[MDEV-20383] Use of uninitialized value in Datafile::find_space_id() for ROW_FORMAT=COMPRESSED Created: 2019-08-19  Updated: 2019-08-19  Resolved: 2019-08-19

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.4.3
Fix Version/s: 10.4.8

Type: Bug Priority: Major
Reporter: Marko Mäkelä Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: regression, valgrind

Issue Links:
  PartOf:
    is part of MDEV-20310 valgrind bugs found in 10.5 (Open)
  Problem/Incident:
    is caused by MDEV-12026 Support encrypted SPATIAL INDEX (Closed)
  Relates:
    relates to MDEV-20377 Make WITH_MSAN more usable (Closed)

Description

This was originally found with Valgrind, but only occasionally. With MSAN (set up as explained in MDEV-20377), the problem is repeatable all the time:

2019-08-19 15:18:43 0 [ERROR] InnoDB: Space ID in fsp header is 5, but in the page header it is 0.
2019-08-19 15:18:43 0 [Note] InnoDB: A bad Space ID was found in datafile: ./test/t1.ibd, Space ID:18446744073709551615, Flags: 20
2019-08-19 15:18:43 0 [Note] InnoDB: Page size:1024. Pages to analyze:48
==19192==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x3093e7c in buf_page_is_corrupted(bool, unsigned char const*, unsigned long) /mariadb/10.5/storage/innobase/buf/buf0buf.cc:1037:14
    #1 0x338b87b in Datafile::find_space_id() /mariadb/10.5/storage/innobase/fsp/fsp0file.cc:711:22
    #2 0x3389ba5 in Datafile::validate_for_recovery() /mariadb/10.5/storage/innobase/fsp/fsp0file.cc:461:9
    #3 0x331249d in fil_ibd_load(unsigned long, char const*, fil_space_t*&) /mariadb/10.5/storage/innobase/fil/fil0fil.cc:3746:15
  Uninitialized value was created by a heap allocation
    #0 0x6e79bd in __interceptor_malloc (/dev/shm/10.5/sql/mysqld+0x6e79bd)
    #1 0x338ad06 in Datafile::find_space_id() /mariadb/10.5/storage/innobase/fsp/fsp0file.cc:657:4

In the investigated case, only the first 1024 bytes of the buffer are valid, and we are trying to compute the checksum for a partially uninitialized buffer. The following patch fixes this:

diff --git a/storage/innobase/fsp/fsp0file.cc b/storage/innobase/fsp/fsp0file.cc
index 4143e246f99..4869160b883 100644
--- a/storage/innobase/fsp/fsp0file.cc
+++ b/storage/innobase/fsp/fsp0file.cc
@@ -699,7 +699,8 @@ Datafile::find_space_id()
 
 			/* For noncompressed pages, the page size must be
 			equal to srv_page_size. */
-			if (page_size == srv_page_size) {
+			if (page_size == srv_page_size
+			    && !fil_space_t::zip_size(fsp_flags)) {
 				noncompressed_ok = !buf_page_is_corrupted(
 					false, page, fsp_flags);
 			}
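Review bot: the comment above this condition ("For noncompressed pages, the page size must be equal to srv_page_size") no longer describes the whole gate; with `&& !fil_space_t::zip_size(fsp_flags)` added, the noncompressed checksum is also skipped whenever the flags read from the header advertise a compressed page size. Extend the comment to state both conditions, e.g. "and the tablespace flags must not indicate ROW_FORMAT=COMPRESSED", so a later reader sees why a flags check guards the non-compressed path.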
@@ -707,7 +708,7 @@ Datafile::find_space_id()
 			bool	compressed_ok = false;
 
 			if (srv_page_size <= UNIV_PAGE_SIZE_DEF
-			    && page_size <= srv_page_size) {
+			    && page_size == fil_space_t::zip_size(fsp_flags)) {
 				compressed_ok = !buf_page_is_corrupted(
 					false, page, fsp_flags);
 			}
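Review bot: replacing `page_size <= srv_page_size` with `page_size == fil_space_t::zip_size(fsp_flags)` ties the compressed checksum to the number of bytes that were actually read for this candidate, which is what stops buf_page_is_corrupted() from touching the unread tail of the buffer. Since the first hunk treats a zero zip_size() as "not compressed", this branch is unreachable for non-compressed flags (page_size is never 0), and a candidate whose page_size matches neither srv_page_size nor zip_size now gets no checksum at all; a one-line comment saying that at most one of the two checks can run for a given fsp_flags would make that intent explicit.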


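A constructed model of the gating described above, added here and not InnoDB's code: find_space_id() allocates srv_page_size bytes but reads only page_size bytes per candidate, while buf_page_is_corrupted() checksums a whole logical page, so the probe below reports how many buffer bytes a check would touch before and after the patch (zip_size is assumed already decoded from the tablespace flags, 0 meaning not compressed; UNIV_PAGE_SIZE_DEF is assumed to be 16384).

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model (not InnoDB's code) of the gating in
 * Datafile::find_space_id(). The buffer is srv_page_size bytes, but only
 * page_size bytes are read into it for the current candidate, so every
 * byte past page_size is uninitialized heap memory. buf_page_is_corrupted()
 * checksums one logical page: zip_size bytes when the flags say
 * ROW_FORMAT=COMPRESSED, otherwise srv_page_size bytes. */

#define UNIV_PAGE_SIZE_DEF 16384  /* assumed InnoDB default page size */

struct probe {
    size_t bytes_valid;    /* bytes actually read into the buffer */
    size_t bytes_checked;  /* bytes the checksum touches; 0 = no check ran */
};

/* Size of the logical page the checksum code walks for these flags. */
static size_t checksum_span(size_t srv_page_size, size_t zip_size)
{
    return zip_size ? zip_size : srv_page_size;
}

/* fixed == false models the conditions before the patch, true after it.
 * Both checks run independently, as in the original code; we keep the
 * larger span because that is the furthest byte any check reads. */
static struct probe probe_candidate(size_t page_size, size_t srv_page_size,
                                    size_t zip_size, bool fixed)
{
    struct probe p = { page_size, 0 };
    size_t span = checksum_span(srv_page_size, zip_size);

    /* "noncompressed" check: after the fix also requires zip_size == 0 */
    if (page_size == srv_page_size && (!fixed || zip_size == 0))
        p.bytes_checked = span;

    /* "compressed" check: after the fix page_size must equal zip_size */
    if (srv_page_size <= UNIV_PAGE_SIZE_DEF
        && (fixed ? page_size == zip_size : page_size <= srv_page_size)
        && span > p.bytes_checked)
        p.bytes_checked = span;

    return p;
}

/* True when the checksum would read bytes that were never written,
 * which is exactly what MSAN flagged in the report above. */
static bool reads_uninitialized(struct probe p)
{
    return p.bytes_checked > p.bytes_valid;
}
```

The reported case is the 1024-byte candidate on a 16 KiB server page with non-compressed flags: before the patch the compressed branch runs and the checksum walks all 16384 bytes, after it no check runs and the loop moves to the next candidate.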

Comments
Comment by Marko Mäkelä [ 2019-08-19 ]

The uninitialized value was found when running the test innodb.doublewrite. With the fix, the test on 10.5 passes with MSAN.

Comment by Marko Mäkelä [ 2019-08-19 ]

On 10.3 built with MSAN, the test innodb.doublewrite does not fail. So, this should indeed be related to MDEV-12026 and not earlier changes, such as the cleanup in 10.3 that replaced UNIV_PAGE_SIZE with srv_page_size.

Generated at Thu Feb 08 08:59:03 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.