Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
10.6, 10.11, 11.4
-
clang-20.1
-
Sprint 6 (24.03.2025)
Description
Undefined behaviour at the same location as MDEV-32758, but with a quite different cause.
main.mysql_client_test_comp w6 [ fail ] Found warnings/errors in server log file!
Test ended at 2025-04-03 03:27:53
line
/source/strings/ctype-ascii.h:110:27: runtime error: applying non-zero offset 4 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /source/strings/ctype-ascii.h:110:27
^ Found warnings in /build/mysql-test/var/6/log/mysqld.1.err
ok
Thread 7 "one_connection" hit Breakpoint 2, 0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0 0x000055555935b880 in __ubsan::ScopedReport::~ScopedReport() ()
#1 0x00005555593604cb in handlePointerOverflowImpl(__ubsan::PointerOverflowData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
#2 0x0000555559360044 in __ubsan_handle_pointer_overflow ()
#3 0x000055555d9357ce in my_strcoll_ascii_4bytes_found (a=0x55555ddc5b80 <str> "information_schema", ae=0x55555ddc5b92 <str+18> "", b=0x0, be=0x0) at /source/strings/ctype-ascii.h:110
#4 0x000055555d93e38e in my_strnncoll_utf8mb3_general1400_as_ci (cs=0x555560eed720 <my_charset_utf8mb3_general1400_as_ci>, a=0x55555ddc5b80 <str> "information_schema", a_length=18, b=0x0,
b_length=0, b_is_prefix=0 '\000') at /source/strings/strcoll.inl:238
#5 0x000055555959fd1b in charset_info_st::strnncoll (this=0x555560eed720 <my_charset_utf8mb3_general1400_as_ci>, a=..., b=..., b_is_prefix=0 '\000') at /source/include/m_ctype.h:1081
#6 0x000055555959f9da in charset_info_st::streq (this=0x555560eed720 <my_charset_utf8mb3_general1400_as_ci>, a=..., b=...) at /source/include/m_ctype.h:1073
#7 0x000055555959b272 in Lex_ident<Compare_ident_ci>::streq (this=0x55555f697740 <INFORMATION_SCHEMA_NAME>, rhs=...) at /source/sql/lex_ident.h:119
#8 0x00005555598505a2 in is_infoschema_db (name=0x7bffe5a52fa0) at /source/sql/table.h:3586
#9 0x0000555559ba5d6b in st_select_lex::add_table_to_list (this=0x7ecff7e3e438, thd=0x7eaff626c288, table=0x7ecff7e3ea60, alias=0x0, table_options=0, lock_type=TL_READ_DEFAULT,
mdl_type=MDL_SHARED_READ, index_hints_arg=0x0, partition_names=0x0, option=0x0) at /source/sql/sql_parse.cc:8114
#10 0x000055555acfe855 in MYSQLparse (thd=0x7eaff626c288) at /source/sql/sql_yacc.yy:12267
#11 0x0000555559c073c2 in parse_sql (thd=0x7eaff626c288, parser_state=0x7bffe5d15d30, creation_ctx=0x0, do_pfs_digest=false) at /source/sql/sql_parse.cc:10327
#12 0x0000555559cf119a in Prepared_statement::prepare (this=0x7d8ff6361b08,
packet=0x7bffd8904889 "explain with T as ( select * from t1 where t1.a=? limit 2 ) select * from T as TA, T as TB;", packet_len=93) at /source/sql/sql_prepare.cc:4153
#13 0x0000555559cedd8c in mysqld_stmt_prepare (thd=0x7eaff626c288, packet=0x7bffd8904889 "explain with T as ( select * from t1 where t1.a=? limit 2 ) select * from T as TA, T as TB;",
packet_length=93) at /source/sql/sql_prepare.cc:2574
#14 0x0000555559b7b7d3 in dispatch_command (command=COM_STMT_PREPARE, thd=0x7eaff626c288,
packet=0x7bffd8904889 "explain with T as ( select * from t1 where t1.a=? limit 2 ) select * from T as TA, T as TB;", packet_length=93, blocking=true) at /source/sql/sql_parse.cc:1848
#15 0x0000555559b93854 in do_command (thd=0x7eaff626c288, blocking=true) at /source/sql/sql_parse.cc:1415
#16 0x000055555a5a4c84 in do_handle_one_connection (connect=0x7d0ff61ffd88, put_in_cache=true) at /source/sql/sql_connect.cc:1415
#17 0x000055555a5a3fc7 in handle_one_connection (arg=0x7d0ff61ffd88) at /source/sql/sql_connect.cc:1327
#18 0x000055555931b5d7 in asan_thread_start(void*) ()
#19 0x00007ffff742d1c4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#20 0x00007ffff74ad85c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
The error is at this layer: there is no point in checking whether a null db is information_schema.
#9 0x0000555559ba5d6b in st_select_lex::add_table_to_list (this=0x7ecff7e3e438, thd=0x7eaff626c288, table=0x7ecff7e3ea60, alias=0x0, table_options=0, lock_type=TL_READ_DEFAULT,
mdl_type=MDL_SHARED_READ, index_hints_arg=0x0, partition_names=0x0, option=0x0) at /source/sql/sql_parse.cc:8114
8114 bool info_schema= is_infoschema_db(&db);
(gdb) p db
$6 = {<Lex_ident_fs> = {<Lex_ident<Compare_table_names>> = {<Lex_cstring> = {<st_mysql_const_lex_string> = {str = 0x0,
length = 0}, <No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}
--- a/sql/lex_ident.h
+++ b/sql/lex_ident.h
@@ -165,6 +165,7 @@ class Lex_ident_fs: public Lex_ident<Compare_table_names>
*/
class Lex_ident_db: public Lex_ident_fs
{
+public:
bool is_null() const
{
return length == 0 && str == NULL;
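Review bot: Moving `public:` above `is_null()` exposes two predicates that differ only in the `str` pointer, and neither carries a comment saying what that difference means to a caller; the companion hunk at `@@ -174,7 +175,6 @@` that drops the old `public:` is the other half of this move. From the visible bodies, `is_null()` is `length == 0 && str == NULL` and `is_empty()` is `length == 0 && str != NULL`, so a reader has to reconstruct that "no database given" and "an empty database name given" are meant as distinct states. I would add above `is_null()`: `/* No identifier at all (str == NULL); contrast is_empty(), an identifier that is the empty string. */` and a matching one-liner on `is_empty()`. As nothing visible in the class covers `length == 0` as a whole, a single `bool is_null_or_empty() const { return length == 0; }` would let callers that only need to avoid a zero-length comparison express that directly instead of enumerating both. The class body continues outside the hunk.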
@@ -174,7 +175,6 @@ class Lex_ident_db: public Lex_ident_fs
{
return length == 0 && str != NULL;
}
-public:
static bool check_name(const LEX_CSTRING &str);
static bool check_name_with_error(const LEX_CSTRING &str);
public:
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 787873c4d72..a1fa5b28ee9 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -8111,7 +8111,8 @@ TABLE_LIST *st_select_lex::add_table_to_list(THD *thd,
DBUG_RETURN(0);
else
fqtn= FALSE;
- bool info_schema= is_infoschema_db(&db);
+ bool info_schema= (db.is_null() || db.is_empty())
+ ? false : is_infoschema_db(&db);
if (!table->sel && info_schema &&
(table_options & TL_OPTION_UPDATING) &&
/* Special cases which are processed by commands itself */
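Review bot: The new guard on `info_schema` removes the null-pointer arithmetic only for this caller; `is_infoschema_db()` itself (frame #8, table.h:3586 in the backtrace) still hands `str = 0x0` straight through `streq` to `strnncoll`, so any other caller that passes an unset `db` reaches the same UBSan report, and the linked MDEV-36479 suggests further call sites are being found. Unless `is_infoschema_db()` is known to have no other callers, the check belongs inside it, with this site left as the plain `is_infoschema_db(&db)` it was before. As written, `db.is_null() || db.is_empty()` is exactly `db.length == 0` given the two bodies in the lex_ident.h hunks, so `bool info_schema= db.length != 0 && is_infoschema_db(&db);` states the same condition once and keeps the initializer on one line. add_table_to_list() starts and ends outside the hunk.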
This also occurs in other tests, such as main.json_equals, main.insert_returning, main.identifier and main.derived_view.
Issue Links
- is part of
-
MDEV-36479 Passing null pointer to low level character set functions result in undefined behaviour
-
- Open
-