[MDEV-36240] UBSAN: runtime error: applying zero offset to null pointer in my_strnncollsp_simple on SELECT - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6
Fix Version/s: 10.5, 10.6
Component/s: Storage Engine - Spider
Labels:

Description

Possibly related, though not the same as, MDEV-32756.

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

SET SESSION default_storage_engine=Spider;

CREATE TEMPORARY TABLE t (c INT);

SET NAMES latin1;

INSERT INTO t VALUES (-1);

SELECT * FROM t WHERE EXTRACTVALUE (c,'a')='a';

Leads to:

CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025
/test/10.5_dbg_san/strings/ctype-simple.c:179:10: runtime error: applying zero offset to null pointer
#0 0x55641f97c525 in my_strnncollsp_simple /test/10.5_dbg_san/strings/ctype-simple.c:179:10
#1 0x55641df565af in Arg_comparator::compare() /test/10.5_dbg_san/sql/item_cmpfunc.h:117:33
#2 0x55641df565af in Item_func_eq::val_int() /test/10.5_dbg_san/sql/item_cmpfunc.cc:1812:18
#3 0x55641d24e651 in make_join_select(JOIN, SQL_SELECT, Item*) /test/10.5_dbg_san/sql/sql_select.cc:11828:46
#4 0x55641d223f15 in JOIN::optimize_stage2() /test/10.5_dbg_san/sql/sql_select.cc:2696:7
#5 0x55641d22dd2d in JOIN::optimize_inner() /test/10.5_dbg_san/sql/sql_select.cc:2445:9
#6 0x55641d22108b in JOIN::optimize() /test/10.5_dbg_san/sql/sql_select.cc:1765:10
#7 0x55641d202f60 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.5_dbg_san/sql/sql_select.cc:4907:19
#8 0x55641d202392 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
#9 0x55641d1311f3 in execute_sqlcom_select(THD, TABLE_LIST) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
#10 0x55641d119242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
#11 0x55641d0e9467 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
#12 0x55641d0dd3b9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
#13 0x55641d0eb5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
#14 0x55641d6f5257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
#15 0x55641d6f4b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
#16 0x55641cbfe03c in asan_thread_start(void*) asan_interceptors.cpp.o
#17 0x147a1d09ca93 in start_thread nptl/pthread_create.c:447:8
#18 0x147a1d129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/10.5_dbg_san/strings/ctype-simple.c:179:10

Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Bug confirmed present in:
MariaDB: 10.5.29 (dbg), 10.5.29 (opt), 10.6.22 (dbg), 10.6.22 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.11.12 (dbg), 10.11.12 (opt), 11.4.6 (dbg), 11.4.6 (opt), 11.8.1 (dbg), 11.8.1 (opt), 12.0.0 (dbg), 12.0.0 (opt)

Attachments

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2025-03-07 09:06

Testcase is both CLI and MTR compatible. Use UBSAN_OPTIONS before executing MTR to get full stacks, as usual.

Roel Van de Paar added a comment - 2025-03-07 09:06 Testcase is both CLI and MTR compatible. Use UBSAN_OPTIONS before executing MTR to get full stacks, as usual.

Roel Van de Paar added a comment - 2025-03-07 09:09

Two stacks observed (note int vs bool):

UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|Arg_comparator::compare|Item_func_eq::val_bool|make_join_select

UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|Arg_comparator::compare|Item_func_eq::val_int|make_join_select

People

Assignee:: Yuchen Pei

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-03-07 09:02

Updated:: 2025-03-13 03:26

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server