Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36467

UBSAN: _ma_unique_hash on NULL BLOB results in strings/ctype-uca-scanner_next.inl:84:23: runtime error: applying non-zero offset 1 to null pointer (main.type_blob)

Details

    Description

      the main.type_blob test is doing "select distinct t from t1" where t is NULL. Its a null row and attempting to do a hash on this.

      12.0 main - 22efc2c784e1b7199fb5804e6330168277ea7dce - main.type_blob test

      		 
      Thread 12 "one_connection" hit Breakpoint 2, 0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() ()
      		 
      (gdb) bt
      		 
      #0  0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() ()
      		 
      #1  0x00005555593604cb in handlePointerOverflowImpl(__ubsan::PointerOverflowData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
      		 
      #2  0x0000555559360044 in __ubsan_handle_pointer_overflow ()
      		 
      #3  0x000055555d8c66ad in my_uca_scanner_next_utf8mb4 (scanner=0x7bffde533920, param=0x7bffde533970) at /source/strings/ctype-uca-scanner_next.inl:84
      		 
      #4  0x000055555d881b81 in my_uca_hash_sort_utf8mb4 (cs=0x7e0ff61f9cb0, s=0x0, slen=0, nr1=0x7bffde4b38a0, nr2=0x7bffde4b38c0) at /source/strings/ctype-uca.inl:643
      		 
      #5  0x000055555bcb6e2a in my_ci_hash_sort (ci=0x7e0ff61f9cb0, key=0x0, len=0, nr1=0x7bffde4b38a0, nr2=0x7bffde4b38c0) at /source/include/m_ctype.h:1440
      		 
      #6  0x000055555bcb6b8e in _ma_unique_hash (def=0x7e0ff631c048, record=0x7ecff6619c40 "\376") at /source/storage/maria/ma_unique.c:149
      		 
      #7  0x000055555bfd7f1f in maria_write (info=0x7e8ff6406288, record=0x7ecff6619c40 "\376") at /source/storage/maria/ma_write.c:134
      		 
      #8  0x000055555bce5866 in ha_maria::write_row (this=0x7ecff66193e0, buf=0x7ecff6619c40 "\376") at /source/storage/maria/ha_maria.cc:1235
      		 
      #9  0x000055555998d2da in handler::ha_write_tmp_row (this=0x7ecff66193e0, buf=0x7ecff6619c40 "\376") at /source/sql/sql_class.h:8044
      		 
      #10 0x0000555559f5d792 in end_write (join=0x7ecff65b5ca8, join_tab=0x7ecff65b78d0, end_of_records=false) at /source/sql/sql_select.cc:25813
      		 
      #11 0x0000555559fa9f11 in AGGR_OP::put_record (this=0x7ecff65b87d0, end_of_records=false) at /source/sql/sql_select.cc:33247
      		 
      #12 0x000055555a00ecd5 in AGGR_OP::put_record (this=0x7ecff65b87d0) at /source/sql/sql_select.h:1191
      		 
      #13 0x0000555559e70915 in sub_select_postjoin_aggr (join=0x7ecff65b5ca8, join_tab=0x7ecff65b78d0, end_of_records=false) at /source/sql/sql_select.cc:23874
      		 
      #14 0x0000555559f655e9 in evaluate_join_record (join=0x7ecff65b5ca8, join_tab=0x7ecff65b7458, error=0) at /source/sql/sql_select.cc:24423
      		 
      #15 0x0000555559db9dd1 in sub_select (join=0x7ecff65b5ca8, join_tab=0x7ecff65b7458, end_of_records=false) at /source/sql/sql_select.cc:24227
      		 
      #16 0x0000555559e91c65 in do_select (join=0x7ecff65b5ca8, procedure=0x0) at /source/sql/sql_select.cc:23701
      		 
      #17 0x0000555559e8ccd3 in JOIN::exec_inner (this=0x7ecff65b5ca8) at /source/sql/sql_select.cc:5059
      		 
      #18 0x0000555559e87f8e in JOIN::exec (this=0x7ecff65b5ca8) at /source/sql/sql_select.cc:4842
      		 
      #19 0x0000555559dbd594 in mysql_select (thd=0x7eaff635a288, tables=0x7ecff65b4bd0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, 
          select_options=2164525825, result=0x7ecff65b5c78, unit=0x7eaff635e5b0, select_lex=0x7ecff65b4548) at /source/sql/sql_select.cc:5375
      		 
      #20 0x0000555559dbae84 in handle_select (thd=0x7eaff635a288, lex=0x7eaff635e4d0, result=0x7ecff65b5c78, setup_tables_done_option=0) at /source/sql/sql_select.cc:633
      		 
      #21 0x0000555559bf00b8 in execute_sqlcom_select (thd=0x7eaff635a288, all_tables=0x7ecff65b4bd0) at /source/sql/sql_parse.cc:6191
      		 
      #22 0x0000555559bbd8b4 in mysql_execute_command (thd=0x7eaff635a288, is_called_from_prepared_stmt=false) at /source/sql/sql_parse.cc:3979
      		 
      #23 0x0000555559b8e585 in mysql_parse (thd=0x7eaff635a288, rawbuf=0x7ecff65b44a8 "select distinct t from t1", length=25, parser_state=0x7bffdea297b0) at /source/sql/sql_parse.cc:7915
      		 
      #24 0x0000555559b7d076 in dispatch_command (command=COM_QUERY, thd=0x7eaff635a288, packet=0x7e8ff6320289 "", packet_length=25, blocking=true) at /source/sql/sql_parse.cc:1902
      		 
      #25 0x0000555559b93854 in do_command (thd=0x7eaff635a288, blocking=true) at /source/sql/sql_parse.cc:1415
      		 
      #26 0x000055555a5a4cb4 in do_handle_one_connection (connect=0x7d0ff6209248, put_in_cache=true) at /source/sql/sql_connect.cc:1415
      		 
      #27 0x000055555a5a3ff7 in handle_one_connection (arg=0x7d0ff6209248) at /source/sql/sql_connect.cc:1327
      		 
      #28 0x000055555931b5d7 in asan_thread_start(void*) ()
      		 
      #29 0x00007ffff742d1c4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      #30 0x00007ffff74ad85c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      (gdb) up
      		 
      #1  0x00005555593604cb in handlePointerOverflowImpl(__ubsan::PointerOverflowData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
      		 
      (gdb) up
      		 
      #2  0x0000555559360044 in __ubsan_handle_pointer_overflow ()
      		 
      (gdb) up
      		 
      #3  0x000055555d8c66ad in my_uca_scanner_next_utf8mb4 (scanner=0x7bffde533920, param=0x7bffde533970) at /source/strings/ctype-uca-scanner_next.inl:84
      		 
      84	    if (scanner->sbeg + 1 < scanner->send)
      		 
      (gdb) list
      		 
      79	    int mblen;
      		 
      80	    my_wc_t currwc= 0;
      		 
      81	    const uint16 *cweight;
      		 
      82	
      83	#if MY_UCA_ASCII_OPTIMIZE && !defined(SCANNER_NEXT_NCHARS)
      		 
      84	    if (scanner->sbeg + 1 < scanner->send)
      		 
      85	    {
      		 
      86	      const MY_UCA_2BYTES_ITEM *ww;
      		 
      87	      ww= my_uca_level_booster_2bytes_item_addr_const(param->level->booster,
      		 
      88	                                                      scanner->sbeg[0],
      		 
      (gdb) p scanner
      		 
      $1 = (my_uca_scanner *) 0x7bffde533920
      		 
      (gdb) p *scanner
      		 
      $2 = {wbeg = 0x55555e8999c0 <nochar>, sbeg = 0x0, send = 0x0, implicit = {16559, 22986}, page = 21845, code = 1506520939}
      		 
      (gdb)  up
      		 
      #4  0x000055555d881b81 in my_uca_hash_sort_utf8mb4 (cs=0x7e0ff61f9cb0, s=0x0, slen=0, nr1=0x7bffde4b38a0, nr2=0x7bffde4b38c0) at /source/strings/ctype-uca.inl:643
      		 
      643	  while ((s_res= MY_FUNCTION_NAME(scanner_next)(&scanner, &param)) >0)
      		 
      (gdb) info locals
      		 
      s_res = 32223
      		 
      scanner = {wbeg = 0x55555e8999c0 <nochar>, sbeg = 0x0, send = 0x0, implicit = {16559, 22986}, page = 21845, code = 1506520939}
      		 
      param = {level = 0x555562886a90 <my_uca1400_info_tailored+8944>, cs = 0x7e0ff61f9cb0}
      		 
      space_weight = 521
      		 
      m1 = 0
      		 
      m2 = 4
      		 
      (gdb) up
      		 
      #5  0x000055555bcb6e2a in my_ci_hash_sort (ci=0x7e0ff61f9cb0, key=0x0, len=0, nr1=0x7bffde4b38a0, nr2=0x7bffde4b38c0) at /source/include/m_ctype.h:1440
      		 
      1440	  (ci->coll->hash_sort)(ci, key, len, nr1, nr2);
      		 
      (gdb) up
      		 
      #6  0x000055555bcb6b8e in _ma_unique_hash (def=0x7e0ff631c048, record=0x7ecff6619c40 "\376") at /source/storage/maria/ma_unique.c:149
      		 
      149	      my_ci_hash_sort(keyseg->charset,
      		 
      (gdb) list
      		 
      144	    }
      		 
      145	    end= pos+length;
      		 
      146	    if (type == HA_KEYTYPE_TEXT || type == HA_KEYTYPE_VARTEXT1 ||
      		 
      147	        type == HA_KEYTYPE_VARTEXT2)
      		 
      148	    {
      		 
      149	      my_ci_hash_sort(keyseg->charset,
      		 
      150	                      (const uchar*) pos, length,
      		 
      151	                      &seed1, &seed2);
      		 
      152	      crc+= seed1;
      		 
      153	    }
      		 
      (gdb) info locals
      		 
      type = HA_KEYTYPE_VARTEXT2
      		 
      length = 0
      		 
      pos = 0x0
      		 
      end = 0x0
      		 
      crc = 0
      		 
      seed1 = 0
      		 
      seed2 = 4
      		 
      keyseg = 0x7e0ff631c0a8
      		 
      (gdb) p *keyseg
      		 
      $3 = {charset = 0x7e0ff61f9cb0, start = 1, null_pos = 0, bit_pos = 0, flag = 32, length = 0, language = 2304, type = 17 '\021', null_bit = 1 '\001', bit_start = 2 '\002', 
        bit_length = 0 '\000'}

      There seems to be an optimisation that can be done at _ma_unique_hash which avoid key=null, len=0 call on my_ci_hash_sort and all those calls down handle something.

      Attachments

        Issue Links

          is part of

          Task - A task that needs to be done. MDEV-25454 Make MariaDB server UBSAN safe

          • Major - Major loss of function.
          • Confirmed

          Task - A task that needs to be done. MDEV-36479 Passing null pointer to low level character set functions result in undefined behaviour

          • Major - Major loss of function.
          • Open
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDBF-741 Remove the gcc UBSAN builder to use the clang based UBSAN

          • Major - Major loss of function.
          • In Testing

          Activity

            danblack Daniel Black added a comment -

            Same behaviour in other tests like:

            main.ctype_utf16_uca

            		 
            #0  0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() ()
            		 
            #1  0x00005555593604cb in handlePointerOverflowImpl(__ubsan::PointerOverflowData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
            		 
            #2  0x0000555559360044 in __ubsan_handle_pointer_overflow ()
            		 
            #3  0x000055555d8dc29b in my_mb_wc_utf16_quick (pwc=0x7bffe6f658a0, s=0x0, e=0x0) at /source/strings/ctype-utf16.h:52
            		 
            #4  0x000055555d8db08d in my_uca_scanner_next_utf16 (scanner=0x7bffe71c4f20, param=0x7bffe71c4f70) at /source/strings/ctype-uca-scanner_next.inl:155
            		 
            #5  0x000055555d88a851 in my_uca_hash_sort_utf16 (cs=0x555560daa680 <my_charset_utf16_polish_uca_ci>, s=0x0, slen=0, nr1=0x7bffe7031520, nr2=0x7bffe7031540)
            		 
                at /source/strings/ctype-uca.inl:643
            		 
            #6  0x000055555bcb6e2a in my_ci_hash_sort (ci=0x555560daa680 <my_charset_utf16_polish_uca_ci>, key=0x0, len=0, nr1=0x7bffe7031520, nr2=0x7bffe7031540) at /source/include/m_ctype.h:1440
            		 
            #7  0x000055555bcb6b8e in _ma_unique_hash (def=0x7e0ff6409848, record=0x7ecff67a9ed0 "\001") at /source/storage/maria/ma_unique.c:149
            		 
            #8  0x000055555bfd7f1f in maria_write (info=0x7e8ff6451288, record=0x7ecff67a9ed0 "\001") at /source/storage/maria/ma_write.c:134
            		 
            #9  0x000055555bce5866 in ha_maria::write_row (this=0x7ecff67a9670, buf=0x7ecff67a9ed0 "\001") at /source/storage/maria/ha_maria.cc:1235
            		 
            #10 0x000055555998d2da in handler::ha_write_tmp_row (this=0x7ecff67a9670, buf=0x7ecff67a9ed0 "\001") at /source/sql/sql_class.h:8044
            		 
            #11 0x0000555559f592e3 in end_unique_update (join=0x7ecff6534050, join_tab=0x7ecff6535db0, end_of_records=false) at /source/sql/sql_select.cc:25970
            		 
            #12 0x0000555559fa9f11 in AGGR_OP::put_record (this=0x7ecff6536dd0, end_of_records=false) at /source/sql/sql_select.cc:33247
            		 
            #13 0x000055555a00ecd5 in AGGR_OP::put_record (this=0x7ecff6536dd0) at /source/sql/sql_select.h:1191
            		 
            #14 0x0000555559e70915 in sub_select_postjoin_aggr (join=0x7ecff6534050, join_tab=0x7ecff6535db0, end_of_records=false) at /source/sql/sql_select.cc:23874
            		 
            #15 0x0000555559f655e9 in evaluate_join_record (join=0x7ecff6534050, join_tab=0x7ecff6535938, error=0) at /source/sql/sql_select.cc:24423
            		 
            #16 0x0000555559db8dbd in sub_select (join=0x7ecff6534050, join_tab=0x7ecff6535938, end_of_records=false) at /source/sql/sql_select.cc:24190
            		 
            #17 0x0000555559e91c65 in do_select (join=0x7ecff6534050, procedure=0x0) at /source/sql/sql_select.cc:23701
            		 
            #18 0x0000555559e8ccd3 in JOIN::exec_inner (this=0x7ecff6534050) at /source/sql/sql_select.cc:5059
            		 
            #19 0x0000555559e87f8e in JOIN::exec (this=0x7ecff6534050) at /source/sql/sql_select.cc:4842
            		 
            #20 0x0000555559dbd594 in mysql_select (thd=0x7eaff625e288, tables=0x7ecff6532de0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7ecff6533660, having=0x0, proc_param=0x0, 
                select_options=2164525824, result=0x7ecff6534020, unit=0x7eaff62625b0, select_lex=0x7ecff6532560) at /source/sql/sql_select.cc:5375
            		 
            #21 0x0000555559dbae84 in handle_select (thd=0x7eaff625e288, lex=0x7eaff62624d0, result=0x7ecff6534020, setup_tables_done_option=0) at /source/sql/sql_select.cc:633
            		 
            #22 0x0000555559bf00b8 in execute_sqlcom_select (thd=0x7eaff625e288, all_tables=0x7ecff6532de0) at /source/sql/sql_parse.cc:6191
            		 
            #23 0x0000555559bbd8b4 in mysql_execute_command (thd=0x7eaff625e288, is_called_from_prepared_stmt=false) at /source/sql/sql_parse.cc:3979
            		 
            #24 0x0000555559b8e585 in mysql_parse (thd=0x7eaff625e288, rawbuf=0x7ecff65324a8 "SELECT COUNT(*), c1 FROM t1 GROUP BY c1", length=39, parser_state=0x7bffe76df7b0)
            		 
                at /source/sql/sql_parse.cc:7915
            		 
            #25 0x0000555559b7d076 in dispatch_command (command=COM_QUERY, thd=0x7eaff625e288, packet=0x7e8ff630c289 "", packet_length=39, blocking=true) at /source/sql/sql_parse.cc:1902
            		 
            #26 0x0000555559b93854 in do_command (thd=0x7eaff625e288, blocking=true) at /source/sql/sql_parse.cc:1415
            		 
            #27 0x000055555a5a4cb4 in do_handle_one_connection (connect=0x7d0ff61ff888, put_in_cache=true) at /source/sql/sql_connect.cc:1415
            		 
            #28 0x000055555a5a3ff7 in handle_one_connection (arg=0x7d0ff61ff888) at /source/sql/sql_connect.cc:1327
            		 
            #29 0x000055555931b5d7 in asan_thread_start(void*) ()
            		 
            #30 0x00007ffff742d1c4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
            		 
            #31 0x00007ffff74ad85c in ?? () from /lib/x86_64-linux-gnu/libc.so.6

            danblack Daniel Black added a comment - Same behaviour in other tests like: main.ctype_utf16_uca #0 0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() () #1 0x00005555593604cb in handlePointerOverflowImpl(__ubsan::PointerOverflowData*, unsigned long, unsigned long, __ubsan::ReportOptions) () #2 0x0000555559360044 in __ubsan_handle_pointer_overflow () #3 0x000055555d8dc29b in my_mb_wc_utf16_quick (pwc=0x7bffe6f658a0, s=0x0, e=0x0) at /source/strings/ctype-utf16.h:52 #4 0x000055555d8db08d in my_uca_scanner_next_utf16 (scanner=0x7bffe71c4f20, param=0x7bffe71c4f70) at /source/strings/ctype-uca-scanner_next.inl:155 #5 0x000055555d88a851 in my_uca_hash_sort_utf16 (cs=0x555560daa680 <my_charset_utf16_polish_uca_ci>, s=0x0, slen=0, nr1=0x7bffe7031520, nr2=0x7bffe7031540) at /source/strings/ctype-uca.inl:643 #6 0x000055555bcb6e2a in my_ci_hash_sort (ci=0x555560daa680 <my_charset_utf16_polish_uca_ci>, key=0x0, len=0, nr1=0x7bffe7031520, nr2=0x7bffe7031540) at /source/include/m_ctype.h:1440 #7 0x000055555bcb6b8e in _ma_unique_hash (def=0x7e0ff6409848, record=0x7ecff67a9ed0 "\001") at /source/storage/maria/ma_unique.c:149 #8 0x000055555bfd7f1f in maria_write (info=0x7e8ff6451288, record=0x7ecff67a9ed0 "\001") at /source/storage/maria/ma_write.c:134 #9 0x000055555bce5866 in ha_maria::write_row (this=0x7ecff67a9670, buf=0x7ecff67a9ed0 "\001") at /source/storage/maria/ha_maria.cc:1235 #10 0x000055555998d2da in handler::ha_write_tmp_row (this=0x7ecff67a9670, buf=0x7ecff67a9ed0 "\001") at /source/sql/sql_class.h:8044 #11 0x0000555559f592e3 in end_unique_update (join=0x7ecff6534050, join_tab=0x7ecff6535db0, end_of_records=false) at /source/sql/sql_select.cc:25970 #12 0x0000555559fa9f11 in AGGR_OP::put_record (this=0x7ecff6536dd0, end_of_records=false) at /source/sql/sql_select.cc:33247 #13 0x000055555a00ecd5 in AGGR_OP::put_record (this=0x7ecff6536dd0) at /source/sql/sql_select.h:1191 #14 0x0000555559e70915 in sub_select_postjoin_aggr (join=0x7ecff6534050, join_tab=0x7ecff6535db0, end_of_records=false) at /source/sql/sql_select.cc:23874 #15 0x0000555559f655e9 in evaluate_join_record (join=0x7ecff6534050, join_tab=0x7ecff6535938, error=0) at /source/sql/sql_select.cc:24423 #16 0x0000555559db8dbd in sub_select (join=0x7ecff6534050, join_tab=0x7ecff6535938, end_of_records=false) at /source/sql/sql_select.cc:24190 #17 0x0000555559e91c65 in do_select (join=0x7ecff6534050, procedure=0x0) at /source/sql/sql_select.cc:23701 #18 0x0000555559e8ccd3 in JOIN::exec_inner (this=0x7ecff6534050) at /source/sql/sql_select.cc:5059 #19 0x0000555559e87f8e in JOIN::exec (this=0x7ecff6534050) at /source/sql/sql_select.cc:4842 #20 0x0000555559dbd594 in mysql_select (thd=0x7eaff625e288, tables=0x7ecff6532de0, fields=..., conds=0x0, og_num=1, order=0x0, group=0x7ecff6533660, having=0x0, proc_param=0x0, select_options=2164525824, result=0x7ecff6534020, unit=0x7eaff62625b0, select_lex=0x7ecff6532560) at /source/sql/sql_select.cc:5375 #21 0x0000555559dbae84 in handle_select (thd=0x7eaff625e288, lex=0x7eaff62624d0, result=0x7ecff6534020, setup_tables_done_option=0) at /source/sql/sql_select.cc:633 #22 0x0000555559bf00b8 in execute_sqlcom_select (thd=0x7eaff625e288, all_tables=0x7ecff6532de0) at /source/sql/sql_parse.cc:6191 #23 0x0000555559bbd8b4 in mysql_execute_command (thd=0x7eaff625e288, is_called_from_prepared_stmt=false) at /source/sql/sql_parse.cc:3979 #24 0x0000555559b8e585 in mysql_parse (thd=0x7eaff625e288, rawbuf=0x7ecff65324a8 "SELECT COUNT(*), c1 FROM t1 GROUP BY c1", length=39, parser_state=0x7bffe76df7b0) at /source/sql/sql_parse.cc:7915 #25 0x0000555559b7d076 in dispatch_command (command=COM_QUERY, thd=0x7eaff625e288, packet=0x7e8ff630c289 "", packet_length=39, blocking=true) at /source/sql/sql_parse.cc:1902 #26 0x0000555559b93854 in do_command (thd=0x7eaff625e288, blocking=true) at /source/sql/sql_parse.cc:1415 #27 0x000055555a5a4cb4 in do_handle_one_connection (connect=0x7d0ff61ff888, put_in_cache=true) at /source/sql/sql_connect.cc:1415 #28 0x000055555a5a3ff7 in handle_one_connection (arg=0x7d0ff61ff888) at /source/sql/sql_connect.cc:1327 #29 0x000055555931b5d7 in asan_thread_start(void*) () #30 0x00007ffff742d1c4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #31 0x00007ffff74ad85c in ?? () from /lib/x86_64-linux-gnu/libc.so.6

            People

              monty Michael Widenius
              danblack Daniel Black
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.