[MDEV-31845] UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in my_strnncoll_binary on SELECT Created: 2023-08-04  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3
Fix Version/s: 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: UBSAN, regression-10.6

Issue Links:
Relates
relates to MDEV-28384 UBSAN: null pointer passed as argumen... Closed
relates to MDEV-30982 UBSAN: runtime error: null pointer pa... Closed
relates to MDEV-32479 UBSAN null pointer passed as argument... Open

Description

CREATE TABLE t (c SET(''),c2 INT,c3 INT,KEY(c)) ENGINE=InnoDB;
CREATE TABLE t2 (c BLOB,c2 BLOB,c3 BINARY) ENGINE=InnoDB;
INSERT INTO t VALUES (0,1,1);
INSERT INTO t2 VALUES (1,1,1);
SELECT * FROM t2 WHERE (c) IN (SELECT c FROM t WHERE c<1);

Leads to:

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Optimized, UBASAN)

/test/11.0_opt_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Optimized, UBASAN)

    #0 0x55a9a76e444c in my_strnncoll_binary /test/11.0_opt_san/strings/ctype-bin.c:89
    #1 0x55a9a76e444c in my_strnncollsp_binary /test/11.0_opt_san/strings/ctype-bin.c:128
    #2 0x55a9a997d632 in Arg_comparator::compare() /test/11.0_opt_san/sql/item_cmpfunc.h:103
    #3 0x55a9a997d632 in Item_func_eq::val_int() /test/11.0_opt_san/sql/item_cmpfunc.cc:1780
    #4 0x55a9a8cfaa3c in SQL_SELECT::skip_record(THD*) /test/11.0_opt_san/sql/opt_range.h:1914
    #5 0x55a9a8cfaa3c in JOIN_CACHE::check_match(unsigned char*) /test/11.0_opt_san/sql/sql_join_cache.cc:2560
    #6 0x55a9a8cfaa3c in JOIN_CACHE::generate_full_extensions(unsigned char*) /test/11.0_opt_san/sql/sql_join_cache.cc:2503
    #7 0x55a9a8cfd854 in JOIN_CACHE::join_matching_records(bool) /test/11.0_opt_san/sql/sql_join_cache.cc:2403
    #8 0x55a9a8cf851d in JOIN_CACHE::join_records(bool) /test/11.0_opt_san/sql/sql_join_cache.cc:2158
    #9 0x55a9a848aab9 in sub_select_cache(JOIN*, st_join_table*, bool) /test/11.0_opt_san/sql/sql_select.cc:23121
    #10 0x55a9a866c2d6 in do_select /test/11.0_opt_san/sql/sql_select.cc:22892
    #11 0x55a9a866c2d6 in JOIN::exec_inner() /test/11.0_opt_san/sql/sql_select.cc:4924
    #12 0x55a9a8671bd3 in JOIN::exec() /test/11.0_opt_san/sql/sql_select.cc:4701
    #13 0x55a9a865f960 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_opt_san/sql/sql_select.cc:5182
    #14 0x55a9a86634f0 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_opt_san/sql/sql_select.cc:626
    #15 0x55a9a81e04c0 in execute_sqlcom_select /test/11.0_opt_san/sql/sql_parse.cc:6279
    #16 0x55a9a8245393 in mysql_execute_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:3949
    #17 0x55a9a8255fa2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_opt_san/sql/sql_parse.cc:8019
    #18 0x55a9a82615f5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_opt_san/sql/sql_parse.cc:1894
    #19 0x55a9a826d208 in do_command(THD*, bool) /test/11.0_opt_san/sql/sql_parse.cc:1407
    #20 0x55a9a8b7e34c in do_handle_one_connection(CONNECT*, bool) /test/11.0_opt_san/sql/sql_connect.cc:1416
    #21 0x55a9a8b8094c in handle_one_connection /test/11.0_opt_san/sql/sql_connect.cc:1318
    #22 0x14886d694b42 in start_thread nptl/pthread_create.c:442
    #23 0x14886d7269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Debug)

/test/11.0_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 2, which is declared to never be null

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Debug)

    #0 0x55f9ecdd2d9c in my_strnncoll_binary /test/11.0_dbg_san/strings/ctype-bin.c:89
    #1 0x55f9ecdd2dd7 in my_strnncollsp_binary /test/11.0_dbg_san/strings/ctype-bin.c:128
    #2 0x55f9e9575a03 in charset_info_st::strnncollsp(char const*, unsigned long, char const*, unsigned long) const /test/11.0_dbg_san/include/m_ctype.h:1020
    #3 0x55f9e9575a03 in sortcmp(Binary_string const*, Binary_string const*, charset_info_st const*) /test/11.0_dbg_san/sql/sql_string.cc:868
    #4 0x55f9ea929fa1 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:777
    #5 0x55f9ea937c7e in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
    #6 0x55f9ea937c7e in Item_func_eq::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1780
    #7 0x55f9e9b473e2 in SQL_SELECT::skip_record(THD*) /test/11.0_dbg_san/sql/opt_range.h:1914
    #8 0x55f9e9b473e2 in JOIN_CACHE::check_match(unsigned char*) /test/11.0_dbg_san/sql/sql_join_cache.cc:2560
    #9 0x55f9e9b473e2 in JOIN_CACHE::generate_full_extensions(unsigned char*) /test/11.0_dbg_san/sql/sql_join_cache.cc:2503
    #10 0x55f9e9b4b965 in JOIN_CACHE::join_matching_records(bool) /test/11.0_dbg_san/sql/sql_join_cache.cc:2403
    #11 0x55f9e9b45350 in JOIN_CACHE::join_records(bool) /test/11.0_dbg_san/sql/sql_join_cache.cc:2158
    #12 0x55f9e91ebd2d in sub_select_cache(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23121
    #13 0x55f9e91e97d4 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23307
    #14 0x55f9e939956b in do_select /test/11.0_dbg_san/sql/sql_select.cc:22892
    #15 0x55f9e939956b in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4924
    #16 0x55f9e939ab9c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4701
    #17 0x55f9e9389701 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5182
    #18 0x55f9e938db5c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:626
    #19 0x55f9e8efcd0b in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #20 0x55f9e8f5d0ff in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #21 0x55f9e8f8cb5e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8019
    #22 0x55f9e8f9c906 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #23 0x55f9e8faa84d in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #24 0x55f9e997e92f in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #25 0x55f9e997fe4a in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #26 0x14ca63294b42 in start_thread nptl/pthread_create.c:442
    #27 0x14ca633269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt)

UniqueID's

UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Arg_comparator::compare|Item_func_eq::val_int
UBSAN|null pointer passed as argument 2, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|sortcmp



Comments
Comment by Roel Van de Paar [ 2023-08-04 ]

SET sql_mode='';
CREATE TABLE t (c DOUBLE KEY,c2 SET('') CHARACTER SET 'BINARY' COLLATE 'BINARY',c3 INT) ENGINE=InnoDB;
INSERT INTO t VALUES ('A','B',0);
SELECT * FROM t WHERE c2>'';

Leads to:

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Debug)

/test/11.0_dbg_san/strings/ctype-bin.c:89:12: runtime error: null pointer passed as argument 1, which is declared to never be null

11.0.3 f2b4972bd4f9d3f0131f156a6cbc3e0317571944 (Debug)

    #0 0x55f1b496ed8e in my_strnncoll_binary /test/11.0_dbg_san/strings/ctype-bin.c:89
    #1 0x55f1b496edd7 in my_strnncollsp_binary /test/11.0_dbg_san/strings/ctype-bin.c:128
    #2 0x55f1b1111a03 in charset_info_st::strnncollsp(char const*, unsigned long, char const*, unsigned long) const /test/11.0_dbg_san/include/m_ctype.h:1020
    #3 0x55f1b1111a03 in sortcmp(Binary_string const*, Binary_string const*, charset_info_st const*) /test/11.0_dbg_san/sql/sql_string.cc:868
    #4 0x55f1b24c5fa1 in Arg_comparator::compare_string() /test/11.0_dbg_san/sql/item_cmpfunc.cc:777
    #5 0x55f1b24d44ba in Arg_comparator::compare() /test/11.0_dbg_san/sql/item_cmpfunc.h:103
    #6 0x55f1b24d44ba in Item_func_gt::val_int() /test/11.0_dbg_san/sql/item_cmpfunc.cc:1820
    #7 0x55f1b0cbb589 in evaluate_join_record /test/11.0_dbg_san/sql/sql_select.cc:23474
    #8 0x55f1b0d8572b in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:23373
    #9 0x55f1b0f35455 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22890
    #10 0x55f1b0f35455 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4924
    #11 0x55f1b0f36b9c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4701
    #12 0x55f1b0f25701 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5182
    #13 0x55f1b0f29b5c in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:626
    #14 0x55f1b0a98d0b in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6279
    #15 0x55f1b0af90ff in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #16 0x55f1b0b28b5e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:8019
    #17 0x55f1b0b38906 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #18 0x55f1b0b4684d in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #19 0x55f1b151a92f in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #20 0x55f1b151be4a in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #21 0x14ce56894b42 in start_thread nptl/pthread_create.c:442
    #22 0x14ce569269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

Bug confirmed present in:
MariaDB: 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt)

UniqueID's seen across versions/build types

UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Arg_comparator::compare|Item_func_gt::val_int
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|charset_info_st::strnncollsp|sortcmp
UBSAN|null pointer passed as argument 1, which is declared to never be null|strings/ctype-bin.c|my_strnncoll_binary|my_strnncollsp_binary|Arg_comparator::compare|Item_func_lt::val_int

The last one can be obtained by changing > to < on the last line of the testcase above.
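The following is an added example in C (not MariaDB's code) that models the memcmp-over-common-prefix shape both traces report on in my_strnncoll_binary at ctype-bin.c:89, beside a guarded version, so the failure mode behind the "argument 1" (comment testcase) and "argument 2" (description testcase) reports and its mitigation can be exercised stand-alone. It assumes the empty SET('') operand is carried as a NULL data pointer with zero length, which is what the argument positions in the two traces suggest; the function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not MariaDB's code: a simplified binary collation compare
   (memcmp over the common prefix, then compare lengths). Names are the
   example's own; the (NULL, 0) representation of an empty operand is an
   assumption drawn from the UBSAN argument positions in the traces. */

/* Reduce memcmp's implementation-defined magnitude to -1 / 0 / 1. */
static int sign(int v) { return (v > 0) - (v < 0); }

/* Defective shape: C requires memcmp() pointers to be valid even when the
   length is 0, so a NULL operand is undefined behaviour and is exactly what
   UBSAN reports as "null pointer passed as argument 1/2". Kept only for
   contrast; this file never calls it with a NULL pointer. */
static int bin_cmp_unguarded(const unsigned char *s, size_t slen,
                             const unsigned char *t, size_t tlen)
{
  size_t len = slen < tlen ? slen : tlen;
  int cmp = memcmp(s, t, len);
  if (cmp)
    return sign(cmp);
  return slen < tlen ? -1 : (slen > tlen ? 1 : 0);
}

/* Hardened shape: skip memcmp() when there is nothing to compare, so a
   zero-length operand may carry a NULL pointer without reaching libc. */
static int bin_cmp_guarded(const unsigned char *s, size_t slen,
                           const unsigned char *t, size_t tlen)
{
  size_t len = slen < tlen ? slen : tlen;
  int cmp = len ? memcmp(s, t, len) : 0;
  if (cmp)
    return sign(cmp);
  return slen < tlen ? -1 : (slen > tlen ? 1 : 0);
}

/* The situation from the comment's testcase (c2 > ''), modelled: an empty
   SET('') value with no data pointer compared against a one-byte BINARY
   value. The guarded compare answers "less than" (-1) instead of handing
   a NULL pointer to memcmp(). */
static int compare_empty_set_with_byte(void)
{
  const unsigned char b = 'B';
  return bin_cmp_guarded(NULL, 0, &b, 1);
}
```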

Generated at Thu Feb 08 10:26:54 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.