Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.8.2
Description
Recently, MSAN_OPTIONS=poison_in_dtor=1 was enabled by default. This caught some foul play in InnoDB (to be fixed in MDEV-30936) as well as massive amounts of failures in free_root(), because the root->used or root->free lists could be marked as uninitialized in various destructors for objects that are allocated from a MEM_ROOT.
It would be good programming style to make sure that MemorySanitizer does not report any errors when MSAN_OPTIONS=poison_in_dtor=1 is set.
It is possible to work around the errors with the following patch:
diff --git a/mysys/my_alloc.c b/mysys/my_alloc.c
|
index aa0182c755e..b9071ad7eee 100644
|
--- a/mysys/my_alloc.c
|
+++ b/mysys/my_alloc.c
|
@@ -415,14 +415,26 @@ void free_root(MEM_ROOT *root, myf MyFlags)
|
if (!(MyFlags & MY_KEEP_PREALLOC))
|
root->pre_alloc=0;
|
|
+#if __has_feature(memory_sanitizer)
|
+ /* Work around MSAN_OPTIONS=poison_in_dtor=1 */
|
+ MEM_MAKE_DEFINED(&root->used, sizeof root->used);
|
+ MEM_MAKE_DEFINED(&root->free, sizeof root->free);
|
+#endif
|
+
|
for (next=root->used; next ;)
|
{
|
+#if __has_feature(memory_sanitizer)
|
+ MEM_MAKE_DEFINED(&next->next, sizeof next->next);
|
+#endif
|
old=next; next= next->next ;
|
if (old != root->pre_alloc)
|
my_free(old);
|
}
|
for (next=root->free ; next ;)
|
{
|
+#if __has_feature(memory_sanitizer)
|
+ MEM_MAKE_DEFINED(&next->next, sizeof next->next);
|
+#endif
|
old=next; next= next->next;
|
if (old != root->pre_alloc)
|
my_free(old); |
I think that explicitly setting MSAN_OPTIONS=poison_in_dtor=0 when using Clang 15 or later is a lesser evil. The above patch could mask other errors as well.
Attachments
Issue Links
- relates to
-
-
- Open
-
-
-
- Closed
-
-
-
- Closed
-
Activity
|
11.8-9e3a541d1ecb8b05a32dab1a8c3b8e945c2fbfe4 main.ctype_utf8 |
CURRENT_TEST: main.ctype_utf8
|
mysqltest: In included file "./include/ctype_unescape.inc":
|
included from /source/mysql-test/main/ctype_utf8.test at line 1867:
|
At line 306: query 'CALL p2()' failed: <Unknown> (2013): Lost connection to server during query
|
|
|
==47043==WARNING: MemorySanitizer: use-of-uninitialized-value
|
#0 0x55765621a4e0 in free_root /source/mysys/my_alloc.c:507:3
|
#1 0x5576546f7b2e in Server_side_cursor::operator delete(void*, unsigned long) /source/sql/sql_cursor.cc:213:3
|
#2 0x5576546f7b2e in Materialized_cursor::~Materialized_cursor() /source/sql/sql_cursor.cc:394:1
|
#3 0x5576545e2d14 in sp_cursor::destroy() /source/sql/sp_rcontext.cc:747:3
|
#4 0x5576545e2d14 in sp_cursor::close(THD*) /source/sql/sp_rcontext.cc:740:3
|
#5 0x557654e0693f in sp_instr_cclose::execute(THD*, unsigned int*) /source/sql/sp_instr.cc:1945:13
|
#6 0x5576545c0ddf in sp_head::execute(THD*, bool) /source/sql/sp_head.cc:1289:20
|
#7 0x5576545c6339 in sp_head::execute_procedure(THD*, List<Item>*) /source/sql/sp_head.cc:2312:5
|
#8 0x55765480711d in do_execute_sp(THD*, sp_head*) /source/sql/sql_parse.cc:3086:16
|
#9 0x557654806781 in Sql_cmd_call::execute(THD*) /source/sql/sql_parse.cc:3309:9
|
#10 0x55765480a789 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:5886:26
|
#11 0x5576547fb538 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:7915:18
|
#12 0x5576547f4b24 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1903:7
|
#13 0x5576547fc62b in do_command(THD*, bool) /source/sql/sql_parse.cc:1416:17
|
#14 0x557654c3de5c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1415:11
|
#15 0x557654c3d931 in handle_one_connection /source/sql/sql_connect.cc:1327:5
|
#16 0x5576558b7464 in pfs_spawn_thread /source/storage/perfschema/pfs.cc:2198:3
|
#17 0x7febf2bc2082 (/lib/x86_64-linux-gnu/libc.so.6+0x92082) (BuildId: f9c500643e31d8f3ffee3ec045eb7546b3ff86c9)
|
#18 0x7febf2c407b7 (/lib/x86_64-linux-gnu/libc.so.6+0x1107b7) (BuildId: f9c500643e31d8f3ffee3ec045eb7546b3ff86c9)
|
|
|
Uninitialized value was stored to memory at
|
#0 0x55765442716e in __msan_memcpy (/build/sql/mariadbd+0x85316e) (BuildId: a9062c94089fb97fad3f97af66fe47de91e6d13d)
|
#1 0x5576546f7b16 in Server_side_cursor::operator delete(void*, unsigned long) /source/sql/sql_cursor.cc:203:22
|
#2 0x5576546f7b16 in Materialized_cursor::~Materialized_cursor() /source/sql/sql_cursor.cc:394:1
|
#3 0x5576545e2d14 in sp_cursor::destroy() /source/sql/sp_rcontext.cc:747:3
|
#4 0x5576545e2d14 in sp_cursor::close(THD*) /source/sql/sp_rcontext.cc:740:3
|
#5 0x557654e0693f in sp_instr_cclose::execute(THD*, unsigned int*) /source/sql/sp_instr.cc:1945:13
|
#6 0x5576545c0ddf in sp_head::execute(THD*, bool) /source/sql/sp_head.cc:1289:20
|
#7 0x5576545c6339 in sp_head::execute_procedure(THD*, List<Item>*) /source/sql/sp_head.cc:2312:5
|
#8 0x55765480711d in do_execute_sp(THD*, sp_head*) /source/sql/sql_parse.cc:3086:16
|
#9 0x557654806781 in Sql_cmd_call::execute(THD*) /source/sql/sql_parse.cc:3309:9
|
#10 0x55765480a789 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:5886:26
|
#11 0x5576547fb538 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:7915:18
|
#12 0x5576547f4b24 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1903:7
|
#13 0x5576547fc62b in do_command(THD*, bool) /source/sql/sql_parse.cc:1416:17
|
#14 0x557654c3de5c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1415:11
|
#15 0x557654c3d931 in handle_one_connection /source/sql/sql_connect.cc:1327:5
|
#16 0x5576558b7464 in pfs_spawn_thread /source/storage/perfschema/pfs.cc:2198:3
|
#17 0x7febf2bc2082 (/lib/x86_64-linux-gnu/libc.so.6+0x92082) (BuildId: f9c500643e31d8f3ffee3ec045eb7546b3ff86c9)
|
|
|
Member fields were destroyed
|
#0 0x557654432041 in __sanitizer_dtor_callback_fields (/build/sql/mariadbd+0x85e041) (BuildId: a9062c94089fb97fad3f97af66fe47de91e6d13d)
|
#1 0x5576546f7a14 in Materialized_cursor::~Materialized_cursor() /source/sql/sql_cursor.cc:37:12
|
#2 0x5576546f7a14 in Materialized_cursor::~Materialized_cursor() /source/sql/sql_cursor.cc:397:1
|
#3 0x5576546f7ac2 in Materialized_cursor::~Materialized_cursor() /source/sql/sql_cursor.cc:394:1
|
#4 0x5576545e2d14 in sp_cursor::destroy() /source/sql/sp_rcontext.cc:747:3
|
#5 0x5576545e2d14 in sp_cursor::close(THD*) /source/sql/sp_rcontext.cc:740:3
|
#6 0x557654e0693f in sp_instr_cclose::execute(THD*, unsigned int*) /source/sql/sp_instr.cc:1945:13
|
#7 0x5576545c0ddf in sp_head::execute(THD*, bool) /source/sql/sp_head.cc:1289:20
|
#8 0x5576545c6339 in sp_head::execute_procedure(THD*, List<Item>*) /source/sql/sp_head.cc:2312:5
|
#9 0x55765480711d in do_execute_sp(THD*, sp_head*) /source/sql/sql_parse.cc:3086:16
|
#10 0x557654806781 in Sql_cmd_call::execute(THD*) /source/sql/sql_parse.cc:3309:9
|
#11 0x55765480a789 in mysql_execute_command(THD*, bool) /source/sql/sql_parse.cc:5886:26
|
#12 0x5576547fb538 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /source/sql/sql_parse.cc:7915:18
|
#13 0x5576547f4b24 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /source/sql/sql_parse.cc:1903:7
|
#14 0x5576547fc62b in do_command(THD*, bool) /source/sql/sql_parse.cc:1416:17
|
#15 0x557654c3de5c in do_handle_one_connection(CONNECT*, bool) /source/sql/sql_connect.cc:1415:11
|
#16 0x557654c3d931 in handle_one_connection /source/sql/sql_connect.cc:1327:5
|
#17 0x5576558b7464 in pfs_spawn_thread /source/storage/perfschema/pfs.cc:2198:3
|
#18 0x7febf2bc2082 (/lib/x86_64-linux-gnu/libc.so.6+0x92082) (BuildId: f9c500643e31d8f3ffee3ec045eb7546b3ff86c9)
|
|
|
SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/mysys/my_alloc.c:507:3 in free_root
|
Exiting
|
With a proper MSAN_SYMBOLIZER_PATH wrapper script (see
MDEV-30936), we can get nice traces:10.5 402f36dd652b57a48d2d3e18949f5d7a1450363d
==2878081==WARNING: MemorySanitizer: use-of-uninitialized-value#0 0x557ba37746de in free_root /mariadb/10.5/mysys/my_alloc.c:418:3#1 0x557ba12cb046 in Server_side_cursor::operator delete(void*, unsigned long) /mariadb/10.5/sql/sql_cursor.cc:216:3#2 0x557ba12cb046 in Materialized_cursor::~Materialized_cursor() /mariadb/10.5/sql/sql_cursor.cc:396:1#3 0x557ba0f49607 in sp_cursor::destroy() /mariadb/10.5/sql/sp_rcontext.cc:783:3#4 0x557ba0f49607 in sp_cursor::close(THD*) /mariadb/10.5/sql/sp_rcontext.cc:776:3#5 0x557ba0f27ca4 in sp_instr_cclose::execute(THD*, unsigned int*) /mariadb/10.5/sql/sp_head.cc:4561:13#6 0x557ba0efa7b4 in sp_head::execute(THD*, bool) /mariadb/10.5/sql/sp_head.cc:1438:20#7 0x557ba0f033c6 in sp_head::execute_procedure(THD*, List<Item>*) /mariadb/10.5/sql/sp_head.cc:2450:5#8 0x557ba144caf3 in do_execute_sp(THD*, sp_head*) /mariadb/10.5/sql/sql_parse.cc:3089:16#9 0x557ba144bdc4 in Sql_cmd_call::execute(THD*) /mariadb/10.5/sql/sql_parse.cc:3335:9#10 0x557ba1452955 in mysql_execute_command(THD*) /mariadb/10.5/sql/sql_parse.cc:6061:26#11 0x557ba143bb06 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.5/sql/sql_parse.cc:8091:18#12 0x557ba14311ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.5/sql/sql_parse.cc:1891:7#13 0x557ba143d208 in do_command(THD*) /mariadb/10.5/sql/sql_parse.cc:1375:17#14 0x557ba1aa472e in do_handle_one_connection(CONNECT*, bool) /mariadb/10.5/sql/sql_connect.cc:1416:11#15 0x557ba1aa3e47 in handle_one_connection /mariadb/10.5/sql/sql_connect.cc:1318:5#16 0x557ba22fe547 in pfs_spawn_thread /mariadb/10.5/storage/perfschema/pfs.cc:2201:3#17 0x7f4934887fd3 in start_thread nptl/pthread_create.c:442:8#18 0x7f493490866b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81Uninitialized value was stored to memory at#0 0x557ba055cec9 in __msan_memcpy (/dev/shm/10.5msan/sql/mariadbd+0xfc7ec9) (BuildId: 54a87c1c8e383aaa)#1 0x557ba12cafff in Server_side_cursor::operator delete(void*, unsigned long) /mariadb/10.5/sql/sql_cursor.cc:206:22#2 0x557ba12cafff in Materialized_cursor::~Materialized_cursor() /mariadb/10.5/sql/sql_cursor.cc:396:1Memory was marked as uninitialized#0 0x557ba0563cfd in __sanitizer_dtor_callback (/dev/shm/10.5msan/sql/mariadbd+0xfcecfd) (BuildId: 54a87c1c8e383aaa)#1 0x557ba12caf0d in Materialized_cursor::~Materialized_cursor() /mariadb/10.5/sql/sql_cursor.cc:399:1