[MDEV-22073] MSAN use-of-uninitialized-value in collect_statistics_for_table() - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5
Fix Version/s: 10.5.4, 10.2.33, 10.3.24, 10.4.14
Component/s: Optimizer
Labels:
None

Description

When run with MSAN, the test innodb.analyze_table fails as follows:

10.5 6be56dd1c8a37eb98f4b7bc1507ca5991a2a1f61
CURRENT_TEST: innodb.analyze_table
mysqltest: At line 36: query 'ANALYZE TABLE t1' failed: 2013: Lost connection to MySQL server during query
…
Version: '10.5.3-MariaDB-debug-log' socket: '/dev/shm/10.5m/mysql-test/var/tmp/35/mysqld.1.sock' port: 16660 Source distribution
Uninitialized bytes in __interceptor_write at offset 3 inside [0x731000078018, 65536)
==1437866==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x564d8d0f0835 in my_write /mariadb/10.5m/mysys/my_write.c:49:19
#1 0x564d8d01e6de in inline_mysql_file_write /mariadb/10.5m/include/mysql/psi/mysql_file.h:1176:11
#2 0x564d8d01e6de in _my_b_cache_write /mariadb/10.5m/mysys/mf_iocache.c:1765:7
#3 0x564d8d012292 in my_b_flush_io_cache /mariadb/10.5m/mysys/mf_iocache.c:1964:18
#4 0x564d8d0139ba in _my_b_write /mariadb/10.5m/mysys/mf_iocache.c:612:7
#5 0x564d8a4eab61 in my_b_write(st_io_cache, unsigned char const, unsigned long) /mariadb/10.5m/include/my_sys.h:544:10
#6 0x564d8a4eab61 in unique_write_to_file_with_count(unsigned char, unsigned int, Unique) /mariadb/10.5m/sql/uniques.cc:56:10
#7 0x564d8d11e7a0 in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:590:9
#8 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#9 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#10 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#11 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#12 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#13 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#14 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
#15 0x564d8d11e49e in tree_walk /mariadb/10.5m/mysys/tree.c:576:12
#16 0x564d8a4ec7fc in Unique::flush() /mariadb/10.5m/sql/uniques.cc:385:7
#17 0x564d8a2e7a56 in Unique::unique_add(void*) /mariadb/10.5m/sql/uniques.h:64:50
#18 0x564d8a2c38bd in Column_statistics_collected::add() /mariadb/10.5m/sql/sql_statistics.cc:2466:28
#19 0x564d8a2c38bd in collect_statistics_for_table(THD, TABLE) /mariadb/10.5m/sql/sql_statistics.cc:2776:50
#20 0x564d8a5f50fe in mysql_admin_table(THD, TABLE_LIST, st_ha_check_opt, char const, thr_lock_type, bool, bool, unsigned int, int ()(THD, TABLE_LIST, st_ha_check_opt), int (handler::)(THD, st_ha_check_opt), int ()(THD, TABLE_LIST, st_ha_check_opt*)) /mariadb/10.5m/sql/sql_admin.cc:888:15
#21 0x564d8a5f8ca2 in Sql_cmd_analyze_table::execute(THD*) /mariadb/10.5m/sql/sql_admin.cc:1315:8
#22 0x564d89fa41d1 in mysql_execute_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:5908:26
#23 0x564d89f8c17e in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:7953:18
#24 0x564d89f7e543 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:1839:7
#25 0x564d89f8ec74 in do_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:1358:17
#26 0x564d8a5a76fb in do_handle_one_connection(CONNECT*, bool) /mariadb/10.5m/sql/sql_connect.cc:1422:11
#27 0x564d8a5a6d66 in handle_one_connection /mariadb/10.5m/sql/sql_connect.cc:1319:5
#28 0x564d8ba41287 in pfs_spawn_thread /mariadb/10.5m/storage/perfschema/pfs.cc:2201:3
#29 0x7f56d3931f26 in start_thread /build/glibc-WZtAaN/glibc-2.30/nptl/pthread_create.c:479:8
#30 0x7f56d34102ee in clone /build/glibc-WZtAaN/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Uninitialized value was stored to memory at
#0 0x564d89a32c26 in __msan_memcpy (/dev/shm/10.5m/sql/mariadbd+0x6f7c26)
#1 0x564d8a4eab9b in my_b_write(st_io_cache, unsigned char const, unsigned long) /mariadb/10.5m/include/my_sys.h:540:5
#2 0x564d8a4eab9b in unique_write_to_file_with_count(unsigned char, unsigned int, Unique) /mariadb/10.5m/sql/uniques.cc:56:10

Uninitialized value was stored to memory at
#0 0x564d89a32c26 in __msan_memcpy (/dev/shm/10.5m/sql/mariadbd+0x6f7c26)
#1 0x564d8d119ff6 in tree_insert /mariadb/10.5m/mysys/tree.c

Memory was marked as uninitialized
#0 0x564d89a393ae in __msan_allocated_memory (/dev/shm/10.5m/sql/mariadbd+0x6fe3ae)
#1 0x564d8c4e6ce9 in row_sel_field_store_in_mysql_format_func(unsigned char, mysql_row_templ_t const, dict_index_t const, unsigned long, unsigned char const, unsigned long) /mariadb/10.5m/storage/innobase/row/row0sel.cc:2703:2

It looks like the statistics are wrongly storing the unused tail of a VARCHAR buffer.

If we really think that writing such garbage is a good idea, then the buffer could be marked initialized somewhere outside InnoDB, by invoking MEM_MAKE_DEFINED().
Better options would be to avoid unnecessarily writing those bytes, or to actually initialize those unnecessarily written bytes.

Attachments

Issue Links

relates to

MDEV-20377 Make WITH_MSAN more usable

Closed

Activity

People

Assignee:: Michael Widenius

Reporter:: Marko Mäkelä

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-03-28 20:12

Updated:: 2020-05-15 12:19

Resolved:: 2020-05-15 12:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.