[MDEV-34510] UBSAN: crc32 x86 - integer overflow - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5.25
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3
Component/s: Server
Labels:
- UBSAN

Description

clang-18 based UBSAN failure.

/source/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x7fb8873160b0 overflowed to 0x7fb8873160aa

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /source/mysys/crc32/crc32c_x86.cc:321:53

code:

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 318)     size += 16;

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 319)     if (size) {

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 320)     get_last_two_xmms:

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 321)       const __m128i crc2 = crc_out, d = load128(buf + (size - 16));

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 322)       __m128i S = load128(reinterpret_cast<const char*>(shuffle128) + size);

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 323)       crc_out = _mm_shuffle_epi8(crc_out, S);

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 324)       S = xor128(S, _mm_set1_epi32(0x80808080));

Looks like it was jumped to by get_last_two_xmms in the processing of the last 32 bytes.

2024-07-04 14:41:42 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2024-07-04 14:41:42 0 [Note] InnoDB: Completed initialization of buffer pool

2024-07-04 14:41:42 0 [Note] InnoDB: Setting log file ./ib_logfile101 size to 10485760 bytes

/home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x5190000075f0 overflowed to 0x5190000075ec

Thread 1 hit Breakpoint 1, crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321

321	      const __m128i crc2 = crc_out, d = load128(buf + (size - 16));

(rr) bt

#0  crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321

#1  0x00000000026a09ab in ut_crc32 (s=0x519000007400 "PHYS", size=508) at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/ut0crc32.h:34

#2  log_block_calc_checksum_crc32 (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/log0log.inl:196

#3  log_block_store_checksum (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:488

#4  log_t::file::write_header_durable (this=<optimized out>, lsn=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:508

#5  0x00000000028d1bbe in create_log_file (create_new_db=<optimized out>, lsn=<optimized out>, logfile0=<optimized out>)

    at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:325

#6  0x00000000028cc718 in srv_start (create_new_db=true) at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:1331

#7  0x000000000256cc1d in innodb_init (p=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/handler/ha_innodb.cc:4074

#8  0x000000000181f471 in ha_initialize_handlerton (plugin=0x52100002b810) at /home/dan/repos/mariadb-server-rebase/sql/handler.cc:651

#9  0x0000000000cb23fa in plugin_do_initialize (plugin=0x52100002b810, state=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1451

#10 0x0000000000cb1a7f in plugin_initialize (tmp_root=tmp_root@entry=0x7faf2db10110, plugin=plugin@entry=0x52100002b810, argc=argc@entry=0x53e0440 <remaining_argc>,

    argv=argv@entry=0x5160000000f8, options_only=false) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1504

#11 0x0000000000cb1026 in plugin_init (argc=<optimized out>, argv=<optimized out>, flags=1) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1761

#12 0x0000000000816b0d in init_server_components () at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:4982

#13 0x0000000000810383 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:5573

#14 0x00007faf2f63d088 in __libc_start_call_main () from /lib64/libc.so.6

#15 0x00007faf2f63d14b in __libc_start_main_impl () from /lib64/libc.so.6

#16 0x000000000072ee95 in _start ()

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53

Attachments

Issue Links

blocks

MDBF-741 Remove the gcc UBSAN builder to use the clang based UBSAN

Open

is caused by

MDEV-33817 Implement AVX512BW and VPCLMULQDQ based CRC-32 algorithms

Closed

is part of

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Daniel Black

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-07-02 06:49

Updated:: 2024-07-08 08:18

Resolved:: 2024-07-08 08:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.