[MDEV-28384] UBSAN: null pointer passed as argument 1, which is declared to never be null in my_strnncoll_binary on SELECT ... COUNT or GROUP_CONCAT Created: 2022-04-22  Updated: 2023-08-04  Resolved: 2023-07-20

Status: Closed
Project: MariaDB Server
Component/s: Character Sets, Data types
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.8.8, 10.4.31, 10.5.22, 10.6.15, 10.9.8, 10.10.6, 10.11.5, 10.11.6, 11.0.3, 11.2.1

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: ASAN, UBSAN, affects-tests, regression-10.6

Issue Links:
Duplicate
is duplicated by MDEV-30982 UBSAN: runtime error: null pointer pa... Closed
Relates
relates to MDEV-30982 UBSAN: runtime error: null pointer pa... Closed
relates to MDEV-20619 AddressSanitizer: heap-use-after-free... Closed
relates to MDEV-31845 UBSAN: runtime error: null pointer pa... Confirmed

 Description    

CREATE TABLE t (c BLOB NOT NULL) ENGINE=InnoDB;
 
INSERT IGNORE INTO t VALUES (0);
 
SELECT COUNT(*) FROM t WHERE EXTRACTVALUE(c,'a')='a';

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

 
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

 
    #0 0x5633c2674f25 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
 
    #1 0x5633c2674f25 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
 
    #2 0x5633c493f6fb in Arg_comparator::compare() /test/10.9_opt_san/sql/item_cmpfunc.h:103
 
    #3 0x5633c493f6fb in Item_func_eq::val_int() /test/10.9_opt_san/sql/item_cmpfunc.cc:1762
 
    #4 0x5633c340c414 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21193
 
    #5 0x5633c3459933 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21095
 
    #6 0x5633c3605123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
 
    #7 0x5633c3605123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
 
    #8 0x5633c36099f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
 
    #9 0x5633c35f7b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
 
    #10 0x5633c35fba73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
 
    #11 0x5633c3212cdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
 
    #12 0x5633c325288b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
 
    #13 0x5633c31e20a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
 
    #14 0x5633c3238439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
 
    #15 0x5633c3243c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
 
    #16 0x5633c3b2ed3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
 
    #17 0x5633c3b31834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
 
    #18 0x5633c5c2f1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
 
    #19 0x14edd0d6b608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #20 0x14edcffe0162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)

 
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)

 
    #0 0x55f42cc16597 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
 
    #1 0x55f42cc165dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
 
    #2 0x55f428a406c5 in charset_info_st::strnncollsp(char const*, unsigned long, char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:864
 
    #3 0x55f428a406c5 in sortcmp(Binary_string const*, Binary_string const*, charset_info_st const*) /test/10.9_dbg_san/sql/sql_string.cc:853
 
    #4 0x55f429f237bf in Arg_comparator::compare_string() /test/10.9_dbg_san/sql/item_cmpfunc.cc:765
 
    #5 0x55f429f040f3 in Arg_comparator::compare() /test/10.9_dbg_san/sql/item_cmpfunc.h:103
 
    #6 0x55f429f040f3 in Item_func_eq::val_int() /test/10.9_dbg_san/sql/item_cmpfunc.cc:1762
 
    #7 0x55f4285b7d23 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21193
 
    #8 0x55f42865bffe in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21095
 
    #9 0x55f42882e362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
 
    #10 0x55f42882e362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
 
    #11 0x55f42882fc94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
 
    #12 0x55f42881f58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
 
    #13 0x55f428820ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
 
    #14 0x55f42838dfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
 
    #15 0x55f4283f3216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
 
    #16 0x55f428355728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
 
    #17 0x55f4283cb44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
 
    #18 0x55f4283e1fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
 
    #19 0x55f428eaec4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
 
    #20 0x55f428eb1ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
 
    #21 0x55f42b40ac62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
 
    #22 0x15066de74608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #23 0x15066d0e9162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
 
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
 
Set before execution:
 
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

 Comments   
Comment by Roel Van de Paar [ 2022-04-22 ]

The various UniqueID's seen throughout the versions and dbg/opt

UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Arg_comparator::compare|Item_func_eq::val_int
 
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|sortcmp
 
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|sortcmp|Arg_comparator::compare_string

Comment by Roel Van de Paar [ 2022-04-29 ]

Additional different testcase with additional stacks:

SET sql_mode='';
 
CREATE TABLE t (c TEXT NOT NULL) ENGINE=InnoDB;
 
INSERT INTO t VALUES();
 
INSERT IGNORE INTO t VALUES (@VALUE);
 
SELECT GROUP_CONCAT(c ORDER BY BINARY c) FROM t GROUP BY c;

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN)

 
Version: '10.9.0-MariaDB'  socket: '/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/socket.sock'  port: 10345  MariaDB Server
 
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
 
    #0 0x55ce82c6ff25 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
 
    #1 0x55ce82c6ff25 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
 
    #2 0x55ce85764b0f in group_concat_key_cmp_with_order /test/10.9_opt_san/sql/item_sum.cc:3673
 
    #3 0x55ce879f2ece in tree_insert /test/10.9_opt_san/mysys/tree.c:249
 
    #4 0x55ce857d14cb in Item_func_group_concat::add(bool) /test/10.9_opt_san/sql/item_sum.cc:4208
 
    #5 0x55ce83b1d693 in Aggregator_simple::add() /test/10.9_opt_san/sql/item_sum.h:720
 
    #6 0x55ce83b1d693 in Item_sum::aggregator_add() /test/10.9_opt_san/sql/item_sum.h:564
 
    #7 0x55ce83b1d693 in update_sum_func /test/10.9_opt_san/sql/sql_select.cc:26272
 
    #8 0x55ce83b1d693 in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:22560
 
    #9 0x55ce83a07ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
 
    #10 0x55ce83a54b31 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21134
 
    #11 0x55ce83c00123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
 
    #12 0x55ce83c00123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
 
    #13 0x55ce83c049f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
 
    #14 0x55ce83bf2b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
 
    #15 0x55ce83bf6a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
 
    #16 0x55ce8380dcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
 
    #17 0x55ce8384d88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
 
    #18 0x55ce837dd0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
 
    #19 0x55ce83833439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
 
    #20 0x55ce8383ec92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
 
    #21 0x55ce84129d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
 
    #22 0x55ce8412c834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
 
    #23 0x55ce8622a1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
 
    #24 0x1510429db608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #25 0x151041c50162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
 
 
/test/10.9_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
 
    #0 0x55ce82c6ff46 in my_strnncoll_binary /test/10.9_opt_san/strings/ctype-bin.c:89
 
    #1 0x55ce82c6ff46 in my_strnncollsp_binary /test/10.9_opt_san/strings/ctype-bin.c:128
 
    #2 0x55ce85764b0f in group_concat_key_cmp_with_order /test/10.9_opt_san/sql/item_sum.cc:3673
 
    #3 0x55ce879f2ece in tree_insert /test/10.9_opt_san/mysys/tree.c:249
 
    #4 0x55ce857d14cb in Item_func_group_concat::add(bool) /test/10.9_opt_san/sql/item_sum.cc:4208
 
    #5 0x55ce83b1d693 in Aggregator_simple::add() /test/10.9_opt_san/sql/item_sum.h:720
 
    #6 0x55ce83b1d693 in Item_sum::aggregator_add() /test/10.9_opt_san/sql/item_sum.h:564
 
    #7 0x55ce83b1d693 in update_sum_func /test/10.9_opt_san/sql/sql_select.cc:26272
 
    #8 0x55ce83b1d693 in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:22560
 
    #9 0x55ce83a07ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
 
    #10 0x55ce83a54b31 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21134
 
    #11 0x55ce83c00123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
 
    #12 0x55ce83c00123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
 
    #13 0x55ce83c049f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
 
    #14 0x55ce83bf2b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
 
    #15 0x55ce83bf6a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
 
    #16 0x55ce8380dcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
 
    #17 0x55ce8384d88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
 
    #18 0x55ce837dd0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
 
    #19 0x55ce83833439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
 
    #20 0x55ce8383ec92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
 
    #21 0x55ce84129d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
 
    #22 0x55ce8412c834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
 
    #23 0x55ce8622a1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
 
    #24 0x1510429db608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #25 0x151041c50162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)

 
Version: '10.9.0-MariaDB-debug'  socket: '/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/socket.sock'  port: 11078  MariaDB Server
 
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null
 
    #0 0x5629564a5597 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
 
    #1 0x5629564a55dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
 
    #2 0x5629533afd90 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:859
 
    #3 0x5629533afd90 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/10.9_dbg_san/sql/field.cc:8761
 
    #4 0x5629533b0160 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/10.9_dbg_san/sql/field.cc:8771
 
    #5 0x56295413f1bb in group_concat_key_cmp_with_order /test/10.9_dbg_san/sql/item_sum.cc:3673
 
    #6 0x562956426586 in tree_insert /test/10.9_dbg_san/mysys/tree.c:249
 
    #7 0x5629541bb96d in Item_func_group_concat::add(bool) /test/10.9_dbg_san/sql/item_sum.cc:4208
 
    #8 0x562952ac1eac in Item_func_group_concat::add() /test/10.9_dbg_san/sql/item_sum.h:2043
 
    #9 0x5629541c4262 in Aggregator_simple::add() /test/10.9_dbg_san/sql/item_sum.h:720
 
    #10 0x562951e1ee72 in Item_sum::aggregator_add() /test/10.9_dbg_san/sql/item_sum.h:564
 
    #11 0x562951e1ee72 in update_sum_func /test/10.9_dbg_san/sql/sql_select.cc:26272
 
    #12 0x562951ff446f in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:22560
 
    #13 0x562951e47e43 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21325
 
    #14 0x562951eeb7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
 
    #15 0x5629520bd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
 
    #16 0x5629520bd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
 
    #17 0x5629520bec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
 
    #18 0x5629520ae58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
 
    #19 0x5629520afef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
 
    #20 0x562951c1cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
 
    #21 0x562951c82216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
 
    #22 0x562951be4728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
 
    #23 0x562951c5a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
 
    #24 0x562951c70fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
 
    #25 0x56295273dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
 
    #26 0x562952740ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
 
    #27 0x562954c99c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
 
    #28 0x14d8896f0608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #29 0x14d888965162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
 
 
/test/10.9_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
 
    #0 0x5629564a55a5 in my_strnncoll_binary /test/10.9_dbg_san/strings/ctype-bin.c:89
 
    #1 0x5629564a55dd in my_strnncollsp_binary /test/10.9_dbg_san/strings/ctype-bin.c:128
 
    #2 0x5629533afd90 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/10.9_dbg_san/include/m_ctype.h:859
 
    #3 0x5629533afd90 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/10.9_dbg_san/sql/field.cc:8761
 
    #4 0x5629533b0160 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/10.9_dbg_san/sql/field.cc:8771
 
    #5 0x56295413f1bb in group_concat_key_cmp_with_order /test/10.9_dbg_san/sql/item_sum.cc:3673
 
    #6 0x562956426586 in tree_insert /test/10.9_dbg_san/mysys/tree.c:249
 
    #7 0x5629541bb96d in Item_func_group_concat::add(bool) /test/10.9_dbg_san/sql/item_sum.cc:4208
 
    #8 0x562952ac1eac in Item_func_group_concat::add() /test/10.9_dbg_san/sql/item_sum.h:2043
 
    #9 0x5629541c4262 in Aggregator_simple::add() /test/10.9_dbg_san/sql/item_sum.h:720
 
    #10 0x562951e1ee72 in Item_sum::aggregator_add() /test/10.9_dbg_san/sql/item_sum.h:564
 
    #11 0x562951e1ee72 in update_sum_func /test/10.9_dbg_san/sql/sql_select.cc:26272
 
    #12 0x562951ff446f in end_send_group(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:22560
 
    #13 0x562951e47e43 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21325
 
    #14 0x562951eeb7dc in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21134
 
    #15 0x5629520bd362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
 
    #16 0x5629520bd362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
 
    #17 0x5629520bec94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
 
    #18 0x5629520ae58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
 
    #19 0x5629520afef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
 
    #20 0x562951c1cfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
 
    #21 0x562951c82216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
 
    #22 0x562951be4728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
 
    #23 0x562951c5a44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
 
    #24 0x562951c70fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
 
    #25 0x56295273dc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
 
    #26 0x562952740ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
 
    #27 0x562954c99c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
 
    #28 0x14d8896f0608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
 
    #29 0x14d888965162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

UniqueID's/stacks seen for this one:

UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Field_blob::cmp|Field_blob::cmp
 
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|Field_blob::cmp
 
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|group_concat_key_cmp_with_order|tree_insert

Comment by Alice Sherepa [ 2022-07-18 ]

with ASAN- heap-use-after-free 

=================================================================
 
==652286==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000883c8 at pc 0x7f2b530ffd10 bp 0x7f2b2e3f83a0 sp 0x7f2b2e3f7b48
 
READ of size 45 at 0x6100000883c8 thread T23
 
    #0 0x7f2b530ffd0f in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825
 
    #1 0x55f37a8a2db7 in my_strnncoll_binary /10.10/strings/ctype-bin.c:89
 
    #2 0x55f37a8a2e42 in my_strnncollsp_binary /10.10/strings/ctype-bin.c:128
 
    #3 0x55f3793e8be3 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /10.10/include/m_ctype.h:859
 
    #4 0x55f3793d19e6 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /10.10/sql/field.cc:8793
 
    #5 0x55f3793d1cef in Field_blob::cmp(unsigned char const*, unsigned char const*) const /10.10/sql/field.cc:8803
 
    #6 0x55f379711f59 in group_concat_key_cmp_with_order /10.10/sql/item_sum.cc:3682
 
    #7 0x55f37a83af69 in tree_insert /10.10/mysys/tree.c:249
 
    #8 0x55f3797179a2 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4217
 
    #9 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
 
    #10 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
 
    #11 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
 
    #12 0x55f378cfb8e3 in update_sum_func /10.10/sql/sql_select.cc:26860
 
    #13 0x55f378ce0580 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23141
 
    #14 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
 
    #15 0x55f378cd519a in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21715
 
    #16 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
 
    #17 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
 
    #18 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
 
    #19 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
 
    #20 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
 
    #21 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
 
    #22 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
 
    #23 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
 
    #24 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
 
    #25 0x55f378b2fd20 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
 
    #26 0x55f378fe68e9 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
 
    #27 0x55f378fe6175 in handle_one_connection /10.10/sql/sql_connect.cc:1312
 
    #28 0x55f379c0c455 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
 
    #29 0x7f2b52ba6608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
    #30 0x7f2b52777132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
 
 
0x6100000883c8 is located 136 bytes inside of 188-byte region [0x610000088340,0x6100000883fc)
 
freed by thread T23 here:
 
    #0 0x7f2b5313240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
 
    #1 0x55f37a849d64 in free_memory /10.10/mysys/safemalloc.c:297
 
    #2 0x55f37a8491a1 in sf_free /10.10/mysys/safemalloc.c:203
 
    #3 0x55f37a816ba2 in my_free /10.10/mysys/my_malloc.c:211
 
    #4 0x55f378791c27 in Binary_string::free_buffer() /10.10/sql/sql_string.h:227
 
    #5 0x55f378de58c5 in Binary_string::real_alloc(unsigned long) /10.10/sql/sql_string.cc:44
 
    #6 0x55f378858348 in Binary_string::alloc(unsigned long) /10.10/sql/sql_string.h:703
 
    #7 0x55f378de6fc1 in Binary_string::copy(char const*, unsigned long) /10.10/sql/sql_string.cc:258
 
    #8 0x55f3787924ab in String::copy(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_string.h:890
 
    #9 0x55f3792104b4 in Field_geom::store(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_type_geom.cc:891
 
    #10 0x55f3793fb3d6 in do_save_blob /10.10/sql/field_conv.cc:359
 
    #11 0x55f3793fa35a in do_copy_null /10.10/sql/field_conv.cc:246
 
    #12 0x55f378cf8915 in copy_fields(TMP_TABLE_PARAM*) /10.10/sql/sql_select.cc:26470
 
    #13 0x55f379716fb8 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4162
 
    #14 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
 
    #15 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
 
    #16 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
 
    #17 0x55f378cfb8e3 in update_sum_func /10.10/sql/sql_select.cc:26860
 
    #18 0x55f378ce0580 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23141
 
    #19 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
 
    #20 0x55f378cd519a in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21715
 
    #21 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
 
    #22 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
 
    #23 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
 
    #24 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
 
    #25 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
 
    #26 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
 
    #27 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
 
    #28 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
 
    #29 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
 
 
 
previously allocated by thread T23 here:
 
    #0 0x7f2b53132808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
 
    #1 0x55f37a848b55 in sf_malloc /10.10/mysys/safemalloc.c:126
 
    #2 0x55f37a815d7c in my_malloc /10.10/mysys/my_malloc.c:90
 
    #3 0x55f378de5969 in Binary_string::real_alloc(unsigned long) /10.10/sql/sql_string.cc:45
 
    #4 0x55f378858348 in Binary_string::alloc(unsigned long) /10.10/sql/sql_string.h:703
 
    #5 0x55f378de6fc1 in Binary_string::copy(char const*, unsigned long) /10.10/sql/sql_string.cc:258
 
    #6 0x55f3787924ab in String::copy(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_string.h:890
 
    #7 0x55f3792104b4 in Field_geom::store(char const*, unsigned long, charset_info_st const*) /10.10/sql/sql_type_geom.cc:891
 
    #8 0x55f3793fb3d6 in do_save_blob /10.10/sql/field_conv.cc:359
 
    #9 0x55f3793fa35a in do_copy_null /10.10/sql/field_conv.cc:246
 
    #10 0x55f378cf8915 in copy_fields(TMP_TABLE_PARAM*) /10.10/sql/sql_select.cc:26470
 
    #11 0x55f379716fb8 in Item_func_group_concat::add(bool) /10.10/sql/item_sum.cc:4162
 
    #12 0x55f37914f37c in Item_func_group_concat::add() /10.10/sql/item_sum.h:2043
 
    #13 0x55f37971ca5d in Aggregator_simple::add() /10.10/sql/item_sum.h:720
 
    #14 0x55f3788251ab in Item_sum::aggregator_add() (/10.10/sql/mariadbd+0x18e21ab)
 
    #15 0x55f378824ff9 in Item_sum::reset_and_add() /10.10/sql/item_sum.h:445
 
    #16 0x55f378cfb828 in init_sum_functions /10.10/sql/sql_select.cc:26842
 
    #17 0x55f378ce0356 in end_send_group(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:23132
 
    #18 0x55f378cd6263 in evaluate_join_record /10.10/sql/sql_select.cc:21906
 
    #19 0x55f378cd4b28 in sub_select(JOIN*, st_join_table*, bool) /10.10/sql/sql_select.cc:21676
 
    #20 0x55f378cd2b3b in do_select /10.10/sql/sql_select.cc:21221
 
    #21 0x55f378c5b639 in JOIN::exec_inner() /10.10/sql/sql_select.cc:4794
 
    #22 0x55f378c58b39 in JOIN::exec() /10.10/sql/sql_select.cc:4572
 
    #23 0x55f378c5d0a8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.10/sql/sql_select.cc:5052
 
    #24 0x55f378c2d2da in handle_select(THD*, LEX*, select_result*, unsigned long) /10.10/sql/sql_select.cc:583
 
    #25 0x55f378b51cda in execute_sqlcom_select /10.10/sql/sql_parse.cc:6260
 
    #26 0x55f378b4070f in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:3944
 
    #27 0x55f378b5cfba in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
 
    #28 0x55f378b32f9f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
 
    #29 0x55f378b2fd20 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
 
 
 
Thread T23 created by T0 here:
 
    #0 0x7f2b5305f815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
 
    #1 0x55f379c08032 in my_thread_create /10.10/storage/perfschema/my_thread.h:52
 
    #2 0x55f379c0c848 in pfs_spawn_thread_v1 /10.10/storage/perfschema/pfs.cc:2252
 
    #3 0x55f37876cca8 in inline_mysql_thread_create /10.10/include/mysql/psi/mysql_thread.h:1139
 
    #4 0x55f378784c83 in create_thread_to_handle_connection(CONNECT*) /10.10/sql/mysqld.cc:6015
 
    #5 0x55f3787852ff in create_new_thread(CONNECT*) /10.10/sql/mysqld.cc:6074
 
    #6 0x55f37878566c in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/sql/mysqld.cc:6136
 
    #7 0x55f378786041 in handle_connections_sockets() /10.10/sql/mysqld.cc:6260
 
    #8 0x55f378784490 in mysqld_main(int, char**) /10.10/sql/mysqld.cc:5910
 
    #9 0x55f37876bfcc in main /10.10/sql/main.cc:34
 
    #10 0x7f2b5267c082 in __libc_start_main ../csu/libc-start.c:308
 
 
 
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:825 in __interceptor_memcmp
 
Shadow bytes around the buggy address:
 
  0x0c2080009020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2080009030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2080009040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2080009050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c2080009060: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
 
=>0x0c2080009070: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
 
  0x0c2080009080: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
 
  0x0c2080009090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 
  0x0c20800090a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c20800090b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c20800090c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==652286==ABORTING

Comment by Roel Van de Paar [ 2023-03-31 ]

An additional UBSAN issue, this time on argument 2:

SET sql_mode='';
 
CREATE TABLE t (c INT) ENGINE=InnoDB;
 
INSERT INTO t VALUES();
 
ALTER TABLE t ADD c2 BLOB NOT NULL;
 
CREATE TABLE t2 SELECT * FROM t;
 
DELETE FROM t;
 
INSERT INTO t VALUES (0,0);
 
INSERT INTO t SELECT * FROM t2;
 
SELECT (SELECT GROUP_CONCAT(DISTINCT c2) FROM t);

Leads to:

11.0.2 a79abb6517f2fa68b48e61aa3354a0631e3a63f7 (Debug)

 
/test/11.0_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null
 
    #0 0x5583340c52c1 in my_strnncoll_binary /test/11.0_dbg_san/strings/ctype-bin.c:89
 
    #1 0x5583340c52fc in my_strnncollsp_binary /test/11.0_dbg_san/strings/ctype-bin.c:128
 
    #2 0x558331891ea4 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /test/11.0_dbg_san/include/m_ctype.h:1013
 
    #3 0x558331891ea4 in Field_blob::cmp(unsigned char const*, unsigned int, unsigned char const*, unsigned int) const /test/11.0_dbg_san/sql/field.cc:8801
 
    #4 0x558331892264 in Field_blob::cmp(unsigned char const*, unsigned char const*) const /test/11.0_dbg_san/sql/field.cc:8811
 
    #5 0x558332553756 in group_concat_key_cmp_with_distinct /test/11.0_dbg_san/sql/item_sum.cc:3584
 
    #6 0x558334050bd7 in tree_insert /test/11.0_dbg_san/mysys/tree.c:249
 
    #7 0x5583325ceca0 in Unique::unique_add(void*) /test/11.0_dbg_san/sql/uniques.h:66
 
    #8 0x5583325ceca0 in Item_func_group_concat::add(bool) /test/11.0_dbg_san/sql/item_sum.cc:4213
 
    #9 0x55833100cc35 in Item_func_group_concat::add() /test/11.0_dbg_san/sql/item_sum.h:2051
 
    #10 0x5583325d75e5 in Aggregator_simple::add() /test/11.0_dbg_san/sql/item_sum.h:727
 
    #11 0x55833043a778 in Item_sum::aggregator_add() /test/11.0_dbg_san/sql/item_sum.h:571
 
    #12 0x55833043a778 in update_sum_func /test/11.0_dbg_san/sql/sql_select.cc:28279
 
    #13 0x5583305ffc51 in end_send_group(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:24534
 
    #14 0x55833045ca53 in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23269
 
    #15 0x55833050468a in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23073
 
    #16 0x5583306c5dde in do_select /test/11.0_dbg_san/sql/sql_select.cc:22568
 
    #17 0x5583306c5dde in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
 
    #18 0x5583306c757a in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
 
    #19 0x558332488a07 in subselect_single_select_engine::exec() /test/11.0_dbg_san/sql/item_subselect.cc:4157
 
    #20 0x558332498f29 in Item_subselect::exec() /test/11.0_dbg_san/sql/item_subselect.cc:812
 
    #21 0x5583324762a6 in Item_singlerow_subselect::val_str(String*) /test/11.0_dbg_san/sql/item_subselect.cc:1484
 
    #22 0x5583311d25a1 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.cc:7446
 
    #23 0x558330c20aa2 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /test/11.0_dbg_san/sql/sql_type.h:5455
 
    #24 0x55832f9c459c in Item::send(Protocol*, st_value*) /test/11.0_dbg_san/sql/item.h:1235
 
    #25 0x55832fb8005c in Protocol::send_result_set_row(List<Item>*) /test/11.0_dbg_san/sql/protocol.cc:1332
 
    #26 0x55832ff499ca in select_send::send_data(List<Item>&) /test/11.0_dbg_san/sql/sql_class.cc:3102
 
    #27 0x5583306c0b03 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.0_dbg_san/sql/sql_class.h:5748
 
    #28 0x5583306c0b03 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4761
 
    #29 0x5583306c757a in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
 
    #30 0x5583306b5d38 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
 
    #31 0x5583306ba193 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
 
    #32 0x558330239973 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
 
    #33 0x55833029acce in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
 
    #34 0x5583302ca5e6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
 
    #35 0x5583302da37a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
 
    #36 0x5583302e817f in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
 
    #37 0x558330cac459 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
 
    #38 0x558330cad974 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
 
    #39 0x150abc01db42 in start_thread nptl/pthread_create.c:442
 
    #40 0x150abc0af9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
 
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
 
Set before execution:
 
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

Bug confirmed present in:
MariaDB: 10.3.39 (dbg), 10.3.39 (opt), 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (dbg), 10.11.3 (opt), 11.0.2 (dbg), 11.0.2 (opt)

Three new UBSAN stacks/UniqueID's seen across versions and build types with this testcase:

UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Field_blob::cmp|Field_blob::cmp
 
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|Field_blob::cmp
 
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|group_concat_key_cmp_with_distinct|tree_insert

Comment by Roel Van de Paar [ 2023-06-14 ]

Additional testcase which produces a new stack on optimized builds:

SET sql_mode='';
 
CREATE TABLE t (c DECIMAL(2,2) ZEROFILL,c2 SET('') CHARACTER SET 'BINARY' COLLATE 'BINARY',c3 TIMESTAMP,KEY(c)) ENGINE=InnoDB;
 
INSERT INTO t VALUES (1,0,0);
 
SELECT * FROM t WHERE c2 BETWEEN ':1:1' AND ':1:1' ORDER BY c2;

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized)

 
/test/11.0_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Optimized)

 
    #0 0x5573b84c9547 in my_strnncoll_binary /test/11.0_opt_san/strings/ctype-bin.c:89
 
    #1 0x5573b84c9547 in my_strnncollsp_binary /test/11.0_opt_san/strings/ctype-bin.c:128
 
    #2 0x5573ba7fd2c7 in Item_func_between::val_int_cmp_string() /test/11.0_opt_san/sql/item_cmpfunc.cc:2238
 
    #3 0x5573ba4f8532 in SQL_SELECT::skip_record(THD*) /test/11.0_opt_san/sql/opt_range.h:1913
 
    #4 0x5573ba4f8532 in find_all_keys /test/11.0_opt_san/sql/filesort.cc:1004
 
    #5 0x5573ba4f8532 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/11.0_opt_san/sql/filesort.cc:408
 
    #6 0x5573b9342ed1 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/11.0_opt_san/sql/sql_select.cc:26630
 
    #7 0x5573b934490d in st_join_table::sort_table() /test/11.0_opt_san/sql/sql_select.cc:24293
 
    #8 0x5573b9344ea9 in join_init_read_record(st_join_table*) /test/11.0_opt_san/sql/sql_select.cc:24213
 
    #9 0x5573b9285934 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_opt_san/sql/sql_select.cc:23249
 
    #10 0x5573b94672e3 in do_select /test/11.0_opt_san/sql/sql_select.cc:22780
 
    #11 0x5573b94672e3 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4900
 
    #12 0x5573b946c743 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4677
 
    #13 0x5573b945a1f0 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5158
 
    #14 0x5573b945dd80 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:616
 
    #15 0x5573b8fdeb80 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6279
 
    #16 0x5573b90445f6 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
 
    #17 0x5573b90554d2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8014
 
    #18 0x5573b9062f5d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
 
    #19 0x5573b906c728 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
 
    #20 0x5573b997b80c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
 
    #21 0x5573b997de0c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
 
    #22 0x14b655894b42 in start_thread nptl/pthread_create.c:442
 
    #23 0x14b6559269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

This one is present in 10.6+ only

Comment by Alexander Barkov [ 2023-07-20 ]

The same problem is repeatable with a binary collation of a 8bit character set, e.g.:

CREATE TABLE t (c TEXT CHARACTER SET latin1 COLLATE latin1_bin NOT NULL);
 
INSERT IGNORE INTO t VALUES (0);
 
SELECT COUNT(*) FROM t WHERE EXTRACTVALUE(c,'a')='a';
 
DROP TABLE t;


SET sql_mode='';
 
CREATE TABLE t (c TEXT CHARACTER SET latin1 COLLATE latin1_bin NOT NULL);
 
INSERT INTO t VALUES();
 
INSERT IGNORE INTO t VALUES (NULL);
 
SELECT GROUP_CONCAT(c ORDER BY BINARY c) FROM t GROUP BY c;
 
DROP TABLE t;

Generated at Thu Feb 08 10:00:19 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.