[MDEV-27164] UBSAN: strings/ctype-tis620.c:613:3: runtime error: null pointer passed as argument 2, which is declared to never be null
Created: 2021-12-03
Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Character Sets
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Alexander Barkov
Resolution: Unresolved
Votes: 0
Labels: None


Description

Possibly connected to MDEV-24901

SET NAMES tis620;
DO CHAR((WEIGHT_STRING (EXTRACTVALUE ((0),('t')) LEVEL 7 DESC)) USING cp852);

Leads to:

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Debug)

/test/10.8_dbg_san/strings/ctype-tis620.c:613:3: runtime error: null pointer passed as argument 2, which is declared to never be null

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Debug)

    #0 0x55d20db82193 in my_strnxfrm_tis620 /test/10.8_dbg_san/strings/ctype-tis620.c:613
    #1 0x55d20b4df5d7 in charset_info_st::strnxfrm(char*, unsigned long, unsigned int, char const*, unsigned long, unsigned int) const /test/10.8_dbg_san/include/m_ctype.h:816
    #2 0x55d20b4df5d7 in Item_func_weight_string::val_str(String*) /test/10.8_dbg_san/sql/item_strfunc.cc:3859
    #3 0x55d20b50dc22 in Item_str_func::val_int() /test/10.8_dbg_san/sql/item_strfunc.cc:160
    #4 0x55d20b525e2c in Item_func_char::val_str(String*) /test/10.8_dbg_san/sql/item_strfunc.cc:3095
    #5 0x55d20a2c6328 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.8_dbg_san/sql/sql_type.cc:4269
    #6 0x55d20899e69b in Item::update_null_value() /test/10.8_dbg_san/sql/item.h:2055
    #7 0x55d208b00328 in Item_func::is_null() /test/10.8_dbg_san/sql/item_func.h:176
    #8 0x55d20bd2b902 in mysql_do(THD*, List<Item>&) /test/10.8_dbg_san/sql/sql_do.cc:35
    #9 0x55d20939966b in mysql_execute_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:3973
    #10 0x55d2092fb9f6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_dbg_san/sql/sql_parse.cc:8028
    #11 0x55d209370fd8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1894
    #12 0x55d209387a3c in do_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1402
    #13 0x55d209e424f5 in do_handle_one_connection(CONNECT*, bool) /test/10.8_dbg_san/sql/sql_connect.cc:1418
    #14 0x55d209e4538f in handle_one_connection /test/10.8_dbg_san/sql/sql_connect.cc:1312
    #15 0x55d20c331990 in pfs_spawn_thread /test/10.8_dbg_san/storage/perfschema/pfs.cc:2201
    #16 0x147aa4d65608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #17 0x147aa3fdb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Optimized, UBASAN)

/test/10.8_opt_san/strings/ctype-tis620.c:613:3: runtime error: null pointer passed as argument 2, which is declared to never be null

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Optimized)

    #0 0x558d8e653c6a in my_strnxfrm_tis620 /test/10.8_opt_san/strings/ctype-tis620.c:613
    #1 0x558d90dae166 in charset_info_st::strnxfrm(char*, unsigned long, unsigned int, char const*, unsigned long, unsigned int) const /test/10.8_opt_san/include/m_ctype.h:816
    #2 0x558d90dae166 in Item_func_weight_string::val_str(String*) /test/10.8_opt_san/sql/item_strfunc.cc:3859
    #3 0x558d90d94a75 in Item_str_func::val_int() /test/10.8_opt_san/sql/item_strfunc.cc:160
    #4 0x558d90dc2560 in Item_func_char::val_str(String*) /test/10.8_opt_san/sql/item_strfunc.cc:3095
    #5 0x558d8fe278b3 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.8_opt_san/sql/sql_type.cc:4269
    #6 0x558d8ea810a2 in Item_func::is_null() /test/10.8_opt_san/sql/item_func.h:176
    #7 0x558d9149d81a in mysql_do(THD*, List<Item>&) /test/10.8_opt_san/sql/sql_do.cc:35
    #8 0x558d8f19b579 in mysql_execute_command(THD*, bool) /test/10.8_opt_san/sql/sql_parse.cc:3973
    #9 0x558d8f120e28 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_opt_san/sql/sql_parse.cc:8028
    #10 0x558d8f176bb9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_opt_san/sql/sql_parse.cc:1894
    #11 0x558d8f182412 in do_command(THD*, bool) /test/10.8_opt_san/sql/sql_parse.cc:1402
    #12 0x558d8fa4e5ed in do_handle_one_connection(CONNECT*, bool) /test/10.8_opt_san/sql/sql_connect.cc:1418
    #13 0x558d8fa510e4 in handle_one_connection /test/10.8_opt_san/sql/sql_connect.cc:1312
    #14 0x558d91ace461 in pfs_spawn_thread /test/10.8_opt_san/storage/perfschema/pfs.cc:2201
    #15 0x14f116fe0608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #16 0x14f116256292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt), 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)
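As an added illustration (not MariaDB's code and not the reporter's): a hypothetical miniature of a strnxfrm-style routine, showing how an empty input that arrives as a NULL pointer with length 0 trips UBSAN's nonnull-argument check, next to the guarded form that avoids it. That the flagged call is a memcpy with a nonnull attribute is an assumption; all function names and the sample input are invented.

```c
#include <stddef.h>
#include <string.h>
/* Added, hypothetical miniature of a strnxfrm-style routine; it is not
 * MariaDB's my_strnxfrm_tis620. It copies min(dstlen, srclen) key bytes
 * from src and pads the rest of dst with spaces. */
static size_t make_key_unguarded(unsigned char *dst, size_t dstlen,
                                 const unsigned char *src, size_t srclen)
{
  size_t len = dstlen < srclen ? dstlen : srclen;
  /* memcpy declares both pointers nonnull. An empty string arriving as
   * (NULL, 0) gives len == 0, so nothing is copied, yet UBSAN still reports
   * "null pointer passed as argument 2, which is declared to never be null".
   * Do not call this form with src == NULL under -fsanitize=undefined. */
  memcpy(dst, src, len);
  memset(dst + len, ' ', dstlen - len);
  return dstlen;
}

/* Hardened form: only touch src when there is at least one byte to copy,
 * so an empty input represented by a NULL pointer is handled cleanly. */
static size_t make_key_guarded(unsigned char *dst, size_t dstlen,
                               const unsigned char *src, size_t srclen)
{
  size_t len = dstlen < srclen ? dstlen : srclen;
  if (len > 0)
    memcpy(dst, src, len);
  memset(dst + len, ' ', dstlen - len);
  return dstlen;
}

/* Returns 1 if the key built from an empty (NULL, 0) input is all padding. */
static int empty_input_yields_padding(void)
{
  unsigned char key[4];
  size_t n = make_key_guarded(key, sizeof key, NULL, 0);
  for (size_t i = 0; i < n; i++)
    if (key[i] != ' ')
      return 0;
  return 1;
}

/* Returns 1 if both forms produce the same key for a non-empty input. */
static int forms_agree_on_nonempty(void)
{
  const unsigned char src[] = {0x74, 0x58};   /* constructed input "tX" */
  unsigned char a[4], b[4];
  make_key_unguarded(a, sizeof a, src, sizeof src);
  make_key_guarded(b, sizeof b, src, sizeof src);
  return memcmp(a, b, sizeof a) == 0 && a[0] == 't' && a[2] == ' ';
}
```

Compiled with -fsanitize=undefined, only make_key_unguarded called with a NULL src produces the report quoted in the description; the guarded form is silent for the same input.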



Comments
Comment by Roel Van de Paar [ 2022-09-28 ]

Updated versions with additional testcase:

SET collation_connection='tis620_thai_ci';
DO CHAR((WEIGHT_STRING (EXTRACTVALUE ((0),('tX')) LEVEL 7)) USING cp852);

Leads to:

UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-tis620.c|my_strnxfrm_tis620|Item_func_weight_string::val_str|Item_str_func::val_int|Item_func_char::val_str
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-tis620.c|my_strnxfrm_tis620|charset_info_st::strnxfrm|Item_func_weight_string::val_str|Item_str_func::val_int

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Generated at Thu Feb 08 09:50:49 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.