MariaDB Server
MDEV-37254

UBSAN: applying non-zero offset X to null pointer in strings/ctype-mb.c | my_charpos_mb|charset_info_st::charpos | Field_blob::get_key_image_itRAW


Details

    Description

      The issue seems to be a 12.0 regression, and it was reproduced in commit 22efc2c784e1b7199fb5804e6330168277ea7dce, pushed out in the first week of April.

      --source include/have_innodb.inc
       
      CREATE TABLE t (a TEXT,KEY(a)) ENGINE=INNODB;
      INSERT INTO t VALUES(''); # Optional, fails either way
      SELECT * FROM t WHERE a='';
       
      # cleanup 
      DROP TABLE t;
      

      Leads to:

      CS 12.1.0 891108ed665cbcf882454caa16ec2565ed36e337 (Debug, UBASAN, Clang) Build 10/07/2025

      /test/12.1_dbg_san/strings/ctype-mb.c:261:32: runtime error: applying non-zero offset 2 to null pointer
          #0 0x64b478f5539a in my_charpos_mb /test/12.1_dbg_san/strings/ctype-mb.c:261:32
          #1 0x64b47746626f in charset_info_st::charpos(unsigned char const*, unsigned char const*, unsigned long) const /test/12.1_dbg_san/include/m_ctype.h:875:12
          #2 0x64b47746626f in Field_blob::get_key_image_itRAW(unsigned char const*, unsigned char*, unsigned int) const /test/12.1_dbg_san/sql/field.cc:9091:39
          #3 0x64b4760de6c1 in Field::make_key_image(st_mem_root*, KEY_PART const*) /test/12.1_dbg_san/sql/opt_range.cc:9495:3
          #4 0x64b4760df02f in Field::stored_field_make_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, scalar_comparison_op, Item*) /test/12.1_dbg_san/sql/opt_range.cc:9718:14
          #5 0x64b4760e0312 in Field_str::get_mm_leaf(RANGE_OPT_PARAM*, KEY_PART*, Item_bool_func const*, scalar_comparison_op, Item*) /test/12.1_dbg_san/sql/opt_range.cc:9630:3
          #6 0x64b4760cdcd3 in Item_bool_func::get_mm_parts(RANGE_OPT_PARAM*, Field*, Item_func::Functype, Item*) /test/12.1_dbg_san/sql/opt_range.cc:9334:20
          #7 0x64b4760d614a in Item_bool_func::get_full_func_mm_tree(RANGE_OPT_PARAM*, Item_field*, Item*) /test/12.1_dbg_san/sql/opt_range.cc:8724:12
          #8 0x64b47614225b in Item_bool_func2_with_rev::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/12.1_dbg_san/sql/item_cmpfunc.h:570:18
          #9 0x64b47609d273 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool, Item_func::Bitmap) /test/12.1_dbg_san/sql/opt_range.cc:2943:23
          #10 0x64b47690da40 in get_quick_record_count(THD*, SQL_SELECT*, TABLE*, Bitmap<64u> const*, unsigned long long, unsigned long long*) /test/12.1_dbg_san/sql/sql_select.cc:5445:20
          #11 0x64b4767e5971 in make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*) /test/12.1_dbg_san/sql/sql_select.cc:6179:15
          #12 0x64b4767d0d3b in JOIN::optimize_inner() /test/12.1_dbg_san/sql/sql_select.cc:2725:7
          #13 0x64b4767c0f12 in JOIN::optimize() /test/12.1_dbg_san/sql/sql_select.cc:2006:10
          #14 0x64b4767a21f8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/12.1_dbg_san/sql/sql_select.cc:5370:19
          #15 0x64b4767a1512 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/12.1_dbg_san/sql/sql_select.cc:634:10
          #16 0x64b476676427 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.1_dbg_san/sql/sql_parse.cc:6166:12
          #17 0x64b4766548de in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:3954:12
          #18 0x64b476632988 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
          #19 0x64b4766268f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
          #20 0x64b4766353ad in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
          #21 0x64b476d0629c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #22 0x64b476d05b57 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #23 0x64b475ffe80c in asan_thread_start(void*) asan_interceptors.cpp.o
          #24 0x79920149caa3 in start_thread nptl/pthread_create.c:447:8
          #25 0x799201529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/12.1_dbg_san/strings/ctype-mb.c:261:32 
      

      Setup:

      Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  140725  3bcfc2ed0aed64882868b42885c6b55a98e7c505  No bug found                  
      CS  10.6   opt  140725  3bcfc2ed0aed64882868b42885c6b55a98e7c505  No bug found                  
      CS  10.11  dbg  170625  629b8d782cd20194cc1181451306321e44d2ae02  No bug found                  
      CS  10.11  opt  170625  629b8d782cd20194cc1181451306321e44d2ae02  No bug found                  
      CS  11.4   dbg  030725  ef9adb569ed9189cbe0fcc4aa75b897f0754c448  No bug found                  
      CS  11.4   opt  030725  ef9adb569ed9189cbe0fcc4aa75b897f0754c448  No bug found            
      CS  11.8   opt  170725  311b4445c59caa36ed031f5499eae79d07b68c0c  No bug found
      CS  12.0   dbg  140725  107291bf980822fcc3c02bd4e01ecbc4db7fd192  UBSAN|applying non-zero offset X to null pointer|strings/ctype-mb.c|my_charpos_mb|charset_info_st::charpos|Field_blob::get_key_image_itRAW|Field::make_key_image
      CS  12.0   opt  140725  107291bf980822fcc3c02bd4e01ecbc4db7fd192  UBSAN|applying non-zero offset X to null pointer|strings/ctype-mb.c|my_charpos_mb|charset_info_st::charpos|Field_blob::get_key_image_itRAW|Field::make_key_image
      CS  12.1   dbg  100725  891108ed665cbcf882454caa16ec2565ed36e337  UBSAN|applying non-zero offset X to null pointer|strings/ctype-mb.c|my_charpos_mb|charset_info_st::charpos|Field_blob::get_key_image_itRAW|Field::make_key_image
      CS  12.1   opt  100725  891108ed665cbcf882454caa16ec2565ed36e337  UBSAN|applying non-zero offset X to null pointer|strings/ctype-mb.c|my_charpos_mb|charset_info_st::charpos|Field_blob::get_key_image_itRAW|Field::make_key_image
      CS  12.1   opt  160625  247e2f8d4dd4124356a337f6b903b176c6780440  UBSAN|applying non-zero offset X to null pointer|strings/ctype-mb.c|my_charpos_mb|charset_info_st::charpos|Field_blob::get_key_image_itRAW|Field::make_key_image
      ES  10.6   opt  150525  6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62  No bug found                  
      ES  11.4   dbg  150525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  No bug found                  
      ES  11.4   opt  150525  9cd12544ebfd0d52d2158af66b5aced58121cf1f  No bug found                  
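      The sanitizer finding above (a non-zero offset applied to a null pointer inside a charpos routine, reached from Field_blob::get_key_image_itRAW while the range optimizer builds a key image for an empty TEXT value) is the classic shape of pointer arithmetic on an empty buffer whose data pointer is NULL. The C program below is an added illustration and is not MariaDB's code: it models a charpos-style scanner over a toy 2-byte encoding, shows the pattern that trips UBSAN (forming `end + 2` when `end` is NULL, which is an assumption about the failing expression, since the page only shows the line number and the offset), and a guarded form that computes the same result with integer offsets and returns 0 bytes for an empty value before any pointer arithmetic happens. All names (toy_ismbchar, charpos_mb_unguarded, charpos_mb_guarded, key_prefix_bytes, blob_value) and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data (not from the report). */
static const unsigned char SAMPLE_ASCII[] = "abcdef";         /* 6 single-byte chars */
static const unsigned char SAMPLE_MB[]    = { 0xC3, 0xA9, 'x' }; /* one 2-byte char, then 'x' */

/* Toy encoding: a byte with the high bit set starts a 2-byte character,
 * but only if both bytes fit before `end`. Returns 2 or 0. */
static size_t toy_ismbchar(const unsigned char *pos, const unsigned char *end)
{
    if (pos < end && (*pos & 0x80) && (size_t)(end - pos) >= 2)
        return 2;
    return 0;
}

/* Model of the pattern the UBSAN message suggests (assumption, not the
 * real ctype-mb.c): walk `length` characters forward, and when the buffer
 * runs out signal "too short" with an offset derived from end + 2.
 * For an empty value passed as (NULL, NULL, n) the expression end + 2 is
 * pointer arithmetic on a null pointer: undefined behaviour, and exactly
 * what the nullptr-with-nonzero-offset check reports. A plain build
 * happily returns 2 here, which is why this survives until a SAN build. */
static size_t charpos_mb_unguarded(const unsigned char *pos,
                                   const unsigned char *end, size_t length)
{
    const unsigned char *start = pos;
    while (length && pos < end) {
        size_t mb = toy_ismbchar(pos, end);
        pos += mb ? mb : 1;
        length--;
    }
    return (size_t)(length ? end + 2 - start : pos - start); /* UB when end == NULL */
}

/* Guarded form: identical results on valid input, but the "too short"
 * sentinel is computed as an integer (avail + 2) and no pointer outside
 * [pos, end] is ever formed. (NULL, NULL) and (p, p) are both "empty". */
static size_t charpos_mb_guarded(const unsigned char *pos,
                                 const unsigned char *end, size_t length)
{
    size_t avail = (pos != NULL && end != NULL && end > pos) ? (size_t)(end - pos) : 0;
    size_t off = 0;
    while (length && off < avail) {
        size_t mb = toy_ismbchar(pos + off, end);   /* never reached when avail == 0 */
        off += mb ? mb : 1;
        length--;
    }
    return length ? avail + 2 : off;
}

/* Model of the caller: a blob value whose empty form is stored as (NULL, 0),
 * the shape that reaches charpos as (NULL, NULL, key_chars). */
struct blob_value { const unsigned char *data; size_t len; };

static const struct blob_value EMPTY_BLOB = { NULL, 0 };
static const struct blob_value ASCII_BLOB = { SAMPLE_ASCII, 6 };
static const struct blob_value MB_BLOB    = { SAMPLE_MB, 3 };

/* Bytes to copy into a key image that is `key_chars` characters wide.
 * The empty-value check comes first, so no pointer arithmetic happens
 * on a NULL data pointer; the sentinel from charpos is clamped. */
static size_t key_prefix_bytes(const struct blob_value *b, size_t key_chars)
{
    if (b->len == 0 || b->data == NULL)
        return 0;
    size_t n = charpos_mb_guarded(b->data, b->data + b->len, key_chars);
    return n > b->len ? b->len : n;
}

int main(void)
{
    printf("empty blob, key of 10 chars  -> %zu bytes\n", key_prefix_bytes(&EMPTY_BLOB, 10));
    printf("'abcdef', key of 3 chars     -> %zu bytes\n", key_prefix_bytes(&ASCII_BLOB, 3));
    printf("2-byte char + 'x', 2 chars   -> %zu bytes\n", key_prefix_bytes(&MB_BLOB, 2));
#ifdef DEMO_TRIGGER_UB
    /* Build with: cc -fsanitize=undefined -DDEMO_TRIGGER_UB demo.c && ./a.out
     * UBSAN then reports: applying non-zero offset 2 to null pointer. */
    printf("unguarded on (NULL, NULL, 1) -> %zu\n", charpos_mb_unguarded(NULL, NULL, 1));
#endif
    return 0;
}
```

      The point for a reviewer is that the unguarded and guarded scanners agree on every non-empty input, so the fix is purely a matter of never forming the out-of-range pointer; the regression class here is a caller that started handing an empty value down as a NULL pointer rather than a zero-length buffer. Without `-fsanitize=undefined` the null-plus-2 computation returns 2 and the query succeeds, which is why the 12.0/12.1 rows in the matrix above show the bug only under the sanitizer builds and why the optimizer is entitled to assume the null-offset path never executes.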
      

          People

            bar Alexander Barkov
            ramesh Ramesh Sivaraman
            Votes: 0
            Watchers: 2
