[MDEV-37014] UBSAN: member access within address X which does not point to an object of type 'THD' in sql/semisync_master.cc | signal_waiting_transaction | Active_tranx::clear_active_tranx_nodes - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 11.8, 12.0(EOL), 12.1
Fix Version/s: 10.6, 10.11, 11.4, 11.8, 12.0(EOL)
Component/s: Replication
Labels:
- Memory_leak
- UBSAN

Description

--source include/have_log_bin.inc

CREATE OR REPLACE TABLE t (a INT);

SET GLOBAL rpl_semi_sync_master_wait_no_slave=0;

SET GLOBAL rpl_semi_sync_master_enabled=ON;

INSERT DELAYED INTO t VALUES ();

CREATE OR REPLACE TABLE t (a INT);

SET GLOBAL rpl_semi_sync_master_enabled=0;

Leads to:

CS 12.1.0 247e2f8d4dd4124356a337f6b903b176c6780440 (Debug, UBASAN, Clang) Build 16/06/2025
/test/12.1_dbg_san/sql/semisync_master.cc:80:5: runtime error: member access within address 0x52c0001c8238 which does not point to an object of type 'THD'
0x52c0001c8238: note: object is of type 'ilink'
0d 00 00 00 a0 94 b2 71 e7 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 96 b3 71
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'ilink'
#0 0x55e76e6c77b8 in signal_waiting_transaction(THD, char const, unsigned long long) /test/12.1_dbg_san/sql/semisync_master.cc:80:5
#1 0x55e76e6c88a7 in Active_tranx::clear_active_tranx_nodes(char const, unsigned long long, int ()(THD, char const, unsigned long long)) /test/12.1_dbg_san/sql/semisync_master.cc:266:5
#2 0x55e76e6c9d46 in Repl_semi_sync_master::switch_off() /test/12.1_dbg_san/sql/semisync_master.cc:1120:22
#3 0x55e76e6c9d46 in Repl_semi_sync_master::disable_master() /test/12.1_dbg_san/sql/semisync_master.cc:496:5
#4 0x55e76e46aa89 in fix_rpl_semi_sync_master_enabled(sys_var, THD, enum_var_type) /test/12.1_dbg_san/sql/sys_vars.cc:3799:26
#5 0x55e76d8a9b99 in sys_var::update(THD, set_var) /test/12.1_dbg_san/sql/set_var.cc:212:21
#6 0x55e76d8b2196 in set_var::update(THD*) /test/12.1_dbg_san/sql/set_var.cc:871:23
#7 0x55e76d8afc4d in sql_set_variables(THD, List<set_var_base>, bool) /test/12.1_dbg_san/sql/set_var.cc:752:20
#8 0x55e76dd4a263 in mysql_execute_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:4859:9
#9 0x55e76dd22968 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/12.1_dbg_san/sql/sql_parse.cc:7882:18
#10 0x55e76dd168d1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1877:7
#11 0x55e76dd2538d in do_command(THD*, bool) /test/12.1_dbg_san/sql/sql_parse.cc:1416:17
#12 0x55e76e3f5c9c in do_handle_one_connection(CONNECT*, bool) /test/12.1_dbg_san/sql/sql_connect.cc:1414:11
#13 0x55e76e3f5557 in handle_one_connection /test/12.1_dbg_san/sql/sql_connect.cc:1326:5
#14 0x55e76d6ef35c in asan_thread_start(void*) asan_interceptors.cpp.o
#15 0x7fc49189caa3 in start_thread nptl/pthread_create.c:447:8
#16 0x7fc491929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: dynamic-type-mismatch /test/12.1_dbg_san/sql/semisync_master.cc:80:5
2025-06-16 19:20:13 5 [Note] Semi-sync replication switched OFF.
2025-06-16 19:20:13 6 [Note] Stopping ack receiver thread
2025-06-16 19:20:15 0 [Note] /test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-dbg/bin/mariadbd (initiated by: root[root] @ localhost []): Normal shutdown
2025-06-16 19:20:15 0 [Note] InnoDB: FTS optimize thread exiting.
2025-06-16 19:20:15 0 [Note] InnoDB: Starting shutdown...
2025-06-16 19:20:15 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-dbg/data/ib_buffer_pool
2025-06-16 19:20:15 0 [Note] InnoDB: Buffer pool(s) dump completed at 250616 19:20:15
2025-06-16 19:20:15 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2025-06-16 19:20:15 0 [Note] InnoDB: Shutdown completed; log sequence number 59603; transaction id 20
2025-06-16 19:20:15 0 [Note] /test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-dbg/bin/mariadbd: Shutdown complete

=================================================================
==1651633==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 2 object(s) allocated from:
#0 0x55e76d6f1c90 in realloc (/test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-dbg/bin/mariadbd+0x2597c90) (BuildId: 655851dc484fe5bfb33210ab177ea22d58ed5ad1)
#1 0x7fc491cbda62 in d_growable_string_resize /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:4327:21
#2 0x7fc491cbda62 in d_growable_string_append_buffer /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:4351:5
#3 0x7fc491cbda62 in d_growable_string_callback_adapter /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:4368:3
#4 0x7fc491cc93f0 in d_print_flush /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:4585:3
#5 0x7fc491cc93f0 in d_print_callback /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:4671:3
#6 0x7fc491cc93f0 in d_demangle_callback /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:6896:16
#7 0x7fc491cc9ea8 in d_demangle /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:6918:12
#8 0x7fc491cc9ea8 in __cxa_demangle /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/libsupc++/cp-demangle.c:6982:15
#9 0x55e76d722ce8 in __sanitizer::Symbolizer::PlatformDemangle(char const*) (/test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-dbg/bin/mariadbd+0x25c8ce8) (BuildId: 655851dc484fe5bfb33210ab177ea22d58ed5ad1)

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 2 allocation(s).

Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 150525 60f046d7e6b0a61f9b0762fe05c4021cff1b79d8 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 10.6 opt 150525 60f046d7e6b0a61f9b0762fe05c4021cff1b79d8 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 10.11 dbg 150525 84dd2437c507ed194da03fe04fea14e261e47bc5 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 10.11 opt 150525 84dd2437c507ed194da03fe04fea14e261e47bc5 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 11.4 dbg 150525 da5a4d05b9da58705498a42b6ffa5d9211f446af UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 11.4 opt 150525 da5a4d05b9da58705498a42b6ffa5d9211f446af UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 11.8 dbg 150525 865b05bf4acf10e0d4b3359019ed7b2efe0be81d UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 11.8 opt 150525 865b05bf4acf10e0d4b3359019ed7b2efe0be81d UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 12.0 dbg 140525 00a9afb5818433c26537ccaf6b2c59ad493dd473 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 12.0 opt 140525 00a9afb5818433c26537ccaf6b2c59ad493dd473 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 12.1 dbg 160625 247e2f8d4dd4124356a337f6b903b176c6780440 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
CS 12.1 opt 160625 247e2f8d4dd4124356a337f6b903b176c6780440 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
ES 10.6 opt 150525 6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62 UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
ES 11.4 dbg 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master
ES 11.4 opt 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f UBSAN\|member access within address X which does not point to an object of type 'THD'\|sql/semisync_master.cc\|signal_waiting_transaction\|Active_tranx::clear_active_tranx_nodes\|Repl_semi_sync_master::switch_off\|Repl_semi_sync_master::disable_master

UBSAN: member access within address X which does not point to an object of type 'THD' in sql/semisync_master.cc | signal_waiting_transaction | Active_tranx::clear_active_tranx_nodes

Details

Description

Attachments

Activity

People

Dates

Git Integration