Yay! They are working!!!

Bug found and fixed by ASAN

The ASAN CI job introduced by this PR immediately caught a real memory bug in the driver.

What ASAN reported

The first ASAN run failed on DataTypeTest.SmallintRoundTrip with:

AddressSanitizer: heap-buffer-overflow
WRITE of size 6 at ... (0 bytes past end of 5-byte region)
  #0 __interceptor_strcpy
  #1 OdbcError::sqlGetDiagRec
  #2 SQLGetDiagRecW

The full output is in the CI job log: GitHub Actions -> Build and Test -> job ubuntu-22.04 / Debug / Asan -> step Run build script.

Root cause

SQLGetDiagRecW allocates a narrow-char work buffer for the SQL state:

ConvertingString<> State( 12, sqlState );

In ConvertingString's constructor, the byte-count to char-count conversion was:

lengthString = length / sizeof(wchar_t);   // BUG

On Windows sizeof(wchar_t) == sizeof(SQLWCHAR) == 2, so 12/2 = 6 -> 8-byte buffer, no overflow.
On Linux sizeof(wchar_t) == 4 but sizeof(SQLWCHAR) == 2 (unixODBC defines SQLWCHAR as unsigned short), so 12/4 = 3 -> 5-byte buffer.

OdbcError::sqlGetDiagRec then copies the SQL state ("HY000\0", 6 bytes) into that 5-byte buffer via strcpy -> 1-byte heap overflow. The same latent bug exists in SQLErrorW (same State(12, sqlState) pattern).

The bug was silently harmless on Windows and went undetected for years.

Fix

One-line change in MainUnicode.cpp (commit 636972b):

// Before
lengthString = length / sizeof(wchar_t);
// After
lengthString = length / sizeof(SQLWCHAR);

sizeof(SQLWCHAR) == 2 on all platforms, giving a correct 8-byte buffer on Linux.

CI after fix

All 4 matrix jobs now pass with no continue-on-error guard:

This is a concrete demonstration that ASAN integration pays off immediately.

@irodushka Enjoy! 😉

Hi @fdcastel

Can you please resolve the conflicts after merging PR#286
I'll look at this PR after Orthodox Easter)

Cheers!

Can you please resolve the conflicts after merging PR#286 I'll look at this PR after Orthodox Easter)

Sure! I’ll look into this in a few hours.

@irodushka Rebased onto current master.

Conflicts were in build-and-test.yml and firebird-odbc-driver.build.ps1, caused by the expanded matrix (Windows ARM64, Windows x86/WoW64, Linux ARM64, multi-Firebird-version runs) introduced by master.

Resolution: kept all new upstream matrix entries and added the sanitizer entries on top; merged the Architecture and Sanitizer params in the build script so both features coexist.

@irodushka Thanks for the valuable insights.

I’ve just pushed all the changes. Please take a look when you have a moment.

@fdcastel

We have a bug!

-- Git describe: 52f0495
CMake Warning at cmake/GetVersionFromGit.cmake:75 (message):
  Could not parse git describe output: 52f0495
Call Stack (most recent call first):
  CMakeLists.txt:15 (include)


CMake Warning at cmake/GetVersionFromGit.cmake:76 (message):
  Using fallback version 0.0.0.0
Call Stack (most recent call first):
  CMakeLists.txt:15 (include)

The reason is in the --exclude "*-*" option -
git describe --tags --match "v[0-9]*.[0-9]*.[0-9]*" --long --always returns v3.5.0-rc1-8-g52f0495, but git describe --tags --match "v[0-9]*.[0-9]*.[0-9]*" --long --always --exclude "*-*" returns just the tail 52f0495

Can you please remind me what do you expect specifying the --exclude option here?.. And what's the purpose of the logic - first try with the --exclude, and if we got an error (GIT_DESCRIBE_RESULT==0) try without --exclude?
Obviously this logic is not working.

@irodushka you're right, good catch. Fixed in b7aa955.

Intent of the logic

• --match "v[0-9]*.[0-9]*.[0-9]*" restricts candidates to semver tags, skipping legacy v1-1-release etc.
• --exclude "*-*" was meant to further restrict to stable vX.Y.Z tags (excluding prereleases like v3.5.0-rc5) so that a local build would be numbered off the latest stable release.
• If there is no stable vX.Y.Z tag yet (currently the case — every tag in the repo has a prerelease suffix), the second call drops --exclude and picks up the prerelease tag. The parser regex already handles the optional -<prerelease> suffix.

Why it was broken

• --always on the first call tells git describe to fall back to the short commit hash when nothing matches, and in that case the command exits 0. So GIT_DESCRIBE_RESULT was 0, the if(NOT ... EQUAL 0) branch never fired, and GIT_DESCRIBE_OUTPUT ended up as just 52f0495, which then failed to match the parser regex → fallback to 0.0.0.0.

The fix

• Drop --always from both calls. The first call now exits non-zero when every tag is excluded, correctly triggering the fallback. If the fallback also finds no tags, the existing message(WARNING "git describe failed") path reports it cleanly.

Verified locally: -- Git describe: v3.5.0-rc5-10-g52f0495 / -- Firebird ODBC Driver version: 3.5.0.11. All 11 CI jobs green on run 24527813786.

Aha. Great)

Another note - let's exclude -DDEBUG from ASAN/Valgrind builds too, this macro adds some extra logging we actually don't need

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 748b82b..0769b1d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -130,7 +130,7 @@ else()
 
     # Compiler optimization flags (from PR #248 / old makefile.linux)
     add_compile_options(
-        "$<$<CONFIG:Debug>:-O0;-g3;-D_DEBUG;-DDEBUG;-fexceptions>"
+        "$<$<CONFIG:Debug>:-O0;-g3;-D_DEBUG;-fexceptions>"
         "$<$<CONFIG:Release>:-O3;-DNDEBUG;-ftree-loop-vectorize>"
         "$<$<CONFIG:RelWithDebInfo>:-O2;-g;-DNDEBUG>"
         "$<$<CONFIG:MinSizeRel>:-Os;-DNDEBUG>"
@@ -139,6 +139,7 @@ else()
     # LOGGING: Debug builds only; sanitizer builds strip it for cleaner output.
     if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT BUILD_WITH_ASAN AND NOT BUILD_WITH_VALGRIND)
         add_definitions(-DLOGGING)
+        add_definitions(-DDEBUG)
     endif()
 
     # SSE4.1 for x86/x86_64 (from PR #248)

@fdcastel

Bad thing happens.
Your fix

// Before
lengthString = length / sizeof(wchar_t);
// After
lengthString = length / sizeof(SQLWCHAR);

is not good. I get

...
SQLGetDiagRecW
SQLGetDiagRecW
*** stack smashing detected ***: terminated
Aborted (core dumped)

while running ./firebird_odbc_tests, every time, with ASAN, without ASAN, doesn't matter.
Without the fix (lengthString = length / sizeof(wchar_t);) the test suite runs OK but obviously the ASAN build is failing.
I wonder why don't you see this and why we don't see this in the CI logs.

So it's not such a trivial case with that bug.

I will investigate tomorrow for it's a bit late here now. But you understand, I'm holding off on this PR until we solve this mystery.

Please wait. Trying one more thing...

Okay, I'm in no hurry)

Just one thing to say - I looked into PR #283 and, frankly, I don't like what I see in the MainUnicode.cpp and in the reworked class ConvertingString in particular. Overcomplicated, all that redundant(?) logic with multi-bytes (surrogates etc)... Do I understand right you gonna refactor it after our last investigations?

Okay, I'm in no hurry)

🤣

I looked into PR #283 and, frankly, I don't like what I see in the MainUnicode.cpp and in the reworked class ConvertingString in particular. Overcomplicated, all that redundant(?) logic with multi-bytes (surrogates etc)... Do I understand right you gonna refactor it after our last investigations?

That was just the first attempt 😉 -- no worries!

SURE, We will fix all that. ConvertingString as it is today should be killed with fire.

Reverted back to length / sizeof(wchar_t) -- the destructor's mbstowcs writeback is now safe again (no more stack smash).

P.S: Added a minimum-size floor in Alloc().

internal byteString is now at least 8 bytes, so OdbcError::sqlGetDiagRec's strcpy("HY000\0") no longer overflows even when lengthString=3.

This closes the original heap-buffer-overflow without touching the mbstowcs bound.

@fdcastel

I really appreciate your work, but I think we're taking a wrong turn.

1. I remember we decided to separate the ASAN/VALGRING stuff from the unicode fixes. But now you are mixing it all up again.
2. When I wrote That means - all the ASAN builds will fail, and the driver itself continues to be "toxic"... I meant that it's better to fix the unicode issue asap, not postponing it until some 9.* phase, but a separation is still mandatory. It can be two subsequent PRs, for instance.
3. When I have to choose between the development speed and code quality, I always (almost always:) choose the latter. You know the saying "Measure twice, cut once"?) We have a Russian very close equivalent, but with "measure seven times", not twice:)

So. What about following the plan written below?)

1. No need to rush! Very important bullet!
2. Clean up this PR - leave only ASAN/Valgrind issues. And merge it. ASAN build will fail - ignore it.
3. Open the separated PR for unicode issues.
4. Develop a bundle of tests for widechar ODBC calls. These tests must cover the both usage scenarios of ConvertingString class (both of the ctor calls). I suppose that initially all those tests will fail on Linux.
5. Then I myself will try to implement the correct logic. Having the tests is critical here.
6. After that you'll merge these changes back into your branch.
7. Everyone is happy and gay no you cannot say "gay" in that meaning no no no.

Updated #287: Moved Tasks from Tier 9.1 to Tier 1b.

I’ll be working on the split PRs over the next few hours.

Updated #287: Moved Tasks from Tier 9.1 to Tier 1b.

I’ll be working on the split PRs over the next few hours.

The primary task (after the asan/valgrind PR cleaning) is to develop the widechar odbc tests. Okay?

The primary task (after the asan/valgrind PR cleaning) is to develop the widechar odbc tests. Okay?

Yep. Loud and clear! 😉

@irodushka — split done per your plan:

• Add ASAN and Valgrind integration for CI test suite #289 (this PR) trimmed to ASAN/Valgrind CI only. MainUnicode.cpp reverted to master. ASAN job is continue-on-error while the Unicode fix is pending (Valgrind stays strict). Ready to merge.
• Add widechar ODBC call tests (driving Unicode fix) #290 — widechar ODBC call tests covering both ConvertingString ctor paths (output: SQLGetDiagRecW/SQLErrorW; input: SQLExecDirectW/SQLPrepareW). Linux runs skip with a pointer back here; Windows runs them for real.
• Fix SQLWCHAR conversion paths on Linux (draft) #291 — draft reference implementation of the Linux Unicode fix against Add widechar ODBC call tests (driving Unicode fix) #290's tests. Yours to approve, rewrite on top of, or close-and-replace — whichever fits step 5 of your plan.

Suggested order: merge #289 → review #290 → take over #291.

Just a reminder: these are items that were intentionally left out of scope for this plan/PR.

• The connection->MbsToWcs / WcsToMbs Linux branch in MainUnicode.cpp (around lines 129 and 195) is still incorrect in the same way, but it is not exercised by the current test surface.
• True iconv / UTF-8 correctness for non-ASCII input.
• Redesign of ConvertingString (destructor-as-converter, silent error handling, etc.).

All of these belong in #287 (Tier 1b). After #291 has landed.

P.S.: As expected, ASAN is failing now. It will be green after #291, too. 😉

I think we should remove the Draft tag, disable (temporarily) the ASAN build&test and merge this PR to the master branch.
Are you ok with it?

Agreed. Done in 98115a1:

• ASAN matrix entry commented out (with a pointer back to Fix SQLWCHAR conversion paths on Linux (draft) #291 / [EPIC] vNext Migration Plan #287 Tier 1b for re-enabling).
• continue-on-error hack removed — no longer needed.
• Valgrind stays strict.
• PR marked ready for review.

Leaving the merge to you 😉.

I need a beer! 🤣

P.S; @irodushka Thank you very much for your patience and guidance. Much appreciated! 🤗

I need a beer! 🤣

Come to Moscow))

Come to Moscow))

Second invite in less than a month. Adding it to my ever-growing “dangerously tempting ideas” list. 😅