
MSAN use-of-uninitialized-value in main.query_cache_innodb


      Description

      MemorySanitizer (see MDEV-20377 for how to use it) revealed a use of an uninitialized value in the test main.query_cache_innodb:

      10.5 53aabda6b5ac6af989a97a00ff97efda9ff8772e

      CURRENT_TEST: main.query_cache_innodb
      mysqltest: At line 43: query 'select * from `t2$ї`' failed: 2013: Lost connection to MySQL server during query
      Version: '10.5.3-MariaDB-debug-log'  socket: '/dev/shm/10.5ms/mysql-test/var/tmp/11/mysqld.1.sock'  port: 16200  Source distribution
      Uninitialized bytes in MemcmpInterceptorCommon at offset 14 inside [0x7fbbb6ff0f00, 17)
      ==2528976==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5608be9a9adc in bcmp (/dev/shm/10.5ms/sql/mariadbd+0x6deadc)
          #1 0x5608c18e5d0b in dict_table_t* dict_acquire_mdl_shared<false>(dict_table_t*, THD*,MDL_ticket**, dict_table_op_t) /mariadb/10.5m/storage/innobase/dict/dict0dict.cc:892:10
          #2 0x5608c1892a20 in dict_table_open_on_id(unsigned long, bool, dict_table_op_t, THD*, MDL_ticket**) /mariadb/10.5m/storage/innobase/dict/dict0dict.cc:947:12
          #3 0x5608c129fdeb in row_purge_parse_undo_rec(purge_node_t*, unsigned char*, que_thr_t*, bool*) /mariadb/10.5m/storage/innobase/row/row0purge.cc:933:16
          #4 0x5608c129fdeb in row_purge(purge_node_t*, unsigned char*, que_thr_t*) /mariadb/10.5m/storage/innobase/row/row0purge.cc:1107:10
          #5 0x5608c129fdeb in row_purge_step(que_thr_t*) /mariadb/10.5m/storage/innobase/row/row0purge.cc:1159:3
        Uninitialized value was created by an allocation of 'db_buf' in the stack frame of function '_Z23dict_acquire_mdl_sharedILb0EEP12dict_table_tS1_P3THDPP10MDL_ticket15dict_table_op_t'
          #0 0x5608c18e4de0 in dict_table_t* dict_acquire_mdl_shared<false>(dict_table_t*, THD*, MDL_ticket**, dict_table_op_t) /mariadb/10.5m/storage/innobase/dict/dict0dict.cc:790
      

      Only 16 bytes of db_buf are initialized, but 20 of them are being compared. The reason is that the name shrank in dict_table_t::parse_name(), but the length was not adjusted accordingly, so the comparison still uses the pre-decode length. Something similar was fixed in MDEV-21344, but only for the table name.

              People

              Assignee: Marko Mäkelä (marko)
              Reporter: Marko Mäkelä (marko)