[MDEV-35545] UBSAN: runtime error: applying non-zero offset 1 to null pointer in Gis_geometry_collection::init_from_opresult - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.4, 11.7(EOL), 11.8
Fix Version/s: 10.5, 10.6, 10.11, 11.4
Component/s: GIS
Labels:

Description

Looks related to MDEV-31499, however the testcase in that bug does not lead to the UBSAN issue described here, and the testcase in this bug does not crash unlike the one in MDEV-31499.

SELECT ST_WITHIN (ST_UNION (ST_GEOMFROMTEXT ('POINT(1 1)'),ST_GEOMFROMTEXT ('MULTIPOINT(2 2,3 3)')),ST_INTERSECTION (ST_GEOMFROMTEXT ('POINT(0 0)'),ST_GEOMFROMTEXT ('POINT(1 1)')));

Leads to:

CS 11.4.5 866a8ea6736d2edc0f6be552d1cdd6810c10d5ab (Debug, UBASAN)
/test/11.4_dbg_san/sql/spatial.cc:3340:10: runtime error: applying non-zero offset 1 to null pointer

CS 11.4.5 866a8ea6736d2edc0f6be552d1cdd6810c10d5ab (Debug, UBASAN)
#0 0x563c31ec12c6 in Gis_geometry_collection::init_from_opresult(String, char const, unsigned int) /test/11.4_dbg_san/sql/spatial.cc:3340:10
#1 0x563c31e6c26e in Geometry::create_from_opresult(Geometry_buffer, String, Gcalc_result_receiver&) /test/11.4_dbg_san/sql/spatial.cc:697:15
#2 0x563c3150e354 in Item_func_spatial_operation::val_str(String*) /test/11.4_dbg_san/sql/item_geofunc.cc:1582:8
#3 0x563c315047df in Geometry_ptr_with_buffer_and_mbr::construct(Item, String) /test/11.4_dbg_san/sql/item_geofunc.cc:1354:24
#4 0x563c31506938 in Item_func_spatial_precise_rel::val_bool() /test/11.4_dbg_san/sql/item_geofunc.cc:1411:24
#5 0x563c2dd3bb5b in Item_bool_func::val_int() /test/11.4_dbg_san/sql/item_cmpfunc.h:249:12
#6 0x563c3022d7fb in Type_handler::Item_send_long(Item, Protocol, st_value*) const /test/11.4_dbg_san/sql/sql_type.cc:7715:22
#7 0x563c3027938c in Type_handler_long::Item_send(Item, Protocol, st_value*) const /test/11.4_dbg_san/sql/sql_type.h:5851:12
#8 0x563c2db7abd7 in Item::send(Protocol, st_value) /test/11.4_dbg_san/sql/item.h:1261:28
#9 0x563c2de20bc1 in Protocol::send_result_set_row(List<Item>*) /test/11.4_dbg_san/sql/protocol.cc:1333:15
#10 0x563c2e4486fa in select_send::send_data(List<Item>&) /test/11.4_dbg_san/sql/sql_class.cc:3245:17
#11 0x563c2ee382a0 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_dbg_san/sql/sql_class.h:6092:12
#12 0x563c2ee326a3 in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:4916:22
#13 0x563c2ee2eaaa in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4828:8
#14 0x563c2eccddf9 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.4_dbg_san/sql/sql_select.cc:5358:21
#15 0x563c2ecc94b7 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:642:10
#16 0x563c2e9b33e0 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.4_dbg_san/sql/sql_parse.cc:6169:12
#17 0x563c2e953e7c in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:3962:12
#18 0x563c2e8fa489 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7893:18
#19 0x563c2e8db783 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1905:7
#20 0x563c2e9043e6 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1418:17
#21 0x563c2fa4c896 in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1429:11
#22 0x563c2fa4b05d in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1341:5
#23 0x563c2dade9bc in asan_thread_start(void*) asan_interceptors.cpp.o
#24 0x146875a9ca93 in start_thread nptl/pthread_create.c:447:8
#25 0x146875b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/11.4_dbg_san/sql/spatial.cc:3340:10

Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:

# llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18

sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools

sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=suppressions=/home/roel/mariadb-qa/UBSAN.filter:print_stacktrace=1:report_error_type=1

Bug confirmed present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Attachments

Issue Links

relates to

MDEV-3293 LP:801243 - Assertion `(0)' failed in Gis_geometry_collection::init_from_opresult on ST_UNION in maria-5.3-gis

Closed

MDEV-31499 Assertion `(0)' failed in Gis_geometry_collection::init_from_opresult

Open

Activity

Roel Van de Paar added a comment - 2024-12-01 22:15

A suppression filter for pointer-overflow:Gis_geometry_collection::init_from_opresult was added for this bug.

Roel Van de Paar added a comment - 2024-12-01 22:15 A suppression filter for pointer-overflow:Gis_geometry_collection::init_from_opresult was added for this bug.

People

Assignee:: Alexey Botchkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-12-01 21:54

Updated:: 2025-02-14 11:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server