[MDEV-36344] UBSAN: lifo buffer (optimizer) - runtime error: applying non-zero offset 12 to null pointer - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.4, 11.8, 12.0
Fix Version/s: 10.5, 10.6, 10.11, 11.4, 11.8
Component/s: Optimizer
Labels:
- UBSAN
- nullptr-with-nonzero-offset
Environment:
clang-20.1 or clang-18.1

Description

10.6.22 main.index_intersect_innodb
CURRENT_TEST: main.index_intersect_innodb
/source/sql/sql_lifo_buffer.h:177:17: runtime error: applying non-zero offset 12 to null pointer
#0 0x55b8b4b88c1b in Forward_lifo_buffer::have_space_for(unsigned long) /source/sql/sql_lifo_buffer.h:177:17
#1 0x55b8b4b80797 in DsMrr_impl::dsmrr_init(handler, st_range_seq_if, void, unsigned int, unsigned int, st_handler_buffer) /source/sql/multi_range_read
.cc:1200:25
#2 0x55b8b5d5ae89 in ha_innobase::multi_range_read_init(st_range_seq_if, void, unsigned int, unsigned int, st_handler_buffer*) /source/storage/innobase/h
andler/ha_innodb.cc:20149:18
#3 0x55b8b57374e0 in QUICK_RANGE_SELECT::reset() /source/sql/opt_range.cc:12841:16
#4 0x55b8b572eff3 in read_keys_and_merge_scans(THD, TABLE, List<QUICK_RANGE_SELECT>, QUICK_RANGE_SELECT, READ_RECORD, bool, Bitmap<64u>, Unique*) /so
urce/sql/opt_range.cc:12395:39
#5 0x55b8b573183f in QUICK_INDEX_INTERSECT_SELECT::read_keys_and_merge() /source/sql/opt_range.cc:12539:11
#6 0x55b8b4659d2d in join_init_read_record(st_join_table*) /source/sql/sql_select.cc:23390:64
#7 0x55b8b45e6cf6 in sub_select(JOIN, st_join_table, bool) /source/sql/sql_select.cc:22388:12
#8 0x55b8b4664752 in do_select(JOIN, Procedure) /source/sql/sql_select.cc:21914:14
#9 0x55b8b46623b4 in JOIN::exec_inner() /source/sql/sql_select.cc:4939:50
#10 0x55b8b465f2eb in JOIN::exec() /source/sql/sql_select.cc:4717:3
#11 0x55b8b45e9f34 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order*, unsigned long long, select_
result, st_select_lex_unit, st_select_lex*) /source/sql/sql_select.cc:5196:9
#12 0x55b8b45e9183 in handle_select(THD, LEX, select_result*, unsigned long) /source/sql/sql_select.cc:573:10
#13 0x55b8b453598c in execute_sqlcom_select(THD, TABLE_LIST) /source/sql/sql_parse.cc:6422:12
#14 0x55b8b45160c1 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:4013:12
#15 0x55b8b44fbab6 in mysql_parse(THD, char, unsigned int, Parser_state*) /source/sql/sql_parse.cc:8209:18
#16 0x55b8b44f3d5b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /source/sql/sql_parse.cc:1908:7
#17 0x55b8b44fda1b in do_command(THD*, bool) /source/sql/sql_parse.cc:1421:17
#18 0x55b8b4a7d94c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1386:11
#19 0x55b8b4a7d2d2 in handle_one_connection /source/sql/sql_connect.cc:1298:5
#20 0x55b8b40b1476 in asan_thread_start(void*) asan_interceptors.cpp.o
#21 0x7ff458d351c3 (/lib/x86_64-linux-gnu/libc.so.6+0x891c3) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
#22 0x7ff458db585b (/lib/x86_64-linux-gnu/libc.so.6+0x10985b) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /source/sql/sql_lifo_buffer.h:177:17

Attachments

Issue Links

is part of

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

relates to

MDBF-741 Remove the gcc UBSAN builder to use the clang based UBSAN

In Testing

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2025-03-24 03:28

Looks like pos is undefined, but because set_buffer_space defined/start/end. it looks like the follow may be needed:

diff --git a/sql/multi_range_read.cc b/sql/multi_range_read.cc

index 6e8c4fd35df..174aa503f5a 100644

--- a/sql/multi_range_read.cc

+++ b/sql/multi_range_read.cc

@@ -1197,6 +1197,7 @@ int DsMrr_impl::dsmrr_init(handler *h_arg, RANGE_SEQ_IF *seq_funcs,

       /* index strategy doesn't need buffer, give all space to rowids*/

       rowid_buffer.set_buffer_space(full_buf, full_buf_end);

+      rowid_buffer.reset();

       if (!rowid_buffer.have_space_for(primary_file->ref_length +

                                        (int)is_mrr_assoc * sizeof(range_id_t)))

         goto use_default_impl;

Daniel Black added a comment - 2025-03-24 03:28 Looks like pos is undefined, but because set_buffer_space defined/start/end. it looks like the follow may be needed: diff --git a/sql/multi_range_read.cc b/sql/multi_range_read.cc index 6e8c4fd35df..174aa503f5a 100644 --- a/sql/multi_range_read.cc +++ b/sql/multi_range_read.cc @@ -1197,6 +1197,7 @@ int DsMrr_impl::dsmrr_init(handler *h_arg, RANGE_SEQ_IF *seq_funcs, { /* index strategy doesn't need buffer, give all space to rowids*/ rowid_buffer.set_buffer_space(full_buf, full_buf_end); + rowid_buffer.reset(); if (!rowid_buffer.have_space_for(primary_file->ref_length + (int)is_mrr_assoc * sizeof(range_id_t))) goto use_default_impl;

Roel Van de Paar added a comment - 2025-03-24 03:48

Confirmed. Trace with error type report:

export UBSAN_OPTIONS=suppressions=${HOME}/mariadb-qa/UBSAN.filter:print_stacktrace=1:report_error_type=1

CS 10.6.22 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 (Debug, UBASAN) Build 15/02/2025
/test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17: runtime error: applying non-zero offset 12 to null pointer
#0 0x55bed03a6685 in Forward_lifo_buffer::have_space_for(unsigned long) /test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17
#1 0x55bed039c8f4 in DsMrr_impl::dsmrr_init(handler, st_range_seq_if, void, unsigned int, unsigned int, st_handler_buffer) /test/10.6_dbg_san/sql/multi_range_read.cc:1200:25
#2 0x55bed18e5c71 in ha_innobase::multi_range_read_init(st_range_seq_if, void, unsigned int, unsigned int, st_handler_buffer*) /test/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:20136:18
#3 0x55bed113a4fa in QUICK_RANGE_SELECT::reset() /test/10.6_dbg_san/sql/opt_range.cc:12841:16
#4 0x55bed1130c41 in read_keys_and_merge_scans(THD, TABLE, List<QUICK_RANGE_SELECT>, QUICK_RANGE_SELECT, READ_RECORD, bool, Bitmap<64u>, Unique*) /test/10.6_dbg_san/sql/opt_range.cc:12395:39
#5 0x55bed1133ef9 in QUICK_INDEX_INTERSECT_SELECT::read_keys_and_merge() /test/10.6_dbg_san/sql/opt_range.cc:12539:11
#6 0x55becfdbefca in join_init_read_record(st_join_table*) /test/10.6_dbg_san/sql/sql_select.cc:23390:64
#7 0x55becfd3f2bc in sub_select(JOIN, st_join_table, bool) /test/10.6_dbg_san/sql/sql_select.cc:22388:12
#8 0x55becfdcb42d in do_select(JOIN, Procedure) /test/10.6_dbg_san/sql/sql_select.cc:21914:14
#9 0x55becfdc7cd9 in JOIN::exec_inner() /test/10.6_dbg_san/sql/sql_select.cc:4939:50
#10 0x55becfdc5623 in JOIN::exec() /test/10.6_dbg_san/sql/sql_select.cc:4717:3
#11 0x55becfd42f76 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/10.6_dbg_san/sql/sql_select.cc:5196:9
#12 0x55becfd419a2 in handle_select(THD, LEX, select_result*, unsigned long) /test/10.6_dbg_san/sql/sql_select.cc:573:10
#13 0x55becfc67ab5 in execute_sqlcom_select(THD, TABLE_LIST) /test/10.6_dbg_san/sql/sql_parse.cc:6422:12
#14 0x55becfc50119 in mysql_execute_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:4013:12
#15 0x55becfc1fb28 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.6_dbg_san/sql/sql_parse.cc:8209:18
#16 0x55becfc13db4 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1908:7
#17 0x55becfc2254d in do_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1421:17
#18 0x55bed02696ec in do_handle_one_connection(CONNECT*, bool) /test/10.6_dbg_san/sql/sql_connect.cc:1386:11
#19 0x55bed0268fab in handle_one_connection /test/10.6_dbg_san/sql/sql_connect.cc:1298:5
#20 0x55becf7293ac in asan_thread_start(void*) asan_interceptors.cpp.o
#21 0x145bc7c9ca93 in start_thread nptl/pthread_create.c:447:8
#22 0x145bc7d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17

Roel Van de Paar added a comment - 2025-03-24 03:48 Confirmed. Trace with error type report: export UBSAN_OPTIONS=suppressions=${HOME} /mariadb-qa/UBSAN .filter:print_stacktrace=1:report_error_type=1 CS 10.6.22 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 (Debug, UBASAN) Build 15/02/2025 /test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17: runtime error: applying non-zero offset 12 to null pointer #0 0x55bed03a6685 in Forward_lifo_buffer::have_space_for(unsigned long) /test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17 #1 0x55bed039c8f4 in DsMrr_impl::dsmrr_init(handler*, st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) /test/10.6_dbg_san/sql/multi_range_read.cc:1200:25 #2 0x55bed18e5c71 in ha_innobase::multi_range_read_init(st_range_seq_if*, void*, unsigned int, unsigned int, st_handler_buffer*) /test/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:20136:18 #3 0x55bed113a4fa in QUICK_RANGE_SELECT::reset() /test/10.6_dbg_san/sql/opt_range.cc:12841:16 #4 0x55bed1130c41 in read_keys_and_merge_scans(THD*, TABLE*, List<QUICK_RANGE_SELECT>, QUICK_RANGE_SELECT*, READ_RECORD*, bool, Bitmap<64u>*, Unique**) /test/10.6_dbg_san/sql/opt_range.cc:12395:39 #5 0x55bed1133ef9 in QUICK_INDEX_INTERSECT_SELECT::read_keys_and_merge() /test/10.6_dbg_san/sql/opt_range.cc:12539:11 #6 0x55becfdbefca in join_init_read_record(st_join_table*) /test/10.6_dbg_san/sql/sql_select.cc:23390:64 #7 0x55becfd3f2bc in sub_select(JOIN*, st_join_table*, bool) /test/10.6_dbg_san/sql/sql_select.cc:22388:12 #8 0x55becfdcb42d in do_select(JOIN*, Procedure*) /test/10.6_dbg_san/sql/sql_select.cc:21914:14 #9 0x55becfdc7cd9 in JOIN::exec_inner() /test/10.6_dbg_san/sql/sql_select.cc:4939:50 #10 0x55becfdc5623 in JOIN::exec() /test/10.6_dbg_san/sql/sql_select.cc:4717:3 #11 0x55becfd42f76 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.6_dbg_san/sql/sql_select.cc:5196:9 #12 0x55becfd419a2 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.6_dbg_san/sql/sql_select.cc:573:10 #13 0x55becfc67ab5 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.6_dbg_san/sql/sql_parse.cc:6422:12 #14 0x55becfc50119 in mysql_execute_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:4013:12 #15 0x55becfc1fb28 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.6_dbg_san/sql/sql_parse.cc:8209:18 #16 0x55becfc13db4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1908:7 #17 0x55becfc2254d in do_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1421:17 #18 0x55bed02696ec in do_handle_one_connection(CONNECT*, bool) /test/10.6_dbg_san/sql/sql_connect.cc:1386:11 #19 0x55bed0268fab in handle_one_connection /test/10.6_dbg_san/sql/sql_connect.cc:1298:5 #20 0x55becf7293ac in asan_thread_start(void*) asan_interceptors.cpp.o #21 0x145bc7c9ca93 in start_thread nptl/pthread_create.c:447:8 #22 0x145bc7d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/10.6_dbg_san/sql/sql_lifo_buffer.h:177:17

Roel Van de Paar added a comment - 2025-03-24 05:04

ES all versions affected also.

Roel Van de Paar added a comment - 2025-03-24 05:04 ES all versions affected also.

MariaDB Server

UBSAN: lifo buffer (optimizer) - runtime error: applying non-zero offset 12 to null pointer

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration