MariaDB Server / MDEV-33158

The macro MYSQL_THDVAR_ULONG leads to undefined behaviour, calling mysql_sys_var_long

Details

    Description

      Now that MDEV-26272 has been fixed and a cmake -DWITH_UBSAN=ON build with clang can pass the server bootstrap, we can find more undefined behaviour that is not flagged by GCC. Here is an example:

      10.4 832e96deb6f368591dcb35a4fa33b2fd770aa17a

      /mariadb/10.4/storage/innobase/handler/ha_innodb.cc:1821:9: runtime error: call to function mysql_sys_var_long(THD*, int) through pointer to incorrect function type 'unsigned long *(*)(THD *, int)'
      

      This is flagged for the function thd_lock_wait_timeout(), which simply accesses a data member that has been defined as follows:

      static MYSQL_THDVAR_ULONG(lock_wait_timeout, PLUGIN_VAR_RQCMDARG,
        "Timeout in seconds an InnoDB transaction may wait for a lock before being rolled back. Values above 100000000 disable the timeout.",
        NULL, NULL, 50, 0, 1024 * 1024 * 1024, 0);
      // ...
      static struct st_mysql_sys_var* innobase_system_variables[]= {
      // ...
        MYSQL_SYSVAR(lock_wait_timeout),
      // ...
        NULL
      };
      maria_declare_plugin(innobase)
      {
      // ...
      innobase_system_variables
      // ...
      },
      // ...
      maria_declare_plugin_end;
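
Added example (not part of the report and not MariaDB code): a simplified C++ model of the mismatch UBSan reports above, next to two well-defined ways to perform the same read. `THD`, the `SysVar*` structs, `sys_var_ulong` and the `read_*` helpers are constructed stand-ins; `mysql_sys_var_long` is assumed to return `long *`, and neither variant is claimed to be the fix in the pull request.

```cpp
// Simplified model of the reported pattern; all types and helpers here are
// constructed for illustration and are not MariaDB's definitions.
#include <cstdio>

struct THD { long lock_wait_timeout; };   // stand-in for the session object

// Resolver in the shape the UBSan report names (assumed to return long*).
static long *mysql_sys_var_long(THD *thd, int) { return &thd->lock_wait_timeout; }

using resolve_long_t  = long *(*)(THD *, int);
using resolve_ulong_t = unsigned long *(*)(THD *, int);

// Mismatched: the slot is typed for unsigned long*, so the resolver must be
// cast in, and the call then goes through the wrong function type.
struct SysVarMismatched { int offset; resolve_ulong_t resolve; };

unsigned long read_mismatched(THD *thd) {
  SysVarMismatched v{0, reinterpret_cast<resolve_ulong_t>(mysql_sys_var_long)};
  return *v.resolve(thd, v.offset);   // UB: -fsanitize=function reports here
}

// Well-defined: call through the function's real type, then convert the
// returned object pointer. Reading a long through unsigned long* is permitted
// because they are the signed/unsigned variants of the same type.
struct SysVarTyped { int offset; resolve_long_t resolve; };

unsigned long read_typed(THD *thd) {
  SysVarTyped v{0, mysql_sys_var_long};
  return *reinterpret_cast<unsigned long *>(v.resolve(thd, v.offset));
}

// Alternative: a thin wrapper whose own type matches the slot exactly.
static unsigned long *sys_var_ulong(THD *thd, int off) {
  return reinterpret_cast<unsigned long *>(mysql_sys_var_long(thd, off));
}

unsigned long read_wrapped(THD *thd) {
  SysVarMismatched v{0, sys_var_ulong};   // no function-pointer cast needed
  return *v.resolve(thd, v.offset);
}

int main(int argc, char **) {
  THD thd{50};   // 50 is the lock_wait_timeout default shown above
  std::printf("typed=%lu wrapped=%lu\n", read_typed(&thd), read_wrapped(&thd));
  if (argc > 1)  // opt in to the call that UBSan flags
    std::printf("mismatched=%lu\n", read_mismatched(&thd));
}
```

Built with `clang++ -fsanitize=function`, running the program with any argument takes the mismatched path and produces the same kind of "incorrect function type" report.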
      


          Activity

            marko Marko Mäkelä added a comment -

            A similar problem affects MYSQL_THDVAR_ULONGLONG and mysql_sys_var_longlong.

            Roel Roel Van de Paar added a comment -

            Re-observed the same after the MDEV-34348 patch using a Clang 18/libstdc++-14-dev (with LLVMgold.so from LLVM-17 symlinked as it is no longer available in Clang 18) build:

            CS 10.5.28 773cb726a8437d911d3f7ceedf4839dab6124484 (Debug, UBASAN)

            /test/clang_new/10.5_dbg_san/storage/innobase/handler/ha_innodb.cc:2377:9: runtime error: call to function mysql_sys_var_long(THD*, int) through pointer to incorrect function type 'unsigned long *(*)(THD *, int)'
            /test/clang_new/10.5_dbg_san/sql/sql_plugin.cc:3231: note: mysql_sys_var_long(THD*, int) defined here
            SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /test/clang_new/10.5_dbg_san/storage/innobase/handler/ha_innodb.cc:2377:9

            It can be reproduced by a simple mariadb-install-db call:

            rm -Rf /test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/data /test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/tmp
            mkdir /test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/tmp
            /test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/scripts/mariadb-install-db --no-defaults --force --auth-root-authentication-method=normal --tmpdir=/test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/tmp --basedir=/test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg --datadir=/test/CLANG_UBASAN_MD251124-mariadb-10.5.28-linux-x86_64-dbg/data

            When fixing this please also look into MDEV-34512 at the same time. Thank you!
            Roel Roel Van de Paar added a comment - - edited

            The following UBSAN suppression filter was added (which will be removed once the bug is fixed):

            ## MDEV-33158
            function:innobase_trx_init
            


            Roel Roel Van de Paar added a comment -

            As expected, also observed in 10.6 post the merge of MDEV-34348 at revision 507323abe6d0cf61abb608b87b25fb5f6141aff2 (Debug, UBASAN, Clang/LLVM 18.1.3)
            Roel Roel Van de Paar added a comment - - edited

            Issue also present in 11.8. Tested at commit f0961301c81c7f5b009c012c076abc326b203b4a (Debug, UBASAN, Clang).

            danblack Daniel Black added a comment -

            Brandon can I get a review please, this fix is appended to the back of https://github.com/MariaDB/server/pull/3737

            Innodb encryption test can now pass UBSAN with these fixes:

            binlog_encryption.rpl_temporal_format_mariadb53_to_mysql56 'row' w6 [ skipped ]  Neither MIXED nor STATEMENT binlog format
            binlog_encryption.rpl_temporal_format_mariadb53_to_mysql56 'stmt' w1 [ pass ]    211
            binlog_encryption.rpl_temporal_format_mysql56_to_mariadb53 'mix' w4 [ pass ]    215
            binlog_encryption.rpl_temporal_format_mysql56_to_mariadb53 'row' w8 [ pass ]    213
            binlog_encryption.rpl_temporal_format_mysql56_to_mariadb53 'stmt' w2 [ pass ]    208
            encryption.tempfiles 'cbc,crc32'         w8 [ pass ]     53
            encryption.tempfiles 'crc32,ctr'         w2 [ pass ]     56
            encryption.tempfiles 'cbc,none'          w8 [ pass ]     59
            encryption.tempfiles 'ctr,none'          w2 [ pass ]     74
            encryption.innodb_encryption 'undo0'     w6 [ pass ]   2138
            


            bnestere Brandon Nesterenko added a comment -

            Looks good overall, thanks danblack! Note I left a couple notes on the PR for your consideration.

            People

              danblack Daniel Black
              marko Marko Mäkelä