Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-37148

Unaligned access in strings/ctype.c, crashes with upcoming GCC 16 (or UBSAN)

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 10.6, 10.11, 11.4, 11.8
    • 10.6, 10.11, 11.4, 11.8
    • None
    • None
    • Gentoo
      x86_64
      gcc version 16.0.0 20250703 (experimental) b8a7d51253695febe6598069ccd89280b45d0abe (Gentoo Hardened 16.0.9999 p, commit 9fdf5a30ded9c691d9fcdb787e72f8dd0f111f8a)

    Description

      I filed this downstream in Gentoo first at https://bugs.gentoo.org/959423.

      Built 11.8.2 with:

      CFLAGS="-O3 -march=znver2 -ggdb3"
      		 
      CXXFLAGS="-O3 -march=znver2 -ggdb3"

      But the code is the same in git.

      This shows up in a few places, but taking the Perl module DBD-MariaDB-1.240.0's testsuite as an example:

      (gdb) thread 15
      		 
      [Switching to thread 15 (Thread 0x7f89701a66c0 (LWP 96))]
      		 
      #0  my_convert (to=<optimized out>, to_length=380, to_cs=0x55b72c1bf828, from=<optimized out>, from_length=95, from_cs=0x55b721aea600 <my_charset_utf8mb3_general_ci>,
      		 
          errors=0x7f89701a3cac) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/strings/ctype.c:1256
      		 
      1256        if ((*(uint32*)from) & 0x80808080)
      		 
      (gdb) bt
      		 
      #0  my_convert (to=<optimized out>, to_length=380, to_cs=0x55b72c1bf828, from=<optimized out>, from_length=95, from_cs=0x55b721aea600 <my_charset_utf8mb3_general_ci>,
      		 
          errors=0x7f89701a3cac) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/strings/ctype.c:1256
      		 
      #1  0x000055b7202d838f in copy_and_convert (to=<optimized out>, to_length=<optimized out>, to_cs=0x55b72c1bf828,
      		 
          from=0x7f89241240c6 "Crash-safe tables with MyISAM heritage. Used for internal temporary tables and privilege tables", from_length=95,
      		 
          from_cs=0x55b721aea600 <my_charset_utf8mb3_general_ci>, errors=0x7f89701a3cac) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_string.h:53
      		 
      #2  String::copy (this=0x7f8924001468, str=0x7f89241240c6 "Crash-safe tables with MyISAM heritage. Used for internal temporary tables and privilege tables", arg_length=95,
      		 
          from_cs=0x55b721aea600 <my_charset_utf8mb3_general_ci>, to_cs=0x55b72c1bf828, errors=0x7f89701a3cac) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_string.cc:472
      		 
      #3  String::copy (this=0x7f8924001468, str=str@entry=0x7f89241240c6 "Crash-safe tables with MyISAM heritage. Used for internal temporary tables and privilege tables",
      		 
          arg_length=arg_length@entry=95, from_cs=0x55b721aea600 <my_charset_utf8mb3_general_ci>, to_cs=0x55b72c1bf828, errors=errors@entry=0x7f89701a3cac)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_string.cc:452
      		 
      #4  0x000055b720131773 in Protocol::net_store_data_cs (this=0x7f89240011f0,
      		 
          from=0x7f89241240c6 "Crash-safe tables with MyISAM heritage. Used for internal temporary tables and privilege tables", length=95, from_cs=<optimized out>, to_cs=0x55b72c1bf828)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/protocol.cc:100
      		 
      #5  0x000055b72013340f in Protocol::send_result_set_row (this=this@entry=0x7f89240011f0, row_items=row_items@entry=0x7f8924005aa0)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/protocol.cc:1359
      		 
      #6  0x000055b7201ae472 in select_send::send_data (this=0x7f8924036860, items=...) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_class.cc:3294
      		 
      #7  0x000055b72028c239 in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, this=<optimized out>, items=...)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_class.h:6248
      		 
      #8  select_result_sink::send_data_with_check (this=<optimized out>, items=..., u=<optimized out>, sent=<optimized out>)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_class.h:6238
      		 
      #9  end_send (join=<optimized out>, join_tab=<optimized out>, end_of_records=<optimized out>) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:25604
      		 
      #10 0x000055b720256c30 in evaluate_join_record (join=join@entry=0x7f8924036888, join_tab=join_tab@entry=0x7f89240381c8, error=<optimized out>)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:24505
      		 
      #11 0x000055b7202706b7 in sub_select (join=0x7f8924036888, join_tab=0x7f89240381c8, end_of_records=<optimized out>) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:24309
      		 
      #12 0x000055b7202a6cef in do_select (join=0x7f8924036888, procedure=<optimized out>) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:23783
      		 
      #13 JOIN::exec_inner (this=this@entry=0x7f8924036888) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:5059
      		 
      #14 0x000055b7202a7162 in JOIN::exec (this=this@entry=0x7f8924036888) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:4842
      		 
      #15 0x000055b7202a5064 in mysql_select (thd=thd@entry=0x7f8924000c68, tables=0x7f8924035c80, fields=..., conds=0x0, og_num=0, order=<optimized out>, group=0x0, having=0x0,
      		 
          proc_param=0x0, select_options=2701396736, result=0x7f8924036860, unit=0x7f8924004f98, select_lex=0x7f89240057e8)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:5375
      		 
      #16 0x000055b7202a5885 in handle_select (thd=thd@entry=0x7f8924000c68, lex=lex@entry=0x7f8924004eb8, result=result@entry=0x7f8924036860,
      		 
          setup_tables_done_option=setup_tables_done_option@entry=0) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_select.cc:633
      		 
      #17 0x000055b72020d16f in execute_sqlcom_select (thd=thd@entry=0x7f8924000c68, all_tables=0x7f8924035c80) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_parse.cc:6191
      		 
      #18 0x000055b72021bb7a in mysql_execute_command (thd=thd@entry=0x7f8924000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_parse.cc:3979
      		 
      #19 0x000055b72021c97b in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, thd=0x7f8924000c68, parser_state=<optimized out>)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_parse.cc:7906
      		 
      #20 mysql_parse (thd=0x7f8924000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_parse.cc:7828
      		 
      #21 0x000055b72021e7f9 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f8924000c68, packet=packet@entry=0x7f8924008069 "", packet_length=12,
      		 
          blocking=blocking@entry=true) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_class.h:258
      		 
      #22 0x000055b72021fac9 in do_command (thd=thd@entry=0x7f8924000c68, blocking=blocking@entry=true) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_parse.cc:1415
      		 
      #23 0x000055b72036b625 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55b72cac1718, put_in_cache=put_in_cache@entry=true)
      		 
          at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_connect.cc:1415
      		 
      #24 0x000055b72036ba2d in handle_one_connection (arg=arg@entry=0x55b72cac1718) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/sql/sql_connect.cc:1327
      		 
      #25 0x000055b720754b45 in pfs_spawn_thread (arg=0x55b72ca65528) at /usr/src/debug/dev-db/mariadb-11.8.2/mysql/storage/perfschema/pfs.cc:2198
      		 
      #26 0x00007f897ac85d5c in start_thread (arg=<optimized out>) at pthread_create.c:448
      		 
      #27 0x00007f897ad204d8 in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      There's clearly unaligned access at https://github.com/MariaDB/server/blob/mariadb-11.8.2/strings/ctype.c#L1246.

      GCC trunk vectorises more and then it falls afoul of that.

      It was fixed in MySQL in https://github.com/mysql/mysql-server/commit/78fa0426b39ccb5adf205fc668707ba3d973c8f8, so MariaDB just needs to mirror that change.

      Attachments

        Issue Links

          blocks

          Task - A task that needs to be done. MDEV-25454 Make MariaDB server UBSAN safe

          • Major - Major loss of function.
          • Confirmed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37786 my_convert randomly crashes when converting from utf8mb3 to utf8mb4

          • Critical - Crashes, loss of data, severe memory leak.
          • Open
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21816 Suboptimal implementation of my_convert() for ARM64

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37717 UBSAN: runtime error: store to misaligned address for type 'uint32' (aka 'unsigned int'), which requires 4 byte alignment in extra/comp_err

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37788 fix uintNkorr in byte_order_generic.h, avoid unaligned access

          • Major - Major loss of function.
          • Open

          Activity

            People

              bar Alexander Barkov
              thesamesam Sam James
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.