Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-21521

UBSan crashes in MYSQL_BIN_LOG::open

Details

    Description

      Attempt to run MTR under UBSan causes crashes like this one:

      Thread 1 (Thread 0x7f585614f380 (LWP 14002)):
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      		 
      #1  0x0000559f4b17eb78 in my_write_core (sig=11) at /home/psergey/dev-git2/10.5/mysys/stacktrace.c:518
      		 
      #2  0x0000559f49ae241c in handle_fatal_signal (sig=11) at /home/psergey/dev-git2/10.5/sql/signal_handler.cc:343
      		 
      #3  <signal handler called>
      		 
      #4  0x00007f5852e82153 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
      		 
      #5  0x00007f5852e80df6 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
      		 
      #6  0x00007f5852e815a1 in __ubsan_handle_dynamic_type_cache_miss () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
      		 
      #7  0x0000559f4a08bfdf in MYSQL_BIN_LOG::open (this=0x559f4f6a75e0 <mysql_bin_log>, log_name=0x559f50722bf8 "master-bin", new_name=0x0, next_log_number=0, io_cache_type_arg=WRITE_CACHE, max_size_arg=1073741824, null_created_arg=false, need_mutex=true) at /home/psergey/dev-git2/10.5/sql/log.cc:3681
      		 
      #8  0x0000559f48a81cc8 in init_server_components () at /home/psergey/dev-git2/10.5/sql/mysqld.cc:5198
      		 
      #9  0x0000559f48a82d3c in mysqld_main (argc=156, argv=0x559f50608c20) at /home/psergey/dev-git2/10.5/sql/mysqld.cc:5552
      		 
      #10 0x0000559f48a6fcaa in main (argc=25, argv=0x7ffe494fbc88) at /home/psergey/dev-git2/10.5/sql/main.cc:25

      a few tests that crashed here:

      main.mysqlbinlog_row_compressed
      		 
      main.session_tracker_last_gtid 'innodb'  w4 [ fail ]
      		 
      main.mysqlbinlog-innodb 'innodb'         w1 [ fail ]
      		 
      main.tc_heuristic_recover 'innodb'       w4 [ fail ]

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-20923 UBSAN: member access within address … which does not point to an object of type 'xid_count_per_binlog'

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21341 Fix UBSAN failures

          • Major - Major loss of function.
          • Confirmed

          Activity

            Ascending order - Click to sort in descending order
            psergei Sergei Petrunia added a comment -

            The crash happens here:

                    if (!(new_xid_list_entry = (xid_count_per_binlog *)
            		 
                          my_multi_malloc(MYF(MY_WME),
            		 
                                          &entry_mem, sizeof(xid_count_per_binlog),
            		 
                                          &name_mem, len,
            		 
                                          NULL)))
            		 
                      goto err;
            		 
                    memcpy(name_mem, log_file_name+off, len);
            		 
                    new_xid_list_entry->binlog_name= name_mem;

            xid_count_per_binlog itself looks like a POD object

              struct xid_count_per_binlog : public ilink {
            		 
                char *binlog_name;
            		 
                uint binlog_name_len;
            		 
                ulong binlog_id;
            		 
                /* Total prepared XIDs and pending checkpoint requests in this binlog. */
            		 
                long xid_count;
            		 
                long notify_count;
            		 
                /* For linking in requests to the binlog background thread. */
            		 
                xid_count_per_binlog *next_in_queue;
            		 
                xid_count_per_binlog();   /* Give link error if constructor used. */
            		 
              };

            but struct ilink has this

              virtual ~ilink() { unlink(); }		/*lint -e1740 */

            which makes it non-POD.

            psergei Sergei Petrunia added a comment - The crash happens here: if (!(new_xid_list_entry = (xid_count_per_binlog *) my_multi_malloc(MYF(MY_WME), &entry_mem, sizeof (xid_count_per_binlog), &name_mem, len, NULL))) goto err; memcpy (name_mem, log_file_name+off, len); new_xid_list_entry->binlog_name= name_mem; xid_count_per_binlog itself looks like a POD object struct xid_count_per_binlog : public ilink { char *binlog_name; uint binlog_name_len; ulong binlog_id; /* Total prepared XIDs and pending checkpoint requests in this binlog. */ long xid_count; long notify_count; /* For linking in requests to the binlog background thread. */ xid_count_per_binlog *next_in_queue; xid_count_per_binlog(); /* Give link error if constructor used. */ }; but struct ilink has this virtual ~ilink() { unlink(); } /*lint -e1740 */ which makes it non-POD.
            sujatha.sivakumar Sujatha Sivakumar (Inactive) added a comment -

            Fix for this issue is implemented as part MDEV-20923. Fixed version is 10.1.45.

            sujatha.sivakumar Sujatha Sivakumar (Inactive) added a comment - Fix for this issue is implemented as part MDEV-20923 . Fixed version is 10.1.45.

            People

              sujatha.sivakumar Sujatha Sivakumar (Inactive)
              psergei Sergei Petrunia
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.