[MDEV-38971] ASAN/UBSAN errors, assertion `is_valid_value_slow()' failure upon combination temporal functions and ZERO_DATE_TIME_CAST - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.3
Fix Version/s: 10.11, 11.4, 11.8, 12.3
Component/s: Server
Labels:
None

Description

The separation between UBSAN/ASAN/debug tests below is approximate, that's how they currently they fail for me on 11.4 build (one and the same debug build with ASAN and UBSAN). They can fail differently on different versions and builds, but generally something always fail somewhere.

For UBSAN errors
SET old_mode = ZERO_DATE_TIME_CAST;
SELECT EXTRACT(HOUR_SECOND FROM LAST_DAY(202112010000));

For ASAN errors
SET old_mode = ZERO_DATE_TIME_CAST;
SELECT EXTRACT(HOUR_SECOND FROM LAST_DAY(202612012300));

For debug assertion failure
SET old_mode = ZERO_DATE_TIME_CAST;
SELECT EXTRACT(HOUR_SECOND FROM LAST_DAY(200012010000));

11.4 a6e98760d9ded7803a752b9fb0a4b31ba6fb4c11

/data/bld/11.4-asan-ubsan/sql-common/my_time.c:106:52: runtime error: index 27164 out of bounds for type 'uchar [13]'

/data/bld/11.4-asan-ubsan/sql-common/my_time.c:106:52: runtime error: load of address 0x55edf5eacb5c with insufficient space for an object of type 'uchar'

11.4 a6e98760d9ded7803a752b9fb0a4b31ba6fb4c11
==2756086==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555b17225b9f at pc 0x555b0dfe2e9b bp 0x7f7559effdc0 sp 0x7f7559effdb8
READ of size 1 at 0x555b17225b9f thread T5
#0 0x555b0dfe2e9a in check_date /data/bld/11.4-asan-ubsan/sql-common/my_time.c:106
#1 0x555b0b1365a4 in check_date /data/bld/11.4-asan-ubsan/sql/sql_time.h:150
#2 0x555b0b13ebde in time_to_datetime_with_warn(THD, st_mysql_time const, st_mysql_time*, date_conv_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_time.cc:1034
#3 0x555b0b6fc985 in Temporal_with_date::make_from_item(THD, Item, date_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_type.cc:1095
#4 0x555b0a2ce73a in Temporal_with_date::Temporal_with_date(THD, Item, date_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_type.h:2161
#5 0x555b0a2ce73a in Datetime::Datetime(THD, Item, date_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_type.h:2444
#6 0x555b0c587409 in Item_func_last_day::get_date(THD, st_mysql_time, date_mode_t) /data/bld/11.4-asan-ubsan/sql/item_timefunc.cc:4039
#7 0x555b0b6eefd0 in Temporal_hybrid::Temporal_hybrid(THD, Item, date_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_type.cc:441
#8 0x555b0c5c58d7 in Extract_source::Extract_source(THD, Item, date_mode_t) /data/bld/11.4-asan-ubsan/sql/sql_type.h:1396
#9 0x555b0c5ab2da in Item_extract::val_int() /data/bld/11.4-asan-ubsan/sql/item_timefunc.cc:3094
#10 0x555b0b711fa0 in Type_handler::Item_send_long(Item, Protocol, st_value*) const /data/bld/11.4-asan-ubsan/sql/sql_type.cc:7744
#11 0x555b0b7775e3 in Type_handler_long::Item_send(Item, Protocol, st_value*) const /data/bld/11.4-asan-ubsan/sql/sql_type.h:5855
#12 0x555b0a2c07c0 in Item::send(Protocol, st_value) /data/bld/11.4-asan-ubsan/sql/item.h:1272
#13 0x555b0a43f834 in Protocol::send_result_set_row(List<Item>*) /data/bld/11.4-asan-ubsan/sql/protocol.cc:1339
#14 0x555b0a71723f in select_send::send_data(List<Item>&) /data/bld/11.4-asan-ubsan/sql/sql_class.cc:3268
#15 0x555b0ad71e22 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/bld/11.4-asan-ubsan/sql/sql_class.h:6210
#16 0x555b0ad54a34 in JOIN::exec_inner() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:4976
#17 0x555b0ad572c4 in JOIN::exec() /data/bld/11.4-asan-ubsan/sql/sql_select.cc:4893
#18 0x555b0ad4df69 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:5416
#19 0x555b0ad4eecb in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/11.4-asan-ubsan/sql/sql_select.cc:643
#20 0x555b0a9cec7d in execute_sqlcom_select /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:6224
#21 0x555b0aa12e7a in mysql_execute_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:4012
#22 0x555b0aa30e5a in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:7945
#23 0x555b0aa3a24a in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1925
#24 0x555b0aa470f2 in do_command(THD*, bool) /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1433
#25 0x555b0b27257f in do_handle_one_connection(CONNECT*, bool) /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1497
#26 0x555b0b2736dc in handle_one_connection /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1409
#27 0x555b0ccc7f74 in pfs_spawn_thread /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2201
#28 0x7f7565ea81c3 in start_thread nptl/pthread_create.c:442
#29 0x7f7565f2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x555b17225b9f is located 33 bytes to the left of global variable '*.Lubsan_data143' defined in '/data/bld/11.4-asan-ubsan/sql-common/my_time.c' (0x555b17225bc0) of size 32
0x555b17225b9f is located 15 bytes to the right of global variable '*.Lubsan_data144' defined in '/data/bld/11.4-asan-ubsan/sql-common/my_time.c' (0x555b17225b80) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow /data/bld/11.4-asan-ubsan/sql-common/my_time.c:106 in check_date
Shadow bytes around the buggy address:
0x0aabe2e3cb20: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabe2e3cb30: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabe2e3cb40: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cb50: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cb60: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
=>0x0aabe2e3cb70: 00 00 f9[f9]f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cb80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cb90: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabe2e3cba0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cbb0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
0x0aabe2e3cbc0: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T5 created by T0 here:
#0 0x7f7566649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x555b0ccbd840 in my_thread_create /data/bld/11.4-asan-ubsan/storage/perfschema/my_thread.h:52
#2 0x555b0ccc5168 in pfs_spawn_thread_v1 /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2252
#3 0x555b0a2aa980 in inline_mysql_thread_create /data/bld/11.4-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x555b0a2aa980 in create_thread_to_handle_connection(CONNECT*) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6177
#5 0x555b0a2bca87 in create_new_thread(CONNECT*) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6239
#6 0x555b0a2bcca5 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6301
#7 0x555b0a2bd8e6 in handle_connections_sockets() /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6413
#8 0x555b0a2bdd92 in run_main_loop /data/bld/11.4-asan-ubsan/sql/mysqld.cc:5656
#9 0x555b0a2bf335 in mysqld_main(int, char**) /data/bld/11.4-asan-ubsan/sql/mysqld.cc:6078
#10 0x555b0a291ad1 in main /data/bld/11.4-asan-ubsan/sql/main.cc:34
#11 0x7f7565e46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

==2756086==ABORTING

11.4 a6e98760d9ded7803a752b9fb0a4b31ba6fb4c11
mariadbd: /data/bld/11.4-asan-ubsan/sql/sql_type.h:2447: Datetime::Datetime(THD, Item, date_mode_t): Assertion `is_valid_value_slow()' failed.
260304 21:16:07 [ERROR] /share8t/bld/11.4-asan-ubsan/sql/mariadbd got signal 6 ;

#9 0x00007f4428245395 in __assert_fail_base (fmt=0x7f44283b9a90 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55ed6cda75a0 "is_valid_value_slow()", file=file@entry=0x55ed6cda75e0 "/data/bld/11.4-asan-ubsan/sql/sql_type.h", line=line@entry=2447, function=function@entry=0x55ed6cda7760 "Datetime::Datetime(THD, Item, date_mode_t)") at ./assert/assert.c:92
#10 0x00007f4428253eb2 in __GI___assert_fail (assertion=0x55ed6cda75a0 "is_valid_value_slow()", file=0x55ed6cda75e0 "/data/bld/11.4-asan-ubsan/sql/sql_type.h", line=2447, function=0x55ed6cda7760 "Datetime::Datetime(THD, Item, date_mode_t)") at ./assert/assert.c:101
#11 0x000055ed68cf97dd in Datetime::Datetime (this=0x7f441cd874c0, thd=0x62c0000b0218, item=0x62d00005aa18, fuzzydate=...) at /data/bld/11.4-asan-ubsan/sql/sql_type.h:2447
#12 0x000055ed6afb240a in Item_func_last_day::get_date (this=0x62d00005ab08, thd=<optimized out>, ltime=0x7f441cd874c0, fuzzydate=...) at /data/bld/11.4-asan-ubsan/sql/item_timefunc.cc:4039
#13 0x000055ed6a119fd1 in Temporal_hybrid::Temporal_hybrid (this=this@entry=0x7f441cd874c0, thd=thd@entry=0x62c0000b0218, item=item@entry=0x62d00005ab08, fuzzydate=fuzzydate@entry=...) at /data/bld/11.4-asan-ubsan/sql/sql_type.cc:441
#14 0x000055ed6aff08d8 in Extract_source::Extract_source (this=0x7f441cd874c0, thd=0x62c0000b0218, item=0x62d00005ab08, mode=...) at /data/bld/11.4-asan-ubsan/sql/sql_type.h:1396
#15 0x000055ed6afd62db in Item_extract::val_int (this=0x62d00005abc0) at /data/bld/11.4-asan-ubsan/sql/item_timefunc.cc:3094
#16 0x000055ed6a13cfa1 in Type_handler::Item_send_long (this=this@entry=0x55ed767f1ec0 <type_handler_slong>, item=item@entry=0x62d00005abc0, protocol=protocol@entry=0x62c0000b0838, buf=buf@entry=0x7f441cd876a0) at /data/bld/11.4-asan-ubsan/sql/sql_type.cc:7744
#17 0x000055ed6a1a25e4 in Type_handler_long::Item_send (this=0x55ed767f1ec0 <type_handler_slong>, item=0x62d00005abc0, protocol=0x62c0000b0838, buf=0x7f441cd876a0) at /data/bld/11.4-asan-ubsan/sql/sql_type.h:5855
#18 0x000055ed68ceb7c1 in Item::send (this=0x62d00005abc0, protocol=0x62c0000b0838, buffer=0x7f441cd876a0) at /data/bld/11.4-asan-ubsan/sql/item.h:1272
#19 0x000055ed68e6a835 in Protocol::send_result_set_row (this=this@entry=0x62c0000b0838, row_items=row_items@entry=0x62d00005a7c8) at /data/bld/11.4-asan-ubsan/sql/protocol.cc:1339
#20 0x000055ed69142240 in select_send::send_data (this=0x62d00005b648, items=...) at /data/bld/11.4-asan-ubsan/sql/sql_class.cc:3268
#21 0x000055ed6979ce23 in select_result_sink::send_data_with_check (this=this@entry=0x62d00005b648, items=..., u=0x62c0000b46d8, sent=sent@entry=0) at /data/bld/11.4-asan-ubsan/sql/sql_class.h:6210
#22 0x000055ed6977fa35 in JOIN::exec_inner (this=this@entry=0x62d00005b678) at /data/bld/11.4-asan-ubsan/sql/sql_select.cc:4976
#23 0x000055ed697822c5 in JOIN::exec (this=this@entry=0x62d00005b678) at /data/bld/11.4-asan-ubsan/sql/sql_select.cc:4893
#24 0x000055ed69778f6a in mysql_select (thd=thd@entry=0x62c0000b0218, tables=<optimized out>, fields=..., conds=conds@entry=0x0, og_num=og_num@entry=0, order=order@entry=0x0, group=<optimized out>, having=<optimized out>, proc_param=<optimized out>, select_options=<optimized out>, result=<optimized out>, unit=<optimized out>, select_lex=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sql_select.cc:5416
#25 0x000055ed69779ecc in handle_select (thd=thd@entry=0x62c0000b0218, lex=lex@entry=0x62c0000b45f8, result=result@entry=0x62d00005b648, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/bld/11.4-asan-ubsan/sql/sql_select.cc:643
#26 0x000055ed693f9c7e in execute_sqlcom_select (thd=thd@entry=0x62c0000b0218, all_tables=<optimized out>) at /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:6224
#27 0x000055ed6943de7b in mysql_execute_command (thd=thd@entry=0x62c0000b0218, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:4012
#28 0x000055ed6945be5b in mysql_parse (thd=thd@entry=0x62c0000b0218, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7f441cd89ab0) at /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:7945
#29 0x000055ed6946524b in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x62c0000b0218, packet=packet@entry=0x629000253219 "", packet_length=packet_length@entry=55, blocking=blocking@entry=true) at /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1925
#30 0x000055ed694720f3 in do_command (thd=thd@entry=0x62c0000b0218, blocking=blocking@entry=true) at /data/bld/11.4-asan-ubsan/sql/sql_parse.cc:1433
#31 0x000055ed69c9d580 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x6080000039b8, put_in_cache=put_in_cache@entry=true) at /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1497
#32 0x000055ed69c9e6dd in handle_one_connection (arg=0x6080000039b8) at /data/bld/11.4-asan-ubsan/sql/sql_connect.cc:1409
#33 0x000055ed6b6f2f75 in pfs_spawn_thread (arg=0x617000005b98) at /data/bld/11.4-asan-ubsan/storage/perfschema/pfs.cc:2201
#34 0x00007f44282a81c4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#35 0x00007f442832885c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2026-03-04 19:17

Updated:: 2026-03-04 19:17

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.