[MDEV-38466] SIGSEGV in is_supported_parser_charset on EXECUTE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.2, 12.3
Fix Version/s: 10.6, 10.11, 11.4, 11.8, 12.2
Component/s: Server, Stored routines
Labels:
- UBSAN
- null-pointer-use

Bug Category:
Can result in hang or crash

Description

PREPARE s FROM 'SET character_set_client=?';

EXECUTE s USING DEFAULT;

Leads to:

CS 12.2.0 fd15fd2765b53d0c070dd01d86fb231024b8f284 (Debug, Clang 21.1.3-20250923) Build 10/11/2025
Core was generated by `/test/MD101125-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000632faf181c6e in is_supported_parser_charset (cs=0x0)at /test/12.2_dbg/sql/sql_class.h:1180

[Current thread is 1 (LWP 3799340)]
(gdb) bt
#0 0x0000632faf181c6e in is_supported_parser_charset (cs=0x0)at /test/12.2_dbg/sql/sql_class.h:1180
#1 0x0000632faf17aebe in check_cs_client (self=0x632fb000f498 <Sys_character_set_client>, thd=0x781a90000d58, var=0x781a90025f90) at /test/12.2_dbg/sql/sys_vars.cc:921
#2 0x0000632faed7ee5a in sys_var::check (this=0x632fb000f498 <Sys_character_set_client>, thd=0x781a90000d58, var=0x781a90025f90) at /test/12.2_dbg/sql/set_var.cc:251
#3 0x0000632faed80a9e in set_var::check (this=0x781a90025f90, thd=0x781a90000d58) at /test/12.2_dbg/sql/set_var.cc:816
#4 0x0000632faed8077c in sql_set_variables (thd=0x781a90000d58, var_list=0x781a90024fc0, free=true) at /test/12.2_dbg/sql/set_var.cc:743
#5 0x0000632faef719e0 in mysql_execute_command (thd=0x781a90000d58, is_called_from_prepared_stmt=true) at /test/12.2_dbg/sql/sql_parse.cc:4858
#6 0x0000632faefb05ab in Prepared_statement::execute (this=0x781a90019278, expanded_query=0x781b800d0178, open_cursor=false)at /test/12.2_dbg/sql/sql_prepare.cc:5107
#7 0x0000632faeface0c in Prepared_statement::execute_loop (this=0x781a90019278, expanded_query=0x781b800d0178, open_cursor=false, packet=0x0, packet_end=0x0) at /test/12.2_dbg/sql/sql_prepare.cc:4471
#8 0x0000632faefac9eb in mysql_sql_stmt_execute (thd=0x781a90000d58)at /test/12.2_dbg/sql/sql_prepare.cc:3478
#9 0x0000632faef6de03 in mysql_execute_command (thd=0x781a90000d58, is_called_from_prepared_stmt=false) at /test/12.2_dbg/sql/sql_parse.cc:3967
#10 0x0000632faef66cf8 in mysql_parse (thd=0x781a90000d58, rawbuf=0x781a90019ee0 "EXECUTE s USING DEFAULT", length=23, parser_state=0x781b800d1a00) at /test/12.2_dbg/sql/sql_parse.cc:7888
#11 0x0000632faef644d9 in dispatch_command (command=COM_QUERY, thd=0x781a90000d58, packet=0x781a9000b239 "EXECUTE s USING DEFAULT", packet_length=23, blocking=true) at /test/12.2_dbg/sql/sql_parse.cc:1878
#12 0x0000632faef6777a in do_command (thd=0x781a90000d58, blocking=true)at /test/12.2_dbg/sql/sql_parse.cc:1417
#13 0x0000632faf15aafe in do_handle_one_connection (connect=0x632fb288d218, put_in_cache=true) at /test/12.2_dbg/sql/sql_connect.cc:1503
#14 0x0000632faf15a8e1 in handle_one_connection (arg=0x632fb27cc9f8)at /test/12.2_dbg/sql/sql_connect.cc:1415
#15 0x0000781b82a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#16 0x0000781b82b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 101125 759e3523e3d832b174cf0a612704da38b2557b40 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.6 opt 101125 759e3523e3d832b174cf0a612704da38b2557b40 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.11 dbg 101125 536cd151f0370216d9ba4c15f40c7037060972a5 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.11 opt 101125 536cd151f0370216d9ba4c15f40c7037060972a5 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.4 dbg 101125 a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.4 opt 101125 a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.8 dbg 101125 e0428264d0095472c015eb58c46be68ca1a320ee SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.8 opt 101125 e0428264d0095472c015eb58c46be68ca1a320ee SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.2 dbg 101125 fd15fd2765b53d0c070dd01d86fb231024b8f284 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.2 opt 101125 fd15fd2765b53d0c070dd01d86fb231024b8f284 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.3 dbg 091225 e85bc659188be021897e8578aec42becfbb58c27 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.3 opt 091225 e85bc659188be021897e8578aec42becfbb58c27 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 10.6 dbg 101125 f0d4d34fb0314b03fddb71fb9dbde372744a8c13 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 10.6 opt 101125 f0d4d34fb0314b03fddb71fb9dbde372744a8c13 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.4 dbg 101125 b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.4 opt 101125 b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.8 dbg 101125 db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.8 opt 101125 db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6 SIGSEGV\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
MS 5.5 dbg 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.5 opt 070123 bac287c315b1792e7ae33f91add6a60292f9bae8 No bug found
MS 5.6 dbg 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.6 opt 070123 dab95781a1244104d6b87020ac2fc4d190ba2946 No bug found
MS 5.7 dbg 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 5.7 opt 070525 f7680e98b6bbe3500399fbad465d08a6b75d7a5c No bug found
MS 8.0 dbg 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 8.0 opt 060224 49ef33f7edadef3ae04665e73d1babd40179a4f1 No bug found
MS 9.1 dbg 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found
MS 9.1 opt 211024 61a3a1d8ef15512396b4c2af46e922a19bf2b174 No bug found

UBSAN sees a null pointer use issue:

CS 12.2.0 fd15fd2765b53d0c070dd01d86fb231024b8f284 (Debug, UBASAN, Clang 21.1.3-20250923) Build 10/11/2025
/test/12.2_dbg_san/sql/sql_class.h:1180:10: runtime error: member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')
#0 0x5f923a8f80ea in is_supported_parser_charset(charset_info_st const*) /test/12.2_dbg_san/sql/sql_class.h:1180:10
#1 0x5f923a8f80ea in check_cs_client(sys_var, THD, set_var*) /test/12.2_dbg_san/sql/sys_vars.cc:921:8
#2 0x5f92399b13d5 in sys_var::check(THD, set_var) /test/12.2_dbg_san/sql/set_var.cc:251:7
#3 0x5f92399b5e26 in set_var::check(THD*) /test/12.2_dbg_san/sql/set_var.cc:816:15
#4 0x5f92399b53f9 in sql_set_variables(THD, List<set_var_base>, bool) /test/12.2_dbg_san/sql/set_var.cc:743:9
#5 0x5f923a09add5 in mysql_execute_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:4858:9
#6 0x5f923a1a2014 in Prepared_statement::execute(String*, bool) /test/12.2_dbg_san/sql/sql_prepare.cc:5107:14
#7 0x5f923a196ace in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /test/12.2_dbg_san/sql/sql_prepare.cc:4471:10
#8 0x5f923a195f9a in mysql_sql_stmt_execute(THD*) /test/12.2_dbg_san/sql/sql_prepare.cc:3478:16
#9 0x5f923a09bc35 in mysql_execute_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:3967:5
#10 0x5f923a07a1e8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/12.2_dbg_san/sql/sql_parse.cc:7888:18
#11 0x5f923a0739a3 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1878:7
#12 0x5f923a07c62a in do_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1417:17
#13 0x5f923a889b3c in do_handle_one_connection(CONNECT*, bool) /test/12.2_dbg_san/sql/sql_connect.cc:1503:11
#14 0x5f923a889645 in handle_one_connection /test/12.2_dbg_san/sql/sql_connect.cc:1415:5
#15 0x5f9238fd8b4a in asan_thread_start(void*) crtstuff.c
#16 0x7c7edb89ca93 in start_thread nptl/pthread_create.c:447:8
#17 0x7c7edb929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/12.2_dbg_san/sql/sql_class.h:1180:10

Setup:

Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 101125 759e3523e3d832b174cf0a612704da38b2557b40 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.6 opt 101125 759e3523e3d832b174cf0a612704da38b2557b40 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.11 dbg 101125 536cd151f0370216d9ba4c15f40c7037060972a5 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 10.11 opt 101125 536cd151f0370216d9ba4c15f40c7037060972a5 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.4 dbg 101125 a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.4 opt 101125 a1bb5c94fda453baa99e57e3927eaa7cd3c8bafe UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.8 dbg 101125 e0428264d0095472c015eb58c46be68ca1a320ee UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 11.8 opt 101125 e0428264d0095472c015eb58c46be68ca1a320ee UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.1 dbg 101125 ba00960fdaee67a4efff6866e31f446bf486a1c2 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.1 opt 101125 ba00960fdaee67a4efff6866e31f446bf486a1c2 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.2 dbg 101125 fd15fd2765b53d0c070dd01d86fb231024b8f284 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.2 opt 101125 fd15fd2765b53d0c070dd01d86fb231024b8f284 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.3 dbg 091225 e85bc659188be021897e8578aec42becfbb58c27 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
CS 12.3 opt 091225 e85bc659188be021897e8578aec42becfbb58c27 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 10.6 dbg 101125 f0d4d34fb0314b03fddb71fb9dbde372744a8c13 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 10.6 opt 101125 f0d4d34fb0314b03fddb71fb9dbde372744a8c13 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.4 dbg 101125 b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.4 opt 101125 b81ec4b57a5ddce88b8e2b2d16b64625ffdaa0e6 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.8 dbg 101125 db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check
ES 11.8 opt 101125 db36e8fb3bcdae26dd0acdcb2b52f7f4eb014df6 UBSAN\|member access within null pointer of type 'CHARSET_INFO' (aka 'const charset_info_st')\|sql/sql_class.h\|is_supported_parser_charset\|check_cs_client\|sys_var::check\|set_var::check

Testcase is CLI and MTR compatible.

Attachments

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2026-01-03 04:14

Updated:: 2026-01-03 04:20

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.