MariaDB Server: MDEV-39752

[draft] use-of-uninitialized-value in ftb_parse_query_internal


Details

    • Can result in hang or crash

    Description

      The test case is CLI- and MTR-compatible when run against an MSAN build:

      CREATE TABLE t1 (c1 INT KEY,c2 TEXT,c3 JSON) ENGINE=Aria;
      SELECT * FROM t1 WHERE MATCH(c2) AGAINST ('(a ' IN BOOLEAN MODE);
      

      Leads to:

      CS 10.11.18 9ed3a7f9f6929aa34420a8616930844d3a35bb91 (Debug, MSAN, Clang 20.1.8-20250708) Build 25/05/2026

      Version: '10.11.18-MariaDB-debug'  socket: '/test/MD_MSAN_10.11/socket.sock'  port: 10823  Source distribution
      2026-05-25 16:03:12 4 [Warning] Aborted connection 4 to db: 'test' user: 'root' host: 'localhost' (Got an error reading communication packets)
      ==2553666==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x55555732e075 in ftb_parse_query_internal /test/10.11/storage/maria/ma_ft_boolean_search.c:300:5
          #1 0x55555732a1ed in _ftb_parse_query /test/10.11/storage/maria/ma_ft_boolean_search.c:331:3
          #2 0x55555732a1ed in maria_ft_init_boolean_search /test/10.11/storage/maria/ma_ft_boolean_search.c:596:7
          #3 0x555557152af0 in ha_maria::ft_init_ext(unsigned int, unsigned int, String*) /test/10.11/storage/maria/ha_maria.cc:3507:10
          #4 0x555556d1ea9b in Item_func_match::init_search(THD*, bool) /test/10.11/sql/item_func.cc:6295:28
          #5 0x55555606dd8c in init_ftfuncs(THD*, st_select_lex*, bool) /test/10.11/sql/sql_base.cc:9650:21
          #6 0x55555631b08c in JOIN::optimize_stage2() /test/10.11/sql/sql_select.cc:3280:9
          #7 0x555556314963 in JOIN::optimize_inner() /test/10.11/sql/sql_select.cc:2705:9
          #8 0x5555562f6f9b in JOIN::optimize() /test/10.11/sql/sql_select.cc:1967:10
          #9 0x5555562f6f9b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11/sql/sql_select.cc:5271:19
          #10 0x5555562f5bd2 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/10.11/sql/sql_select.cc:601:10
          #11 0x555556227531 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.11/sql/sql_parse.cc:6461:12
          #12 0x555556210d8a in mysql_execute_command(THD*, bool) /test/10.11/sql/sql_parse.cc:4040:12
          #13 0x5555561fe606 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11/sql/sql_parse.cc:8221:18
          #14 0x5555561f6f3f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11/sql/sql_parse.cc:1924:7
          #15 0x5555561ffbd3 in do_command(THD*, bool) /test/10.11/sql/sql_parse.cc:1434:17
          #16 0x5555566c287c in do_handle_one_connection(CONNECT*, bool) /test/10.11/sql/sql_connect.cc:1475:11
          #17 0x5555566c2335 in handle_one_connection /test/10.11/sql/sql_connect.cc:1387:5
          #18 0x5555573974c2 in pfs_spawn_thread /test/10.11/storage/perfschema/pfs.cc:2201:3
          #19 0x7fffe669caa3 in start_thread nptl/pthread_create.c:447:8
          #20 0x7fffe6729c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
        Uninitialized value was stored to memory at
          #0 0x55555732e06e in ftb_parse_query_internal /test/10.11/storage/maria/ma_ft_boolean_search.c:300:43
       
        Uninitialized value was created by an allocation of 'w' in the stack frame
          #0 0x55555732dfa7 in ftb_parse_query_internal /test/10.11/storage/maria/ma_ft_boolean_search.c:295:3
       
      SUMMARY: MemorySanitizer: use-of-uninitialized-value /test/10.11/storage/maria/ma_ft_boolean_search.c:300:5 in ftb_parse_query_internal
      Exiting
      260525 16:03:25 [ERROR] /test/MD_MSAN_10.11/bin/mariadbd got signal 6 ;
      Sorry, we probably made a mistake, and this is a bug.
       
      Your assistance in bug reporting will enable us to fix this for the next release.
      To report this bug, see https://mariadb.com/docs/general-resources/community/community/bug-tracking/reporting-bugs about how to report
      a bug on https://jira.mariadb.org/.
       
      Please include the information from the server start above, to the end of the
      information below.
       
      Server version: 10.11.18-MariaDB-debug source revision: 9ed3a7f9f6929aa34420a8616930844d3a35bb91
       
      The information page at https://mariadb.com/docs/server/reference/product-development/mariadb-fault-finding/how-to-produce-a-full-stack-trace-for-mariadbdcontains instructions to obtain a better version of the backtrace below.
      Following these instructions will help MariaDB developers provide a fix quicker.
       
      Attempting backtrace. Include this in the bug report.
      (note: Retrieving this information may fail)
       
      Thread pointer: 0x72b000126018
      stack_bottom = 0x7fff3414c000 thread_stack 0x200000
      /test/MD_MSAN_10.11/bin/mariadbd(__interceptor_backtrace+0xd2)[0x555555dc75c2]
      mysys/stacktrace.c:215(my_print_stacktrace)[0x555557fda515]
      sql/signal_handler.cc:0(handle_fatal_signal)[0x555556b448f0]
      msan_interceptors.cpp.o:0(SignalHandler(int))[0x555555dfab29]
      libc_sigaction.c:0(__restore_rt)[0x7fffe6645330]
      nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7fffe669eb2c]
      posix/raise.c:27(__GI_raise)[0x7fffe664527e]
      stdlib/abort.c:81(__GI_abort)[0x7fffe66288ff]
      /test/MD_MSAN_10.11/bin/mariadbd(+0x831e7c)[0x555555d85e7c]
      /test/MD_MSAN_10.11/bin/mariadbd(+0x82fd1e)[0x555555d83d1e]
      /test/MD_MSAN_10.11/bin/mariadbd(+0x847003)[0x555555d9b003]
      maria/ma_ft_boolean_search.c:300(ftb_parse_query_internal)[0x55555732e076]
      maria/ma_ft_boolean_search.c:331(maria_ft_init_boolean_search)[0x55555732a1ee]
      maria/ha_maria.cc:3507(ha_maria::ft_init_ext(unsigned int, unsigned int, String*))[0x555557152af1]
      sql/item_func.cc:0(Item_func_match::init_search(THD*, bool))[0x555556d1ea9c]
      sql/sql_base.cc:9650(init_ftfuncs(THD*, st_select_lex*, bool))[0x55555606dd8d]
      sql/sql_select.cc:3280(JOIN::optimize_stage2())[0x55555631b08d]
      sql/sql_select.cc:2705(JOIN::optimize_inner())[0x555556314964]
      sql/sql_select.cc:0(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x5555562f6f9c]
      sql/sql_select.cc:601(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x5555562f5bd3]
      sql/sql_parse.cc:6461(execute_sqlcom_select(THD*, TABLE_LIST*))[0x555556227532]
      sql/sql_parse.cc:0(mysql_execute_command(THD*, bool))[0x555556210d8b]
      sql/sql_class.h:2954(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5555561fe607]
      sql/sql_parse.cc:0(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5555561f6f40]
      sql/sql_parse.cc:0(do_command(THD*, bool))[0x5555561ffbd4]
      sql/sql_connect.cc:1475(do_handle_one_connection(CONNECT*, bool))[0x5555566c287d]
      sql/sql_connect.cc:0(handle_one_connection)[0x5555566c2336]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5555573974c3]
      nptl/pthread_create.c:447(start_thread)[0x7fffe669caa4]
      x86_64/clone3.S:80(clone3)[0x7fffe6729c6c]
       
      Connection ID (thread ID): 5
      Status: NOT_KILLED
      Query (0x70d000006830): SELECT * FROM t1 WHERE MATCH(c2) AGAINST ('(a ' IN BOOLEAN MODE)
      

      UniqueID Bug signature

      MSAN|use-of-uninitialized-value|storage/maria/ma_ft_boolean_search.c|ftb_parse_query_internal|_ftb_parse_query|maria_ft_init_boolean_search|ha_maria::ft_init_ext
      

          People

            Saahil Alam