[MDEV-31338] UBSAN: runtime error: member access within null pointer of type 'struct SPIDER_FIELD_CHAIN' and SIGSEGV in spider_db_open_item_ident on SELECT Created: 2023-05-25  Updated: 2023-09-12  Resolved: 2023-06-14

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Spider
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Yuchen Pei
Resolution: Duplicate Votes: 0
Labels: UBSAN

Issue Links:
Duplicate
duplicates MDEV-29447 SIGSEGV in spider_db_open_item_field ... Closed

 Description   

INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE SERVER s FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE '', USER '', PASSWORD '');
CREATE TABLE t (c BLOB) ENGINE=InnoDB;
CREATE TABLE ts (c BLOB) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "s",TABLE "t"';
SELECT TRIM(BOTH ' ' FROM c) FROM ts ORDER BY c;

Leads to:

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

/test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7624:32: runtime error: member access within null pointer of type 'struct SPIDER_FIELD_CHAIN'

11.0.2 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a (Debug)

    #0 0x150d1b92ad7d in spider_db_open_item_ident(Item_ident*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7624
    #1 0x150d1b92d7cd in spider_db_open_item_field(Item_field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7759
    #2 0x150d1b932a4c in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7387
    #3 0x150d1bc59e48 in spider_mbase_handler::append_order_by(st_order*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:15213
    #4 0x150d1bc5a095 in spider_mbase_handler::append_order_by_part(st_order*, char const*, unsigned int, bool, spider_fields*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:15190
    #5 0x150d1bc768d2 in spider_group_by_handler::init_scan() /test/11.0_dbg_san/storage/spider/spd_group_by_handler.cc:1347
    #6 0x55f4e0f82c9a in Pushdown_query::execute(JOIN*) /test/11.0_dbg_san/sql/group_by_handler.cc:49
    #7 0x55f4e0e0c68f in do_select /test/11.0_dbg_san/sql/sql_select.cc:22665
    #8 0x55f4e0e0c68f in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4900
    #9 0x55f4e0e0f916 in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4677
    #10 0x55f4e0dfe0c1 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5158
    #11 0x55f4e0e0251c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:616
    #12 0x55f4e0974a01 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #13 0x55f4e09d5ef5 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #14 0x55f4e0a05973 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8014
    #15 0x55f4e0a15707 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #16 0x55f4e0a23542 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #17 0x55f4e13f88b5 in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #18 0x55f4e13f9dd0 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #19 0x150d3ea94b42 in start_thread nptl/pthread_create.c:442
    #20 0x150d3eb269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.4.30 (dbg), 10.4.30 (opt), 10.5.21 (dbg), 10.5.21 (opt), 10.6.14 (dbg), 10.6.14 (opt), 10.9.7 (dbg), 10.9.7 (opt), 10.10.5 (dbg), 10.10.5 (opt), 10.11.4 (dbg), 10.11.4 (opt), 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)



 Comments   
Comment by Roel Van de Paar [ 2023-05-25 ]

MTR testcase:

IF (`SELECT NOT(COUNT(*)) FROM information_schema.system_variables WHERE variable_name='have_sanitizer' AND global_value LIKE "%UBSAN%"`)
{
--skip Test needs to be run with an UBSAN build
}
--source include/have_innodb.inc
--let $SOCKET= `SELECT @@global.socket`
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
CREATE USER spider@localhost IDENTIFIED BY 'pwd';
GRANT ALL ON test.* TO spider@localhost;
eval CREATE SERVER s FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET",DATABASE 'test',USER 'spider',PASSWORD 'pwd');
CREATE TABLE t (c BLOB) ENGINE=InnoDB;
CREATE TABLE ts (c BLOB) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "s",TABLE "t"';
SELECT TRIM(BOTH ' ' FROM c) FROM ts ORDER BY c;

Comment by Yuchen Pei [ 2023-05-25 ]

I can get a sigsegv without a ubsan/asan build at 11.0 368dd22a816f3b437bccd0b9ff28b9de9b1abf0a. Judging from the query that caused it and the backtrace, I suspect it is related to MDEV-29447, if not caused by the same problem / duplicate.

Comment by Roel Van de Paar [ 2023-05-27 ]

It indeed looks related to MDEV-29447. Here is the UniqueID/stack summary from this bug (without UBSAN):

SIGSEGV|spider_db_open_item_ident|spider_db_open_item_field|spider_db_print_item_type|spider_mbase_handler::append_order_by

And here is the one from MDEV-29447:

SIGSEGV|spider_db_open_item_field|spider_db_print_item_type|spider_db_mbase_util::open_item_func|spider_db_open_item_func

Similar, though not identical (also note _ident vs _field in first frame).
Sidenote: the crash/UniqueID produced by this SQL was not known yet (the bug was registered as an UBSAN issue only thus far).

Comment by Roel Van de Paar [ 2023-05-27 ]

Across versions and build types the SQL in this bug produces the following UniqueID's/stacks:

SIGSEGV|spider_db_open_item_ident|spider_db_open_item_field|spider_db_print_item_type|spider_mbase_handler::append_order_by
SIGSEGV|spider_db_open_item_ident|spider_mbase_handler::append_order_by|spider_mbase_handler::append_order_by|spider_group_by_handler::init_scan
UBSAN|member access within null pointer of type 'struct SPIDER_FIELD_CHAIN'|storage/spider/spd_db_conn.cc
UBSAN|member access within null pointer of type 'struct SPIDER_FIELD_CHAIN'|storage/spider/spd_db_conn.cc|spider_db_open_item_ident|spider_db_open_item_field|spider_db_print_item_type|spider_mbase_handler::append_order_by
UBSAN|member access within null pointer of type 'struct SPIDER_FIELD_CHAIN'|storage/spider/spd_db_conn.cc|spider_db_open_item_ident|spider_db_open_item_field|spider_mbase_handler::append_order_by|spider_mbase_handler::append_order_by
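
The UniqueID strings above are crash signatures: the sanitizer message and source file (for UBSAN), followed by the top few function names of the stack. As an added example (not the reporter's own tooling, whose exact rules are not on this page), the following Python derives such a signature from a sanitizer report. The output format is read off the UniqueIDs quoted in these comments and is therefore an assumption, as are the list of source-tree root directories used to strip the build prefix and the decision to drop sanitizer-runtime frames. The UBSAN sample is copied from the report in the description; the SEGV and message-only samples are constructed from it.

```python
"""Derive a crash "UniqueID" like the ones quoted in this ticket from sanitizer output.

Added example for this page, not the reporter's own tooling: the real rules
used to produce the UniqueIDs above are not on this page, so the format here
is read off the strings in the comments (assumption):

    UBSAN|<runtime error message>|<source file, tree-relative>|<frame>|...
    SIGSEGV|<frame>|<frame>|...

where each <frame> is a function name from the top of the stack with its
argument list removed.
"""
import re

# "    #3 0x150d1bc59e48 in spider_mbase_handler::append_order_by(st_order*, ...) /test/.../spd_db_mysql.cc:15213"
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+(?:\s+in\s+(?P<rest>\S.*?))?\s*$")
# "/test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7624:32: runtime error: member access within ..."
UBSAN_RE = re.compile(r"^(?P<file>\S+?):\d+:\d+:\s+runtime error:\s+(?P<msg>.+?)\s*$")

# Assumption: top-level directories of the MariaDB source tree; anything before
# them in a path is the checkout or build prefix and is stripped.
SOURCE_ROOTS = ("storage/", "sql/", "mysys/", "include/", "plugin/", "strings/", "client/")
# Assumption: frames inside the sanitizer runtime are not part of the signature.
RUNTIME_PREFIXES = ("__ubsan", "__asan", "__sanitizer", "__interceptor")
MAX_FRAMES = 4


def strip_prefix(path: str) -> str:
    """Return path from the first known source-tree root onwards."""
    hits = [path.find("/" + root) for root in SOURCE_ROOTS]
    hits = [h for h in hits if h >= 0]
    return path[min(hits) + 1:] if hits else path


def function_name(rest: str) -> str:
    """Cut 'name(args) /path:line' or 'name /path:line' down to 'name'.

    Spaces inside template arguments (List<Item, ...>) do not end the name;
    operator<< style names are not handled.
    """
    angle = 0
    for i, ch in enumerate(rest):
        if ch == "(" and angle == 0:
            return rest[:i]
        if ch == "<":
            angle += 1
        elif ch == ">" and angle > 0:
            angle -= 1
        elif ch.isspace() and angle == 0:
            return rest[:i]
    return rest


def unique_id(report: str, signal: str = "SIGSEGV") -> str:
    """Build the signature: UBSAN message and file if present, then top frames.

    `signal` names the crash when there is no UBSAN runtime error line.
    """
    ubsan_msg = ubsan_file = None
    frames = []
    for line in report.splitlines():
        m = UBSAN_RE.match(line)
        if m and ubsan_msg is None:
            ubsan_msg = m.group("msg")
            ubsan_file = strip_prefix(m.group("file"))
            continue
        m = FRAME_RE.match(line)
        if not m or m.group("rest") is None:
            continue  # not a frame, or a frame with no symbol (bare address in libc)
        name = function_name(m.group("rest"))
        if name.startswith(RUNTIME_PREFIXES):
            continue
        frames.append(name)
        if len(frames) == MAX_FRAMES:
            break
    head = ["UBSAN", ubsan_msg, ubsan_file] if ubsan_msg is not None else [signal]
    return "|".join(head + frames)


# Copied from the UBSAN report in this ticket (message plus the first five frames).
UBSAN_REPORT = """\
/test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7624:32: runtime error: member access within null pointer of type 'struct SPIDER_FIELD_CHAIN'
    #0 0x150d1b92ad7d in spider_db_open_item_ident(Item_ident*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7624
    #1 0x150d1b92d7cd in spider_db_open_item_field(Item_field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7759
    #2 0x150d1b932a4c in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_conn.cc:7387
    #3 0x150d1bc59e48 in spider_mbase_handler::append_order_by(st_order*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:15213
    #4 0x150d1bc5a095 in spider_mbase_handler::append_order_by_part(st_order*, char const*, unsigned int, bool, spider_fields*, unsigned long) /test/11.0_dbg_san/storage/spider/spd_db_mysql.cc:15190
"""
# Constructed: the same stack as an ASAN SEGV report (no UBSAN line), and the
# message-only form UBSAN prints when UBSAN_OPTIONS=print_stacktrace=1 is not set.
SEGV_REPORT = ("==1234==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000\n"
               + UBSAN_REPORT.split("\n", 1)[1])
MESSAGE_ONLY = UBSAN_REPORT.split("\n", 1)[0]

if __name__ == "__main__":
    print(unique_id(UBSAN_REPORT))
    print(unique_id(SEGV_REPORT))
    print(unique_id(MESSAGE_ONLY))
```

Run against the three samples this yields the UBSAN-with-stack, SIGSEGV and message-only UniqueIDs quoted in the comment above. Because opt and dbg builds inline different frames, the same bug legitimately produces several signatures, which is why the comment lists five; a deduplication tool keyed on these strings therefore needs the first-frame and message-only variants to be grouped by hand or by a looser key.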

Comment by Yuchen Pei [ 2023-06-14 ]

As I suspected, the patch for MDEV-29447 fixes this bug too. Here's a MDEV-29447 patch with an added test for this bug: https://github.com/MariaDB/server/commit/2c8f45a2d5e.

So let's mark this as a duplicate to that ticket. I will add the testcase in the patches for that ticket for all versions so it is covered.

mtr case:

--echo #
--echo # MDEV-31338 UBSAN: runtime error: member access within null pointer of type 'struct SPIDER_FIELD_CHAIN' and SIGSEGV in spider_db_open_item_ident on SELECT
--echo #
--source include/have_innodb.inc
 
--disable_query_log
--disable_result_log
--source ../../t/test_init.inc
--enable_result_log
--enable_query_log
 
eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root');
CREATE TABLE t (c BLOB) ENGINE=InnoDB;
CREATE TABLE ts (c BLOB) ENGINE=Spider COMMENT='WRAPPER "mysql",srv "srv",TABLE "t"';
SELECT TRIM(BOTH ' ' FROM c) FROM ts ORDER BY c;
drop table t, ts;
 
--disable_query_log
--disable_result_log
--source ../../t/test_deinit.inc
--enable_result_log
--enable_query_log

Generated at Thu Feb 08 10:23:05 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.