MariaDB Server: MDEV-37698

ASAN: global-buffer-overflow in my_charlen_utf8mb3 on spider_ping_table


Details

    Description

      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      SET NAMES utf8,collation_connection=utf16le_bin;
      SELECT spider_ping_table ('./aaa_bbb / ccc',0,0,1,'',5,3,1,0,1);
      

      Leads to:

      CS 12.1.2 033471a367b4c60b7262e64f43f46b02e95b9d74 (Debug, UBASAN, Clang 21.1.0-20250811) Build 22/08/2025

      ==3886547==ERROR: AddressSanitizer: global-buffer-overflow on address 0x753b57cdbf41 at pc 0x5dfadad457e6 bp 0x753b5a0ff8c0 sp 0x753b5a0ff8b8
      READ of size 1 at 0x753b57cdbf41 thread T12
          #0 0x5dfadad457e5 in my_charlen_utf8mb3 /test/12.1_dbg_san/strings/ctype-utf8.c:669:6
          #1 0x5dfadad457e5 in my_well_formed_char_length_utf8mb3 /test/12.1_dbg_san/strings/ctype-mb.inl:187:17
          #2 0x5dfadac87bcf in my_ci_well_formed_char_length /test/12.1_dbg_san/include/m_ctype.h:1395:10
          #3 0x5dfadac87bcf in my_copy_fix_mb /test/12.1_dbg_san/strings/ctype-mb.c:339:23
          #4 0x5dfad8eb5a30 in charset_info_st::copy_fix(char*, unsigned long, char const*, unsigned long, unsigned long, MY_STRCOPY_STATUS*) const /test/12.1_dbg_san/include/m_ctype.h:1062:12
          #5 0x5dfad8eb5a30 in String_copier::well_formed_copy(charset_info_st const*, char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long) /test/12.1_dbg_san/sql/sql_string.cc:1132:26
          #6 0x5dfad7bfe59f in Field_longstr::well_formed_copy_with_check(char*, unsigned long, charset_info_st const*, char const*, unsigned long, unsigned long, bool, unsigned int*) /test/12.1_dbg_san/sql/field.h:2354:26
          #7 0x5dfad7bbf704 in Field_string::store(char const*, unsigned long, charset_info_st const*) /test/12.1_dbg_san/sql/field.cc:7530:7
          #8 0x753b58084eb2 in spider_get_ping_table_tgt(THD*, char*, unsigned int, int, char*, unsigned int, unsigned int, spider_string*, bool, int*) /test/12.1_dbg_san/storage/spider/spd_ping_table.cc:531:3
          #9 0x753b58082914 in spider_get_ping_table_mon_list(st_spider_transaction*, THD*, spider_string*, unsigned int, int, char*, unsigned int, unsigned int, bool, int*) /test/12.1_dbg_san/storage/spider/spd_ping_table.cc:150:28
          #10 0x753b5808cb04 in spider_ping_table_body(st_udf_init*, st_udf_args*, unsigned char*, unsigned char*) /test/12.1_dbg_san/storage/spider/spd_ping_table.cc:1200:26
          #11 0x5dfad7d636c3 in udf_handler::val_int(char*) /test/12.1_dbg_san/sql/sql_udf.h:104:18
          #12 0x5dfad7d373c5 in Item_func_udf_int::val_int() /test/12.1_dbg_san/sql/item_func.cc:3923:12
          #13 0x5dfad958b0fa in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/12.1_dbg_san/sql/sql_type.cc:7615:22
          #14 0x5dfad830fa08 in Protocol::send_result_set_row(List<Item>*) /test/12.1_dbg_san/sql/protocol.cc:1359:15
          #15 0x5dfad85c6448 in select_send::send_data(List<Item>&) /test/12.1_dbg_san/sql/sql_class.cc:3348:17
          #16 0x5dfad85c550b in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/12.1_dbg_san/sql/sql_class.cc:3246:11
          #17 0x5dfad8c30f47 in JOIN::exec_inner() /test/12.1_dbg_san/sql/sql_select.cc:4957:22
          #18 0x5dfad8c2f2f2 in JOIN::exec() /test/12.1_dbg_san/sql/sql_select.cc:4874:8
          #19 0x5dfad8b8c154 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/12.1_dbg_san/sql/sql_select.cc:5402:21
          #20 0x5dfad8b8a980 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/12.1_dbg_san/sql/sql_select.cc:634:10
          #21 0x5dfad8a3e253 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.1_dbg_san/sql/sql_parse.cc:6167:12
          #22 0x5dfad8a29033 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:3950:12
          #23 0x5dfad8a026d8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7883:18
          #24 0x5dfad89fbe9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1878:7
          #25 0x5dfad8a04b0a in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1417:17
          #26 0x5dfad920455c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
          #27 0x5dfad9204065 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
          #28 0x5dfad79c438a in asan_thread_start(void*) crtstuff.c
          #29 0x793c4789ca93 in start_thread nptl/pthread_create.c:447:8
          #30 0x793c47929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x753b57cdbf41 is located 31 bytes before global variable '.str.26' defined in '/test/12.1_dbg_san/storage/spider/spd_sys_table.cc:1367' (0x753b57cdbf60) of size 24
        '.str.26' is ascii string 'This xid already exists'
      0x753b57cdbf41 is located 0 bytes after global variable '.str.25' defined in '/test/12.1_dbg_san/storage/spider/spd_sys_table.cc:897' (0x753b57cdbf40) of size 1
        '.str.25' is ascii string ''
      SUMMARY: AddressSanitizer: global-buffer-overflow /test/12.1_dbg_san/strings/ctype-utf8.c:669:6 in my_charlen_utf8mb3
      Shadow bytes around the buggy address:
        0x753b57cdbc80: 00 02 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
        0x753b57cdbd00: 02 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
        0x753b57cdbd80: 01 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 00 00 01 f9
        0x753b57cdbe00: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 07 f9
        0x753b57cdbe80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
      =>0x753b57cdbf00: 03 f9 f9 f9 f9 f9 f9 f9[01]f9 f9 f9 00 00 00 f9
        0x753b57cdbf80: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 f9
        0x753b57cdc000: f9 f9 f9 f9 00 00 00 00 00 00 06 f9 f9 f9 f9 f9
        0x753b57cdc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 f9
        0x753b57cdc100: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 06 f9 f9
        0x753b57cdc180: f9 f9 f9 f9 00 00 00 00 00 00 00 02 f9 f9 f9 f9
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      Thread T12 created by T0 here:
          #0 0x5dfad79aaa85 in pthread_create (/test/UBASAN_MD220825-mariadb-12.1.2-linux-x86_64-dbg/bin/mariadbd+0x3b6ba85) (BuildId: c2d460c954959869129e3dab1935414adb4eb07a)
          #1 0x5dfad7a1e3dc in create_thread_to_handle_connection(CONNECT*) /test/12.1_dbg_san/sql/mysqld.cc:6272:19
          #2 0x5dfad7a1f465 in handle_connections_sockets() /test/12.1_dbg_san/sql/mysqld.cc:6508:9
          #3 0x5dfad7a1d9ea in run_main_loop() /test/12.1_dbg_san/sql/mysqld.cc:5750:3
          #4 0x5dfad7a1339e in mysqld_main(int, char**) /test/12.1_dbg_san/sql/mysqld.cc:6173:3
          #5 0x793c4782a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x793c4782a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x5dfad7921394 in _start (/test/UBASAN_MD220825-mariadb-12.1.2-linux-x86_64-dbg/bin/mariadbd+0x3ae2394) (BuildId: c2d460c954959869129e3dab1935414adb4eb07a)
       
      ==3886547==ABORTING
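      Added illustration of the bug class this ASAN report points at; it is not MariaDB's code and not the routine at strings/ctype-utf8.c:669. The sanitizer places the one-byte READ 0 bytes after a global of size 1 holding the ASCII string '', i.e. the character-length scanner touched memory just past the NUL of an empty literal. The C below shows a hypothetical utf8mb3 charlen routine that reads s[0] without bounding it by the buffer end, next to a hardened form in which every byte read is checked against e, plus a well-formed-length counter built on the checked version (the role a well_formed_char_length routine plays for a copy-with-check). Function names, status codes and the sample inputs are all constructed here.

```c
/* Constructed illustration, not MariaDB's code: a utf8mb3 character-length
 * scanner that reads a byte before checking that it lies inside [s, e), next
 * to a hardened form. The ASAN output in this report puts the bad read 0 bytes
 * after a one-byte global holding the empty literal '', i.e. the scanner
 * touched memory past the NUL of an empty string. Names and codes are
 * hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum { CL_ILSEQ = -1,      /* ill-formed sequence (hypothetical code) */
       CL_TOOSMALL = -2 }; /* buffer ends before the sequence does */

/* 'Before' picture: s[0] and the continuation bytes are read with no check
 * against e. For s == e this is a one-byte read past the object. */
int charlen_utf8mb3_unchecked(const unsigned char *s)
{
    unsigned char c = s[0];
    if (c < 0x80) return 1;
    if (c < 0xc2) return CL_ILSEQ;
    if (c < 0xe0) return ((s[1] ^ 0x80) < 0x40) ? 2 : CL_ILSEQ;
    if (c < 0xf0) return ((s[1] ^ 0x80) < 0x40 && (s[2] ^ 0x80) < 0x40 &&
                          (c != 0xe0 || s[1] >= 0xa0) &&
                          (c != 0xed || s[1] <  0xa0)) ? 3 : CL_ILSEQ;
    return CL_ILSEQ;                     /* 4-byte forms are not utf8mb3 */
}

/* Hardened form: every read is bounded by e, so an empty or truncated buffer
 * yields CL_TOOSMALL instead of an out-of-object read. */
int charlen_utf8mb3_checked(const unsigned char *s, const unsigned char *e)
{
    if (s >= e) return CL_TOOSMALL;      /* empty input: read nothing */
    unsigned char c = s[0];
    if (c < 0x80) return 1;
    if (c < 0xc2) return CL_ILSEQ;       /* stray continuation or overlong */
    if (c < 0xe0) {
        if (e - s < 2) return CL_TOOSMALL;
        return ((s[1] ^ 0x80) < 0x40) ? 2 : CL_ILSEQ;
    }
    if (c < 0xf0) {
        if (e - s < 3) return CL_TOOSMALL;
        return ((s[1] ^ 0x80) < 0x40 && (s[2] ^ 0x80) < 0x40 &&
                (c != 0xe0 || s[1] >= 0xa0) &&            /* reject overlong */
                (c != 0xed || s[1] <  0xa0)) ? 3 : CL_ILSEQ; /* no surrogates */
    }
    return CL_ILSEQ;
}

/* Count well-formed characters in [s, e), stopping at the first defect: the
 * role a well_formed_char_length routine plays for a copy-with-check, which
 * may only copy the prefix vetted here. */
size_t well_formed_char_length(const unsigned char *s, const unsigned char *e,
                               size_t nchars, int *status)
{
    size_t count = 0;
    *status = 0;
    while (count < nchars && s < e) {
        int len = charlen_utf8mb3_checked(s, e);
        if (len <= 0) { *status = len; break; }
        s += (size_t)len;
        count++;
    }
    return count;
}

/* Wrappers over an explicit-length buffer (used by main and the checks). */
int charlen_at(const char *buf, size_t len)
{
    const unsigned char *s = (const unsigned char *)buf;
    return charlen_utf8mb3_checked(s, s + len);
}
size_t scan_chars(const char *buf, size_t len)
{
    int st;
    const unsigned char *s = (const unsigned char *)buf;
    return well_formed_char_length(s, s + len, (size_t)-1, &st);
}
int scan_status(const char *buf, size_t len)
{
    int st;
    const unsigned char *s = (const unsigned char *)buf;
    well_formed_char_length(s, s + len, (size_t)-1, &st);
    return st;
}

int main(void)
{
    /* Constructed inputs: the empty literal from the ASAN output, ASCII, a
     * 2-byte char, a truncated 3-byte char and a UTF-16 surrogate. */
    struct { const char *name; const char *buf; size_t len; } cases[] = {
        { "empty literal",    "",             0 },
        { "ascii",            "abc",          3 },
        { "e-acute",          "\xc3\xa9",     2 },
        { "truncated euro",   "a\xe2\x82",    3 },
        { "utf-16 surrogate", "\xed\xa0\x80", 3 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-17s chars=%zu status=%d\n", cases[i].name,
               scan_chars(cases[i].buf, cases[i].len),
               scan_status(cases[i].buf, cases[i].len));
    return 0;
}
```

      Compiled with -fsanitize=address, the unchecked routine fed an empty buffer reports the same shape of finding as the trace above (a READ of size 1 landing right after the object), while the checked routine returns CL_TOOSMALL without touching memory; the difference between the two is the s < e test in front of each byte access.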
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  220825  1d84cb272f4bc223b4df05dae9b3669eb506b3bd  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  10.6   opt  220825  1d84cb272f4bc223b4df05dae9b3669eb506b3bd  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  10.11  dbg  220825  ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  10.11  opt  220825  ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  11.4   dbg  220825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  11.4   opt  220825  03b31c0bd99390c1984f19a19f22dd6e77b7692e  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  11.8   dbg  220825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  11.8   opt  220825  1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  12.1   dbg  220825  033471a367b4c60b7262e64f43f46b02e95b9d74  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  12.1   opt  220825  033471a367b4c60b7262e64f43f46b02e95b9d74  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  12.2   dbg  220825  e02f4d7e311e214ea62ff2e59599849e229f4165  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      CS  12.2   opt  220825  e02f4d7e311e214ea62ff2e59599849e229f4165  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  10.6   dbg  230825  9b794f34b48fb7eee490b6da44edc0f33a947447  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  10.6   opt  230825  9b794f34b48fb7eee490b6da44edc0f33a947447  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  11.4   dbg  220825  a1c03ccd54b582e75506687ee19b273ca897f261  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  11.4   opt  220825  a1c03ccd54b582e75506687ee19b273ca897f261  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  11.8   dbg  220825  4cdf75ab6ba37d4e7e208690785e880ed3176f2f  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      ES  11.8   opt  220825  4cdf75ab6ba37d4e7e208690785e880ed3176f2f  ASAN|global-buffer-overflow|strings/ctype-utf8.c|my_charlen_utf8mb3|my_well_formed_char_length_utf8mb3|my_ci_well_formed_char_length|my_copy_fix_mb
      

      Testcase is CLI and MTR compatible.

      People

        bar Alexander Barkov
        Roel Roel Van de Paar