MariaDB Server / MDEV-35537

UBSAN: runtime error: pointer-overflow: subtraction of unsigned offset from 0x154383601000 overflowed to 0x154383801000, and addition of unsigned offset to 0x7ffc4767b000 overflowed to 0x55dec10ca000, in my_get_stack_bounds from THD::store_globals()

    Description

      export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1
      rm -Rf data tmp 
      mkdir tmp 
      ./scripts/mariadb-install-db --no-defaults --force --auth-root-authentication-method=normal --basedir=${PWD} --tmpdir=${PWD}/tmp --datadir=${PWD}/data
      

      Leads to:

      CS 10.11.11 e81ed928ff57658d71be360813a87325fbda8e03 (Debug, UBASAN)

      /test/10.11_dbg_san/mysys/my_stack.c:60:30: runtime error: subtraction of unsigned offset from 0x154383601000 overflowed to 0x154383801000
          #0 0x55debadf5c97 in my_get_stack_bounds /test/10.11_dbg_san/mysys/my_stack.c:60:30
          #1 0x55deb4955b39 in THD::store_globals() /test/10.11_dbg_san/sql/sql_class.cc:2266:3
          #2 0x55deb49b66a8 in thd_attach_thd(THD*) /test/10.11_dbg_san/sql/sql_class.cc:5129:8
          #3 0x55deb9e243aa in acquire_thd(void**) /test/10.11_dbg_san/storage/innobase/srv/srv0srv.cc:1550:9
          #4 0x55deb9e18fcc in purge_coordinator_callback(void*) /test/10.11_dbg_san/storage/innobase/srv/srv0srv.cc:1584:13
          #5 0x55deba95d4e9 in tpool::task_group::execute(tpool::task*) /test/10.11_dbg_san/tpool/task_group.cc:70:9
          #6 0x55deba95edd4 in tpool::task::execute() /test/10.11_dbg_san/tpool/task.cc:32:16
          #7 0x55deba934c00 in tpool::thread_pool_generic::worker_main(tpool::worker_data*) /test/10.11_dbg_san/tpool/tpool_generic.cc:583:11
          #8 0x55deba9501a6 in void std::__invoke_impl<void, void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>(std::__invoke_memfun_deref, void (tpool::thread_pool_generic::*&&)(tpool::worker_data*), tpool::thread_pool_generic*&&, tpool::worker_data*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/invoke.h:74:14
          #9 0x55deba94fc25 in std::__invoke_result<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>::type std::__invoke<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>(void (tpool::thread_pool_generic::*&&)(tpool::worker_data*), tpool::thread_pool_generic*&&, tpool::worker_data*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/invoke.h:96:14
          #10 0x55deba94faf4 in void std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/std_thread.h:292:13
          #11 0x55deba94f8bf in std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>>::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/std_thread.h:299:11
          #12 0x55deba94ede7 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (tpool::thread_pool_generic::*)(tpool::worker_data*), tpool::thread_pool_generic*, tpool::worker_data*>>>::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/14/../../../../include/c++/14/bits/std_thread.h:244:13
          #13 0x15439deeabb3 in execute_native_thread_routine /build/gcc-14-OQFzmN/gcc-14-14-20240412/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18
          #14 0x55deb3fdd5ac in asan_thread_start(void*) asan_interceptors.cpp.o
          #15 0x15439da9ca93 in start_thread nptl/pthread_create.c:447:8
          #16 0x15439db29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: pointer-overflow /test/10.11_dbg_san/mysys/my_stack.c:60:30
      

      And:

      CS 10.11.11 e81ed928ff57658d71be360813a87325fbda8e03 (Debug, UBASAN)

      /test/10.11_dbg_san/mysys/my_stack.c:79:28: runtime error: addition of unsigned offset to 0x7ffc4767b000 overflowed to 0x55dec10ca000
          #0 0x55debadf5e71 in my_get_stack_bounds /test/10.11_dbg_san/mysys/my_stack.c:79:28
          #1 0x55deb4955b39 in THD::store_globals() /test/10.11_dbg_san/sql/sql_class.cc:2266:3
          #2 0x55deb4882740 in mysql_rm_tmp_tables() /test/10.11_dbg_san/sql/sql_base.cc:9423:8
          #3 0x55deb4036153 in mysqld_main(int, char**) /test/10.11_dbg_san/sql/mysqld.cc:5948:7
          #4 0x55deb40204a3 in main /test/10.11_dbg_san/sql/main.cc:34:10
          #5 0x15439da2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x15439da2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x55deb3f44c74 in _start (/test/UBASAN_MD271124-mariadb-10.11.11-linux-x86_64-dbg/bin/mariadbd+0x4021c74) (BuildId: 5e8dece04fe64eae845a13648766a67a7887439d)
       
      SUMMARY: UndefinedBehaviorSanitizer: pointer-overflow /test/10.11_dbg_san/mysys/my_stack.c:79:28 
      

      Observed using UBSAN with Clang and LLVM 18.1.3:

      sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools  # llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18
      sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so
      ...
      export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1
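      What the two reports above mean, as an added illustration (this is not MariaDB's my_stack.c and does not reproduce its logic): "subtraction/addition of unsigned offset ... overflowed" is UBSAN's pointer-overflow check firing when a char* plus or minus a size_t leaves the address space. The example assumes a 64-bit build and that the oversized offsets arose from a negative pointer distance stored in an unsigned type (an assumption, one common cause); it replays the wrapped addresses from the report with defined integer arithmetic and shows hypothetical bounds helpers that reject such a size instead of wrapping.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Defined (modular) integer arithmetic standing in for the pointer
 * arithmetic UBSAN flagged: it yields the same wrapped values the
 * report shows, without the undefined behaviour. */
static uintptr_t modular_sub(uintptr_t p, size_t off) { return p - off; }
static uintptr_t modular_add(uintptr_t p, size_t off) { return p + off; }

/* Hypothetical stack-bounds helpers (not MariaDB's my_get_stack_bounds).
 * A stack that grows down has low = top - size; one described by its
 * low end has top = low + size. Both refuse a size that would wrap,
 * which is what unchecked char* arithmetic silently does.
 * Return 0 on success, -1 when the bounds would be bogus. */
static int stack_low_from_top(uintptr_t top, size_t size, uintptr_t *low)
{
    if (size == 0 || size > top)                 /* top - size < 0 */
        return -1;
    *low = top - size;
    return 0;
}

static int stack_top_from_low(uintptr_t low, size_t size, uintptr_t *top)
{
    if (size == 0 || size > UINTPTR_MAX - low)   /* low + size wraps */
        return -1;
    *top = low + size;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the addresses from the two UBSAN reports and a
     * "size" that is a negative distance stored in size_t (assumption:
     * that is how such an unsigned offset arises). */
    uintptr_t top = 0x154383601000u, low = 0x7ffc4767b000u, out;
    size_t bad_sub = (size_t)(intptr_t)-0x200000;
    size_t bad_add = (size_t)(intptr_t)-0x2a1d865b1000;

    printf("wrapped sub: %#lx\n", (unsigned long)modular_sub(top, bad_sub));
    printf("wrapped add: %#lx\n", (unsigned long)modular_add(low, bad_add));
    assert(stack_low_from_top(top, bad_sub, &out) == -1);   /* rejected */
    assert(stack_top_from_low(low, bad_add, &out) == -1);   /* rejected */
    assert(stack_low_from_top(top, 0x200000, &out) == 0 && out == 0x154383401000u);
    return 0;
}
```

      Compiled with -fsanitize=pointer-overflow, the same char* computation would print the diagnostics shown above; the integer version stays silent and the check turns the bad size into a detectable failure.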
      

        Activity

          Roel Van de Paar added a comment - A global UBSAN suppression filter for pointer-overflow:my_get_stack_bounds was added for this issue.

          Roel Van de Paar added a comment - This bug looks fixed in 10.11 post the 10.5->10.6 and 10.11 upmerges. Apparently fixed due to some changes made by wlad in 10.5, w/ thanks to danblack for the info. The filter (required for testing; bug version validation) will be removed once all versions are fully upmerged to 11.8.

          People

            Assignee: Unassigned
            Reporter: Roel Van de Paar