MariaDB Server: MDEV-38828

SIGSEGV and UBSAN null-pointer-use in Item_subselect::init on CREATE PROCEDURE


Details

    • Can result in hang or crash

    Description

      CREATE PROCEDURE proc (id INT) BEGIN DECLARE dt DATE DEFAULT ROW(1,2)=SOME (SELECT 1)=ALL (SELECT 1);
      

      Leads to the following crash. Note that the faulting frames sit inside the SQL parser (MYSQLparse, called from parse_sql), so the server dies while the statement text is being parsed, before the CREATE PROCEDURE statement itself is executed:

      CS 12.3.0 fa36b269f139252b81d4384fbed07b167855cabb (Debug, Clang 21.1.3-20250923) Build 05/02/2026

      Core was generated by `/test/MD050226-mariadb-12.3.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005ad47bf5c11e in Item_subselect::init (this=0x71170802b488, select_lex=0x71170802a750, result=0x711708025e48) at /test/12.3_dbg/sql/item_subselect.cc:124
       
      [Current thread is 1 (LWP 116976)]
      (gdb) bt
      #0  0x00005ad47bf5c11e in Item_subselect::init (this=0x71170802b488, select_lex=0x71170802a750, result=0x711708025e48) at /test/12.3_dbg/sql/item_subselect.cc:124
      #1  0x00005ad47bf60fbc in Item_allany_subselect::Item_allany_subselect (this=0x71170802b488, thd=0x711708000d58, left_exp=0x711708025ad0, fc=0x5ad47c044a20 <comp_eq_creator(bool)>, select_lex=0x71170802a750, all_arg=true) at /test/12.3_dbg/sql/item_subselect.cc:1724
      #2  0x00005ad47c044e1b in all_any_subquery_creator (thd=0x711708000d58, left_expr=0x711708025ad0, cmp=0x5ad47c044a20 <comp_eq_creator(bool)>, all=true, select_lex=0x71170802a750) at /test/12.3_dbg/sql/sql_parse.cc:9477
      #3  0x00005ad47bf91762 in MYSQLparse (thd=0x711708000d58) at /test/12.3_dbg/sql/sql_yacc.yy:9891
      #4  0x00005ad47c042a28 in parse_sql (thd=0x711708000d58, parser_state=0x711824146a00, creation_ctx=0x0, do_pfs_digest=true) at /test/12.3_dbg/sql/sql_parse.cc:10370
      #5  0x00005ad47c02d902 in mysql_parse (thd=0x711708000d58, rawbuf=0x71170801a068 "CREATE PROCEDURE proc (id INT) BEGIN DECLARE dt DATE DEFAULT ROW(1,2)=some (SELECT 1)=ALL (SELECT 1)", length=100, parser_state=0x711824146a00) at /test/12.3_dbg/sql/sql_parse.cc:7902
      #6  0x00005ad47c02b20e in dispatch_command (command=COM_QUERY, thd=0x711708000d58, packet=0x71170800b239 "CREATE PROCEDURE proc (id INT) BEGIN DECLARE dt DATE DEFAULT ROW(1,2)=some (SELECT 1)=ALL (SELECT 1)", packet_length=100, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1896
      #7  0x00005ad47c02e4da in do_command (thd=0x711708000d58, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1432
      #8  0x00005ad47c22642e in do_handle_one_connection (connect=0x5ad47e43bdd8, put_in_cache=true) at /test/12.3_dbg/sql/sql_connect.cc:1503
      #9  0x00005ad47c226211 in handle_one_connection (arg=0x5ad47e378598) at /test/12.3_dbg/sql/sql_connect.cc:1415
      #10 0x000071182d89ca94 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
      #11 0x000071182d929c3c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug Detection Matrix (CS: MariaDB Community Server, ES: MariaDB Enterprise Server, MS: MySQL Server; o/d: optimized or debug build; Build: build date as DDMMYY)

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.6   opt  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.11  dbg  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.11  opt  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.4   dbg  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.4   opt  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.8   dbg  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.8   opt  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.2   dbg  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.2   opt  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.3   dbg  050226  fa36b269f139252b81d4384fbed07b167855cabb  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.3   opt  050226  fa36b269f139252b81d4384fbed07b167855cabb  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  10.6   dbg  230126  0fe345fff3a0463224ca714831303d40fb83648b  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  10.6   opt  230126  0fe345fff3a0463224ca714831303d40fb83648b  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.4   dbg  230126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.4   opt  230126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.8   dbg  230126  405ee76b60c4ab82155f339136ed20d3b7363717  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.8   opt  230126  405ee76b60c4ab82155f339136ed20d3b7363717  SIGSEGV|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
      MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
      MS  5.7    dbg  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  5.7    opt  070525  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
      MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
      MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
      MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
      

      And UBSAN sees a null-pointer-use issue:

      CS 11.4.10 b6d0e23d76fe5936b6a29379ab494852e4d493b1 (Optimized, UBASAN, Clang 21.1.3-20250923) Build 26/01/2026

      /test/11.4_opt_san/sql/item_subselect.cc:128:35: runtime error: member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')
          #0 0x57223e6d27d3 in Item_subselect::init(st_select_lex*, select_result_interceptor*) /test/11.4_opt_san/sql/item_subselect.cc:128:35
          #1 0x57223e6e5f0d in Item_allany_subselect::Item_allany_subselect(THD*, Item*, Comp_creator* (*)(bool), st_select_lex*, bool) /test/11.4_opt_san/sql/item_subselect.cc:1729:3
          #2 0x57223e9f8285 in all_any_subquery_creator(THD*, Item*, Comp_creator* (*)(bool), bool, st_select_lex*) /test/11.4_opt_san/sql/sql_parse.cc:9470:25
          #3 0x57223e5e8b84 in MYSQLparse(THD*) /test/11.4_opt_san/sql/sql_yacc.yy:9524:27
          #4 0x57223e9eb45e in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.4_opt_san/sql/sql_parse.cc:10362:46
          #5 0x57223e99ee69 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_opt_san/sql/sql_parse.cc:7897:15
          #6 0x57223e997795 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_opt_san/sql/sql_parse.cc:1923:7
          #7 0x57223e9a1441 in do_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:1433:17
          #8 0x57223f19bf1c in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1497:11
          #9 0x57223f19ba3a in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1409:5
          #10 0x57223da366da in asan_thread_start(void*) crtstuff.c
          #11 0x7a5a2249ca93 in start_thread nptl/pthread_create.c:447:8
          #12 0x7a5a22529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.4_opt_san/sql/item_subselect.cc:128:35 
      

      Setup:

      Compiled with a recent version of Clang and LLVM (the builds above used Clang 21.1.3; the Ubuntu package instructions below are for Clang/LLVM 18 and should be adjusted to the version actually installed):
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" (shell brace expansion, i.e. both -DCMAKE_C_FLAGS and -DCMAKE_CXX_FLAGS) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.6   opt  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.11  dbg  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  10.11  opt  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.4   dbg  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.4   opt  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.8   dbg  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  11.8   opt  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.2   dbg  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.2   opt  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.3   dbg  050226  fa36b269f139252b81d4384fbed07b167855cabb  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      CS  12.3   opt  050226  fa36b269f139252b81d4384fbed07b167855cabb  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  10.6   dbg  260126  0fe345fff3a0463224ca714831303d40fb83648b  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  10.6   opt  230126  0fe345fff3a0463224ca714831303d40fb83648b  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.4   dbg  260126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.4   opt  260126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.8   dbg  230126  405ee76b60c4ab82155f339136ed20d3b7363717  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
      ES  11.8   opt  230126  405ee76b60c4ab82155f339136ed20d3b7363717  UBSAN|member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')|sql/item_subselect.cc|Item_subselect::init|Item_allany_subselect::Item_allany_subselect|all_any_subquery_creator|MYSQLparse
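
      The UniqueID column in the two Bug Detection Matrices above is a normalised crash signature: the signal or sanitizer message, the source file for sanitizer reports, and the top stack frames, joined with '|', so that one bug seen on many releases and build types buckets to one string. The Python below is an added example showing one way to derive that signature from a gdb backtrace or a UBSAN report; it is not part of this report and not the mariadb-qa project's own tooling. The number of frames folded in (four) and the way the build-directory prefix is dropped from the source path (keep the last two components) are inferred from the matrices on this page and are assumptions; the sample inputs are copied from the traces in this report with argument lists shortened.

```python
"""Crash-signature normaliser for MariaDB fuzz triage (added example; not the
mariadb-qa project's own tooling). Turns a gdb backtrace or a sanitizer
report into a 'UniqueID' string of the kind shown in the Bug Detection
Matrices, so that the same bug across releases/builds buckets to one ID."""
import re

# Number of stack frames folded into the signature. Inferred from the matrices
# on this page (frames #0..#3); the real mariadb-qa convention may differ.
FRAMES_IN_ID = 4

# One frame regex serves both formats:
#   gdb:  "#1  0x00005ad4... in Item_allany_subselect::Item_allany_subselect (this=...) at /test/12.3_dbg/sql/item_subselect.cc:1724"
#   san:  "#1 0x57223e6e5f0d in Item_allany_subselect::Item_allany_subselect(THD*, ...) /test/11.4_opt_san/sql/item_subselect.cc:1729:3"
# The function name ends at the first space or '(' (argument list).
FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[^\s(]+)")
GDB_SIGNAL = re.compile(r"terminated with signal (?P<sig>[A-Z0-9]+)")
# "/test/11.4_opt_san/sql/item_subselect.cc:128:35: runtime error: member access within null pointer ..."
SAN_HEADER = re.compile(r"^(?P<path>\S+?):\d+:\d+: runtime error: (?P<msg>.+)$")
SAN_SUMMARY = re.compile(r"^SUMMARY: (?P<tool>\w+):")
TOOL_TAGS = {"UndefinedBehaviorSanitizer": "UBSAN", "AddressSanitizer": "ASAN"}


def _frames(lines):
    """Function names of the first FRAMES_IN_ID stack frames in the report."""
    funcs = []
    for line in lines:
        m = FRAME.match(line)
        if m:
            funcs.append(m.group("func"))
            if len(funcs) == FRAMES_IN_ID:
                break
    return funcs


def _source_relpath(path):
    """'/test/11.4_opt_san/sql/item_subselect.cc' -> 'sql/item_subselect.cc'.
    Keeping the last two components is an assumption about how the build
    directory prefix is dropped; it reproduces the matrices on this page."""
    return "/".join(path.split("/")[-2:])


def unique_id(report):
    """Normalise a gdb backtrace or sanitizer report into a matrix UniqueID.
    Returns 'No bug found' when neither kind of failure is present."""
    lines = [ln.strip() for ln in report.splitlines()]

    header = next((m for m in map(SAN_HEADER.match, lines) if m), None)
    if header:
        summary = next((m for m in map(SAN_SUMMARY.match, lines) if m), None)
        tool = TOOL_TAGS.get(summary.group("tool"), "SAN") if summary else "SAN"
        head = [tool, header.group("msg"), _source_relpath(header.group("path"))]
        return "|".join(head + _frames(lines))

    sig = next((m for m in map(GDB_SIGNAL.search, lines) if m), None)
    if sig:
        return "|".join([sig.group("sig")] + _frames(lines))

    return "No bug found"


def detection_matrix(runs):
    """runs: iterable of (label, report_text). Returns [(label, UniqueID)] rows,
    i.e. the shape of the matrices in this report."""
    return [(label, unique_id(text)) for label, text in runs]


# Constructed sample inputs: the gdb and UBSAN output from this report, with
# argument lists shortened, plus a clean run that produced no failure.
GDB_BT = """\
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00005ad47bf5c11e in Item_subselect::init (this=0x71170802b488, select_lex=0x71170802a750) at /test/12.3_dbg/sql/item_subselect.cc:124
#1  0x00005ad47bf60fbc in Item_allany_subselect::Item_allany_subselect (this=0x71170802b488, all_arg=true) at /test/12.3_dbg/sql/item_subselect.cc:1724
#2  0x00005ad47c044e1b in all_any_subquery_creator (thd=0x711708000d58, all=true) at /test/12.3_dbg/sql/sql_parse.cc:9477
#3  0x00005ad47bf91762 in MYSQLparse (thd=0x711708000d58) at /test/12.3_dbg/sql/sql_yacc.yy:9891
#4  0x00005ad47c042a28 in parse_sql (thd=0x711708000d58, creation_ctx=0x0) at /test/12.3_dbg/sql/sql_parse.cc:10370
#5  0x00005ad47c02d902 in mysql_parse (thd=0x711708000d58, length=100) at /test/12.3_dbg/sql/sql_parse.cc:7902
"""

UBSAN_REPORT = """\
/test/11.4_opt_san/sql/item_subselect.cc:128:35: runtime error: member access within null pointer of type 'SELECT_LEX' (aka 'st_select_lex')
    #0 0x57223e6d27d3 in Item_subselect::init(st_select_lex*, select_result_interceptor*) /test/11.4_opt_san/sql/item_subselect.cc:128:35
    #1 0x57223e6e5f0d in Item_allany_subselect::Item_allany_subselect(THD*, Item*, Comp_creator* (*)(bool), st_select_lex*, bool) /test/11.4_opt_san/sql/item_subselect.cc:1729:3
    #2 0x57223e9f8285 in all_any_subquery_creator(THD*, Item*, Comp_creator* (*)(bool), bool, st_select_lex*) /test/11.4_opt_san/sql/sql_parse.cc:9470:25
    #3 0x57223e5e8b84 in MYSQLparse(THD*) /test/11.4_opt_san/sql/sql_yacc.yy:9524:27
    #4 0x57223e9eb45e in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/11.4_opt_san/sql/sql_parse.cc:10362:46

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/11.4_opt_san/sql/item_subselect.cc:128:35
"""

CLEAN_RUN = "Query OK, 0 rows affected (0.01 sec)\n"

if __name__ == "__main__":
    for label, uid in detection_matrix([("CS 12.3 dbg", GDB_BT),
                                        ("CS 11.4 opt UBASAN", UBSAN_REPORT),
                                        ("MS 9.1 opt", CLEAN_RUN)]):
        print(f"{label:<22} {uid}")
```

      Running the block prints three matrix-style rows; the first two IDs are byte-for-byte the strings in the matrices above, which is the point of the normalisation: addresses, argument values, build directories and line numbers vary per build, so they are dropped and only the failure kind plus the top frames are kept. Frames below MYSQLparse are also dropped, since dispatch_command/do_command are common to every crash reached through a client connection and would add nothing to the bucket key.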
      

      Testcase is CLI and MTR compatible

      People

        psergei Sergei Petrunia
        Roel Roel Van de Paar
        Votes: 0
        Watchers: 1