[MDEV-35688] UBSAN: SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset in my_casedn_utf8mb3 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 11.4, 11.7(EOL), 11.8
Fix Version/s: 11.4.5, 11.7.2
Component/s: Character Sets
Labels:

Description

Possibly related to the fixed ~~MDEV-32640~~. ycp FYI in case related.
Create a test ./main/test.test with:

SELECT 1;

And execute as:

export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1; ./mtr test

Leads to:

CS 11.4.5 2719cc4925c032f483edb0e61c0f487e0c429ae6 (Optimized, UBASAN, Clang)
2024-12-19 17:07:34 0 [Note] /test/UBASAN_MD031224-mariadb-11.4.5-linux-x86_64-opt/bin/mariadbd: ready for connections.
Version: '11.4.5-MariaDB-log' socket: '/test/UBASAN_MD031224-mariadb-11.4.5-linux-x86_64-opt/mariadb-test/var/tmp/mysqld.1.sock' port: 19000 MariaDB Server
/test/11.4_opt_san/strings/ctype-utf8.c:754:27: runtime error: applying zero offset to null pointer
#0 0x564f545db62d in my_casedn_utf8mb3 /test/11.4_opt_san/strings/ctype-utf8.c:754:27
#1 0x564f51dfe02b in CharBuffer<192ul>::copy_casedn(charset_info_st const*, st_mysql_const_lex_string const&) /test/11.4_opt_san/sql/char_buffer.h:65:15
#2 0x564f5216930b in IdentBuffer<192ul>::copy_casedn(st_mysql_const_lex_string const&) /test/11.4_opt_san/sql/lex_ident.h:153:26
#3 0x564f5216930b in IdentBufferCasedn<192ul>::IdentBufferCasedn(st_mysql_const_lex_string const&) /test/11.4_opt_san/sql/lex_ident.h:165:27
#4 0x564f5216930b in Master_info_index::get_master_info(st_mysql_const_lex_string const*, Sql_state_errno_level::enum_warning_level) /test/11.4_opt_san/sql/rpl_mi.cc:1376:42
#5 0x564f5216a18e in get_master_info(st_mysql_const_lex_string const*, Sql_state_errno_level::enum_warning_level) /test/11.4_opt_san/sql/rpl_mi.cc:1322:31
#6 0x564f522209f2 in Sys_var_rpl_filter::global_value_ptr(THD, st_mysql_const_lex_string const) const /test/11.4_opt_san/sql/sys_vars.cc:5621:7
#7 0x564f514cfec2 in sys_var::value_ptr(THD, enum_var_type, st_mysql_const_lex_string const) const /test/11.4_opt_san/sql/set_var.cc:283:12
#8 0x564f51d7f20d in get_one_variable(THD, st_mysql_show_var const, enum_var_type, enum_mysql_show_type, system_status_var, charset_info_st const, char, unsigned long*) /test/11.4_opt_san/sql/sql_show.cc:3708:26
#9 0x564f51dc0750 in show_status_array(THD, char const, st_mysql_show_var, enum_var_type, system_status_var, char const, TABLE, bool, Item*) /test/11.4_opt_san/sql/sql_show.cc:3929:14
#10 0x564f51dbec32 in fill_variables(THD, TABLE_LIST, Item*) /test/11.4_opt_san/sql/sql_show.cc:8415:8
#11 0x564f51dce7b1 in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.4_opt_san/sql/sql_show.cc:9412:11
#12 0x564f51bfb1eb in JOIN::exec_inner() /test/11.4_opt_san/sql/sql_select.cc:5006:7
#13 0x564f51bf9621 in JOIN::exec() /test/11.4_opt_san/sql/sql_select.cc:4828:8
#14 0x564f51b56927 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.4_opt_san/sql/sql_select.cc:5358:21
#15 0x564f51b5477d in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.4_opt_san/sql/sql_select.cc:642:10
#16 0x564f51a07a4c in execute_sqlcom_select(THD, TABLE_LIST) /test/11.4_opt_san/sql/sql_parse.cc:6169:12
#17 0x564f519f123f in mysql_execute_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:3962:12
#18 0x564f524fb8a9 in sp_instr_stmt::exec_core(THD, unsigned int) /test/11.4_opt_san/sql/sp_instr.cc:1051:12
#19 0x564f524ed2bb in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*, bool) /test/11.4_opt_san/sql/sp_instr.cc:297:17
#20 0x564f524f0a7f in sp_lex_keeper::validate_lex_and_exec_core(THD, unsigned int, bool, sp_lex_instr*) /test/11.4_opt_san/sql/sp_instr.cc:476:14
#21 0x564f524f8727 in sp_instr_stmt::execute(THD, unsigned int) /test/11.4_opt_san/sql/sp_instr.cc:954:25
#22 0x564f51574acc in sp_head::execute(THD*, bool) /test/11.4_opt_san/sql/sp_head.cc:1286:20
#23 0x564f515827fc in sp_head::execute_procedure(THD, List<Item>) /test/11.4_opt_san/sql/sp_head.cc:2302:5
#24 0x564f519d2eb8 in do_execute_sp(THD, sp_head) /test/11.4_opt_san/sql/sql_parse.cc:3069:16
#25 0x564f519d1d85 in Sql_cmd_call::execute(THD*) /test/11.4_opt_san/sql/sql_parse.cc:3292:9
#26 0x564f519e3560 in mysql_execute_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:5864:26
#27 0x564f519b67e2 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.4_opt_san/sql/sql_parse.cc:7893:18
#28 0x564f519ab668 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.4_opt_san/sql/sql_parse.cc:1905:7
#29 0x564f519b95be in do_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:1418:17
#30 0x564f5218c9a8 in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1408:11
#31 0x564f5218bdf4 in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1320:5
#32 0x564f512efbdc in asan_thread_start(void*) asan_interceptors.cpp.o
#33 0x14bfdd09ca93 in start_thread nptl/pthread_create.c:447:8
#34 0x14bfdd129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.4_opt_san/strings/ctype-utf8.c:754:27

CS 11.4.5 2719cc4925c032f483edb0e61c0f487e0c429ae6 (Debug, UBASAN, Clang)
2024-12-19 17:07:31 0 [Note] /test/UBASAN_MD031224-mariadb-11.4.5-linux-x86_64-dbg/bin/mariadbd: ready for connections.
Version: '11.4.5-MariaDB-debug-log' socket: '/test/UBASAN_MD031224-mariadb-11.4.5-linux-x86_64-dbg/mariadb-test/var/tmp/mysqld.1.sock' port: 19000 MariaDB Server
/test/11.4_dbg_san/strings/ctype-utf8.c:754:27: runtime error: applying zero offset to null pointer
#0 0x55896eb5ef17 in my_casedn_utf8mb3 /test/11.4_dbg_san/strings/ctype-utf8.c:754:27
#1 0x5589691a0e08 in CharBuffer<192ul>::copy_casedn(charset_info_st const*, st_mysql_const_lex_string const&) /test/11.4_dbg_san/sql/char_buffer.h:65:15
#2 0x55896919fce3 in IdentBuffer<192ul>::copy_casedn(st_mysql_const_lex_string const&) /test/11.4_dbg_san/sql/lex_ident.h:153:26
#3 0x55896992bec2 in IdentBufferCasedn<192ul>::IdentBufferCasedn(st_mysql_const_lex_string const&) /test/11.4_dbg_san/sql/lex_ident.h:165:27
#4 0x558969929154 in Master_info_index::get_master_info(st_mysql_const_lex_string const*, Sql_state_errno_level::enum_warning_level) /test/11.4_dbg_san/sql/rpl_mi.cc:1376:42
#5 0x55896992b315 in get_master_info(st_mysql_const_lex_string const*, Sql_state_errno_level::enum_warning_level) /test/11.4_dbg_san/sql/rpl_mi.cc:1322:31
#6 0x558969acf699 in Sys_var_rpl_filter::global_value_ptr(THD, st_mysql_const_lex_string const) const /test/11.4_dbg_san/sql/sys_vars.cc:5621:7
#7 0x558967dd0abf in sys_var::value_ptr(THD, enum_var_type, st_mysql_const_lex_string const) const /test/11.4_dbg_san/sql/set_var.cc:283:12
#8 0x55896909723c in get_one_variable(THD, st_mysql_show_var const, enum_var_type, enum_mysql_show_type, system_status_var, charset_info_st const, char, unsigned long*) /test/11.4_dbg_san/sql/sql_show.cc:3708:26
#9 0x55896912141f in show_status_array(THD, char const, st_mysql_show_var, enum_var_type, system_status_var, char const, TABLE, bool, Item*) /test/11.4_dbg_san/sql/sql_show.cc:3929:14
#10 0x55896911dda2 in fill_variables(THD, TABLE_LIST, Item*) /test/11.4_dbg_san/sql/sql_show.cc:8415:8
#11 0x5589691404cc in get_schema_tables_result(JOIN*, enum_schema_table_state) /test/11.4_dbg_san/sql/sql_show.cc:9412:11
#12 0x558968d63e4e in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:5006:7
#13 0x558968d5dd1a in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4828:8
#14 0x558968bfd019 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.4_dbg_san/sql/sql_select.cc:5358:21
#15 0x558968bf86d7 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:642:10
#16 0x5589688e25f0 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.4_dbg_san/sql/sql_parse.cc:6169:12
#17 0x55896888308c in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:3962:12
#18 0x55896a051199 in sp_instr_stmt::exec_core(THD, unsigned int) /test/11.4_dbg_san/sql/sp_instr.cc:1051:12
#19 0x55896a0352f6 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*, bool) /test/11.4_dbg_san/sql/sp_instr.cc:297:17
#20 0x55896a03b4e8 in sp_lex_keeper::validate_lex_and_exec_core(THD, unsigned int, bool, sp_lex_instr*) /test/11.4_dbg_san/sql/sp_instr.cc:476:14
#21 0x55896a049f3f in sp_instr_stmt::execute(THD, unsigned int) /test/11.4_dbg_san/sql/sp_instr.cc:954:25
#22 0x558967f40201 in sp_head::execute(THD*, bool) /test/11.4_dbg_san/sql/sp_head.cc:1286:20
#23 0x558967f5e122 in sp_head::execute_procedure(THD, List<Item>) /test/11.4_dbg_san/sql/sp_head.cc:2302:5
#24 0x558968862ad8 in do_execute_sp(THD, sp_head) /test/11.4_dbg_san/sql/sql_parse.cc:3069:16
#25 0x55896885fd67 in Sql_cmd_call::execute(THD*) /test/11.4_dbg_san/sql/sql_parse.cc:3292:9
#26 0x5589688cb2e8 in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:5864:26
#27 0x558968829699 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7893:18
#28 0x55896880a993 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1905:7
#29 0x5589688335f6 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1418:17
#30 0x55896997c8c6 in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1408:11
#31 0x55896997b08d in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1320:5
#32 0x558967a0c9dc in asan_thread_start(void*) asan_interceptors.cpp.o
#33 0x1554d9a9ca93 in start_thread nptl/pthread_create.c:447:8
#34 0x1554d9b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/11.4_dbg_san/strings/ctype-utf8.c:754:27

cmake command:

cmake . -DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DWITH_SSL=bundled -DBUILD_CONFIG=mysql_release -DWITH_TOKUDB=0 -DWITH_JEMALLOC=no -DFEATURE_SET=community -DDEBUG_EXTNAME=OFF -DWITH_EMBEDDED_SERVER=0 -DENABLE_DOWNLOADS=1 -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/tmp/boost_024627 -DENABLED_LOCAL_INFILE=1 -DENABLE_DTRACE=0 -DWITH_SAFEMALLOC=OFF -DPLUGIN_PERFSCHEMA=NO -DWITH_DBUG_TRACE=OFF -DWITH_ZLIB=bundled -DWITH_ROCKSDB=1 -DWITH_PAM=ON -DWITH_MARIABACKUP=0 -DFORCE_INSOURCE_BUILD=1 -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON -DCMAKE_CXX_FLAGS=-fsanitize-coverage=trace-pc-guard -DMYSQL_MAINTAINER_MODE=OFF -DWARNING_AS_ERROR='' -DCMAKE_BUILD_TYPE=RelWithDebInfo

Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:

     # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools

     sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so

Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress other UBSAN issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter - just remember to remove the errors seen in this report.

Present in optimized & debug builds.

Attachments

Issue Links

causes

MDEV-35945 Assertion `src != ((void *)0)' failed in my_caseup_8bit

Closed

MDEV-36565 Assertion `src != ((void *)0)' failed in my_casedn_8bit

Closed

is part of

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

relates to

MDEV-35620 UBSAN: runtime error: applying zero offset to null pointer in _ma_unique_hash, skip_trailing_space, my_hash_sort_mb_nopad_bin and my_strnncollsp_utf8mb4_bin

Closed

Activity

Ascending order - Click to sort in descending order

Marko Mäkelä added a comment - 2024-12-19 06:59

For the record, you will really need clang for this. The -fsanitize=undefined in GCC fails to flag this undefined behaviour. See also ~~MDEV-26272~~.

I was disappointed to see the ~~MDEV-34770~~ "fix". I hope that this bug will be fixed properly.

Marko Mäkelä added a comment - 2024-12-19 06:59 For the record, you will really need clang for this. The -fsanitize=undefined in GCC fails to flag this undefined behaviour. See also MDEV-26272 . I was disappointed to see the MDEV-34770 "fix" . I hope that this bug will be fixed properly.

Alexander Barkov added a comment - 2024-12-19 10:43

Hi Roel. It can be scritical.
However I cannot build an UBSAN related bugs- beacuse the server just stops on another UBSAN bugs at early initialization step.

Alexander Barkov added a comment - 2024-12-19 10:43 Hi Roel. It can be scritical. However I cannot build an UBSAN related bugs- beacuse the server just stops on another UBSAN bugs at early initialization step.

Roel Van de Paar added a comment - 2024-12-19 19:28 - edited

bar Thank you! Have a look at the description near the end "And you may also want to supress other UBSAN issues..." for the startup bugs issue.

Roel Van de Paar added a comment - 2024-12-19 19:28 - edited bar Thank you! Have a look at the description near the end "And you may also want to supress other UBSAN issues..." for the startup bugs issue.

Roel Van de Paar added a comment - 2025-01-09 23:02

bar Hi! Were you able to get it running with a supression file? So the syntax would be

export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=/some_local_path/UBSAN.filter

Where UBSAN.filter is https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Roel Van de Paar added a comment - 2025-01-09 23:02 bar Hi! Were you able to get it running with a supression file? So the syntax would be export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1:suppressions=/some_local_path/UBSAN.filter Where UBSAN.filter is https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Alexander Barkov added a comment - 2025-01-17 13:37

Repeatable with the client application issuing this SQL statement:

show variables like 'replicate_do_db';

Alexander Barkov added a comment - 2025-01-17 13:37 Repeatable with the client application issuing this SQL statement: show variables like 'replicate_do_db' ;

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2024-12-19 06:22

Updated:: 2025-04-15 04:01

Resolved:: 2025-01-21 06:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server