MariaDB Server: MDEV-22073

MSAN use-of-uninitialized-value in collect_statistics_for_table()

Details

    Description

      When run with MSAN, the test innodb.analyze_table fails as follows:

      10.5 6be56dd1c8a37eb98f4b7bc1507ca5991a2a1f61

      CURRENT_TEST: innodb.analyze_table
      mysqltest: At line 36: query 'ANALYZE TABLE t1' failed: 2013: Lost connection to MySQL server during query
      Version: '10.5.3-MariaDB-debug-log'  socket: '/dev/shm/10.5m/mysql-test/var/tmp/35/mysqld.1.sock'  port: 16660  Source distribution
      Uninitialized bytes in __interceptor_write at offset 3 inside [0x731000078018, 65536)
      ==1437866==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x564d8d0f0835 in my_write /mariadb/10.5m/mysys/my_write.c:49:19
          #1 0x564d8d01e6de in inline_mysql_file_write /mariadb/10.5m/include/mysql/psi/mysql_file.h:1176:11
          #2 0x564d8d01e6de in _my_b_cache_write /mariadb/10.5m/mysys/mf_iocache.c:1765:7
          #3 0x564d8d012292 in my_b_flush_io_cache /mariadb/10.5m/mysys/mf_iocache.c:1964:18
          #4 0x564d8d0139ba in _my_b_write /mariadb/10.5m/mysys/mf_iocache.c:612:7
          #5 0x564d8a4eab61 in my_b_write(st_io_cache*, unsigned char const*, unsigned long) /mariadb/10.5m/include/my_sys.h:544:10
          #6 0x564d8a4eab61 in unique_write_to_file_with_count(unsigned char*, unsigned int, Unique*) /mariadb/10.5m/sql/uniques.cc:56:10
          #7 0x564d8d11e7a0 in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:590:9
          #8 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #9 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #10 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #11 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #12 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #13 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #14 0x564d8d11e6ac in tree_walk_left_root_right /mariadb/10.5m/mysys/tree.c:588:16
          #15 0x564d8d11e49e in tree_walk /mariadb/10.5m/mysys/tree.c:576:12
          #16 0x564d8a4ec7fc in Unique::flush() /mariadb/10.5m/sql/uniques.cc:385:7
          #17 0x564d8a2e7a56 in Unique::unique_add(void*) /mariadb/10.5m/sql/uniques.h:64:50
          #18 0x564d8a2c38bd in Column_statistics_collected::add() /mariadb/10.5m/sql/sql_statistics.cc:2466:28
          #19 0x564d8a2c38bd in collect_statistics_for_table(THD*, TABLE*) /mariadb/10.5m/sql/sql_statistics.cc:2776:50
          #20 0x564d8a5f50fe in mysql_admin_table(THD*, TABLE_LIST*, st_ha_check_opt*, char const*, thr_lock_type, bool, bool, unsigned int, int (*)(THD*, TABLE_LIST*, st_ha_check_opt*), int (handler::*)(THD*, st_ha_check_opt*), int (*)(THD*, TABLE_LIST*, st_ha_check_opt*)) /mariadb/10.5m/sql/sql_admin.cc:888:15
          #21 0x564d8a5f8ca2 in Sql_cmd_analyze_table::execute(THD*) /mariadb/10.5m/sql/sql_admin.cc:1315:8
          #22 0x564d89fa41d1 in mysql_execute_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:5908:26
          #23 0x564d89f8c17e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:7953:18
          #24 0x564d89f7e543 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:1839:7
          #25 0x564d89f8ec74 in do_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:1358:17
          #26 0x564d8a5a76fb in do_handle_one_connection(CONNECT*, bool) /mariadb/10.5m/sql/sql_connect.cc:1422:11
          #27 0x564d8a5a6d66 in handle_one_connection /mariadb/10.5m/sql/sql_connect.cc:1319:5
          #28 0x564d8ba41287 in pfs_spawn_thread /mariadb/10.5m/storage/perfschema/pfs.cc:2201:3
          #29 0x7f56d3931f26 in start_thread /build/glibc-WZtAaN/glibc-2.30/nptl/pthread_create.c:479:8
          #30 0x7f56d34102ee in clone /build/glibc-WZtAaN/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
        Uninitialized value was stored to memory at
          #0 0x564d89a32c26 in __msan_memcpy (/dev/shm/10.5m/sql/mariadbd+0x6f7c26)
          #1 0x564d8a4eab9b in my_b_write(st_io_cache*, unsigned char const*, unsigned long) /mariadb/10.5m/include/my_sys.h:540:5
          #2 0x564d8a4eab9b in unique_write_to_file_with_count(unsigned char*, unsigned int, Unique*) /mariadb/10.5m/sql/uniques.cc:56:10
       
        Uninitialized value was stored to memory at
          #0 0x564d89a32c26 in __msan_memcpy (/dev/shm/10.5m/sql/mariadbd+0x6f7c26)
          #1 0x564d8d119ff6 in tree_insert /mariadb/10.5m/mysys/tree.c
       
        Memory was marked as uninitialized
          #0 0x564d89a393ae in __msan_allocated_memory (/dev/shm/10.5m/sql/mariadbd+0x6fe3ae)
          #1 0x564d8c4e6ce9 in row_sel_field_store_in_mysql_format_func(unsigned char*, mysql_row_templ_t const*, dict_index_t const*, unsigned long, unsigned char const*, unsigned long) /mariadb/10.5m/storage/innobase/row/row0sel.cc:2703:2
      

      It looks like the statistics are wrongly storing the unused tail of a VARCHAR buffer.

      If we really think that writing such garbage is a good idea, then the buffer could be marked initialized somewhere outside InnoDB, by invoking MEM_MAKE_DEFINED().
      Better options would be to avoid unnecessarily writing those bytes, or to actually initialize those unnecessarily written bytes.
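      The pattern behind the report, as an added illustration in C (not MariaDB's own code): a fixed-width VARCHAR slot is filled only up to the live length, yet a fixed-size consumer such as Unique copies and later writes the whole slot, so the untouched tail carries whatever the memory held before. The slot layout, the `store_varchar_*` helpers and `simulate_stale_slot` are assumptions for the demonstration; `store_varchar_defined` shows the "actually initialize those bytes" option from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-width slot for one VARCHAR(16) value: a 1-byte length prefix and
 * 16 data bytes, the layout of a short VARCHAR in a MySQL-format row.
 * Only the first `len` data bytes mean anything, but a fixed-size consumer
 * such as Unique copies and writes the whole slot. */
enum { VARCHAR_MAX = 16, SLOT_SIZE = 1 + VARCHAR_MAX };

/* The pattern from the report: copy the live bytes, leave the tail as it
 * was.  With a malloc()'d slot the tail is uninitialized, so the later
 * write(2) of the slot trips MSAN and can copy stale heap bytes to disk. */
static size_t store_varchar_leaky(uint8_t *slot, const char *s, size_t len)
{
    if (len > VARCHAR_MAX) len = VARCHAR_MAX;
    slot[0] = (uint8_t) len;
    memcpy(slot + 1, s, len);
    return SLOT_SIZE;            /* slot[1+len .. SLOT_SIZE) untouched */
}

/* Hardened form: zero-fill the unused tail before the slot is handed to
 * anything that copies or writes it wholesale.  This is the report's
 * "actually initialize those bytes" option: it removes the stale data
 * rather than only telling the sanitizer to ignore it. */
static size_t store_varchar_defined(uint8_t *slot, const char *s, size_t len)
{
    if (len > VARCHAR_MAX) len = VARCHAR_MAX;
    slot[0] = (uint8_t) len;
    memcpy(slot + 1, s, len);
    memset(slot + 1 + len, 0, VARCHAR_MAX - len);
    return SLOT_SIZE;
}

/* 1 if every padding byte after the live data is zero, i.e. the slot can
 * be written out without carrying whatever the memory held before. */
static int slot_tail_is_clean(const uint8_t *slot)
{
    size_t len = slot[0];
    for (size_t i = 1 + len; i < SLOT_SIZE; i++)
        if (slot[i] != 0) return 0;
    return 1;
}

/* Deterministic stand-in for a stale heap slot: fill with a marker byte
 * (constructed for the example, so the check needs no sanitizer). */
static void simulate_stale_slot(uint8_t *slot)
{
    memset(slot, 0xAA, SLOT_SIZE);
}
```

      Under a real allocator the leaky variant's tail is undefined rather than 0xAA; building with clang's `-fsanitize=memory` and writing the slot to a file reproduces the class of warning shown in the trace above.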

          Activity

            monty Michael Widenius added a comment:

            The problem was that VARCHARs were pushed to unique() to be potentially stored on disk without
            properly initializing the not used memory part, which confused MSAN and valgrind.

            Fixed by adding a new Field function that marks the not used memory as defined.

            People

              monty Michael Widenius
              marko Marko Mäkelä