[MDEV-34510] UBSAN: crc32 x86 - integer overflow - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5.25
Fix Version/s: 10.5.26, 10.6.19, 10.11.9, 11.1.6, 11.2.5, 11.4.3
Component/s: Server
Labels:
- UBSAN

Description

clang-18 based UBSAN failure.

/source/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x7fb8873160b0 overflowed to 0x7fb8873160aa

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /source/mysys/crc32/crc32c_x86.cc:321:53

code:

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 318)     size += 16;

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 319)     if (size) {

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 320)     get_last_two_xmms:

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 321)       const __m128i crc2 = crc_out, d = load128(buf + (size - 16));

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 322)       __m128i S = load128(reinterpret_cast<const char*>(shuffle128) + size);

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 323)       crc_out = _mm_shuffle_epi8(crc_out, S);

9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 324)       S = xor128(S, _mm_set1_epi32(0x80808080));

Looks like it was jumped to by get_last_two_xmms in the processing of the last 32 bytes.

2024-07-04 14:41:42 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2024-07-04 14:41:42 0 [Note] InnoDB: Completed initialization of buffer pool

2024-07-04 14:41:42 0 [Note] InnoDB: Setting log file ./ib_logfile101 size to 10485760 bytes

/home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x5190000075f0 overflowed to 0x5190000075ec

Thread 1 hit Breakpoint 1, crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321

321	      const __m128i crc2 = crc_out, d = load128(buf + (size - 16));

(rr) bt

#0  crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321

#1  0x00000000026a09ab in ut_crc32 (s=0x519000007400 "PHYS", size=508) at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/ut0crc32.h:34

#2  log_block_calc_checksum_crc32 (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/log0log.inl:196

#3  log_block_store_checksum (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:488

#4  log_t::file::write_header_durable (this=<optimized out>, lsn=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:508

#5  0x00000000028d1bbe in create_log_file (create_new_db=<optimized out>, lsn=<optimized out>, logfile0=<optimized out>)

    at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:325

#6  0x00000000028cc718 in srv_start (create_new_db=true) at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:1331

#7  0x000000000256cc1d in innodb_init (p=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/handler/ha_innodb.cc:4074

#8  0x000000000181f471 in ha_initialize_handlerton (plugin=0x52100002b810) at /home/dan/repos/mariadb-server-rebase/sql/handler.cc:651

#9  0x0000000000cb23fa in plugin_do_initialize (plugin=0x52100002b810, state=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1451

#10 0x0000000000cb1a7f in plugin_initialize (tmp_root=tmp_root@entry=0x7faf2db10110, plugin=plugin@entry=0x52100002b810, argc=argc@entry=0x53e0440 <remaining_argc>,

    argv=argv@entry=0x5160000000f8, options_only=false) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1504

#11 0x0000000000cb1026 in plugin_init (argc=<optimized out>, argv=<optimized out>, flags=1) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1761

#12 0x0000000000816b0d in init_server_components () at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:4982

#13 0x0000000000810383 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:5573

#14 0x00007faf2f63d088 in __libc_start_call_main () from /lib64/libc.so.6

#15 0x00007faf2f63d14b in __libc_start_main_impl () from /lib64/libc.so.6

#16 0x000000000072ee95 in _start ()

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53

Attachments

Issue Links

blocks

MDBF-741 Remove the gcc UBSAN builder to use the clang based UBSAN

Open

is caused by

MDEV-33817 Implement AVX512BW and VPCLMULQDQ based CRC-32 algorithms

Closed

is part of

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

Activity

Ascending order - Click to sort in descending order

Daniel Black created issue - 2024-07-02 06:49

Daniel Black made changes - 2024-07-02 06:49

Field	Original Value	New Value
Link		This issue is part of MDEV-25454 [ MDEV-25454 ]

Daniel Black made changes - 2024-07-02 06:49

Link

This issue is caused by ~~MDEV-33817~~ [ ~~MDEV-33817~~ ]

Daniel Black made changes - 2024-07-02 07:17

Link

This issue blocks MDBF-741 [ MDBF-741 ]

Daniel Black made changes - 2024-07-04 04:53

Description

clang-18 based UBSAN failure.

{noformat}
/source/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x7fb8873160b0 overflowed to 0x7fb8873160aa
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /source/mysys/crc32/crc32c_x86.cc:321:53
{noformat}

code:
{code}
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 318) size += 16;
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 319) if (size) {
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 320) get_last_two_xmms:
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 321) const __m128i crc2 = crc_out, d = load128(buf + (size - 16));
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 322) __m128i S = load128(reinterpret_cast<const char*>(shuffle128) + size);
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 323) crc_out = _mm_shuffle_epi8(crc_out, S);
9ec7819c585d (Marko Mäkelä 2024-05-03 15:55:20 +0300 324) S = xor128(S, _mm_set1_epi32(0x80808080));
{code}

Looks like it was jumped to by get_last_two_xmms in the processing of the last 32 bytes.

{code}
2024-07-04 14:41:42 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
2024-07-04 14:41:42 0 [Note] InnoDB: Completed initialization of buffer pool
2024-07-04 14:41:42 0 [Note] InnoDB: Setting log file ./ib_logfile101 size to 10485760 bytes
/home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53: runtime error: addition of unsigned offset to 0x5190000075f0 overflowed to 0x5190000075ec

Thread 1 hit Breakpoint 1, crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321
321 const __m128i crc2 = crc_out, d = load128(buf + (size - 16));
(rr) bt
#0 crc32_avx512 (crc=<optimized out>, buf=0x5190000075f0 "", size=12, tab=<optimized out>) at /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321
#1 0x00000000026a09ab in ut_crc32 (s=0x519000007400 "PHYS", size=508) at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/ut0crc32.h:34
#2 log_block_calc_checksum_crc32 (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/include/log0log.inl:196
#3 log_block_store_checksum (block=0x519000007400 "PHYS") at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:488
#4 log_t::file::write_header_durable (this=<optimized out>, lsn=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/log/log0log.cc:508
#5 0x00000000028d1bbe in create_log_file (create_new_db=<optimized out>, lsn=<optimized out>, logfile0=<optimized out>)
at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:325
#6 0x00000000028cc718 in srv_start (create_new_db=true) at /home/dan/repos/mariadb-server-rebase/storage/innobase/srv/srv0start.cc:1331
#7 0x000000000256cc1d in innodb_init (p=<optimized out>) at /home/dan/repos/mariadb-server-rebase/storage/innobase/handler/ha_innodb.cc:4074
#8 0x000000000181f471 in ha_initialize_handlerton (plugin=0x52100002b810) at /home/dan/repos/mariadb-server-rebase/sql/handler.cc:651
#9 0x0000000000cb23fa in plugin_do_initialize (plugin=0x52100002b810, state=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1451
#10 0x0000000000cb1a7f in plugin_initialize (tmp_root=tmp_root@entry=0x7faf2db10110, plugin=plugin@entry=0x52100002b810, argc=argc@entry=0x53e0440 <remaining_argc>,
argv=argv@entry=0x5160000000f8, options_only=false) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1504
#11 0x0000000000cb1026 in plugin_init (argc=<optimized out>, argv=<optimized out>, flags=1) at /home/dan/repos/mariadb-server-rebase/sql/sql_plugin.cc:1761
#12 0x0000000000816b0d in init_server_components () at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:4982
#13 0x0000000000810383 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /home/dan/repos/mariadb-server-rebase/sql/mysqld.cc:5573
#14 0x00007faf2f63d088 in __libc_start_call_main () from /lib64/libc.so.6
#15 0x00007faf2f63d14b in __libc_start_main_impl () from /lib64/libc.so.6
#16 0x000000000072ee95 in _start ()

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/dan/repos/mariadb-server-rebase/mysys/crc32/crc32c_x86.cc:321:53
{code}

Marko Mäkelä added a comment - 2024-07-08 06:48

The complaint seems to be that size - 16 is negative. The wrap-around of an unsigned integer is not UB, but apparently adding a wrapped-around offset to a pointer is. I think that we’d better explicitly tell the compiler that the offset is signed, by writing load128(buf + ssize_t(size - 16)).

Marko Mäkelä added a comment - 2024-07-08 06:48 The complaint seems to be that size - 16 is negative. The wrap-around of an unsigned integer is not UB, but apparently adding a wrapped-around offset to a pointer is. I think that we’d better explicitly tell the compiler that the offset is signed, by writing load128(buf + ssize_t(size - 16)) .

Marko Mäkelä made changes - 2024-07-08 07:32

Status

Open [ 1 ]

In Progress [ 3 ]

Marko Mäkelä made changes - 2024-07-08 07:32

Assignee	Marko Mäkelä [ marko ]	Daniel Black [ danblack ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Daniel Black added a comment - 2024-07-08 08:18

Thanks Marko. Looks good, tested locally with avx512 capabilties.

Daniel Black added a comment - 2024-07-08 08:18 Thanks Marko. Looks good, tested locally with avx512 capabilties.

Daniel Black made changes - 2024-07-08 08:18

Fix Version/s		10.5.26 [ 29832 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.11 [ 27614 ]
Assignee	Daniel Black [ danblack ]	Marko Mäkelä [ marko ]
Resolution		Fixed [ 1 ]
Status	In Review [ 10002 ]	Closed [ 6 ]

JiraAutomate made changes - 2024-07-08 08:18

Fix Version/s		10.6.19 [ 29833 ]
Fix Version/s		10.11.9 [ 29834 ]
Fix Version/s		11.1.6 [ 29835 ]
Fix Version/s		11.2.5 [ 29836 ]
Fix Version/s		11.4.3 [ 29837 ]

People

Assignee:: Marko Mäkelä

Reporter:: Daniel Black

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-07-02 06:49

Updated:: 2024-07-08 08:18

Resolved:: 2024-07-08 08:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration