Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-35881

SIGSEGV in __strcmp_evex() from my_load_defaults on INSERT when using DEFAULT_GROUP and UBSAN: runtime error: member access within null pointer of type 'struct st_my_thread_var'

    XMLWordPrintable

Details

    Description

      Testcase is MTR and CLI compatible

      INSTALL PLUGIN spider SONAME 'ha_spider.so';
      		 
      CREATE TABLE t (c INT) ENGINE=Spider DEFAULT_GROUP=foo;
      		 
      INSERT INTO t VALUES (1);

      Leads to:

      CS 11.8.0 ae998c22b2ce4f1023a6c9c2e925324e2c86c6a1 (Debug)

      		 
      Core was generated by `/test/MD010125-mariadb-11.8.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      Download failed: Invalid argument.  Continuing without source file ./string/../sysdeps/x86_64/multiarch/strcmp-evex.S.
      		 
      #0  __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:314
      		 
       
      		 
      [Current thread is 1 (LWP 2963634)]
      		 
      (gdb) bt
      		 
      #0  __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:314
      		 
      #1  0x0000555d7858af2f in get_defaults_options (argv=0x14a1d9672920)at /test/11.8_dbg/mysys/my_default.c:293
      		 
      #2  0x0000555d7858b25d in my_load_defaults (conf_file=0x555d78a3f1fa "my", groups=0x14a1d96728e0, argc=0x14a1d9672924, argv=0x14a1d9672910, default_directories=0x0) at /test/11.8_dbg/mysys/my_default.c:417
      		 
      #3  0x0000555d77bb97ab in mysql_read_default_options (options=0x14a17c0bd878, filename=0x555d78a3f1fa "my", group=0x14a17c29d1e8 "foo")at /test/11.8_dbg/sql-common/client.c:911
      		 
      #4  0x0000555d77bbd9db in server_mysql_real_connect (mysql=0x14a17c0bd4e8, host=0x14a17c2ab6a8 "localhost", user=0x0, passwd=0x0, db=0x0, port=3306, unix_socket=0x14a17c0b2388 "/tmp/mysql.sock", client_flag=65536)at /test/11.8_dbg/sql-common/client.c:2730
      		 
      #5  0x000014a1d8b97f1f in spider_db_mbase::connect (this=0x14a17c0192b0, tgt_host=0x14a17c2ab6a8 "localhost", tgt_username=0x0, tgt_password=0x0, tgt_port=3306, tgt_socket=0x14a17c0b2388 "/tmp/mysql.sock", server_name=0x0, connect_retry_count=0, connect_retry_interval=1000)at /test/11.8_dbg/storage/spider/spd_db_mysql.cc:1984
      		 
      #6  0x000014a1d8aff3ff in spider_db_connect (share=0x14a17c1e46c8, conn=0x14a17c290748, link_idx=0)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:130
      		 
      #7  0x000014a1d8affc35 in spider_db_conn_queue_action (conn=0x14a17c290748)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:242
      		 
      #8  0x000014a1d8b01563 in spider_db_before_query (conn=0x14a17c290748, need_mon=0x14a17c174e88)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:556
      		 
      #9  0x000014a1d8b04d31 in spider_db_set_names_internal (trx=0x14a17c294588, share=0x14a17c1e46c8, conn=0x14a17c290748, all_link_idx=0, need_mon=0x14a17c174e88)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:777
      		 
      #10 0x000014a1d8b04fce in spider_db_set_names (spider=0x14a17c051380, conn=0x14a17c290748, link_idx=0)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:820
      		 
      #11 0x000014a1d8bb9ff5 in spider_mbase_handler::show_table_status (this=0x14a17c27a2a0, link_idx=0, sts_mode=1, flag=88)at /test/11.8_dbg/storage/spider/spd_db_mysql.cc:12564
      		 
      #12 0x000014a1d8b10137 in spider_db_show_table_status (spider=0x14a17c051380, link_idx=0, sts_mode=1, flag=88)at /test/11.8_dbg/storage/spider/spd_db_conn.cc:5037
      		 
      #13 0x000014a1d8b4afd0 in spider_get_sts (share=0x14a17c1e46c8, link_idx=0, tmp_time=1737172283, spider=0x14a17c051380, sts_interval=10, sts_mode=1, sts_sync=0, sts_sync_level=1, flag=88)at /test/11.8_dbg/storage/spider/spd_table.cc:7070
      		 
      #14 0x000014a1d8b4aa74 in spider_share_get_sts_crd (thd=0x14a17c000d58, spider=0x14a17c051380, share=0x14a17c1e46c8, table=0x14a17c082008, init_share=true, has_lock=false, error_num=0x14a1d967438c)at /test/11.8_dbg/storage/spider/spd_table.cc:5346
      		 
      #15 0x000014a1d8b4ba63 in spider_init_share (table_name=0x14a17c18e450 "./test/t", table=0x14a17c082008, thd=0x14a17c000d58, spider=0x14a17c051380, error_num=0x14a1d967438c, share=0x14a17c1e46c8, table_share=0x14a17c18ddb0, new_share=true)at /test/11.8_dbg/storage/spider/spd_table.cc:5505
      		 
      #16 0x000014a1d8b4bf09 in spider_get_share (table_name=0x14a17c18e450 "./test/t", table=0x14a17c082008, thd=0x14a17c000d58, spider=0x14a17c051380, error_num=0x14a1d967438c)at /test/11.8_dbg/storage/spider/spd_table.cc:5596
      		 
      #17 0x000014a1d8b762e1 in ha_spider::open (this=0x14a17c051380, name=0x14a17c18e450 "./test/t", mode=2, test_if_locked=18)at /test/11.8_dbg/storage/spider/ha_spider.cc:269
      		 
      #18 0x0000555d77c12e54 in handler::ha_open (this=0x14a17c051380, table_arg=0x14a17c082008, name=0x14a17c18e450 "./test/t", mode=2, test_if_locked=18, mem_root=0x0, partitions_to_open=0x0)at /test/11.8_dbg/sql/handler.cc:3627
      		 
      #19 0x0000555d77973ec5 in open_table_from_share (thd=0x14a17c000d58, share=0x14a17c18ddb0, alias=0x14a17c01aca8, db_stat=33, prgflag=8, ha_open_flags=18, outparam=0x14a17c082008, is_create_table=false, partitions_to_open=0x0) at /test/11.8_dbg/sql/table.cc:4633
      		 
      #20 0x0000555d7772b88c in open_table (thd=0x14a17c000d58, table_list=0x14a17c01ac60, ot_ctx=0x14a1d9674be8)at /test/11.8_dbg/sql/sql_base.cc:2239
      		 
      #21 0x0000555d777312fd in open_and_process_table (thd=0x14a17c000d58, tables=0x14a17c01ac60, counter=0x14a1d9674c9c, flags=0, prelocking_strategy=0x14a1d9674d00, has_prelocking_list=false, ot_ctx=0x14a1d9674be8) at /test/11.8_dbg/sql/sql_base.cc:4177
      		 
      #22 0x0000555d7772fe44 in open_tables (thd=0x14a17c000d58, options=@0x14a17c006828: {m_options = DDL_options_st::OPT_NONE}, start=0x14a1d9674cb0, counter=0x14a1d9674c9c, flags=0, prelocking_strategy=0x14a1d9674d00) at /test/11.8_dbg/sql/sql_base.cc:4663
      		 
      #23 0x0000555d777331dd in open_and_lock_tables (thd=0x14a17c000d58, options=@0x14a17c006828: {m_options = DDL_options_st::OPT_NONE}, tables=0x14a17c01ac60, derived=true, flags=0, prelocking_strategy=0x14a1d9674d00) at /test/11.8_dbg/sql/sql_base.cc:5632
      		 
      #24 0x0000555d7774259e in open_and_lock_tables (thd=0x14a17c000d58, tables=0x14a17c01ac60, derived=true, flags=0)at /test/11.8_dbg/sql/sql_base.h:532
      		 
      #25 0x0000555d7778d7f5 in mysql_insert (thd=0x14a17c000d58, table_list=0x14a17c01ac60, fields=@0x14a17c0061d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x555d794e8de0 <end_of_list>, last = 0x14a17c0061d8, elements = 0}, <No data fields>}, values_list=@0x14a17c006220: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14a17c01b900, last = 0x14a17c01b900, elements = 1}, <No data fields>}, update_fields=@0x14a17c006208: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x555d794e8de0 <end_of_list>, last = 0x14a17c006208, elements = 0}, <No data fields>}, update_values=@0x14a17c0061f0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x555d794e8de0 <end_of_list>, last = 0x14a17c0061f0, elements = 0}, <No data fields>}, duplic=DUP_ERROR, ignore=false, result=0x0)at /test/11.8_dbg/sql/sql_insert.cc:784
      		 
      #26 0x0000555d777edd82 in mysql_execute_command (thd=0x14a17c000d58, is_called_from_prepared_stmt=false) at /test/11.8_dbg/sql/sql_parse.cc:4471
      		 
      #27 0x0000555d777e37a0 in mysql_parse (thd=0x14a17c000d58, rawbuf=0x14a17c01ab80 "INSERT INTO t VALUES (1)", length=24, parser_state=0x14a1d9676980) at /test/11.8_dbg/sql/sql_parse.cc:7901
      		 
      #28 0x0000555d777e0af7 in dispatch_command (command=COM_QUERY, thd=0x14a17c000d58, packet=0x14a17c00b2a9 "INSERT INTO t VALUES (1)", packet_length=24, blocking=true) at /test/11.8_dbg/sql/sql_parse.cc:1903
      		 
      #29 0x0000555d777e442a in do_command (thd=0x14a17c000d58, blocking=true)at /test/11.8_dbg/sql/sql_parse.cc:1416
      		 
      #30 0x0000555d779d06b9 in do_handle_one_connection (connect=0x555d7b1dcbf8, put_in_cache=true) at /test/11.8_dbg/sql/sql_connect.cc:1415
      		 
      #31 0x0000555d779d0426 in handle_one_connection (arg=0x555d7b1b1688)at /test/11.8_dbg/sql/sql_connect.cc:1327
      		 
      #32 0x0000555d77f959cf in pfs_spawn_thread (arg=0x555d7b14a808)at /test/11.8_dbg/storage/perfschema/pfs.cc:2198
      		 
      #33 0x000014a1dbc9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #34 0x000014a1dbd29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang)

      		 
      2025-01-18 15:57:17 0 [Note] /test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd: ready for connections.
      		 
      Version: '11.8.0-MariaDB-debug'  socket: '/test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/socket.sock'  port: 12863  MariaDB Server
      		 
      250118 15:58:37 [ERROR] /test/UBASAN_MD170125-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd got signal 11 ;
      		 
      /test/11.8_opt_san/storage/spider/spd_table.cc:82:21: runtime error: member access within null pointer of type 'struct st_my_thread_var'
      		 
      Sorry, we probably made a mistake, and this is a bug.
      		 
       
      		 
      Your assistance in bug reporting will enable us to fix this for the next release.
      		 
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs about how to report
      		 
      a bug on https://jira.mariadb.org/.
      		 
       
      		 
      Please include the information from the server start above, to the end of the
      		 
      information below.
      		 
       
      		 
      Server version: 11.8.0-MariaDB-debug source revision: cacaaebf01939d387645fb850ceeec5392496171
      		 
       
      		 
      The information page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mariadbd/
      		 
      contains instructions to obtain a better version of the backtrace below.
      		 
      Following these instructions will help MariaDB developers provide a fix quicker.
      		 
       
      		 
      Attempting backtrace. Include this in the bug report.
      		 
      (note: Retrieving this information may fail)
      		 
       
      		 
      Thread pointer: 0x52b00017a218
      		 
      stack_bottom = 0x14629b001000 thread_stack 0xb00000
      		 
          #0 0x14629a9bcbee in spider_create_sys_thd(st_spider_thread*) /test/11.8_opt_san/storage/spider/spd_table.cc:82:21
      		 
          #1 0x14629a9b66c9 in spider_table_bg_sts_action(void*) /test/11.8_opt_san/storage/spider/spd_table.cc:8947:15
      		 
          #2 0x55f56fbdab5c in asan_thread_start(void*) asan_interceptors.cpp.o
      		 
          #3 0x1462b969ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #4 0x1462b9729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_opt_san/storage/spider/spd_table.cc:82:21

      Bug confirmed present in:
      MariaDB: 11.4.5 (dbg), 11.7.1 (dbg), 11.8.0 (dbg)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (opt), 11.7.1 (opt), 11.8.0 (opt)

      Setup: a standard debug build (I used Clang to compile) for the SIGSEGV and a Cland UBASAN build for the UBSAN issue, setup as follows:

      Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:
      		 
           # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
      		 
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools
      		 
           sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
      		 
      Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-34591 UBSAN: runtime error: member access within null pointer of type 'struct st_my_thread_var' in spider_create_sys_thd and untime error: null pointer passed as argument 1, which is declared to never be null in spider_create_table_name_string

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-33197 SIGSEGV and UBSAN member access [within/on] null pointer in spider_db_get_row_from_tmp_tbl, Assertion in spider_db_errorno and SIGSEGV in spider_db_store_result

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-34849 SIGSEGV in server_mysql_real_connect, spider_db_connect, __strcmp_evex and __strnlen_evex, ASAN heap-use-after-free in spider_db_connect on INSERT

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.