[MDEV-22744] *SAN: sql/item_xmlfunc.cc:791:43: runtime error: downcast of address ... which does not point to an object of type 'Item_func' note: object is of type 'Item_bool' (on optimized builds)

Created: 2020-05-28
Updated: 2020-05-30
Resolved: 2020-05-29

Status: Closed
Project: MariaDB Server
Component/s: XML Functions
Affects Version/s: 10.1, 10.5.4, 10.2, 10.3, 10.4
Fix Version/s: 10.5.4, 10.1.46, 10.2.33, 10.3.24, 10.4.14

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Alexander Barkov
Resolution: Fixed
Votes: 0
Labels: None


Description

10.5.4>SELECT extractValue('<a>a</a>', '/a[true()]');
+----------------------------------------+
| extractValue('<a>a</a>', '/a[true()]') |
+----------------------------------------+
| a                                      |
+----------------------------------------+
1 row in set (0.003 sec)

Leads to:

10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680

/test/10.5_opt/sql/item_xmlfunc.cc:791:43: runtime error: downcast of address 0x62b000087538 which does not point to an object of type 'Item_func'
0x62b000087538: note: object is of type 'Item_bool'
 00 00 00 00  e8 5d 59 0a f0 55 00 00  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  a0 71 41 10
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_bool'

Setup:

Compiled with GCC >=7.5.0 and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1

Bug confirmed present in:
MariaDB: 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)



Comments
Comment by Alexander Barkov [ 2020-05-29 ]

For some reason this problem is not always repeatable in ASAN builds for versions before 10.5.
But tracing in gdb shows the problem:

797	String *Item_nodeset_func_predicate::val_nodeset(String *str)
798	{
799	  Item_nodeset_func *nodeset_func= (Item_nodeset_func*) args[0];
800	  Item_func *comp_func= (Item_func*)args[1];
801	  uint pos= 0, size;
802	  prepare(str);
803	  size= fltend - fltbeg;
804	  for (MY_XPATH_FLT *flt= fltbeg; flt < fltend; flt++)
(gdb) p args[1]
$2 = (Item_bool *) 0x7fff98008580
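
As an added illustration (not code from the MariaDB tree), a minimal stand-in for the Item hierarchy shows why the cast on the `Item_func *comp_func= (Item_func*)args[1];` line is undefined behaviour once the XPath predicate `true()` folds to an `Item_bool`, and the shape of a cast-free alternative; the class names are borrowed from the report, every body here is invented, and the cast-free form is a hypothetical fix shape, not the actual patch.

```cpp
#include <cstddef>
#include <vector>

// Stand-in hierarchy: Item_bool is a constant and Item_func a function node.
// Both derive from Item; neither derives from the other, so an Item_bool
// object is never an Item_func object.
struct Item {
  virtual ~Item() = default;
  virtual long long val_int() = 0;   // virtual on the base, as in MariaDB
};

struct Item_bool : Item {
  bool value;
  explicit Item_bool(bool v) : value(v) {}
  long long val_int() override { return value ? 1 : 0; }
};

struct Item_func : Item {
  std::vector<Item *> args;
  virtual const char *func_name() const = 0;
};

// Stand-in for an XPath comparison node such as "position()=1".
struct Item_func_eq : Item_func {
  long long lhs, rhs;
  Item_func_eq(long long a, long long b) : lhs(a), rhs(b) {}
  const char *func_name() const override { return "="; }
  long long val_int() override { return lhs == rhs ? 1 : 0; }
};

// Buggy shape from the gdb listing: a blind C-style downcast of args[1].
// When pred is an Item_bool the object is read through the wrong static
// type, which is the -fsanitize=vptr finding quoted in the description.
// Kept only for contrast; nothing below calls it.
bool predicate_keeps_unchecked(Item *pred) {
  Item_func *comp_func = (Item_func *) pred;   // UB for an Item_bool
  return comp_func->val_int() != 0;
}

// Cast-free shape: val_int() is virtual on Item, so the predicate can be
// evaluated through the base pointer whatever concrete node it folded to.
bool predicate_keeps(Item *pred) {
  return pred->val_int() != 0;
}

// Where an Item_func really is required, check the dynamic type first;
// a constant predicate yields nullptr instead of a mistyped pointer.
Item_func *as_func(Item *item) {
  return dynamic_cast<Item_func *>(item);
}
```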

Comment by Roel Van de Paar [ 2020-05-29 ]

Confirmed fixed in 10.5.4 with the proposed patch! Indeed not reproducible in 10.1-10.3. Thanks

Generated at Thu Feb 08 09:17:08 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.