Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-35714

UBSAN: runtime error: downcast of address 0x1549d2b0ba50 with insufficient space for an object of type 'my_decimal' in Item_dyncol_get::get_date

Details

    Description

      SELECT COLUMN_GET (COLUMN_CREATE (0,0 AS DECIMAL(0,0)),0 AS DATE);

      Leads to:

      CS 10.5.28 a226f12675c6312ca7632b90261397e313e6a7ae (Optimized, UBASAN, Clang)

      		 
      /test/10.5_opt_san/sql/item_strfunc.cc:5203:44: runtime error: downcast of address 0x1549d2b0ba50 with insufficient space for an object of type 'my_decimal'
      		 
      0x1549d2b0ba50: note: pointer points here
      		 
       00 00 00 00  01 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  28 ba b0 d2 49 15 00 00  00 00 00 00
      		 
                    ^ 
          #0 0x55e0bb0a34c6 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_strfunc.cc:5203:44
      		 
          #1 0x55e0ba6eae4b in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /test/10.5_opt_san/sql/sql_type.cc:1011:13
      		 
          #2 0x55e0bb21e994 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /test/10.5_opt_san/sql/sql_type.h:2120:5
      		 
          #3 0x55e0bb21e994 in Date::Date(THD*, Item*, date_mode_t) /test/10.5_opt_san/sql/sql_type.h:2193:5
      		 
          #4 0x55e0bb21e994 in Item_date_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_timefunc.cc:2591:23
      		 
          #5 0x55e0ba738019 in Type_handler::Item_send_date(Item*, Protocol*, st_value*) const /test/10.5_opt_san/sql/sql_type.cc:7658:9
      		 
          #6 0x55e0b9817240 in Protocol::send_result_set_row(List<Item>*) /test/10.5_opt_san/sql/protocol.cc:1086:15
      		 
          #7 0x55e0b9afda15 in select_send::send_data(List<Item>&) /test/10.5_opt_san/sql/sql_class.cc:3161:17
      		 
          #8 0x55e0b9f00102 in JOIN::exec_inner() /test/10.5_opt_san/sql/sql_select.cc:4532:22
      		 
          #9 0x55e0b9efb80c in JOIN::exec() /test/10.5_opt_san/sql/sql_select.cc:4444:3
      		 
          #10 0x55e0b9e60df3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_opt_san/sql/sql_select.cc:4921:9
      		 
          #11 0x55e0b9e5f5ad in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_opt_san/sql/sql_select.cc:449:10
      		 
          #12 0x55e0b9d75ab2 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_opt_san/sql/sql_parse.cc:6451:12
      		 
          #13 0x55e0b9d5891f in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4043:12
      		 
          #14 0x55e0b9d1fe98 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18
      		 
          #15 0x55e0b9d129d0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
      		 
          #16 0x55e0b9d228d9 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
      		 
          #17 0x55e0ba42a5c2 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
      		 
          #18 0x55e0ba429a24 in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
      		 
          #19 0x55e0b978a10c in asan_thread_start(void*) asan_interceptors.cpp.o
      		 
          #20 0x154a0369ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #21 0x154a03729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/10.5_opt_san/sql/item_strfunc.cc:5203:44

      Setup:

      Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:
      		 
           # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
      		 
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
      		 
           sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
      		 
      Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

      Bug confirmed present in:
      MariaDB: 10.5.28 (opt), 10.6.21 (opt), 10.11.11 (opt), 11.4.5 (opt), 11.7.1 (opt), 11.8.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.28 (dbg), 10.6.21 (dbg), 10.11.11 (dbg), 11.4.5 (dbg), 11.7.1 (dbg), 11.8.0 (dbg)

      Attachments

        Issue Links

          is part of

          Task - A task that needs to be done. MDEV-25454 Make MariaDB server UBSAN safe

          • Major - Major loss of function.
          • Confirmed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-30931 UBSAN: negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself in get_interval_value on SELECT

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-35406 UBSAN runtime error: signed integer overflow on SELECT DATE_ADD/MAKEDATE

          • Major - Major loss of function.
          • Confirmed

          Activity

            Ascending order - Click to sort in descending order
            Roel Roel Van de Paar added a comment -

            Additional stack with

            SELECT COLUMN_GET (COLUMN_CREATE (1,99999999999999999999999999999 AS DECIMAL(32,10)),1 AS DATETIME) AS a;

            Leads to:

            CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Optimized, UBASAN, Clang)

            		 
            /test/11.8_opt_san/sql/item_strfunc.cc:5677:44: runtime error: downcast of address 0x14aa6eb0f850 with insufficient space for an object of type 'my_decimal'
            		 
            0x14aa6eb0f850: note: pointer points here
            		 
             00 00 00 00  1d 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  28 f8 b0 6e aa 14 00 00  00 00 00 00
            		 
                          ^ 
                #0 0x55a4bb86c156 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/11.8_opt_san/sql/item_strfunc.cc:5677:44
            		 
                #1 0x55a4bae4e16b in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.cc:1069:13
            		 
                #2 0x55a4bb2f4a77 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.h:2156:5
            		 
                #3 0x55a4bb2f4a77 in Datetime::Datetime(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.h:2439:5
            		 
                #4 0x55a4bb2f4a77 in Datetime::Datetime(THD*, Item*, date_mode_t, unsigned int) /test/11.8_opt_san/sql/sql_type.h:2490:5
            		 
                #5 0x55a4bba4b00b in Item_datetime_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/11.8_opt_san/sql/item_timefunc.cc:3428:28
            		 
                #6 0x55a4bae9b234 in Type_handler::Item_send_datetime(Item*, Protocol*, st_value*) const /test/11.8_opt_san/sql/sql_type.cc:7748:9
            		 
                #7 0x55a4b9d8de04 in Protocol::send_result_set_row(List<Item>*) /test/11.8_opt_san/sql/protocol.cc:1353:15
            		 
                #8 0x55a4ba0576a3 in select_send::send_data(List<Item>&) /test/11.8_opt_san/sql/sql_class.cc:3275:17
            		 
                #9 0x55a4ba502648 in JOIN::exec_inner() /test/11.8_opt_san/sql/sql_select.cc:4908:22
            		 
                #10 0x55a4ba4fde21 in JOIN::exec() /test/11.8_opt_san/sql/sql_select.cc:4820:8
            		 
                #11 0x55a4ba45aa2b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5353:21
            		 
                #12 0x55a4ba458c4d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10
            		 
                #13 0x55a4ba30cdac in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6177:12
            		 
                #14 0x55a4ba2f1fc7 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3966:12
            		 
                #15 0x55a4ba2bac92 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7901:18
            		 
                #16 0x55a4ba2afb9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1903:7
            		 
                #17 0x55a4ba2bda6e in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1416:17
            		 
                #18 0x55a4baa9ee38 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
            		 
                #19 0x55a4baa9e280 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
            		 
                #20 0x55a4b9be6b0c in asan_thread_start(void*) asan_interceptors.cpp.o
            		 
                #21 0x14aa9be9ca93 in start_thread nptl/pthread_create.c:447:8
            		 
                #22 0x14aa9bf29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            		 
             
            		 
            SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/11.8_opt_san/sql/item_strfunc.cc:5677:44

            Setup:

            Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:
            		 
                 # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
            		 
                 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
            		 
                 sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
            		 
            Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:
            		 
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
            		 
            Set before execution:
            		 
                export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

            Bug confirmed present in:
            MariaDB: 10.5.28 (opt), 10.6.21 (opt), 10.11.11 (opt), 11.4.5 (opt), 11.7.1 (opt), 11.8.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.28 (dbg), 10.6.21 (dbg), 10.11.11 (dbg), 11.4.5 (dbg), 11.7.1 (dbg), 11.8.0 (dbg)

            Roel Roel Van de Paar added a comment - Additional stack with SELECT COLUMN_GET (COLUMN_CREATE (1,99999999999999999999999999999 AS DECIMAL (32,10)),1 AS DATETIME) AS a; Leads to: CS 11.8.0 7734c85c31c9e292ef1133115fba2f7edd71dd51 (Optimized, UBASAN, Clang) /test/11.8_opt_san/sql/item_strfunc.cc:5677:44: runtime error: downcast of address 0x14aa6eb0f850 with insufficient space for an object of type 'my_decimal' 0x14aa6eb0f850: note: pointer points here 00 00 00 00 1d 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 28 f8 b0 6e aa 14 00 00 00 00 00 00 ^ #0 0x55a4bb86c156 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/11.8_opt_san/sql/item_strfunc.cc:5677:44 #1 0x55a4bae4e16b in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.cc:1069:13 #2 0x55a4bb2f4a77 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.h:2156:5 #3 0x55a4bb2f4a77 in Datetime::Datetime(THD*, Item*, date_mode_t) /test/11.8_opt_san/sql/sql_type.h:2439:5 #4 0x55a4bb2f4a77 in Datetime::Datetime(THD*, Item*, date_mode_t, unsigned int) /test/11.8_opt_san/sql/sql_type.h:2490:5 #5 0x55a4bba4b00b in Item_datetime_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/11.8_opt_san/sql/item_timefunc.cc:3428:28 #6 0x55a4bae9b234 in Type_handler::Item_send_datetime(Item*, Protocol*, st_value*) const /test/11.8_opt_san/sql/sql_type.cc:7748:9 #7 0x55a4b9d8de04 in Protocol::send_result_set_row(List<Item>*) /test/11.8_opt_san/sql/protocol.cc:1353:15 #8 0x55a4ba0576a3 in select_send::send_data(List<Item>&) /test/11.8_opt_san/sql/sql_class.cc:3275:17 #9 0x55a4ba502648 in JOIN::exec_inner() /test/11.8_opt_san/sql/sql_select.cc:4908:22 #10 0x55a4ba4fde21 in JOIN::exec() /test/11.8_opt_san/sql/sql_select.cc:4820:8 #11 0x55a4ba45aa2b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_opt_san/sql/sql_select.cc:5353:21 #12 0x55a4ba458c4d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_opt_san/sql/sql_select.cc:633:10 #13 0x55a4ba30cdac in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_opt_san/sql/sql_parse.cc:6177:12 #14 0x55a4ba2f1fc7 in mysql_execute_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:3966:12 #15 0x55a4ba2bac92 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7901:18 #16 0x55a4ba2afb9e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1903:7 #17 0x55a4ba2bda6e in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1416:17 #18 0x55a4baa9ee38 in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #19 0x55a4baa9e280 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #20 0x55a4b9be6b0c in asan_thread_start(void*) asan_interceptors.cpp.o #21 0x14aa9be9ca93 in start_thread nptl/pthread_create.c:447:8 #22 0x14aa9bf29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/11.8_opt_san/sql/item_strfunc.cc:5677:44 Setup: Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18: # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18 sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON Set before execution: export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter Bug confirmed present in: MariaDB: 10.5.28 (opt), 10.6.21 (opt), 10.11.11 (opt), 11.4.5 (opt), 11.7.1 (opt), 11.8.0 (opt) Bug (or feature/syntax) confirmed not present in: MariaDB: 10.5.28 (dbg), 10.6.21 (dbg), 10.11.11 (dbg), 11.4.5 (dbg), 11.7.1 (dbg), 11.8.0 (dbg)
            Roel Roel Van de Paar added a comment - - edited

            Additional stack with this testacse:

            SELECT COLUMN_GET (COLUMN_CREATE (0,0 AS DECIMAL),0 AS TIME);

            Leads to:

            CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang)

            		 
            /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44: runtime error: downcast of address 0x153065b14050 with insufficient space for an object of type 'my_decimal'
            		 
            0x153065b14050: note: pointer points here
            		 
             00 00 00 00  01 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  28 40 b1 65 30 15 00 00  00 00 00 00
            		 
                          ^ 
                #0 0x563f312307c6 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44
            		 
                #1 0x563f309bac66 in Time::make_from_item(THD*, int*, Item*, Time::Options) /test/10.5_dbg_san/sql/sql_type.cc:759:13
            		 
                #2 0x563f3138b879 in Time::Time(THD*, Item*, Time::Options) /test/10.5_dbg_san/sql/sql_type.h:1795:5
            		 
                #3 0x563f3138b879 in Time::Time(THD*, Item*, Time::Options, unsigned int) /test/10.5_dbg_san/sql/sql_type.h:1838:5
            		 
                #4 0x563f3138b879 in Item_time_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_dbg_san/sql/item_timefunc.cc:2572:21
            		 
                #5 0x563f309f9400 in Item::get_time(THD*, st_mysql_time*) /test/10.5_dbg_san/sql/item.h:1880:12
            		 
                #6 0x563f309f9400 in Type_handler::Item_send_time(Item*, Protocol*, st_value*) const /test/10.5_dbg_san/sql/sql_type.cc:7669:9
            		 
                #7 0x563f2fceb5fe in Protocol::send_result_set_row(List<Item>*) /test/10.5_dbg_san/sql/protocol.cc:1086:15
            		 
                #8 0x563f2ff82090 in select_send::send_data(List<Item>&) /test/10.5_dbg_san/sql/sql_class.cc:3162:17
            		 
                #9 0x563f302f2ca1 in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4532:22
            		 
                #10 0x563f302ef4c3 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4444:3
            		 
                #11 0x563f30270996 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4921:9
            		 
                #12 0x563f3026f3c2 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
            		 
                #13 0x563f3019e1e3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6451:12
            		 
                #14 0x563f30186104 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
            		 
                #15 0x563f301561c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8251:18
            		 
                #16 0x563f3014a119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
            		 
                #17 0x563f3015831e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
            		 
                #18 0x563f30760a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
            		 
                #19 0x563f307602cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
            		 
                #20 0x563f2fc6b03c in asan_thread_start(void*) asan_interceptors.cpp.o
            		 
                #21 0x15309509ca93 in start_thread nptl/pthread_create.c:447:8
            		 
                #22 0x153095129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            		 
             
            		 
            SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44

            CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Optimized, UBASAN, Clang)

            		 
            /test/10.5_opt_san/sql/item_strfunc.cc:5203:44: runtime error: downcast of address 0x149d37111c50 with insufficient space for an object of type 'my_decimal'
            		 
            0x149d37111c50: note: pointer points here
            		 
             00 00 00 00  01 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  28 1c 11 37 9d 14 00 00  00 00 00 00
            		 
                          ^ 
                #0 0x55e8f944ab93 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_strfunc.cc:5203:44
            		 
                #1 0x55e8f8c4edf6 in Time::make_from_item(THD*, int*, Item*, Time::Options) /test/10.5_opt_san/sql/sql_type.cc:759:13
            		 
                #2 0x55e8f9041c4a in Time::Time(THD*, Item*, Time::Options) /test/10.5_opt_san/sql/sql_type.h:1795:5
            		 
                #3 0x55e8f9041c4a in Time::Time(THD*, Item*, Time::Options, unsigned int) /test/10.5_opt_san/sql/sql_type.h:1838:5
            		 
                #4 0x55e8f958b15b in Item_time_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_timefunc.cc:2572:21
            		 
                #5 0x55e8f8c89abc in Type_handler::Item_send_time(Item*, Protocol*, st_value*) const /test/10.5_opt_san/sql/sql_type.cc:7669:9
            		 
                #6 0x55e8f80176a3 in Protocol::send_result_set_row(List<Item>*) /test/10.5_opt_san/sql/protocol.cc:1086:15
            		 
                #7 0x55e8f82770f0 in select_send::send_data(List<Item>&) /test/10.5_opt_san/sql/sql_class.cc:3162:17
            		 
                #8 0x55e8f85c35b9 in JOIN::exec_inner() /test/10.5_opt_san/sql/sql_select.cc:4532:22
            		 
                #9 0x55e8f85bf9ed in JOIN::exec() /test/10.5_opt_san/sql/sql_select.cc:4444:3
            		 
                #10 0x55e8f8542d14 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_opt_san/sql/sql_select.cc:4921:9
            		 
                #11 0x55e8f8541b10 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_opt_san/sql/sql_select.cc:449:10
            		 
                #12 0x55e8f8480fbd in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_opt_san/sql/sql_parse.cc:6451:12
            		 
                #13 0x55e8f845d2fe in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4043:12
            		 
                #14 0x55e8f843f0c6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18
            		 
                #15 0x55e8f8433d1e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
            		 
                #16 0x55e8f84410c0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
            		 
                #17 0x55e8f8a0de37 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
            		 
                #18 0x55e8f8a0d68a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
            		 
                #19 0x55e8f7f9972c in asan_thread_start(void*) asan_interceptors.cpp.o
            		 
                #20 0x149d6a49ca93 in start_thread nptl/pthread_create.c:447:8
            		 
                #21 0x149d6a529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            		 
             
            		 
            SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/10.5_opt_san/sql/item_strfunc.cc:5203:44

            Bug confirmed present in:
            MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)

            Roel Roel Van de Paar added a comment - - edited Additional stack with this testacse: SELECT COLUMN_GET (COLUMN_CREATE (0,0 AS DECIMAL ),0 AS TIME ); Leads to: CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang) /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44: runtime error: downcast of address 0x153065b14050 with insufficient space for an object of type 'my_decimal' 0x153065b14050: note: pointer points here 00 00 00 00 01 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 28 40 b1 65 30 15 00 00 00 00 00 00 ^ #0 0x563f312307c6 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44 #1 0x563f309bac66 in Time::make_from_item(THD*, int*, Item*, Time::Options) /test/10.5_dbg_san/sql/sql_type.cc:759:13 #2 0x563f3138b879 in Time::Time(THD*, Item*, Time::Options) /test/10.5_dbg_san/sql/sql_type.h:1795:5 #3 0x563f3138b879 in Time::Time(THD*, Item*, Time::Options, unsigned int) /test/10.5_dbg_san/sql/sql_type.h:1838:5 #4 0x563f3138b879 in Item_time_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_dbg_san/sql/item_timefunc.cc:2572:21 #5 0x563f309f9400 in Item::get_time(THD*, st_mysql_time*) /test/10.5_dbg_san/sql/item.h:1880:12 #6 0x563f309f9400 in Type_handler::Item_send_time(Item*, Protocol*, st_value*) const /test/10.5_dbg_san/sql/sql_type.cc:7669:9 #7 0x563f2fceb5fe in Protocol::send_result_set_row(List<Item>*) /test/10.5_dbg_san/sql/protocol.cc:1086:15 #8 0x563f2ff82090 in select_send::send_data(List<Item>&) /test/10.5_dbg_san/sql/sql_class.cc:3162:17 #9 0x563f302f2ca1 in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4532:22 #10 0x563f302ef4c3 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4444:3 #11 0x563f30270996 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4921:9 #12 0x563f3026f3c2 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10 #13 0x563f3019e1e3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6451:12 #14 0x563f30186104 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12 #15 0x563f301561c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8251:18 #16 0x563f3014a119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7 #17 0x563f3015831e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17 #18 0x563f30760a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11 #19 0x563f307602cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5 #20 0x563f2fc6b03c in asan_thread_start(void*) asan_interceptors.cpp.o #21 0x15309509ca93 in start_thread nptl/pthread_create.c:447:8 #22 0x153095129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/10.5_dbg_san/sql/item_strfunc.cc:5203:44 CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Optimized, UBASAN, Clang) /test/10.5_opt_san/sql/item_strfunc.cc:5203:44: runtime error: downcast of address 0x149d37111c50 with insufficient space for an object of type 'my_decimal' 0x149d37111c50: note: pointer points here 00 00 00 00 01 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 28 1c 11 37 9d 14 00 00 00 00 00 00 ^ #0 0x55e8f944ab93 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_strfunc.cc:5203:44 #1 0x55e8f8c4edf6 in Time::make_from_item(THD*, int*, Item*, Time::Options) /test/10.5_opt_san/sql/sql_type.cc:759:13 #2 0x55e8f9041c4a in Time::Time(THD*, Item*, Time::Options) /test/10.5_opt_san/sql/sql_type.h:1795:5 #3 0x55e8f9041c4a in Time::Time(THD*, Item*, Time::Options, unsigned int) /test/10.5_opt_san/sql/sql_type.h:1838:5 #4 0x55e8f958b15b in Item_time_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /test/10.5_opt_san/sql/item_timefunc.cc:2572:21 #5 0x55e8f8c89abc in Type_handler::Item_send_time(Item*, Protocol*, st_value*) const /test/10.5_opt_san/sql/sql_type.cc:7669:9 #6 0x55e8f80176a3 in Protocol::send_result_set_row(List<Item>*) /test/10.5_opt_san/sql/protocol.cc:1086:15 #7 0x55e8f82770f0 in select_send::send_data(List<Item>&) /test/10.5_opt_san/sql/sql_class.cc:3162:17 #8 0x55e8f85c35b9 in JOIN::exec_inner() /test/10.5_opt_san/sql/sql_select.cc:4532:22 #9 0x55e8f85bf9ed in JOIN::exec() /test/10.5_opt_san/sql/sql_select.cc:4444:3 #10 0x55e8f8542d14 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_opt_san/sql/sql_select.cc:4921:9 #11 0x55e8f8541b10 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_opt_san/sql/sql_select.cc:449:10 #12 0x55e8f8480fbd in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_opt_san/sql/sql_parse.cc:6451:12 #13 0x55e8f845d2fe in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4043:12 #14 0x55e8f843f0c6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18 #15 0x55e8f8433d1e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7 #16 0x55e8f84410c0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17 #17 0x55e8f8a0de37 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11 #18 0x55e8f8a0d68a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5 #19 0x55e8f7f9972c in asan_thread_start(void*) asan_interceptors.cpp.o #20 0x149d6a49ca93 in start_thread nptl/pthread_create.c:447:8 #21 0x149d6a529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /test/10.5_opt_san/sql/item_strfunc.cc:5203:44 Bug confirmed present in: MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)
            danblack Daniel Black added a comment -

            Affected main test dyncol:

            main.dyncol

            		 
            CURRENT_TEST: main.dyncol
            		 
            $ /build/sql/mariadbd --defaults-group-suffix=.1 --defaults-file=/build/mysql-test/var/3/my.cnf --log-output=file --core-file --loose-debug-sync-timeout=300
            		 
            2025-04-02  0:57:05 0 [Warning] Could not increase number of max_open_files to more than 1024 (request: 32198)
            		 
            2025-04-02  0:57:05 0 [Warning] Changed limits: max_open_files: 1024  max_connections: 151 (was 151)  table_cache: 421 (was 2000)
            		 
            2025-04-02  0:57:05 0 [Note] Starting MariaDB 10.6.22-MariaDB-log source revision  server_uid SuPi8N3uf2bDbPnxWA93za0IFVA= as process 1253818
            		 
            ...
            		 
            Version: '10.6.22-MariaDB-log'  socket: '/build/mysql-test/var/tmp/3/mysqld.1.sock'  port: 19060  Source distribution
            		 
            /source/sql/item_strfunc.cc:5256:44: runtime error: downcast of address 0x7b61abd9ce50 with insufficient space for an object of type 'my_decimal'
            		 
            0x7b61abd9ce50: note: pointer points here
            		 
             00 00 00 00  0e 00 00 00 06 00 00 00  09 00 00 00 00 00 00 00  28 ce d9 ab 61 7b 00 00  00 00 00 00
            		 
                          ^ 
                #0 0x5556372b2c34 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /source/sql/item_strfunc.cc:5256:44
            		 
                #1 0x555636b518f2 in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /source/sql/sql_type.cc:1003:13
            		 
                #2 0x5556373e3085 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /source/sql/sql_type.h:2160:5
            		 
                #3 0x5556373e3085 in Datetime::Datetime(THD*, Item*, date_mode_t) /source/sql/sql_type.h:2443:5
            		 
                #4 0x5556373e3085 in Datetime::Datetime(THD*, Item*, date_mode_t, unsigned int) /source/sql/sql_type.h:2494:5
            		 
                #5 0x5556373e3085 in Item_datetime_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /source/sql/item_timefunc.cc:3407:28
            		 
                #6 0x555636b8552b in Type_handler::Item_send_datetime(Item*, Protocol*, st_value*) const /source/sql/sql_type.cc:7681:9
            		 
                #7 0x555635ff11f2 in Protocol::send_result_set_row(List<Item>*) /source/sql/protocol.cc:1329:15
            		 
                #8 0x55563621be27 in select_send::send_data(List<Item>&) /source/sql/sql_class.cc:3219:17
            		 
                #9 0x55563651f37d in JOIN::exec_inner() /source/sql/sql_select.cc:4805:22
            		 
                #10 0x55563651d51b in JOIN::exec() /source/sql/sql_select.cc:4717:3
            		 
                #11 0x5556364a8164 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /source/sql/sql_select.cc:5196:9
            		 
                #12 0x5556364a73b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /source/sql/sql_select.cc:573:10
            		 
                #13 0x5556363f3bbc in execute_sqlcom_select(THD*, TABLE_LIST*) /source/sql/sql_parse.cc:6422:12
            		 
                #14 0x5556363d42f1 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:4013:12
            		 
                #15 0x5556363b9ce6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18
            		 
                #16 0x5556363b1f8b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1908:7
            		 
                #17 0x5556363bbc4b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17
            		 
                #18 0x55563693bb9c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11
            		 
                #19 0x55563693b522 in handle_one_connection /source/sql/sql_connect.cc:1298:5
            		 
                #20 0x555635f6f756 in asan_thread_start(void*) asan_interceptors.cpp.o
            		 
                #21 0x7f61b4ebd1c3  (/lib/x86_64-linux-gnu/libc.so.6+0x891c3) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
            		 
                #22 0x7f61b4f3d85b  (/lib/x86_64-linux-gnu/libc.so.6+0x10985b) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
            		 
             
            		 
            SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /source/sql/item_strfunc.cc:5256:44

            danblack Daniel Black added a comment - Affected main test dyncol: main.dyncol CURRENT_TEST: main.dyncol $ /build/sql/mariadbd --defaults-group-suffix=.1 --defaults-file=/build/mysql-test/var/3/my.cnf --log-output=file --core-file --loose-debug-sync-timeout=300 2025-04-02 0:57:05 0 [Warning] Could not increase number of max_open_files to more than 1024 (request: 32198) 2025-04-02 0:57:05 0 [Warning] Changed limits: max_open_files: 1024 max_connections: 151 (was 151) table_cache: 421 (was 2000) 2025-04-02 0:57:05 0 [Note] Starting MariaDB 10.6.22-MariaDB-log source revision server_uid SuPi8N3uf2bDbPnxWA93za0IFVA= as process 1253818 ... Version: '10.6.22-MariaDB-log' socket: '/build/mysql-test/var/tmp/3/mysqld.1.sock' port: 19060 Source distribution /source/sql/item_strfunc.cc:5256:44: runtime error: downcast of address 0x7b61abd9ce50 with insufficient space for an object of type 'my_decimal' 0x7b61abd9ce50: note: pointer points here 00 00 00 00 0e 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00 28 ce d9 ab 61 7b 00 00 00 00 00 00 ^ #0 0x5556372b2c34 in Item_dyncol_get::get_date(THD*, st_mysql_time*, date_mode_t) /source/sql/item_strfunc.cc:5256:44 #1 0x555636b518f2 in Temporal_with_date::make_from_item(THD*, Item*, date_mode_t) /source/sql/sql_type.cc:1003:13 #2 0x5556373e3085 in Temporal_with_date::Temporal_with_date(THD*, Item*, date_mode_t) /source/sql/sql_type.h:2160:5 #3 0x5556373e3085 in Datetime::Datetime(THD*, Item*, date_mode_t) /source/sql/sql_type.h:2443:5 #4 0x5556373e3085 in Datetime::Datetime(THD*, Item*, date_mode_t, unsigned int) /source/sql/sql_type.h:2494:5 #5 0x5556373e3085 in Item_datetime_typecast::get_date(THD*, st_mysql_time*, date_mode_t) /source/sql/item_timefunc.cc:3407:28 #6 0x555636b8552b in Type_handler::Item_send_datetime(Item*, Protocol*, st_value*) const /source/sql/sql_type.cc:7681:9 #7 0x555635ff11f2 in Protocol::send_result_set_row(List<Item>*) /source/sql/protocol.cc:1329:15 #8 0x55563621be27 in select_send::send_data(List<Item>&) /source/sql/sql_class.cc:3219:17 #9 0x55563651f37d in JOIN::exec_inner() /source/sql/sql_select.cc:4805:22 #10 0x55563651d51b in JOIN::exec() /source/sql/sql_select.cc:4717:3 #11 0x5556364a8164 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /source/sql/sql_select.cc:5196:9 #12 0x5556364a73b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /source/sql/sql_select.cc:573:10 #13 0x5556363f3bbc in execute_sqlcom_select(THD*, TABLE_LIST*) /source/sql/sql_parse.cc:6422:12 #14 0x5556363d42f1 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:4013:12 #15 0x5556363b9ce6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18 #16 0x5556363b1f8b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1908:7 #17 0x5556363bbc4b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17 #18 0x55563693bb9c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11 #19 0x55563693b522 in handle_one_connection /source/sql/sql_connect.cc:1298:5 #20 0x555635f6f756 in asan_thread_start(void*) asan_interceptors.cpp.o #21 0x7f61b4ebd1c3 (/lib/x86_64-linux-gnu/libc.so.6+0x891c3) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8) #22 0x7f61b4f3d85b (/lib/x86_64-linux-gnu/libc.so.6+0x10985b) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)   SUMMARY: UndefinedBehaviorSanitizer: insufficient-object-size /source/sql/item_strfunc.cc:5256:44

            People

              bar Alexander Barkov
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.