Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-39591

UBSAN: invalid-null-argument in _ma_rec_pack with VECTOR and JSON columns in INTERSECT

    XMLWordPrintable

Details

    • Can result in hang or crash

    Description

      CLI/MTR compatible test case:-

      CREATE TABLE t1 (c1 INT KEY,c2 VECTOR(1)) ;
      		 
      ALTER TABLE t1 ADD COLUMN c_range_flag TINYINT GENERATED ALWAYS AS(IF(c1 AND 100,1,0)) STORED,ADD CHECK(c_range_flag IN (0,1));
      		 
      CREATE TEMPORARY TABLE t2 LIKE t1;
      		 
      CREATE TEMPORARY TABLE t1 (c1 INT KEY,c2 TEXT,c3 JSON) ;
      		 
      INSERT INTO t1 VALUES (1,2,3);
      		 
      SELECT * FROM t1 INTERSECT SELECT * FROM t2;

      Leads to:

      CS 11.8.7 04e09010773caf0b302b2933fff3fe95381a5e13 (Debug, UBASAN, Clang 18.1.3-11) Build 10/05/2026

      		 
      2026-05-13 15:58:48 0 [Note] /test/UBASAN_MD100526-mariadb-11.8.7-linux-x86_64-dbg/bin/mariadbd: ready for connections.
      		 
      Version: '11.8.7-MariaDB-asan-debug'  socket: '/test/UBASAN_MD100526-mariadb-11.8.7-linux-x86_64-dbg/socket.sock'  port: 11927  MariaDB Server
      		 
      /test/11.8_dbg_san/storage/maria/ma_dynrec.c:1023:25: runtime error: null pointer passed as argument 2, which is declared to never be null
      		 
      /usr/include/string.h:44:28: note: nonnull attribute specified here
      		 
          #0 0x5a2cd740fcbd in _ma_rec_pack /test/11.8_dbg_san/storage/maria/ma_dynrec.c:1023:4
      		 
          #1 0x5a2cd741292d in _ma_write_blob_record /test/11.8_dbg_san/storage/maria/ma_dynrec.c:266:15
      		 
          #2 0x5a2cd74799ad in maria_write /test/11.8_dbg_san/storage/maria/ma_write.c:285:9
      		 
          #3 0x5a2cd5bb384b in handler::ha_write_tmp_row(unsigned char*) /test/11.8_dbg_san/sql/sql_class.h:8163:3
      		 
          #4 0x5a2cd6ba2f3e in select_unit::write_record() /test/11.8_dbg_san/sql/sql_union.cc:417:7
      		 
          #5 0x5a2cd6ba15f0 in select_unit::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_union.cc:161:9
      		 
          #6 0x5a2cd684ada2 in end_send(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:25738:9
      		 
          #7 0x5a2cd6904679 in evaluate_join_record(JOIN*, st_join_table*, int) /test/11.8_dbg_san/sql/sql_select.cc:24625:11
      		 
          #8 0x5a2cd67d3cc5 in sub_select(JOIN*, st_join_table*, bool) /test/11.8_dbg_san/sql/sql_select.cc:24392:9
      		 
          #9 0x5a2cd6865bb6 in do_select(JOIN*, Procedure*) /test/11.8_dbg_san/sql/sql_select.cc:23903:14
      		 
          #10 0x5a2cd6862573 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:5112:50
      		 
          #11 0x5a2cd685fd46 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4900:8
      		 
          #12 0x5a2cd6bbee25 in st_select_lex_unit::exec_inner() /test/11.8_dbg_san/sql/sql_union.cc:2454:27
      		 
          #13 0x5a2cd6b9647d in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long long) /test/11.8_dbg_san/sql/sql_union.cc:45:16
      		 
          #14 0x5a2cd67d6305 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:624:10
      		 
          #15 0x5a2cd66a0367 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6234:12
      		 
          #16 0x5a2cd667d04f in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4016:12
      		 
          #17 0x5a2cd665c1a4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7955:18
      		 
          #18 0x5a2cd66552a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1923:7
      		 
          #19 0x5a2cd665d938 in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1431:17
      		 
          #20 0x5a2cd6deba5c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1504:11
      		 
          #21 0x5a2cd6deb32d in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1416:5
      		 
          #22 0x5a2cd54ccaec in asan_thread_start(void*) crtstuff.c
      		 
          #23 0x72d54ac9caa3 in start_thread nptl/pthread_create.c:447:8
      		 
          #24 0x72d54ad29c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      SUMMARY: UndefinedBehaviorSanitizer: invalid-null-argument /test/11.8_dbg_san/storage/maria/ma_dynrec.c:1023:25

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
      		 
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
      		 
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      		 
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

      SAN Bug Detection Matrix

      		 
          Rel    o/d  Build   Commit                                    UniqueID observed
      		 
      CS  10.6   dbg  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  No bug found 
      CS  10.6   opt  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  No bug found 
      CS  10.11  dbg  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  No bug found 
      CS  10.11  opt  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  No bug found 
      CS  11.4   dbg  100526  f279551013d1319f27344080e2c0758f3959cebf  No bug found 
      CS  11.4   opt  100526  f279551013d1319f27344080e2c0758f3959cebf  No bug found 
      CS  11.8   dbg  100526  04e09010773caf0b302b2933fff3fe95381a5e13  UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_dynrec.c|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      CS  11.8   opt  100526  04e09010773caf0b302b2933fff3fe95381a5e13  UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_dynrec.c|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      CS  12.3   dbg  100526  4c371e30f003b601e7485533476208ae27d51937  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq|mysql_prepare_alter_table
      		 
      CS  12.3   opt  100526  4c371e30f003b601e7485533476208ae27d51937  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::strnncoll|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq
      		 
      CS  13.0   dbg  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq|mysql_prepare_alter_table
      		 
      CS  13.0   opt  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::strnncoll|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq
      		 
      ES  10.6   dbg  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found 
      ES  10.6   opt  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found 
      ES  11.4   dbg  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_dynrec.c|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      ES  11.4   opt  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_dynrec.c|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      ES  11.8   dbg  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq|mysql_prepare_alter_table
      		 
      ES  11.8   opt  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::strnncoll|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq
      		 
      ES  12.3   dbg  100526  4063148254974421994024b7cc94f6f2a850177d  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq|mysql_prepare_alter_table
      		 
      ES  12.3   opt  100526  4063148254974421994024b7cc94f6f2a850177d  UBSAN|applying zero offset to null pointer|strings/strcoll.inl|my_strnncoll_utf8mb3_general1400_as_ci|charset_info_st::strnncoll|charset_info_st::streq|Lex_ident<Compare_ident_ci>::streq

      Leads to:

      CS 11.8.7 04e09010773caf0b302b2933fff3fe95381a5e13 (Debug, Clang 18.1.3-11) Build 10/05/2026

      		 
      Core was generated by `/test/MD100526-mariadb-11.8.7-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      Download failed: Invalid argument.  Continuing without source file ./string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S.
      		 
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265
      		 
       
      		 
      [Current thread is 1 (LWP 1188156)]
      		 
      (gdb) bt
      		 
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265
      		 
      #1  0x0000652175fce8ae in _ma_rec_pack (info=0x6f5470086488, to=0x77558c113df8 "", from=0x6f547005507e "")at /test/11.8_dbg/storage/maria/ma_dynrec.c:1023
      		 
      #2  0x0000652175fcf936 in _ma_write_blob_record (info=0x6f5470086488, record=0x6f5470055070 <incomplete sequence \374>)at /test/11.8_dbg/storage/maria/ma_dynrec.c:266
      		 
      #3  0x000065217605c206 in maria_write (info=0x6f5470086488, record=0x6f5470055070 <incomplete sequence \374>)at /test/11.8_dbg/storage/maria/ma_write.c:285
      		 
      #4  0x0000652175fdd7e9 in ha_maria::write_row (this=0x6f547004e5f8, buf=0x6f5470055070 <incomplete sequence \374>)at /test/11.8_dbg/storage/maria/ha_maria.cc:1235
      		 
      #5  0x00006521758a1a34 in handler::ha_write_tmp_row (this=0x6f547004e5f8, buf=0x6f5470055070 <incomplete sequence \374>)at /test/11.8_dbg/sql/sql_class.h:8163
      		 
      #6  0x0000652175a6416f in select_unit::write_record (this=0x6f547001c6a8)at /test/11.8_dbg/sql/sql_union.cc:417
      		 
      #7  0x0000652175a63e0b in select_unit::send_data (this=0x6f547001c6a8, values=@0x6f547001a040: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6f547001a370, last = 0x6f547001d328, elements = 3}, <No data fields>})at /test/11.8_dbg/sql/sql_union.cc:161
      		 
      #8  0x00006521759d92a0 in select_result_sink::send_data_with_check (this=0x6f547001c6a8, items=@0x6f547001a040: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6f547001a370, last = 0x6f547001d328, elements = 3}, <No data fields>}, u=0x6f54700050a8, sent=0) at /test/11.8_dbg/sql/sql_class.h:6368
      		 
      #9  0x0000652175993af3 in end_send (join=0x6f547001c798, join_tab=0x6f5470020578, end_of_records=false)at /test/11.8_dbg/sql/sql_select.cc:25738
      		 
      #10 0x00006521759bf29d in evaluate_join_record (join=0x6f547001c798, join_tab=0x6f5470020100, error=0) at /test/11.8_dbg/sql/sql_select.cc:24625
      		 
      #11 0x0000652175972d3e in sub_select (join=0x6f547001c798, join_tab=0x6f5470020100, end_of_records=false)at /test/11.8_dbg/sql/sql_select.cc:24392
      		 
      #12 0x000065217599a605 in do_select (join=0x6f547001c798, procedure=0x0)at /test/11.8_dbg/sql/sql_select.cc:23903
      		 
      #13 0x00006521759999b1 in JOIN::exec_inner (this=0x6f547001c798)at /test/11.8_dbg/sql/sql_select.cc:5112
      		 
      #14 0x0000652175998bb0 in JOIN::exec (this=0x6f547001c798)at /test/11.8_dbg/sql/sql_select.cc:4900
      		 
      #15 0x0000652175a690f5 in st_select_lex_unit::exec_inner (this=0x6f54700050a8)at /test/11.8_dbg/sql/sql_union.cc:2454
      		 
      #16 0x0000652175a63441 in st_select_lex_unit::exec (this=0x6f54700050a8)at /test/11.8_dbg/sql/sql_union.cc:2350
      		 
      #17 0x0000652175a60f4b in mysql_union (thd=0x6f5470000d58, lex=0x6f5470004fc8, result=0x6f547001c680, unit=0x6f54700050a8, setup_tables_done_option=0)at /test/11.8_dbg/sql/sql_union.cc:45
      		 
      #18 0x000065217597300f in handle_select (thd=0x6f5470000d58, lex=0x6f5470004fc8, result=0x6f547001c680, setup_tables_done_option=0)at /test/11.8_dbg/sql/sql_select.cc:624
      		 
      #19 0x0000652175919a51 in execute_sqlcom_select (thd=0x6f5470000d58, all_tables=0x6f547001a3c0) at /test/11.8_dbg/sql/sql_parse.cc:6234
      		 
      #20 0x000065217590e932 in mysql_execute_command (thd=0x6f5470000d58, is_called_from_prepared_stmt=false) at /test/11.8_dbg/sql/sql_parse.cc:4016
      		 
      #21 0x0000652175906964 in mysql_parse (thd=0x6f5470000d58, rawbuf=0x6f5470019cd0 "SELECT * FROM t1 INTERSECT SELECT * FROM t2", length=43, parser_state=0x77558c119a10)at /test/11.8_dbg/sql/sql_parse.cc:7955
      		 
      #22 0x0000652175903ca9 in dispatch_command (command=COM_QUERY, thd=0x6f5470000d58, packet=0x6f547000b079 "SELECT * FROM t1 INTERSECT SELECT * FROM t2", packet_length=43, blocking=true) at /test/11.8_dbg/sql/sql_parse.cc:1923
      		 
      #23 0x0000652175907513 in do_command (thd=0x6f5470000d58, blocking=true)at /test/11.8_dbg/sql/sql_parse.cc:1431
      		 
      #24 0x0000652175af4df9 in do_handle_one_connection (connect=0x6521a598af08, put_in_cache=true) at /test/11.8_dbg/sql/sql_connect.cc:1504
      		 
      #25 0x0000652175af4b9e in handle_one_connection (arg=0x6521a5a4b7b8)at /test/11.8_dbg/sql/sql_connect.cc:1416
      		 
      #26 0x000077559029caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #27 0x0000775590329c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      Bug Detection Matrix

      		 
          Rel    o/d  Build   Commit                                    UniqueID observed
      		 
      CS  10.6   dbg  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  No bug found
      		 
      CS  10.6   opt  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  No bug found
      		 
      CS  10.11  dbg  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  No bug found
      		 
      CS  10.11  opt  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  No bug found
      		 
      CS  11.4   dbg  100526  f279551013d1319f27344080e2c0758f3959cebf  No bug found
      		 
      CS  11.4   opt  100526  f279551013d1319f27344080e2c0758f3959cebf  No bug found
      		 
      CS  11.8   dbg  100526  04e09010773caf0b302b2933fff3fe95381a5e13  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      CS  11.8   opt  100526  04e09010773caf0b302b2933fff3fe95381a5e13  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      CS  12.3   dbg  100526  4c371e30f003b601e7485533476208ae27d51937  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      CS  12.3   dbg  110526  c0849d98f7ca2627ea90283b125b5b86f75b173a  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      CS  12.3   opt  100526  4c371e30f003b601e7485533476208ae27d51937  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      CS  12.3   opt  110526  c0849d98f7ca2627ea90283b125b5b86f75b173a  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      CS  13.0   dbg  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      CS  13.0   opt  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      ES  10.6   dbg  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found
      		 
      ES  10.6   opt  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  No bug found
      		 
      ES  11.4   dbg  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      ES  11.4   opt  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      ES  11.8   dbg  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      ES  11.8   opt  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row
      		 
      ES  12.3   dbg  100526  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|ha_maria::write_row
      		 
      ES  12.3   opt  100526  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|_ma_rec_pack|_ma_write_blob_record|maria_write|handler::ha_write_tmp_row

      Attachments

        Activity

          People

            Unassigned Unassigned
            saahil Saahil Alam
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.