Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36353

MariaDB SEGV in Item_subselect::init when executing query

Details

    Description

      MariaDB crashes when executing the following statement: 

      drop database if exists test123;
      		 
      create database if not exists test123;
      		 
      use test123;
      		 
      DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * );

      Crash stack: 

      #0  0x0000000001bbe8bc in Item_subselect::init (this=0xffff7e8f2640, select_lex=0xffff7e8f17b8, result=0xffff7e8f2850)
      		 
          at /home/mariadb/mariadb-server/sql/item_subselect.cc:124
      		 
      #1  0x0000000001bccc44 in Item_in_subselect::Item_in_subselect (this=0xffff7e8f2640, thd=0xffff58e5b218, left_exp=<optimized out>,
      		 
          select_lex=0xffff7e8f17b8) at /home/mariadb/mariadb-server/sql/item_subselect.cc:1664
      		 
      #2  0x0000000001649b48 in MYSQLparse (thd=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_yacc.yy:9670
      		 
      #3  0x0000000000d575c0 in parse_sql (thd=0xffff58e5b218, parser_state=<optimized out>, creation_ctx=0x0, do_pfs_digest=true)
      		 
          at /home/mariadb/mariadb-server/sql/sql_parse.cc:10328
      		 
      #4  0x0000000000d1c8b8 in mysql_parse (thd=0xffff58e5b218,
      		 
          rawbuf=0xffff7e8f0438 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )",
      		 
          length=<optimized out>, parser_state=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:7867
      		 
      #5  0x0000000000d120f0 in dispatch_command (command=<optimized out>, thd=<optimized out>, packet=<optimized out>, packet_length=<optimized out>,
      		 
          blocking=<optimized out>) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1902
      		 
      #6  0x0000000000d1dbf4 in do_command (thd=0xffff58e5b218, blocking=true) at /home/mariadb/mariadb-server/sql/sql_parse.cc:1415
      		 
      #7  0x00000000012846f8 in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1415
      		 
      #8  0x00000000012841b4 in handle_one_connection (arg=0xffff84a34db8) at /home/mariadb/mariadb-server/sql/sql_connect.cc:1327
      		 
      #9  0x0000000002200c38 in pfs_spawn_thread (arg=0xffff7e405f18) at /home/mariadb/mariadb-server/storage/perfschema/pfs.cc:2198
      		 
      #10 0x0000ffff8a44d624 in start_thread (arg=0x883ac8 <asan_thread_start(void*)>) at pthread_create.c:477
      		 
      #11 0x0000ffff8a16f66c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78

      Attachments

        Issue Links

          is part of

          Task - A task that needs to be done. MDEV-25454 Make MariaDB server UBSAN safe

          • Major - Major loss of function.
          • Confirmed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-31292 Procedure call with boolean expression parameter using more than one exists function crash the server

          • Major - Major loss of function.
          • Confirmed

          Activity

            Ascending order - Click to sort in descending order
            Roel Roel Van de Paar added a comment -

            Thank you for the report! Confirmed.

            DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * );

            Leads to:

            CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025

            		 
            Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
            		 
            Program terminated with signal SIGSEGV, Segmentation fault.
            		 
            #0  0x000055c8a469615c in Item_subselect::init (this=0x15395801bd68, select_lex=0x15395801af28, result=0x15395801bf70)at /test/11.4_dbg/sql/item_subselect.cc:128
            		 
             
            		 
            [Current thread is 1 (LWP 128415)]
            		 
            (gdb) bt
            		 
            #0  0x000055c8a469615c in Item_subselect::init (this=0x15395801bd68, select_lex=0x15395801af28, result=0x15395801bf70)at /test/11.4_dbg/sql/item_subselect.cc:128
            		 
            #1  0x000055c8a469b4fb in Item_in_subselect::Item_in_subselect (this=0x15395801bd68, thd=0x153958000d58, left_exp=0x15395801aea8, select_lex=0x15395801af28) at /test/11.4_dbg/sql/item_subselect.cc:1669
            		 
            #2  0x000055c8a44a062b in MYSQLparse (thd=0x153958000d58)at /test/11.4_dbg/sql/sql_yacc.yy:9537
            		 
            #3  0x000055c8a416ae0b in parse_sql (thd=0x153958000d58, parser_state=0x1539b589ea30, creation_ctx=0x0, do_pfs_digest=true)at /test/11.4_dbg/sql/sql_parse.cc:10318
            		 
            #4  0x000055c8a4153633 in mysql_parse (thd=0x153958000d58, rawbuf=0x153958019c40 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", length=106, parser_state=0x1539b589ea30) at /test/11.4_dbg/sql/sql_parse.cc:7859
            		 
            #5  0x000055c8a4150c54 in dispatch_command (command=COM_QUERY, thd=0x153958000d58, packet=0x15395800afd9 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", packet_length=106, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904
            		 
            #6  0x000055c8a4154353 in do_command (thd=0x153958000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417
            		 
            #7  0x000055c8a43365a9 in do_handle_one_connection (connect=0x55c8a8c7ede8, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408
            		 
            #8  0x000055c8a4336342 in handle_one_connection (arg=0x55c8a8ce2898)at /test/11.4_dbg/sql/sql_connect.cc:1320
            		 
            #9  0x00001539bc09ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            		 
            #10 0x00001539bc129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

            Bug Detection Matrix

            		 
                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            ES  10.5   dbg  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  No bug found                  
            ES  10.5   opt  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  No bug found                  
            ES  10.6   dbg  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  No bug found                  
            ES  10.6   opt  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  No bug found                  
            ES  11.4   dbg  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            ES  11.4   opt  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.7    dbg  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  5.7    opt  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
            MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found

            Roel Roel Van de Paar added a comment - Thank you for the report! Confirmed. DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * ); Leads to: CS 11.4.6 ef966af801afc2a07222b5df65dddd52c77431dd (Debug) Build 15/02/2025 Core was generated by `/test/MD150225-mariadb-11.4.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055c8a469615c in Item_subselect::init (this=0x15395801bd68, select_lex=0x15395801af28, result=0x15395801bf70)at /test/11.4_dbg/sql/item_subselect.cc:128   [Current thread is 1 (LWP 128415)] (gdb) bt #0 0x000055c8a469615c in Item_subselect::init (this=0x15395801bd68, select_lex=0x15395801af28, result=0x15395801bf70)at /test/11.4_dbg/sql/item_subselect.cc:128 #1 0x000055c8a469b4fb in Item_in_subselect::Item_in_subselect (this=0x15395801bd68, thd=0x153958000d58, left_exp=0x15395801aea8, select_lex=0x15395801af28) at /test/11.4_dbg/sql/item_subselect.cc:1669 #2 0x000055c8a44a062b in MYSQLparse (thd=0x153958000d58)at /test/11.4_dbg/sql/sql_yacc.yy:9537 #3 0x000055c8a416ae0b in parse_sql (thd=0x153958000d58, parser_state=0x1539b589ea30, creation_ctx=0x0, do_pfs_digest=true)at /test/11.4_dbg/sql/sql_parse.cc:10318 #4 0x000055c8a4153633 in mysql_parse (thd=0x153958000d58, rawbuf=0x153958019c40 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", length=106, parser_state=0x1539b589ea30) at /test/11.4_dbg/sql/sql_parse.cc:7859 #5 0x000055c8a4150c54 in dispatch_command (command=COM_QUERY, thd=0x153958000d58, packet=0x15395800afd9 "DESC FOR CONNECTION + INTERVAL TRUE IN ( SELECT 'string' ) YEAR_MONTH + FALSE <=> TRUE NOT IN ( SELECT * )", packet_length=106, blocking=true) at /test/11.4_dbg/sql/sql_parse.cc:1904 #6 0x000055c8a4154353 in do_command (thd=0x153958000d58, blocking=true)at /test/11.4_dbg/sql/sql_parse.cc:1417 #7 0x000055c8a43365a9 in do_handle_one_connection (connect=0x55c8a8c7ede8, put_in_cache=true) at /test/11.4_dbg/sql/sql_connect.cc:1408 #8 0x000055c8a4336342 in handle_one_connection (arg=0x55c8a8ce2898)at /test/11.4_dbg/sql/sql_connect.cc:1320 #9 0x00001539bc09ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447 #10 0x00001539bc129c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql ES 10.5 dbg 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found ES 10.5 opt 130325 52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06 No bug found ES 10.6 dbg 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found ES 10.6 opt 130325 66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d No bug found ES 11.4 dbg 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql ES 11.4 opt 130325 ca7a2a835c4c982ffa35d3f0b5748b30c4c22763 SIGSEGV|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found MS 5.7 dbg 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 5.7 opt 060224 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
            Roel Roel Van de Paar added a comment - - edited

            UBSAN sees a null-pointer-use:

            CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized, UBASAN, Clang) Build 15/02/2025

            		 
            Version: '11.8.1-MariaDB'  socket: '/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/socket.sock'  port: 11254  MariaDB Server
            		 
            /test/11.8_opt_san/sql/item_subselect.cc:124:35: runtime error: member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')
            		 
                #0 0x55b940a8cc2b in Item_subselect::init(st_select_lex*, select_result_interceptor*) /test/11.8_opt_san/sql/item_subselect.cc:124:35
            		 
                #1 0x55b940aa58bb in Item_in_subselect::Item_in_subselect(THD*, Item*, st_select_lex*) /test/11.8_opt_san/sql/item_subselect.cc:1664:3
            		 
                #2 0x55b9403a3808 in MYSQLparse(THD*) /test/11.8_opt_san/sql/sql_yacc.yy:9783:45
            		 
                #3 0x55b93f8846af in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.8_opt_san/sql/sql_parse.cc:10327:46
            		 
                #4 0x55b93f835c6e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7867:15
            		 
                #5 0x55b93f82d8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7
            		 
                #6 0x55b93f8388c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17
            		 
                #7 0x55b93febef5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11
            		 
                #8 0x55b93febe7b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5
            		 
                #9 0x55b93f27a99c in asan_thread_start(void*) asan_interceptors.cpp.o
            		 
                #10 0x14f0d049ca93 in start_thread nptl/pthread_create.c:447:8
            		 
                #11 0x14f0d0529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            		 
             
            		 
            SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_opt_san/sql/item_subselect.cc:124:35

            SAN Bug Detection Matrix

            		 
                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found   
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  No bug found                  
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  No bug found                  
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            ES  10.5   dbg  140325  6553c62369ab3606efc74295c902181f793fd6d1  No bug found                  
            ES  10.5   opt  140325  6553c62369ab3606efc74295c902181f793fd6d1  No bug found                  
            ES  10.6   dbg  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  No bug found                  
            ES  10.6   opt  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  No bug found                  
            ES  11.4   dbg  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            		 
            ES  11.4   opt  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql

            Roel Roel Van de Paar added a comment - - edited UBSAN sees a null-pointer-use: CS 11.8.1 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d (Optimized, UBASAN, Clang) Build 15/02/2025 Version: '11.8.1-MariaDB' socket: '/test/UBASAN_MD150225-mariadb-11.8.1-linux-x86_64-opt/socket.sock' port: 11254 MariaDB Server /test/11.8_opt_san/sql/item_subselect.cc:124:35: runtime error: member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex') #0 0x55b940a8cc2b in Item_subselect::init(st_select_lex*, select_result_interceptor*) /test/11.8_opt_san/sql/item_subselect.cc:124:35 #1 0x55b940aa58bb in Item_in_subselect::Item_in_subselect(THD*, Item*, st_select_lex*) /test/11.8_opt_san/sql/item_subselect.cc:1664:3 #2 0x55b9403a3808 in MYSQLparse(THD*) /test/11.8_opt_san/sql/sql_yacc.yy:9783:45 #3 0x55b93f8846af in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.8_opt_san/sql/sql_parse.cc:10327:46 #4 0x55b93f835c6e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_opt_san/sql/sql_parse.cc:7867:15 #5 0x55b93f82d8c6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_opt_san/sql/sql_parse.cc:1902:7 #6 0x55b93f8388c6 in do_command(THD*, bool) /test/11.8_opt_san/sql/sql_parse.cc:1415:17 #7 0x55b93febef5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_opt_san/sql/sql_connect.cc:1415:11 #8 0x55b93febe7b6 in handle_one_connection /test/11.8_opt_san/sql/sql_connect.cc:1327:5 #9 0x55b93f27a99c in asan_thread_start(void*) asan_interceptors.cpp.o #10 0x14f0d049ca93 in start_thread nptl/pthread_create.c:447:8 #11 0x14f0d0529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78   SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.8_opt_san/sql/item_subselect.cc:124:35 SAN Bug Detection Matrix Rel o/d Build Commit UniqueID observed CS 10.5 dbg 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.5 opt 150225 c43d0a015f974c5a0142e6779332089a7a979853 No bug found CS 10.6 dbg 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.6 opt 150225 f1d7e0c17e33f77278e6226dd94aeb30fc856bf0 No bug found CS 10.11 dbg 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 10.11 opt 150225 43c5d1303f5c7c726db276815c459436110f342f UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.4 dbg 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.4 opt 150225 ef966af801afc2a07222b5df65dddd52c77431dd UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.8 dbg 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 11.8 opt 150225 33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 12.0 dbg 150225 c92add291e636c797e6d6ddca605905541b2a441 UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql CS 12.0 opt 150225 c92add291e636c797e6d6ddca605905541b2a441 UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql ES 10.5 dbg 140325 6553c62369ab3606efc74295c902181f793fd6d1 No bug found ES 10.5 opt 140325 6553c62369ab3606efc74295c902181f793fd6d1 No bug found ES 10.6 dbg 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 No bug found ES 10.6 opt 140325 a99e9e4101f5d56a379577e6d81c829b7658df99 No bug found ES 11.4 dbg 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql ES 11.4 opt 140325 26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_in_subselect::Item_in_subselect|MYSQLparse|parse_sql
            alice Alice Sherepa added a comment - 

            DESC FOR CONNECTION + INTERVAL 1 IN ( SELECT 'a') YEAR_MONTH + 1 IN ( SELECT 1);

            10.5,10.6- do not have DESC FOR CONNECTION, it was added in 10.9

            alice Alice Sherepa added a comment - DESC FOR CONNECTION + INTERVAL 1 IN ( SELECT 'a' ) YEAR_MONTH + 1 IN ( SELECT 1); 10.5,10.6- do not have DESC FOR CONNECTION, it was added in 10.9

            People

              psergei Sergei Petrunia
              luy70 Yu Liang
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.