
Server crashes when installing the Spider engine if mysql.func has a wrong structure, UBSAN runtime error: member call on null pointer of type 'Field'


Details

    • Can result in hang or crash

    Description

      CREATE OR REPLACE TABLE mysql.func (dummy INT);
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      

      Leads to:

      CS 12.2.0 e02f4d7e311e214ea62ff2e59599849e229f4165 (Debug, Clang) Build 13/08/2025

      Core was generated by `/test/MD130825-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00006196373265e9 in mysql_create_function (thd=0x71d90c0a3b88, udf=0x71d90c5ae6f8) at /test/12.1_dbg/sql/sql_udf.cc:628
       
      [Current thread is 1 (LWP 3897396)]
      (gdb) bt
      #0  0x00006196373265e9 in mysql_create_function (thd=0x71d90c0a3b88, udf=0x71d90c5ae6f8) at /test/12.1_dbg/sql/sql_udf.cc:628
      #1  0x00006196371db0de in mysql_execute_command (thd=0x71d90c0a3b88, is_called_from_prepared_stmt=false) at /test/12.1_dbg/sql/sql_parse.cc:5168
      #2  0x0000619637491a17 in sp_instr_stmt::exec_core (this=0x71d90c3f23c0, thd=0x71d90c0a3b88, nextp=0x71f7f81ff5c8)at /test/12.1_dbg/sql/sp_instr.cc:1268
      #3  0x000061963748ee66 in sp_lex_keeper::reset_lex_and_exec_core (this=0x71d90c3f2400, thd=0x71d90c0a3b88, nextp=0x71f7f81ff5c8, open_tables=false, instr=0x71d90c3f23c0, rerun_the_same_instr=false)at /test/12.1_dbg/sql/sp_instr.cc:418
      #4  0x000061963748f5ec in sp_lex_keeper::validate_lex_and_exec_core (this=0x71d90c3f2400, thd=0x71d90c0a3b88, nextp=0x71f7f81ff5c8, open_tables=false, instr=0x71d90c3f23c0)at /test/12.1_dbg/sql/sp_instr.cc:597
      #5  0x0000619637490c69 in sp_instr_stmt::execute (this=0x71d90c3f23c0, thd=0x71d90c0a3b88, nextp=0x71f7f81ff5c8)at /test/12.1_dbg/sql/sp_instr.cc:1170
      #6  0x00006196370acfac in sp_head::execute (this=0x71d90c3659d0, thd=0x71d90c0a3b88, merge_da_on_success=true)at /test/12.1_dbg/sql/sp_head.cc:1294
      #7  0x00006196370af93e in sp_head::execute_procedure (this=0x71d90c3659d0, thd=0x71d90c0a3b88, args=0x71d90c0a8f28)at /test/12.1_dbg/sql/sp_head.cc:2328
      #8  0x00006196371d2467 in do_execute_sp (thd=0x71d90c0a3b88, sp=0x71d90c3659d0)at /test/12.1_dbg/sql/sql_parse.cc:3056
      #9  0x00006196371dd20c in mysql_execute_command (thd=0x71d90c0a3b88, is_called_from_prepared_stmt=false) at /test/12.1_dbg/sql/sql_parse.cc:5589
      #10 0x0000619637218429 in execute_server_code (thd=0x71d90c0a3b88, sql_text=0x71f7f818a067 "if @win_plugin = 0 then  begin not atomic    declare exit handler for 1041, 1123      replace into mysql.func values        ('spider_direct_sql', 2, 'ha_spider.so', 'function'),        ('spider_bg_dir"..., sql_len=1844) at /test/12.1_dbg/sql/sql_prepare.cc:3875
      #11 0x00006196372219f5 in loc_advanced_command (mysql=0x71d90c0a3448, command=COM_QUERY, header=0x0, header_length=0, arg=0x71f7f818a067 "if @win_plugin = 0 then  begin not atomic    declare exit handler for 1041, 1123      replace into mysql.func values        ('spider_direct_sql', 2, 'ha_spider.so', 'function'),        ('spider_bg_dir"..., arg_length=1844, skip_check=1 '\001', stmt=0x0)at /test/12.1_dbg/sql/sql_prepare.cc:6141
      #12 0x00006196375bfed8 in server_mysql_send_query (mysql=0x71d90c0a3448, query=0x71f7f818a067 "if @win_plugin = 0 then  begin not atomic    declare exit handler for 1041, 1123      replace into mysql.func values        ('spider_direct_sql', 2, 'ha_spider.so', 'function'),        ('spider_bg_dir"..., length=1844) at /test/12.1_dbg/sql-common/client.c:3604
      #13 0x00006196375bff24 in server_mysql_real_query (mysql=0x71d90c0a3448, query=0x71f7f818a067 "if @win_plugin = 0 then  begin not atomic    declare exit handler for 1041, 1123      replace into mysql.func values        ('spider_direct_sql', 2, 'ha_spider.so', 'function'),        ('spider_bg_dir"..., length=1844) at /test/12.1_dbg/sql-common/client.c:3614
      #14 0x000071f7f810c17c in spider_init_system_tables ()at /test/12.1_dbg/storage/spider/spd_table.cc:6450
      #15 0x000071f7f810d88f in spider_after_ddl_recovery ()at /test/12.1_dbg/storage/spider/spd_table.cc:6481
      #16 0x000061963760c8dc in ha_initialize_handlerton (plugin_=0x619668243370)at /test/12.1_dbg/sql/handler.cc:822
      #17 0x0000619637206ef3 in plugin_do_initialize (plugin=0x619668243370, state=@0x71f7f82019d4: 4) at /test/12.1_dbg/sql/sql_plugin.cc:1455
      #18 0x000061963720691d in plugin_initialize (tmp_root=0x71d90c006e28, plugin=0x619668243370, argc=0x71f7f8201ac0, argv=0x71d90c084be8, options_only=false) at /test/12.1_dbg/sql/sql_plugin.cc:1509
      #19 0x000061963720974c in finalize_install (thd=0x71d90c000d58, table=0x71d90c070138, name=0x71d90c005f10, argc=0x71f7f8201ac0, argv=0x71d90c084be8) at /test/12.1_dbg/sql/sql_plugin.cc:2213
      #20 0x0000619637208c1a in mysql_install_plugin (thd=0x71d90c000d58, name=0x71d90c005f10, dl_arg=0x71d90c005f20)at /test/12.1_dbg/sql/sql_plugin.cc:2312
      #21 0x00006196371ddc0e in mysql_execute_command (thd=0x71d90c000d58, is_called_from_prepared_stmt=false) at /test/12.1_dbg/sql/sql_parse.cc:5760
      #22 0x00006196371cd664 in mysql_parse (thd=0x71d90c000d58, rawbuf=0x71d90c019e80 "INSTALL PLUGIN Spider SONAME 'ha_spider.so'", length=43, parser_state=0x71f7f8203a10)at /test/12.1_dbg/sql/sql_parse.cc:7883
      #23 0x00006196371caa38 in dispatch_command (command=COM_QUERY, thd=0x71d90c000d58, packet=0x71d90c00b1f9 "INSTALL PLUGIN Spider SONAME 'ha_spider.so'", packet_length=43, blocking=true) at /test/12.1_dbg/sql/sql_parse.cc:1878
      #24 0x00006196371ce213 in do_command (thd=0x71d90c000d58, blocking=true)at /test/12.1_dbg/sql/sql_parse.cc:1417
      #25 0x00006196373bb4b9 in do_handle_one_connection (connect=0x6196686849c8, put_in_cache=true) at /test/12.1_dbg/sql/sql_connect.cc:1414
      #26 0x00006196373bb25e in handle_one_connection (arg=0x6196685b03a8)at /test/12.1_dbg/sql/sql_connect.cc:1326
      #27 0x000071f7fa29caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #28 0x000071f7fa329c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  040825  317f099ca56130a14a45b7250996c207cc95d461  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  10.6   opt  040825  317f099ca56130a14a45b7250996c207cc95d461  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  10.11  dbg  130825  e46c9a01529687401b0f82b1427855535d38c0c0  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  10.11  opt  130825  e46c9a01529687401b0f82b1427855535d38c0c0  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  11.4   dbg  130825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  11.4   opt  130825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  11.8   dbg  130825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  11.8   opt  130825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  12.1   dbg  130825  033471a367b4c60b7262e64f43f46b02e95b9d74  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  12.1   opt  130825  033471a367b4c60b7262e64f43f46b02e95b9d74  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  12.2   dbg  130825  e02f4d7e311e214ea62ff2e59599849e229f4165  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      CS  12.2   opt  130825  e02f4d7e311e214ea62ff2e59599849e229f4165  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  10.5   dbg  040825  70586522eacf09d04d49962072e14325a75d8155  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  10.5   opt  040825  70586522eacf09d04d49962072e14325a75d8155  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  10.6   dbg  040825  9b794f34b48fb7eee490b6da44edc0f33a947447  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  10.6   opt  040825  9b794f34b48fb7eee490b6da44edc0f33a947447  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  11.4   dbg  040825  a1c03ccd54b582e75506687ee19b273ca897f261  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      ES  11.4   opt  040825  a1c03ccd54b582e75506687ee19b273ca897f261  SIGSEGV|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      

      UBSAN unique id

       opt: UBSAN|member call on null pointer of type 'Field'|sql/sql_udf.cc|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
       dbg: UBSAN|member call on null pointer of type 'Field'|sql/sql_udf.cc|mysql_create_function|mysql_execute_command|sp_instr_stmt::exec_core|sp_lex_keeper::reset_lex_and_exec_core
      

      /test/12.1_opt_san/sql/sql_udf.cc:628:20: runtime error: member call on null pointer of type 'Field'
          #0 0x5e06522070a5 in mysql_create_function(THD*, st_udf_func*) /test/12.1_opt_san/sql/sql_udf.cc:628:20
          #1 0x5e0651d8b198 in mysql_execute_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:5168:17
          #2 0x5e06526d2ca9 in sp_instr_stmt::exec_core(THD*, unsigned int*) /test/12.1_opt_san/sql/sp_instr.cc:1268:12
          #3 0x5e06526c5c16 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /test/12.1_opt_san/sql/sp_instr.cc:418:17
          #4 0x5e06526c8bcc in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /test/12.1_opt_san/sql/sp_instr.cc:597:14
          #5 0x5e06526d0351 in sp_instr_stmt::execute(THD*, unsigned int*) /test/12.1_opt_san/sql/sp_instr.cc:1170:25
          #6 0x5e06519b4d08 in sp_head::execute(THD*, bool) /test/12.1_opt_san/sql/sp_head.cc:1294:20
          #7 0x5e06519bf25f in sp_head::execute_procedure(THD*, List<Item>*) /test/12.1_opt_san/sql/sp_head.cc:2328:5
          #8 0x5e0651d7f9ee in do_execute_sp(THD*, sp_head*) /test/12.1_opt_san/sql/sql_parse.cc:3056:16
          #9 0x5e0651d8cfe0 in mysql_execute_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:5589:9
          #10 0x5e0651e574fb in execute_server_code(THD*, char const*, unsigned long) /test/12.1_opt_san/sql/sql_prepare.cc:3875:10
          #11 0x5e0651e86b9c in loc_advanced_command(st_mysql*, enum_server_command, unsigned char const*, unsigned long, unsigned char const*, unsigned long, char, st_mysql_stmt*) /test/12.1_opt_san/sql/sql_prepare.cc:6141:13
          #12 0x5e0652a8a783 in server_mysql_send_query /test/12.1_opt_san/sql-common/client.c:3604:3
          #13 0x5e0652a8a8e6 in server_mysql_real_query /test/12.1_opt_san/sql-common/client.c:3614:7
          #14 0x73520d995096 in spider_init_system_tables() /test/12.1_opt_san/storage/spider/spd_table.cc:6450:9
          #15 0x73520d997c80 in spider_after_ddl_recovery(handlerton*) /test/12.1_opt_san/storage/spider/spd_table.cc:6481:10
          #16 0x5e0652bb1d69 in ha_initialize_handlerton(void*) /test/12.1_opt_san/sql/handler.cc:822:10
          #17 0x5e0651e1aa69 in plugin_do_initialize(st_plugin_int*, unsigned int&) /test/12.1_opt_san/sql/sql_plugin.cc:1455:18
          #18 0x5e0651e1a04e in plugin_initialize(st_mem_root*, st_plugin_int*, int*, char**, bool) /test/12.1_opt_san/sql/sql_plugin.cc:1509:10
          #19 0x5e0651e227fa in finalize_install(THD*, TABLE*, st_mysql_const_lex_string const*, int*, char**) /test/12.1_opt_san/sql/sql_plugin.cc:2213:9
          #20 0x5e0651e208c6 in mysql_install_plugin(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /test/12.1_opt_san/sql/sql_plugin.cc:2312:12
          #21 0x5e0651d8a9a9 in mysql_execute_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:5760:17
          #22 0x5e0651d6a480 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_opt_san/sql/sql_parse.cc:7883:18
          #23 0x5e0651d617d6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_opt_san/sql/sql_parse.cc:1878:7
          #24 0x5e0651d6c746 in do_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:1417:17
          #25 0x5e06523fd94c in do_handle_one_connection(CONNECT*, bool) /test/12.1_opt_san/sql/sql_connect.cc:1414:11
          #26 0x5e06523fd1a6 in handle_one_connection /test/12.1_opt_san/sql/sql_connect.cc:1326:5
          #27 0x5e065179479c in asan_thread_start(void*) asan_interceptors.cpp.o
          #28 0x736ceaa9caa3 in start_thread nptl/pthread_create.c:447:8
          #29 0x736ceab29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/12.1_opt_san/sql/sql_udf.cc:628:20 
      250829 16:27:49 [ERROR] /test/UBASAN_MD130825-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd got signal 11 ;
      

          People

            ycp Yuchen Pei
            ramesh Ramesh Sivaraman

            Dates

              Created:
              Updated:
