Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Critical
-
Resolution: Unresolved
-
11.8, 12.1, 12.2
Description
CREATE TABLE t (c TEXT); |
INSERT INTO t VALUES (''),(''); |
SELECT LENGTH (GROUP_CONCAT(DISTINCT c)) FROM t; |
Leads to:
|
CS 12.1.2 033471a367b4c60b7262e64f43f46b02e95b9d74 (Debug, UBASAN, Clang 21.1.0-20250811) Build 22/08/2025 |
/test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23: runtime error: applying non-zero offset 1 to null pointer
|
#0 0x5a4d56e0142c in my_uca_scanner_next_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23
|
#1 0x5a4d56e0358a in my_uca_strnncollsp_onelevel_utf8mb4 /test/12.1_dbg_san/strings/ctype-uca.inl:234:12
|
#2 0x5a4d5407c34d in group_concat_key_cmp_with_distinct /test/12.1_dbg_san/sql/item_sum.cc:3620:21
|
#3 0x5a4d56cb749c in tree_insert /test/12.1_dbg_san/mysys/tree.c:249:9
|
#4 0x5a4d54085fb2 in Unique::unique_add(void*) /test/12.1_dbg_san/sql/uniques.h:66:5
|
#5 0x5a4d54085fb2 in Item_func_group_concat::add(bool) /test/12.1_dbg_san/sql/item_sum.cc:4240:20
|
#6 0x5a4d54df8a21 in Item_sum::aggregator_add() /test/12.1_dbg_san/sql/item_sum.h:569:47
|
#7 0x5a4d54df8a21 in update_sum_func(Item_sum**) /test/12.1_dbg_san/sql/sql_select.cc:30067:15
|
#8 0x5a4d54de647f in end_send_group(JOIN*, st_join_table*, bool) /test/12.1_dbg_san/sql/sql_select.cc:26068:7
|
#9 0x5a4d54dea353 in evaluate_join_record(JOIN*, st_join_table*, int) /test/12.1_dbg_san/sql/sql_select.cc:24699:11
|
#10 0x5a4d54c914ae in sub_select(JOIN*, st_join_table*, bool) /test/12.1_dbg_san/sql/sql_select.cc:24503:9
|
#11 0x5a4d54d3f028 in do_select(JOIN*, Procedure*) /test/12.1_dbg_san/sql/sql_select.cc:23977:14
|
#12 0x5a4d54d3c0cf in JOIN::exec_inner() /test/12.1_dbg_san/sql/sql_select.cc:5086:50
|
#13 0x5a4d54d392f2 in JOIN::exec() /test/12.1_dbg_san/sql/sql_select.cc:4874:8
|
#14 0x5a4d54c96154 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/12.1_dbg_san/sql/sql_select.cc:5402:21
|
#15 0x5a4d54c94980 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/12.1_dbg_san/sql/sql_select.cc:634:10
|
#16 0x5a4d54b48253 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/12.1_dbg_san/sql/sql_parse.cc:6167:12
|
#17 0x5a4d54b33033 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:3950:12
|
#18 0x5a4d54b0c6d8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7883:18
|
#19 0x5a4d54b05e9c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1878:7
|
#20 0x5a4d54b0eb0a in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1417:17
|
#21 0x5a4d5530e55c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
|
#22 0x5a4d5530e065 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
|
#23 0x5a4d53ace38a in asan_thread_start(void*) crtstuff.c
|
#24 0x75cc8689ca93 in start_thread nptl/pthread_create.c:447:8
|
#25 0x75cc86929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
 |
SUMMARY: UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset /test/12.1_dbg_san/strings/ctype-uca-scanner_next.inl:84:23
|
Setup:
Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
|
SAN Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.6 dbg 220825 1d84cb272f4bc223b4df05dae9b3669eb506b3bd No bug found
|
CS 10.6 opt 220825 1d84cb272f4bc223b4df05dae9b3669eb506b3bd No bug found
|
CS 10.11 dbg 220825 ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8 No bug found
|
CS 10.11 opt 220825 ba9e8ebdbe903aa6f8b4f388356085dfd2df91a8 No bug found
|
CS 11.4 dbg 220825 03b31c0bd99390c1984f19a19f22dd6e77b7692e No bug found
|
CS 11.4 opt 220825 03b31c0bd99390c1984f19a19f22dd6e77b7692e No bug found
|
CS 11.8 dbg 220825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
CS 11.8 opt 220825 1a446ccc48528e88a3cd6cd1d1ec9e7492d342ca UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
CS 12.1 dbg 220825 033471a367b4c60b7262e64f43f46b02e95b9d74 UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
CS 12.1 opt 220825 033471a367b4c60b7262e64f43f46b02e95b9d74 UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
CS 12.2 dbg 220825 e02f4d7e311e214ea62ff2e59599849e229f4165 UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
CS 12.2 opt 220825 e02f4d7e311e214ea62ff2e59599849e229f4165 UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
ES 10.6 dbg 230825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
|
ES 10.6 opt 230825 9b794f34b48fb7eee490b6da44edc0f33a947447 No bug found
|
ES 11.4 dbg 220825 a1c03ccd54b582e75506687ee19b273ca897f261 No bug found
|
ES 11.4 opt 220825 a1c03ccd54b582e75506687ee19b273ca897f261 No bug found
|
ES 11.8 dbg 220825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
ES 11.8 opt 220825 4cdf75ab6ba37d4e7e208690785e880ed3176f2f UBSAN|applying non-zero offset X to null pointer|strings/ctype-uca-scanner_next.inl|my_uca_scanner_next_utf8mb4|my_uca_strnncollsp_onelevel_utf8mb4|group_concat_key_cmp_with_distinct|tree_insert
|
Testcase is MTR and CLI compatible. InnoDB and MyISAM both affected.