[MDEV-26839] UBSAN: null pointer passed as argument 2, which is declared to never be null in maria/ma_key.c on ALTER Created: 2021-10-15  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data Definition - Alter Table, Storage Engine - Aria
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Michael Widenius
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-25454 Make MariaDB server UBSAN safe Confirmed

Description

CREATE TABLE t (a INT) ENGINE=Aria;
INSERT INTO t VALUES();
ALTER TABLE t ADD b GEOMETRY NOT NULL,ALGORITHM=copy;
ALTER TABLE t ADD INDEX i (b(1));

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

/test/10.7_opt_san/storage/maria/ma_key.c:279:7: runtime error: null pointer passed as argument 2, which is declared to never be null

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

    #0 0x55fc8247b895 in _ma_make_key /test/10.7_opt_san/storage/maria/ma_key.c:279
    #1 0x55fc85714360 in maria_write /test/10.7_opt_san/storage/maria/ma_write.c:189
    #2 0x55fc84500414 in handler::ha_write_row(unsigned char const*) /test/10.7_opt_san/sql/handler.cc:7519
    #3 0x55fc835f94ea in copy_data_between_tables /test/10.7_opt_san/sql/sql_table.cc:11081
    #4 0x55fc836695c7 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /test/10.7_opt_san/sql/sql_table.cc:10356
    #5 0x55fc83983423 in Sql_cmd_alter_table::execute(THD*) /test/10.7_opt_san/sql/sql_alter.cc:550
    #6 0x55fc830c2e75 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5989
    #7 0x55fc8304cfe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
    #8 0x55fc830a2655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
    #9 0x55fc830ade52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
    #10 0x55fc839597bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
    #11 0x55fc8395c2b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
    #12 0x55fc85924ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
    #13 0x149631c47608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #14 0x149630ebd292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

    #0 0x55b47550c333 in _ma_make_key /test/10.7_dbg_san/storage/maria/ma_key.c:279
    #1 0x55b47558c582 in maria_write /test/10.7_dbg_san/storage/maria/ma_write.c:189
    #2 0x55b4753a7015 in ha_maria::write_row(unsigned char const*) /test/10.7_dbg_san/storage/maria/ha_maria.cc:1266
    #3 0x55b4740d2e4a in handler::ha_write_row(unsigned char const*) /test/10.7_dbg_san/sql/handler.cc:7519
    #4 0x55b472f520d9 in copy_data_between_tables /test/10.7_dbg_san/sql/sql_table.cc:11081
    #5 0x55b472fbc27c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /test/10.7_dbg_san/sql/sql_table.cc:10356
    #6 0x55b473381b19 in Sql_cmd_alter_table::execute(THD*) /test/10.7_dbg_san/sql/sql_alter.cc:550
    #7 0x55b4728f7b1f in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5989
    #8 0x55b472834c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
    #9 0x55b4728a967a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
    #10 0x55b4728c00c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
    #11 0x55b47334b2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
    #12 0x55b47334e143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
    #13 0x55b47576e4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
    #14 0x145b39153608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #15 0x145b383c9292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)
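The UBSAN message above ("null pointer passed as argument 2, which is declared to never be null") is the nonnull-attribute check firing on a library call such as memcpy, whose source parameter is declared nonnull in glibc's headers: passing NULL is undefined behaviour even when the copy length is 0, which is exactly the situation of a NOT NULL BLOB/GEOMETRY key part whose row carries no data. The following C program is an added illustration of that failure mode and of the guard a key-packing routine needs; it is not MariaDB's _ma_make_key code, and the struct col_value, the pack_key_part_* functions and the 2-byte length-prefix key layout are hypothetical. Build it with `cc -fsanitize=undefined -g` to see the same report the issue describes.

```c
/* Added illustration (not MariaDB code): why UBSAN flags a NULL source even
 * when the copy length is 0, and how a key-packing routine avoids it.
 * Build: cc -fsanitize=undefined -g pack_key.c -o pack_key && ./pack_key */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key-part layout: 2-byte little-endian length prefix followed
 * by at most max_len bytes of column data (a prefix index such as b(1)). */
#define KEY_PART_PREFIX 2

/* Hypothetical column value as a storage engine might hand it to the key
 * builder: ptr is NULL when the row holds no data for the column (as with a
 * NOT NULL BLOB that was never assigned under sql_mode=''). */
struct col_value {
    const uint8_t *ptr;   /* NULL when the column has no data */
    size_t len;           /* 0 when ptr is NULL */
};

/* Buggy variant: calls memcpy unconditionally. glibc declares memcpy's source
 * parameter nonnull, so NULL is undefined behaviour even with n == 0, and
 * UBSAN's nonnull-attribute check reports "null pointer passed as argument 2". */
size_t pack_key_part_buggy(uint8_t *out, const struct col_value *v, size_t max_len)
{
    size_t n = v->len < max_len ? v->len : max_len;
    out[0] = (uint8_t)(n & 0xff);
    out[1] = (uint8_t)(n >> 8);
    memcpy(out + KEY_PART_PREFIX, v->ptr, n);   /* UB when v->ptr == NULL */
    return KEY_PART_PREFIX + n;
}

/* Hardened variant: a NULL pointer means "no data" whatever len says, and the
 * copy is skipped entirely when there is nothing to copy, so memcpy is never
 * handed a null pointer. */
size_t pack_key_part_safe(uint8_t *out, const struct col_value *v, size_t max_len)
{
    size_t n = v->len < max_len ? v->len : max_len;
    if (v->ptr == NULL)
        n = 0;                                  /* empty key part, no deref */
    out[0] = (uint8_t)(n & 0xff);
    out[1] = (uint8_t)(n >> 8);
    if (n > 0)
        memcpy(out + KEY_PART_PREFIX, v->ptr, n);
    return KEY_PART_PREFIX + n;
}

int main(void)
{
    uint8_t key[KEY_PART_PREFIX + 16];
    const uint8_t blob[] = "hello";              /* constructed sample value */
    struct col_value present = { blob, 5 };
    struct col_value missing = { NULL, 0 };      /* unassigned NOT NULL blob */

    size_t k1 = pack_key_part_safe(key, &present, 1);   /* prefix index b(1) */
    printf("present: %zu bytes, first data byte '%c'\n", k1, key[2]);
    size_t k2 = pack_key_part_safe(key, &missing, 1);
    printf("missing: %zu bytes (length prefix only)\n", k2);

    /* Under -fsanitize=undefined this call produces the nonnull report: */
    pack_key_part_buggy(key, &missing, 1);
    return 0;
}
```

Without the sanitizer the buggy call appears to work, because glibc's memcpy does nothing for n == 0; that is why this class of defect surfaces only in UBSAN builds such as the one the issue's Setup section describes, and why the fix is a length/pointer check before the call rather than a change to the copy itself.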



Comments
Comment by Roel Van de Paar [ 2021-10-15 ]

Additional testcase leading to a similar but slightly different stack:

SET SQL_MODE='';
CREATE TABLE t (c INT,d BLOB (1) NOT NULL,INDEX (c,d(1))) ENGINE=Aria;
INSERT INTO t (c) VALUES (0);

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

/test/11.0_dbg_san/storage/maria/ma_key.c:279:7: runtime error: null pointer passed as argument 2, which is declared to never be null

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug, UBASAN)

    #0 0x558073758037 in _ma_make_key /test/11.0_dbg_san/storage/maria/ma_key.c:279
    #1 0x5580737c2ee8 in maria_write /test/11.0_dbg_san/storage/maria/ma_write.c:189
    #2 0x5580736458ab in ha_maria::write_row(unsigned char const*) /test/11.0_dbg_san/storage/maria/ha_maria.cc:1304
    #3 0x558072442943 in handler::ha_write_row(unsigned char const*) /test/11.0_dbg_san/sql/handler.cc:7798
    #4 0x558070a67f8c in write_record(THD*, TABLE*, st_copy_info*, select_result*) /test/11.0_dbg_san/sql/sql_insert.cc:2204
    #5 0x558070acc88c in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.0_dbg_san/sql/sql_insert.cc:1154
    #6 0x558070cd700f in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:4569
    #7 0x558070cfc973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #8 0x558070d0c707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #9 0x558070d1a542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #10 0x5580716ef8b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #11 0x5580716f0dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #12 0x149e95a94b42 in start_thread nptl/pthread_create.c:442
    #13 0x149e95b269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Bug confirmed present in 10.2-11.1 (opt+dbg).

Comment by Roel Van de Paar [ 2023-07-01 ]

This additional testcase:

SET sql_mode='';
CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria;
INSERT INTO t VALUES (0);
UPDATE t SET c=NULL;

Produces these additional stacks/UniqueIDs:

UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|ha_maria::update_row|handler::ha_update_row
UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|handler::ha_update_row|Sql_cmd_update::update_single_table
UBSAN|null pointer passed as argument 2, which is declared to never be null|storage/maria/ma_key.c|_ma_make_key|maria_update|handler::ha_update_row|mysql_update

Note that without the sql_mode we get ERROR 1048 (23000): Column 'c' cannot be null.

Also, this testcase:

CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria;
INSERT INTO t VALUES (0);
UPDATE t SET c=(1+DEGREES (-1) MOD LOG2 (-1))%NULL;

Leads to:

11.1.2 3883eb63dc5e663558571c33d086c9fd3aa0cf8f (Debug)

11.1.2-dbg>CREATE TABLE t (c BLOB, PRIMARY KEY(c(1))) ENGINE=Aria;
Query OK, 0 rows affected (0.016 sec)
 
11.1.2-dbg>INSERT INTO t VALUES (0);
Query OK, 1 row affected (0.002 sec)
 
11.1.2-dbg>UPDATE t SET c=(1+DEGREES (-1) MOD LOG2 (-1))%NULL;
ERROR 1365 (22012): Division by 0

This seems to be an additional rounding bug of some sort (as NULL%NULL or 0%NULL results in the ERROR 1048 (23000): Column 'c' cannot be null error instead).

Generated at Thu Feb 08 09:48:21 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.