[MDEV-39267] UBSAN : member access within null pointer of type 'THD' in sql/handler.cc | handler::update_global_table_stats - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.2, 12.3
Fix Version/s: 10.6, 10.11, 11.4, 11.8, 12.2, 12.3
Component/s: Versioned Tables
Labels:
- UBSAN
- null-pointer-use

Bug Category:
Can result in unexpected behaviour

Description

Please replay using CLI to reproduce the issue. Could not reproduce the issue using MTR

SET SESSION max_session_mem_used=8192;

CREATE TABLE t (b INT,ROW_START BIGINT UNSIGNED GENERATED ALWAYS AS ROW START INVISIBLE,ROW_END BIGINT UNSIGNED GENERATED ALWAYS AS ROW END INVISIBLE,PERIOD FOR SYSTEM_TIME(ROW_START,ROW_END)) ENGINE=INNODB WITH SYSTEM VERSIONING;

SELECT * FROM t FOR SYSTEM_TIME AS OF TIMESTAMP NOW(0) GROUP BY b HAVING b=0;

SELECT * FROM t FOR SYSTEM_TIME AS OF TIMESTAMP NOW(0) GROUP BY b HAVING b=0;

SELECT * FROM t FOR SYSTEM_TIME AS OF TIMESTAMP NOW(0) GROUP BY b HAVING b=0;

SELECT * FROM t FOR SYSTEM_TIME AS OF TIMESTAMP NOW(0) GROUP BY b HAVING b=0;

SELECT * FROM t FOR SYSTEM_TIME AS OF TIMESTAMP NOW(0) GROUP BY b HAVING b=0;

Leads to:

CS 12.3.2 669e7aa798f984c0c4178c20f6926b956c8f095e (Debug, UBASAN, Clang 18.1.3-11) Build 02/04/2026
/test/12.3_dbg_san/sql/handler.cc:6442:3: runtime error: member access within null pointer of type 'THD'
#0 0x5e9ba421a035 in handler::update_global_table_stats() /test/12.3_dbg_san/sql/handler.cc:6442:3
#1 0x5e9ba4e79d07 in close_thread_table(THD, TABLE*) /test/12.3_dbg_san/sql/sql_base.cc:1044:9
#2 0x5e9ba4e7cad2 in close_thread_tables(THD*) /test/12.3_dbg_san/sql/sql_base.cc:1009:12
#3 0x5e9ba538fb0c in mysql_execute_command(THD*, bool) /test/12.3_dbg_san/sql/sql_parse.cc:5997:3
#4 0x5e9ba5360a88 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/12.3_dbg_san/sql/sql_parse.cc:7944:18
#5 0x5e9ba5359b4e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/12.3_dbg_san/sql/sql_parse.cc:1898:7
#6 0x5e9ba53634ad in do_command(THD*, bool) /test/12.3_dbg_san/sql/sql_parse.cc:1432:17
#7 0x5e9ba5b2153c in do_handle_one_connection(CONNECT*, bool) /test/12.3_dbg_san/sql/sql_connect.cc:1503:11
#8 0x5e9ba5b20df7 in handle_one_connection /test/12.3_dbg_san/sql/sql_connect.cc:1415:5
#9 0x5e9ba407efcc in asan_thread_start(void*) crtstuff.c
#10 0x77840b89caa3 in start_thread nptl/pthread_create.c:447:8
#11 0x77840b929c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/12.3_dbg_san/sql/handler.cc:6442:3

Setup:

Compiled with a recent version of GCC (I used GCC 13.3.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 050126 b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 10.6 opt 050126 b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 10.11 dbg 120226 67fceadfa45b3f14921114544734455ecbdd480e UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 10.11 opt 120226 67fceadfa45b3f14921114544734455ecbdd480e UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 11.4 dbg 120226 78201a41b5e88b94c27f5ecc16c9e5486e2e50c3 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 11.4 opt 120226 78201a41b5e88b94c27f5ecc16c9e5486e2e50c3 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 11.8 dbg 120226 65ee9a7b4694d1b6f366b5a7a3d1b0549e5a3671 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 11.8 opt 120226 65ee9a7b4694d1b6f366b5a7a3d1b0549e5a3671 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 12.2 dbg 120226 d26a6f44c1f2119377e79a9540886c6d8c01472f UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 12.2 opt 120226 d26a6f44c1f2119377e79a9540886c6d8c01472f UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 12.3 dbg 020426 669e7aa798f984c0c4178c20f6926b956c8f095e UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
CS 12.3 opt 020426 669e7aa798f984c0c4178c20f6926b956c8f095e UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 10.6 dbg 170226 22e626b9c17e9969925c54f14d30e39e25320b22 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 10.6 opt 170226 22e626b9c17e9969925c54f14d30e39e25320b22 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 11.4 dbg 170226 34f616d5fd2c649d0c79acb4e2423c90b8f10436 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 11.4 opt 170226 34f616d5fd2c649d0c79acb4e2423c90b8f10436 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 11.8 dbg 170226 405ee76b60c4ab82155f339136ed20d3b7363717 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command
ES 11.8 opt 170226 405ee76b60c4ab82155f339136ed20d3b7363717 UBSAN\|member access within null pointer of type 'THD'\|sql/handler.cc\|handler::update_global_table_stats\|close_thread_table\|close_thread_tables\|mysql_execute_command

UBSAN : member access within null pointer of type 'THD' in sql/handler.cc | handler::update_global_table_stats

Details

Description

Attachments

Activity

People

Dates

Git Integration