MariaDB Server / MDEV-37203

UBSAN: applying zero offset to null pointer in strings/ctype-uca.inl | my_uca_strnncollsp_onelevel_utf8mb4 | handler::check_duplicate_long_entries_update


Details

    • Not for Release Notes

    Description

      CREATE TABLE t (a INT,b TEXT UNIQUE KEY);
      INSERT INTO t (a) VALUES (1);
      UPDATE t SET a=2;
      

      Leads to:

      CS 12.1.0 891108ed665cbcf882454caa16ec2565ed36e337 (Debug, UBASAN, Clang) Build 10/07/2025

      /test/12.1_dbg_san/strings/ctype-uca.inl:223:4: runtime error: applying zero offset to null pointer
          #0 0x556306de9894 in my_uca_strnncollsp_onelevel_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca.inl:223:4
          #1 0x5563053858a0 in handler::check_duplicate_long_entries_update(unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8020:39
          #2 0x55630538c2f0 in handler::ha_update_row(unsigned char const*, unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8316:12
          #3 0x55630497fea2 in Sql_cmd_update::update_single_table(THD*) /test/12.1_dbg_san/sql/sql_update.cc:1062:31
          #4 0x5563049ab04a in Sql_cmd_update::execute_inner(THD*) /test/12.1_dbg_san/sql/sql_update.cc:3216:10
          #5 0x55630473e4ca in Sql_cmd_dml::execute(THD*) /test/12.1_dbg_san/sql/sql_select.cc:34679:9
          #6 0x55630448aec7 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:4403:27
          #7 0x556304468988 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
          #8 0x55630445c8f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
          #9 0x55630446b3ad in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
          #10 0x556304b3c29c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #11 0x556304b3bb57 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #12 0x556303e3480c in asan_thread_start(void*) asan_interceptors.cpp.o
          #13 0x7f705249caa3 in start_thread nptl/pthread_create.c:447:8
          #14 0x7f7052529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/12.1_dbg_san/strings/ctype-uca.inl:223:4 
      

      CS 12.1.0 891108ed665cbcf882454caa16ec2565ed36e337 (Debug, UBASAN, Clang) Build 10/07/2025

      /test/12.1_dbg_san/strings/ctype-uca.inl:224:4: runtime error: applying zero offset to null pointer
          #0 0x556306de98c0 in my_uca_strnncollsp_onelevel_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca.inl:224:4
          #1 0x5563053858a0 in handler::check_duplicate_long_entries_update(unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8020:39
          #2 0x55630538c2f0 in handler::ha_update_row(unsigned char const*, unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8316:12
          #3 0x55630497fea2 in Sql_cmd_update::update_single_table(THD*) /test/12.1_dbg_san/sql/sql_update.cc:1062:31
          #4 0x5563049ab04a in Sql_cmd_update::execute_inner(THD*) /test/12.1_dbg_san/sql/sql_update.cc:3216:10
          #5 0x55630473e4ca in Sql_cmd_dml::execute(THD*) /test/12.1_dbg_san/sql/sql_select.cc:34679:9
          #6 0x55630448aec7 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:4403:27
          #7 0x556304468988 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
          #8 0x55630445c8f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
          #9 0x55630446b3ad in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
          #10 0x556304b3c29c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #11 0x556304b3bb57 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #12 0x556303e3480c in asan_thread_start(void*) asan_interceptors.cpp.o
          #13 0x7f705249caa3 in start_thread nptl/pthread_create.c:447:8
          #14 0x7f7052529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/12.1_dbg_san/strings/ctype-uca.inl:224:4 
      

      CS 12.1.0 891108ed665cbcf882454caa16ec2565ed36e337 (Debug, UBASAN, Clang) Build 10/07/2025

      /test/12.1_dbg_san/strings/ctype-uca.c:32014:22: runtime error: applying zero offset to null pointer
          #0 0x556306de98f3 in my_uca_scanner_init_any /test/12.1_dbg_san/strings/ctype-uca.c:32014:22
          #1 0x556306de98f3 in my_uca_strnncollsp_onelevel_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca.inl:229:3
          #2 0x5563053858a0 in handler::check_duplicate_long_entries_update(unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8020:39
          #3 0x55630538c2f0 in handler::ha_update_row(unsigned char const*, unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8316:12
          #4 0x55630497fea2 in Sql_cmd_update::update_single_table(THD*) /test/12.1_dbg_san/sql/sql_update.cc:1062:31
          #5 0x5563049ab04a in Sql_cmd_update::execute_inner(THD*) /test/12.1_dbg_san/sql/sql_update.cc:3216:10
          #6 0x55630473e4ca in Sql_cmd_dml::execute(THD*) /test/12.1_dbg_san/sql/sql_select.cc:34679:9
          #7 0x55630448aec7 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:4403:27
          #8 0x556304468988 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
          #9 0x55630445c8f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
          #10 0x55630446b3ad in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
          #11 0x556304b3c29c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #12 0x556304b3bb57 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #13 0x556303e3480c in asan_thread_start(void*) asan_interceptors.cpp.o
          #14 0x7f705249caa3 in start_thread nptl/pthread_create.c:447:8
          #15 0x7f7052529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-offset /test/12.1_dbg_san/strings/ctype-uca.c:32014:22 
      

      CS 12.1.0 891108ed665cbcf882454caa16ec2565ed36e337 (Debug, UBASAN, Clang) Build 10/07/2025

      /test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23: runtime error: applying non-zero offset 1 to null pointer
          #0 0x556306de7ca4 in my_uca_scanner_next_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23
          #1 0x556306de972b in my_uca_strnncollsp_onelevel_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca.inl:234:12
          #2 0x5563053858a0 in handler::check_duplicate_long_entries_update(unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8020:39
          #3 0x55630538c2f0 in handler::ha_update_row(unsigned char const*, unsigned char const*) /test/12.1_dbg_san/sql/handler.cc:8316:12
          #4 0x55630497fea2 in Sql_cmd_update::update_single_table(THD*) /test/12.1_dbg_san/sql/sql_update.cc:1062:31
          #5 0x5563049ab04a in Sql_cmd_update::execute_inner(THD*) /test/12.1_dbg_san/sql/sql_update.cc:3216:10
          #6 0x55630473e4ca in Sql_cmd_dml::execute(THD*) /test/12.1_dbg_san/sql/sql_select.cc:34679:9
          #7 0x55630448aec7 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:4403:27
          #8 0x556304468988 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
          #9 0x55630445c8f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
          #10 0x55630446b3ad in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
          #11 0x556304b3c29c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #12 0x556304b3bb57 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #13 0x556303e3480c in asan_thread_start(void*) asan_interceptors.cpp.o
          #14 0x7f705249caa3 in start_thread nptl/pthread_create.c:447:8
          #15 0x7f7052529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23 
      
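      What the four reports above have in common is the C rule that pointer arithmetic is only defined on a pointer into (or one past) a real object: a SQL NULL in the TEXT column reaches the collation compare as a NULL data pointer with length 0, and `str + 0` on that pointer is undefined even though no byte is read (C11 6.5.6). Clang's -fsanitize=undefined (the pointer-overflow check) reports exactly this as "applying zero offset to null pointer"; it matters beyond sanitizer noise because a compiler is entitled to infer from `p + n` that `p` is non-null and drop a later `p == NULL` test. The block below is an added illustration of that pattern and of the two places a guard can live, the comparison function and its caller; it is not MariaDB source. The names `col_val`, `cmp_unguarded`, `cmp_guarded` and `long_unique_is_duplicate` are hypothetical, and the rows are constructed to mirror the repro (a NULL value in the UNIQUE TEXT column before and after an UPDATE of another column).

```c
/* Added illustration (not MariaDB code) of the UB class reported above:
 * "applying zero offset to null pointer", and where to guard against it.
 * Build to see the report: cc -std=c11 -fsanitize=undefined -g nullptr_offset.c
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical shape of one column value as a duplicate check receives it:
 * data pointer, byte length, NULL flag.  For SQL NULL, ptr is NULL, len 0. */
struct col_val {
    const unsigned char *ptr;
    size_t len;
    bool is_null;
};

/* Unguarded comparison in the style of a strnncollsp(): derives end pointers
 * first.  a + a_len with a == NULL is undefined even for a_len == 0, and
 * UBSAN flags it exactly like the traces above.  Never pass NULL here. */
int cmp_unguarded(const unsigned char *a, size_t a_len,
                  const unsigned char *b, size_t b_len)
{
    const unsigned char *a_end = a + a_len;   /* UB if a == NULL */
    const unsigned char *b_end = b + b_len;   /* UB if b == NULL */
    while (a < a_end && b < b_end) {
        if (*a != *b)
            return *a < *b ? -1 : 1;
        a++;
        b++;
    }
    /* Remaining bytes decide; a real collation would also pad with spaces. */
    if (a < a_end) return 1;
    if (b < b_end) return -1;
    return 0;
}

/* Guarded form: settle every zero-length case before any arithmetic, so an
 * end pointer is only ever computed from a pointer to a real object. */
int cmp_guarded(const unsigned char *a, size_t a_len,
                const unsigned char *b, size_t b_len)
{
    if (a_len == 0 && b_len == 0)
        return 0;                           /* covers (NULL,0) vs (NULL,0) */
    if (a_len == 0) { assert(b != NULL); return -1; }
    if (b_len == 0) { assert(a != NULL); return 1; }
    assert(a != NULL && b != NULL);         /* both are real objects now */
    return cmp_unguarded(a, a_len, b, b_len);
}

/* Caller-side guard, modelled on what a duplicate check on UPDATE must decide:
 * does the new value of the UNIQUE column collide with the old one?  SQL NULL
 * is never a duplicate of anything for UNIQUE purposes, so a NULL on either
 * side is answered here and the collation is not consulted at all. */
bool long_unique_is_duplicate(const struct col_val *old_v,
                              const struct col_val *new_v)
{
    if (old_v->is_null || new_v->is_null)
        return false;
    return cmp_guarded(old_v->ptr, old_v->len, new_v->ptr, new_v->len) == 0;
}

/* Constructed sample standing in for the repro's row: b stays NULL. */
static const struct col_val NULL_TEXT = { NULL, 0, true };

int main(void)
{
    const unsigned char hello[] = "hello";
    struct col_val v_hello = { hello, 5, false };
    struct col_val v_empty = { (const unsigned char *)"", 0, false };

    printf("NULL vs NULL duplicate: %d\n",
           long_unique_is_duplicate(&NULL_TEXT, &NULL_TEXT));
    printf("''   vs ''   duplicate: %d\n",
           long_unique_is_duplicate(&v_empty, &v_empty));
    printf("'hello' vs 'hello'    : %d\n",
           long_unique_is_duplicate(&v_hello, &v_hello));
    /* Uncomment to reproduce the UBSAN "nullptr-with-offset" report:
     * cmp_unguarded(NULL, 0, NULL, 0);
     */
    return 0;
}
```

      Note that the guarded comparison alone would already silence the sanitizer, but the caller-side test is the one that matches SQL semantics: NULLs never collide in a UNIQUE key, so there is nothing for the collation to decide in that case.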

      Setup:

      Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed           
      CS  10.6   dbg  140725  3bcfc2ed0aed64882868b42885c6b55a98e7c505  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      CS  10.6   opt  140725  3bcfc2ed0aed64882868b42885c6b55a98e7c505  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      CS  10.11  dbg  170625  629b8d782cd20194cc1181451306321e44d2ae02  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      CS  10.11  opt  170625  629b8d782cd20194cc1181451306321e44d2ae02  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      CS  11.4   dbg  030725  ef9adb569ed9189cbe0fcc4aa75b897f0754c448  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      CS  11.4   opt  030725  ef9adb569ed9189cbe0fcc4aa75b897f0754c448  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      CS  12.0   dbg  140725  107291bf980822fcc3c02bd4e01ecbc4db7fd192  UBSAN|applying zero offset to null pointer|strings/ctype-uca.inl|my_uca_strnncollsp_onelevel_utf8mb4|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      CS  12.0   opt  140725  107291bf980822fcc3c02bd4e01ecbc4db7fd192  UBSAN|applying zero offset to null pointer|strings/ctype-uca.inl|my_uca_strnncollsp_onelevel_utf8mb4|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      CS  12.1   dbg  100725  891108ed665cbcf882454caa16ec2565ed36e337  UBSAN|applying zero offset to null pointer|strings/ctype-uca.inl|my_uca_strnncollsp_onelevel_utf8mb4|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      CS  12.1   opt  100725  891108ed665cbcf882454caa16ec2565ed36e337  UBSAN|applying zero offset to null pointer|strings/ctype-uca.inl|my_uca_strnncollsp_onelevel_utf8mb4|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      ES  10.6   opt  150525  6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      ES  11.4   dbg  150525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      ES  11.4   opt  150525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      

      Unique Ids

      UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|mysql_update
      UBSAN|applying zero offset to null pointer|strings/ctype-simple.c|my_strnncollsp_simple|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      UBSAN|applying zero offset to null pointer|strings/ctype-uca.inl|my_uca_strnncollsp_onelevel_utf8mb4|handler::check_duplicate_long_entries_update|handler::ha_update_row|Sql_cmd_update::update_single_table
      

          People

            serg Sergei Golubchik
            ramesh Ramesh Sivaraman