5_dbg_san/mysys/charset.c:1109:18 
            

            CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Optimized, UBASAN, Clang)

            /test/10.5_opt_san/mysys/charset.c:1109:18: runtime error: applying zero offset to null pointer
                #0 0x55e0fec0fcee in escape_string_for_mysql /test/10.5_opt_san/mysys/charset.c:1109:18
                #1 0x1516d7c0fa51 in spider_string::append_escape_string(char const*, unsigned int) /test/10.5_opt_san/storage/spider/spd_malloc.cc:1216:29
                #2 0x1516d7bafd81 in spider_discover_table_structure(handlerton*, THD*, TABLE_SHARE*, HA_CREATE_INFO*) /test/10.5_opt_san/storage/spider/spd_table.cc:8436:7
                #3 0x55e0fcbee432 in create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.5_opt_san/sql/sql_table.cc:5410:13
                #4 0x55e0fcbec098 in mysql_create_table_no_lock(THD*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/10.5_opt_san/sql/sql_table.cc:5536:8
                #5 0x55e0fcbf0219 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/10.5_opt_san/sql/sql_table.cc:5749:7
                #6 0x55e0fcc415d4 in Sql_cmd_create_table_like::execute(THD*) /test/10.5_opt_san/sql/sql_table.cc:12710:12
                #7 0x55e0fc88b03d in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:6193:26
                #8 0x55e0fc86d0c6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18
                #9 0x55e0fc861d1e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
                #10 0x55e0fc86f0c0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
                #11 0x55e0fce3be37 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
                #12 0x55e0fce3b68a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
                #13 0x55e0fc3c772c in asan_thread_start(void*) asan_interceptors.cpp.o
                #14 0x15170769ca93 in start_thread nptl/pthread_create.c:447:8
                #15 0x151707729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/10.5_opt_san/mysys/charset.c:1109:18 
            

            Setup:

            Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
                 # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
                 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
                 sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
            Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress known UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes the current startup issues, see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
            

            Bug confirmed present in:
            MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)

            Roel Roel Van de Paar added a comment - Additional stack observed with: INSTALL PLUGIN Spider SONAME 'ha_spider.so' ; CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (SOCKET '../socket.sock' , DATABASE 'test' , user 'Spider' , PASSWORD '' ); CREATE TABLE t (c INT ) ENGINE=InnoDB; CREATE TABLE t2 ENGINE=Spider COMMENT= 'TABLE "st"' PARTITION BY LIST COLUMNS (c1) (PARTITION p1 DEFAULT COMMENT= 'srv "d"' ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t"' ); Leads to: CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang) /test/10.5_dbg_san/mysys/charset.c:1109:18: runtime error: applying zero offset to null pointer #0 0x55e733ffb905 in escape_string_for_mysql /test/10.5_dbg_san/mysys/charset.c:1109:18 #1 0x145ce483347f in spider_string::append_escape_string(char const*, unsigned int) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:1216:29 #2 0x145ce47ce5e1 in spider_discover_table_structure(handlerton*, THD*, TABLE_SHARE*, HA_CREATE_INFO*) /test/10.5_dbg_san/storage/spider/spd_table.cc:8436:7 #3 0x55e731c51c82 in create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.5_dbg_san/sql/sql_table.cc:5410:13 #4 0x55e731c4f8b8 in mysql_create_table_no_lock(THD*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_table.cc:5536:8 #5 0x55e731c54115 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/10.5_dbg_san/sql/sql_table.cc:5749:7 #6 0x55e731ca585a in Sql_cmd_create_table_like::execute(THD*) /test/10.5_dbg_san/sql/sql_table.cc:12710:12 #7 0x55e7318d7c90 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:6193:26 #8 0x55e7318b71c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) 
/test/10.5_dbg_san/sql/sql_parse.cc:8251:18 #9 0x55e7318ab119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7 #10 0x55e7318b931e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17 #11 0x55e731ec1a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11 #12 0x55e731ec12cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5 #13 0x55e7313cc03c in asan_thread_start(void*) asan_interceptors.cpp.o #14 0x145d1629ca93 in start_thread nptl/pthread_create.c:447:8 #15 0x145d16329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/10.5_dbg_san/mysys/charset.c:1109:18 CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Optimized, UBASAN, Clang) /test/10.5_opt_san/mysys/charset.c:1109:18: runtime error: applying zero offset to null pointer #0 0x55e0fec0fcee in escape_string_for_mysql /test/10.5_opt_san/mysys/charset.c:1109:18 #1 0x1516d7c0fa51 in spider_string::append_escape_string(char const*, unsigned int) /test/10.5_opt_san/storage/spider/spd_malloc.cc:1216:29 #2 0x1516d7bafd81 in spider_discover_table_structure(handlerton*, THD*, TABLE_SHARE*, HA_CREATE_INFO*) /test/10.5_opt_san/storage/spider/spd_table.cc:8436:7 #3 0x55e0fcbee432 in create_table_impl(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, char const*, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.5_opt_san/sql/sql_table.cc:5410:13 #4 0x55e0fcbec098 in mysql_create_table_no_lock(THD*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/10.5_opt_san/sql/sql_table.cc:5536:8 #5 0x55e0fcbf0219 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/10.5_opt_san/sql/sql_table.cc:5749:7 
#6 0x55e0fcc415d4 in Sql_cmd_create_table_like::execute(THD*) /test/10.5_opt_san/sql/sql_table.cc:12710:12 #7 0x55e0fc88b03d in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:6193:26 #8 0x55e0fc86d0c6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18 #9 0x55e0fc861d1e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7 #10 0x55e0fc86f0c0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17 #11 0x55e0fce3be37 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11 #12 0x55e0fce3b68a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5 #13 0x55e0fc3c772c in asan_thread_start(void*) asan_interceptors.cpp.o #14 0x15170769ca93 in start_thread nptl/pthread_create.c:447:8 #15 0x151707729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/10.5_opt_san/mysys/charset.c:1109:18 Setup: Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions: # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON Set before execution: export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. 
For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1 Bug confirmed present in: MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)

            MTR testcase for the testcase in the last comment:

            # MTR form of the table-discovery reproduction above (the UBSAN nullptr-with-offset report).
            --source include/have_innodb.inc
            # The repro uses PARTITION BY, so the build must have partitioning support.
            --source include/have_partition.inc
            # Use this server's own socket instead of a hard-coded relative path.
            --let $SOCKET= `SELECT @@global.socket`
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            # The data node is this same server, so allow a same-server link for the session.
            SET SESSION spider_same_server_link=1;
            # Dedicated, password-protected account for the link, scoped to the test database.
            CREATE USER spider@localhost IDENTIFIED BY 'pwd';
            GRANT ALL ON test.* TO spider@localhost;
            eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET",DATABASE 'test',USER 'spider',PASSWORD 'pwd');
            CREATE TABLE t (c INT) ENGINE=InnoDB;
            # Discovery is expected to fail (no column list; the table-level COMMENT names a remote table "st"
            # that does not exist). The sanitizer report fires inside that discovery path before the error is returned.
            --error ER_SQL_DISCOVER_ERROR
            CREATE TABLE t2 ENGINE=Spider COMMENT='TABLE "st"' PARTITION BY LIST COLUMNS (c1) (PARTITION p1 DEFAULT COMMENT='srv "d"' ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"');
            

            Roel Roel Van de Paar added a comment - MTR testcase for the testcase in the last comment: --source include/have_innodb.inc --source include/have_partition.inc --let $SOCKET= `SELECT @@global.socket` INSTALL PLUGIN Spider SONAME 'ha_spider.so' ; SET SESSION spider_same_server_link=1; CREATE USER spider@localhost IDENTIFIED BY 'pwd' ; GRANT ALL ON test.* TO spider@localhost; eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET" , DATABASE 'test' , USER 'spider' , PASSWORD 'pwd' ); CREATE TABLE t (c INT ) ENGINE=InnoDB; --error ER_SQL_DISCOVER_ERROR CREATE TABLE t2 ENGINE=Spider COMMENT= 'TABLE "st"' PARTITION BY LIST COLUMNS (c1) (PARTITION p1 DEFAULT COMMENT= 'srv "d"' ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t"' );

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar