|
If I compile 10.4 or 10.5 (or presumably earlier versions) with clang-9 and cmake -DWITH_UBSAN=ON, the server will crash very early at bootstrap.
With GCC 9.2.1, I have more luck. I usually build
cmake -DCMAKE_C{,XX}_FLAGS='-O2 -march=native -mtune=native' \
|
-DCMAKE_BUILD_TYPE=Debug -DWITH_UBSAN=ON \
|
-DCONC_WITH_{UNITTEST,SSL}=OFF -DWITH_EMBEDDED_SERVER=OFF -DWITH_UNIT_TESTS=OFF \
|
-DPLUGIN_{ARCHIVE,TOKUDB,MROONGA,OQGRAPH,ROCKSDB,CONNECT,SPIDER}=NO \
|
-DWITH_SAFEMALLOC=OFF -DWITH_{SSL,ZLIB}=system /path/to/mariadb/10.5
|
make -j$(nproc)
|
Note: you will probably have to apply the following patch:
diff --git a/cmake/maintainer.cmake b/cmake/maintainer.cmake
|
index 49ef80ed11c..eb513ef2e2b 100644
|
--- a/cmake/maintainer.cmake
|
+++ b/cmake/maintainer.cmake
|
@@ -33,7 +33,6 @@ SET(MY_WARNING_FLAGS
|
-Wnon-virtual-dtor
|
-Wvla
|
-Wwrite-strings
|
- -Werror
|
)
|
|
IF(CMAKE_COMPILER_IS_GNUCC AND CMAKE_C_COMPILER_VERSION VERSION_LESS "6.0.0")
|
I do not recommend adding -DMYSQL_MAINTAINER_MODE=OFF, because that will disable many useful warnings (which you should pay attention to while compiling the code).
Finally, to run the test, I do
cd mysql-test
|
./mtr --parallel=auto --force --retry=0 --max-test-fail=0 --big-test
|
grep 'runtime error' var/*/log/mysqld*err* |cut -d: -f2-|
|
sed -e 's/0x[0-9a-f]*/0xXXX/'|sort|uniq -c|
|
sort -nr>10.5-WITH_UBSAN.txt
|
|
|
The first error happens here:
/home/psergey/dev-git2/10.5/sql/sql_class.h:4168:24: runtime error: load of value 2779096485, which is not a valid value for type 'enum_binlog_format'
|
#0 0x555557b6c113 in THD::set_current_stmt_binlog_format_stmt() /home/psergey/dev-git2/10.5/sql/sql_class.h:4168
|
#1 0x555557b6c113 in THD::reset_current_stmt_binlog_format_row() /home/psergey/dev-git2/10.5/sql/sql_class.h:4207
|
#2 0x555557b6c113 in THD::init() /home/psergey/dev-git2/10.5/sql/sql_class.cc:1285
|
#3 0x555557b83e0b in THD::THD(unsigned long long, bool) /home/psergey/dev-git2/10.5/sql/sql_class.cc:840
|
#4 0x555557b875fb in create_background_thd() /home/psergey/dev-git2/10.5/sql/sql_class.cc:4827
|
#5 0x5555591a45dd in innobase_create_background_thd(char const*) /home/psergey/dev-git2/10.5/storage/innobase/handler/ha_innodb.cc:1524
|
#6 0x55555990976d in fts_optimize_init() /home/psergey/dev-git2/10.5/storage/innobase/fts/fts0opt.cc:2969
|
#7 0x555559550227 in srv_start(bool) /home/psergey/dev-git2/10.5/storage/innobase/srv/srv0start.cc:2144
|
#8 0x5555591c8d8e in innodb_init /home/psergey/dev-git2/10.5/storage/innobase/handler/ha_innodb.cc:4047
|
#9 0x55555860268c in ha_initialize_handlerton(st_plugin_int*) /home/psergey/dev-git2/10.5/sql/handler.cc:550
|
#10 0x555557d21b64 in plugin_initialize /home/psergey/dev-git2/10.5/sql/sql_plugin.cc:1452
|
#11 0x555557d24526 in plugin_init(int*, char**, int) /home/psergey/dev-git2/10.5/sql/sql_plugin.cc:1734
|
#12 0x555557976c28 in init_server_components /home/psergey/dev-git2/10.5/sql/mysqld.cc:5024
|
#13 0x555557981f77 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5552
|
#14 0x7ffff4722b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#15 0x55555796a059 in _start (/optane/dev-git2/10.5/sql/mysqld+0x2416059)
|
|
|
The second here: (FIX Pushed to 10.1)
/home/psergey/dev-git2/10.5/sql/sql_select.cc:15749:26: runtime error: downcast of address 0x55555e29d398 which does not point to an object of type 'Item_cond'
|
0x55555e29d398: note: object is of type 'Item_func_eq'
|
8f 8f 8f 8f 50 57 5e 5a 55 55 00 00 01 00 00 00 00 00 00 00 00 a5 a5 a5 a5 a5 a5 a5 20 d3 9b 5c
|
^~~~~~~~~~~~~~~~~~~~~~~
|
vptr for 'Item_func_eq'
|
#0 0x555557defcad in substitute_for_best_equal_field /home/psergey/dev-git2/10.5/sql/sql_select.cc:15749
|
#1 0x555557dee769 in substitute_for_best_equal_field /home/psergey/dev-git2/10.5/sql/sql_select.cc:15679
|
#2 0x555557e2c1b3 in JOIN::optimize_stage2() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2398
|
#3 0x555557e419f7 in JOIN::optimize_inner() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2281
|
#4 0x555557e43bcb in JOIN::optimize() /home/psergey/dev-git2/10.5/sql/sql_select.cc:1604
|
#5 0x555558a4314b in subselect_single_select_engine::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:3854
|
#6 0x555558a4e890 in Item_subselect::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:748
|
#7 0x555558a3a65f in Item_singlerow_subselect::val_int() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:1341
|
#8 0x5555588be193 in Item_func_set_user_var::check(bool) /home/psergey/dev-git2/10.5/sql/item_func.cc:4863
|
#9 0x5555579bf616 in set_var_user::check(THD*) /home/psergey/dev-git2/10.5/sql/set_var.cc:873
|
#10 0x5555579c8989 in sql_set_variables(THD*, List<set_var_base>*, bool) /home/psergey/dev-git2/10.5/sql/set_var.cc:732
|
#11 0x555557ce4105 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:4961
|
#12 0x555557cf9b87 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7988
|
#13 0x555557cfaf38 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1097
|
#14 0x555557982dc1 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#15 0x7ffff4722b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#16 0x55555796a0c9 in _start (/optane/dev-git2/10.5/sql/mysqld+0x24160c9)
|
|
|
Third (Fixed in 10.1)
/home/psergey/dev-git2/10.5/sql/unireg.cc:541:9: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x555558025f12 in build_frm_image(THD*, st_mysql_const_lex_string const&, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /home/psergey/dev-git2/10.5/sql/unireg.cc:541
|
#1 0x555557f1d8d6 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /home/psergey/dev-git2/10.5/sql/sql_table.cc:4817
|
#2 0x555557f2d635 in create_table_impl /home/psergey/dev-git2/10.5/sql/sql_table.cc:5056
|
#3 0x555557f2ecaa in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/psergey/dev-git2/10.5/sql/sql_table.cc:5159
|
#4 0x555557f2f6cb in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/psergey/dev-git2/10.5/sql/sql_table.cc:5251
|
#5 0x555557f33be9 in Sql_cmd_create_table_like::execute(THD*) /home/psergey/dev-git2/10.5/sql/sql_table.cc:11510
|
#6 0x555557ce1319 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:5959
|
#7 0x555557cf9ae7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7988
|
#8 0x555557cfae98 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1097
|
#9 0x555557982d21 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#10 0x7ffff4722b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#11 0x55555796a029 in _start (/optane/dev-git2/10.5/sql/mysqld+0x2416029)
|
|
|
|
Fourth
/home/psergey/dev-git2/10.5/sql/sql_select.h:1668:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x5605cdbb6593 in JOIN::copy_ref_ptr_array(Bounds_checked_array<Item*>, Bounds_checked_array<Item*>) /home/psergey/dev-git2/10.5/sql/sql_select.h:1668
|
#1 0x5605cdb82c88 in JOIN::set_items_ref_array(Bounds_checked_array<Item*>) /home/psergey/dev-git2/10.5/sql/sql_select.h:1674
|
#2 0x5605cdb82c88 in JOIN::make_aggr_tables_info() /home/psergey/dev-git2/10.5/sql/sql_select.cc:3703
|
#3 0x5605cdb8aeeb in JOIN::optimize_stage2() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2983
|
#4 0x5605cdb9c887 in JOIN::optimize_inner() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2281
|
#5 0x5605cdb9ea5b in JOIN::optimize() /home/psergey/dev-git2/10.5/sql/sql_select.cc:1604
|
#6 0x5605ce79dfeb in subselect_single_select_engine::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:3854
|
#7 0x5605ce7a9730 in Item_subselect::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:748
|
#8 0x5605ce795c9c in Item_singlerow_subselect::val_str(String*) /home/psergey/dev-git2/10.5/sql/item_subselect.cc:1358
|
#9 0x5605ce619287 in Item_func_set_user_var::check(bool) /home/psergey/dev-git2/10.5/sql/item_func.cc:4872
|
#10 0x5605cd71a576 in set_var_user::check(THD*) /home/psergey/dev-git2/10.5/sql/set_var.cc:873
|
#11 0x5605cd7238e9 in sql_set_variables(THD*, List<set_var_base>*, bool) /home/psergey/dev-git2/10.5/sql/set_var.cc:732
|
#12 0x5605cda3f065 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:4961
|
#13 0x5605cda54ae7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7988
|
#14 0x5605cda55e98 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1097
|
#15 0x5605cd6ddd21 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#16 0x7f94e26e3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#17 0x5605cd6c5029 in _start (/optane/dev-git2/10.5/sql/mysqld+0x2416029)
|
|
|
Fifth (Fix pushed to 10.1)
/home/psergey/dev-git2/10.5/sql/sql_lex.h:1675:7: runtime error: load of value 2779096485, which is not a valid value for type 'enum_lock_tables_state'
|
#0 0x55ad52ac0104 in Query_tables_list::operator=(Query_tables_list const&) /home/psergey/dev-git2/10.5/sql/sql_lex.h:1675
|
#1 0x55ad52ac0104 in Query_tables_list::set_query_tables_list(Query_tables_list*) /home/psergey/dev-git2/10.5/sql/sql_lex.h:1758
|
#2 0x55ad52ac0104 in LEX::reset_n_backup_query_tables_list(Query_tables_list*) /home/psergey/dev-git2/10.5/sql/sql_lex.cc:4405
|
#3 0x55ad529ae296 in open_system_tables_for_read(THD*, TABLE_LIST*, Open_tables_backup*) /home/psergey/dev-git2/10.5/sql/sql_base.cc:8996
|
#4 0x55ad52d5edee in open_stat_tables /home/psergey/dev-git2/10.5/sql/sql_statistics.cc:243
|
#5 0x55ad52d6e061 in delete_statistics_for_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*) /home/psergey/dev-git2/10.5/sql/sql_statistics.cc:3407
|
#6 0x55ad52d9f230 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_table.cc:2110
|
#7 0x55ad52b7a197 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:4875
|
#8 0x55ad52b8bca7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7988
|
#9 0x55ad52b8d058 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1097
|
#10 0x55ad52814ee1 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#11 0x7ff888cd3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#12 0x55ad527fc1e9 in _start (/optane/dev-git2/10.5/sql/mysqld+0x24161e9)
|
|
|
Issue Six: Now pushed (https://github.com/MariaDB/server/tree/bb-10.1-mdev21341, waiting on Sanja)
Thread 1 "mysqld" received signal SIGSEGV, Segmentation fault.
|
|
0x00007ffff4d16153 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
|
(gdb) wher
|
#0 0x00007ffff4d16153 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
|
#1 0x00007ffff4d14df6 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
|
#2 0x00007ffff4d155a1 in __ubsan_handle_dynamic_type_cache_miss () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
|
#3 0x0000555557a2658e in sp_head::operator new (size=size@entry=2352) at /home/psergey/dev-git2/10.5/sql/sp_head.cc:466
|
#4 0x0000555557c6a887 in LEX::make_sp_head (this=this@entry=0x55555d61f4a0, thd=thd@entry=0x55555d61b618, name=0x55555e29c560, sph=0x55555bb674b8 <sp_handler_procedure>, agg_type=agg_type@entry=DEFAULT_AGGREGATE) at /home/psergey/dev-git2/10.5/sql/sql_lex.cc:7046
|
#5 0x0000555557c6b8b0 in LEX::make_sp_head_no_recursive (this=this@entry=0x55555d61f4a0, thd=thd@entry=0x55555d61b618, name=<optimized out>, sph=<optimized out>, agg_type=agg_type@entry=DEFAULT_AGGREGATE) at /home/psergey/dev-git2/10.5/sql/sql_lex.cc:7088
|
#6 0x0000555558402543 in MYSQLparse (thd=0x55555d61b618) at /home/psergey/dev-git2/10.5/sql/sql_yacc.yy:17825
|
#7 0x0000555557cdae0d in parse_sql (thd=thd@entry=0x55555d61b618, parser_state=parser_state@entry=0x7fffffff60e0, creation_ctx=creation_ctx@entry=0x0, do_pfs_digest=do_pfs_digest@entry=true) at /home/psergey/dev-git2/10.5/sql/sql_parse.cc:10294
|
#8 0x0000555557cf98c2 in mysql_parse (thd=thd@entry=0x55555d61b618,
|
rawbuf=0x55555e29c160 "CREATE DEFINER=`root`@`localhost` PROCEDURE AddGeometryColumn(catalog varchar(64), t_schema varchar(64),\n t_name varchar(64), geometry_column varchar(64), t_srid int) SQL SECURITY INVOKER\nbegin\n se"..., length=length@entry=378,
|
parser_state=parser_state@entry=0x7fffffff60e0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7941
|
#9 0x0000555557cfb059 in bootstrap (file=0x55555d504760 <instrumented_stdin>) at /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1097
|
#10 0x0000555557982ee2 in mysqld_main (argc=<optimized out>, argv=<optimized out>) at /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#11 0x00007ffff4722b97 in __libc_start_main (main=0x5555579190d0 <main(int, char**)>, argc=59, argv=0x7fffffffb628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffb618) at ../csu/libc-start.c:310
|
#12 0x000055555796a1ea in _start ()
|
(gdb)
|
...
Trying to get some variables.
|
Some pointers may be invalid and cause the dump to abort.
|
Query (0x56466f5d8290): CREATE DEFINER=`root`@`localhost` PROCEDURE AddGeometryColumn(catalog varchar(64), t_schema varchar(64), t_name varchar(64), geometry_column varchar(64), t_srid int) SQL SECURITY INVOKER begin set @qwe= concat('ALTER TABLE ', t_schema, '.', t_name, ' ADD ', geometry_column,' GEOMETRY REF_SYSTEM_ID=', t_srid); PREPARE ls from @qwe; execute ls; deallocate prepare ls; end ;
|
Connection ID (thread ID): 1
|
Status: NOT_KILLED
|
The code which causes the problem:
sp_head::operator new(size_t size) throw()
|
{
|
DBUG_ENTER("sp_head::operator new");
|
MEM_ROOT own_root;
|
sp_head *sp;
|
init_sql_alloc(&own_root, "sp_head",
|
MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC, MYF(0));
|
sp= (sp_head *) alloc_root(&own_root, size);
|
if (sp == NULL)
|
DBUG_RETURN(NULL);
|
sp->main_mem_root= own_root;
|
DBUG_PRINT("info", ("mem_root %p", &sp->mem_root));
|
DBUG_RETURN(sp);
|
}
|

|
UBSan crashes when trying to lookup a vtable for sphead* here:
sp= (sp_head *) alloc_root(&own_root, size);
|
Class sp_head has virtual functions, but here sp is not pointing to a valid sp_head object.
Then, problematic behavior continues:
sp->main_mem_root= own_root;
|
What we're doing here is basically we have 'operator new' return the memory for sp_head object which already has some data for sp_head::main_mem_root.
sp_head::operator delete continues this mis-use.
One way to fix this is to
- create a MEM_ROOT $MR outside sp_head class.
- create sp_head object on $MR. Pass $MR as an argument to the constructor.
- Instead of just calling "delete sp" everywhere, add a "deleter function" which will free the MEM_ROOT after the object is deleted.
^ All of the above should also cover "class sp_package" which inherits from SP.
And all of this to save one malloc call for the sp_head object ? Doesn't seem worth it.
|
|
Issue Seven: (in bb-10.1-mdev21341, tree)
/home/psergey/dev-git2/10.5/sql/item_func.cc:127:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
#0 0x55555889a9cd in Item_args::Item_args(THD*, Item_args const*) /home/psergey/dev-git2/10.5/sql/item_func.cc:127
|
#1 0x555558791118 in Item_func_or_sum::Item_func_or_sum(THD*, Item_func_or_sum*) /home/psergey/dev-git2/10.5/sql/item.h:5053
|
#2 0x555558791118 in Item_func::Item_func(THD*, Item_func*) /home/psergey/dev-git2/10.5/sql/item_func.h:146
|
#3 0x555558791118 in Item_int_func::Item_int_func(THD*, Item_int_func*) /home/psergey/dev-git2/10.5/sql/item_func.h:1055
|
#4 0x555558791118 in Item_bool_func::Item_bool_func(THD*, Item_bool_func*) /home/psergey/dev-git2/10.5/sql/item_cmpfunc.h:225
|
#5 0x555558791118 in Item_cond::Item_cond(THD*, Item_cond*) /home/psergey/dev-git2/10.5/sql/item_cmpfunc.cc:4776
|
#6 0x555558792d02 in Item_cond_and::Item_cond_and(THD*, Item_cond_and*) /home/psergey/dev-git2/10.5/sql/item_cmpfunc.h:3356
|
#7 0x555558792d02 in Item_cond_and::copy_andor_structure(THD*) /home/psergey/dev-git2/10.5/sql/item_cmpfunc.cc:4795
|
#8 0x555557e401eb in JOIN::optimize_inner() /home/psergey/dev-git2/10.5/sql/sql_select.cc:1927
|
#9 0x555557e43d1b in JOIN::optimize() /home/psergey/dev-git2/10.5/sql/sql_select.cc:1604
|
#10 0x555558a43adb in subselect_single_select_engine::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:3854
|
#11 0x555558a4f220 in Item_subselect::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:748
|
#12 0x555558a3afef in Item_singlerow_subselect::val_int() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:1341
|
#13 0x5555588beb23 in Item_func_set_user_var::check(bool) /home/psergey/dev-git2/10.5/sql/item_func.cc:4863
|
#14 0x5555579bf7f6 in set_var_user::check(THD*) /home/psergey/dev-git2/10.5/sql/set_var.cc:873
|
#15 0x5555579c8b69 in sql_set_variables(THD*, List<set_var_base>*, bool) /home/psergey/dev-git2/10.5/sql/set_var.cc:732
|
#16 0x555557ce42e5 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:4962
|
#17 0x555557cf9d67 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7989
|
#18 0x555557cfb118 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1098
|
#19 0x555557982fa1 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#20 0x7ffff4722b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#21 0x55555796a2a9 in _start (/optane/dev-git2/10.5/sql/mysqld+0x24162a9)
|
The query:
set @have_innodb= (select count(engine) from information_schema.engines where engine='INNODB' and support != 'NO');
Item_cond inherits from Item_func which inherits from Item_args, but its arguments are not stored in Item_args as function arguments..
|
|
Issue Eight ( fix is in bb-10.1-mdev21341 tree)
the query:
SET @broken_routines = (select count(*) from mysql.proc where db='performance_schema');
|
/home/psergey/dev-git2/10.5/sql/sql_select.cc:15247:54: runtime error: downcast of address 0x55c8ef9cb900 which does not point to an object of type 'Item_field'
|
0x55c8ef9cb900: note: object is of type 'Item_string'
|
c8 55 00 00 f0 18 a0 eb c8 55 00 00 36 00 00 00 27 00 00 00 00 a5 a5 a5 a5 a5 a5 a5 60 3c f3 ed
|
^~~~~~~~~~~~~~~~~~~~~~~
|
vptr for 'Item_string'
|
#0 0x55c8e9234dc0 in compare_fields_by_table_order /home/psergey/dev-git2/10.5/sql/sql_select.cc:15247
|
#1 0x55c8e9bd322d in void bubble_sort<Item>(List<Item>*, int (*)(Item*, Item*, void*), void*) /home/psergey/dev-git2/10.5/sql/sql_list.h:655
|
#2 0x55c8e9bd322d in Item_equal::sort(int (*)(Item*, Item*, void*), void*) /home/psergey/dev-git2/10.5/sql/item_cmpfunc.cc:6952
|
#3 0x55c8e921e8ad in substitute_for_best_equal_field /home/psergey/dev-git2/10.5/sql/sql_select.cc:15752
|
#4 0x55c8e925bef3 in JOIN::optimize_stage2() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2398
|
#5 0x55c8e9271737 in JOIN::optimize_inner() /home/psergey/dev-git2/10.5/sql/sql_select.cc:2281
|
#6 0x55c8e927390b in JOIN::optimize() /home/psergey/dev-git2/10.5/sql/sql_select.cc:1604
|
#7 0x55c8e9e7367b in subselect_single_select_engine::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:3854
|
#8 0x55c8e9e7edc0 in Item_subselect::exec() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:748
|
#9 0x55c8e9e6ab8f in Item_singlerow_subselect::val_int() /home/psergey/dev-git2/10.5/sql/item_subselect.cc:1341
|
#10 0x55c8e9cee6c3 in Item_func_set_user_var::check(bool) /home/psergey/dev-git2/10.5/sql/item_func.cc:4863
|
#11 0x55c8e8def6f6 in set_var_user::check(THD*) /home/psergey/dev-git2/10.5/sql/set_var.cc:873
|
#12 0x55c8e8df8a69 in sql_set_variables(THD*, List<set_var_base>*, bool) /home/psergey/dev-git2/10.5/sql/set_var.cc:732
|
#13 0x55c8e9113ed5 in mysql_execute_command(THD*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:4962
|
#14 0x55c8e9129957 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:7989
|
#15 0x55c8e912ad08 in bootstrap(st_mysql_file*) /home/psergey/dev-git2/10.5/sql/sql_parse.cc:1098
|
#16 0x55c8e8db2ea1 in mysqld_main(int, char**) /home/psergey/dev-git2/10.5/sql/mysqld.cc:5640
|
#17 0x7fba8ca02b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
|
#18 0x55c8e8d9a1a9 in _start (/optane/dev-git2/10.5/sql/mysqld+0x24161a9)
|
|
|
For "Issue Six":
Discussed it with Sanja, there's a lot of resistance towards a solution where the "sp_head" object is on the heap, while all its dependent objects (instructions, arguments, etc) are on sp_head::main_mem_root.
Sp_head needs to reside on the memory that belongs to the sp_head::main_mem_root (in Baron Munchausen-like way).
Here are the patches that achieve that:
https://github.com/MariaDB/server/tree/bb-10.1-mdev21341-issueSix
https://github.com/MariaDB/server/tree/bb-10.3-mdev21341-issueSix
10.3 needs a separate patch as it introduces sp_package object which inherits from sp_head.
sanja, please review.
|
|
Now it is OK
|
|
Thanks to MDEV-21014 now looking for all sanitizer messages in the server error logs, a test of WITH_UBSAN instrumented executables will abort abruptly without displaying any summary, and almost all tests will fail with "Found warnings/errors". To revert this and to let all tests run despite the numerous WITH_UBSAN messages, and to let the compilation pass, I applied the following patch:
diff --git a/cmake/maintainer.cmake b/cmake/maintainer.cmake
|
index 8c2deeb8e40..12be16b9a2f 100644
|
--- a/cmake/maintainer.cmake
|
+++ b/cmake/maintainer.cmake
|
@@ -28,7 +28,6 @@ SET(MY_WARNING_FLAGS
|
-Woverloaded-virtual
|
-Wvla
|
-Wwrite-strings
|
- -Werror
|
)
|
|
IF(CMAKE_COMPILER_IS_GNUCC AND CMAKE_C_COMPILER_VERSION VERSION_LESS "6.0.0")
|
diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
|
index adc693bb29d..5bb1bb59281 100755
|
--- a/mysql-test/mysql-test-run.pl
|
+++ b/mysql-test/mysql-test-run.pl
|
@@ -4621,8 +4621,6 @@ sub extract_warning_lines ($$) {
|
qr/missing DBUG_RETURN/,
|
qr/Attempting backtrace/,
|
qr/Assertion .* failed/,
|
- qr/Sanitizer/,
|
- qr/runtime error:/,
|
);
|
# These are taken from the include/mtr_warnings.sql global suppression
|
# list. They occur delayed, so they can be parsed during shutdown rather
|
With the work-around, all tests complete for me:
|
10.2 07e34cddb66da2e9e4ab5bdd8d52d1a72c2d2e8e
|
Completed: Failed 4/4482 tests, 99.91% were successful.
|
|
Failing test(s): main.plugin_auth main.connect_debug main.myisampack main.mysql
|
I slightly revised my script for aggregating the reported errors:
./mtr --parallel=auto --force --retry=0 --max-test-fail=0 --big-test
|
grep 'runtime error' var/*/log/mysqld*err* |cut -d: -f2-|
|
sed -e 's/0x[0-9a-f]*/0xXXX/g;s/\(negative value\) -[1-9][0-9]*/\1/;s/overflow: .* cannot/overflow: cannot/;'|
|
sort|uniq -c|sort -nr
|
Below are all errors that were reported for more than 10 times:
|
10.2 07e34cddb66da2e9e4ab5bdd8d52d1a72c2d2e8e
|
3644 /mariadb/10.2o/mysys/mf_iocache.c:807:3: runtime error: null pointer passed as argument 1, which is declared to never be null
|
3643 /mariadb/10.2o/sql/sql_select.h:1559:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
3086 /mariadb/10.2o/sql/sql_class.h:3848:24: runtime error: load of value 2779096485, which is not a valid value for type 'enum_binlog_format'
|
2782 /mariadb/10.2o/sql/debug_sync.cc:322:9: runtime error: null pointer passed as argument 2, which is declared to never be null
|
2776 /mariadb/10.2o/sql/sql_string.h:554:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
2763 /mariadb/10.2o/mysys/my_alloc.c:452:5: runtime error: null pointer passed as argument 2, which is declared to never be null
|
1452 /mariadb/10.2o/sql/protocol.cc:61:9: runtime error: null pointer passed as argument 2, which is declared to never be null
|
933 /mariadb/10.2o/sql/unireg.cc:960:32: runtime error: load of value 2779096485, which is not a valid value for type 'geometry_type'
|
772 /mariadb/10.2o/sql-common/client.c:3282:51: runtime error: left shift of 49599 by 16 places cannot be represented in type 'int'
|
760 /mariadb/10.2o/sql/protocol.cc:718:9: runtime error: null pointer passed as argument 2, which is declared to never be null
|
516 /mariadb/10.2o/sql/sql_string.cc:829:18: runtime error: null pointer passed as argument 2, which is declared to never be null
|
231 /mariadb/10.2o/sql/sql_select.cc:22702:22: runtime error: load of value 2779096485, which is not a valid value for type 'enum_parsing_place'
|
225 /mariadb/10.2o/mysys/my_lib.c:186:3: runtime error: member access within null pointer of type 'struct MY_DIR_HANDLE'
|
163 /mariadb/10.2o/strings/ctype-mb.c:410:3: runtime error: null pointer passed as argument 2, which is declared to never be null
|
122 /mariadb/10.2o/sql/sql_string.cc:829:18: runtime error: null pointer passed as argument 1, which is declared to never be null
|
100 /mariadb/10.2o/sql/partition_element.h:92:7: runtime error: load of value 165, which is not a valid value for type 'bool'
|
97 /mariadb/10.2o/sql/net_serv.cc:595:9: runtime error: null pointer passed as argument 2, which is declared to never be null
|
85 /mariadb/10.2o/sql/sql_select.cc:17520:3: runtime error: null pointer passed as argument 1, which is declared to never be null
|
82 /mariadb/10.2o/sql/sql_select.cc:18521:5: runtime error: null pointer passed as argument 1, which is declared to never be null
|
56 /mariadb/10.2o/sql/records.cc:212:5: runtime error: null pointer passed as argument 1, which is declared to never be null
|
43 /mariadb/10.2o/sql/field.h:3883:7: runtime error: load of value 2779096485, which is not a valid value for type 'geometry_type'
|
42 /mariadb/10.2o/mysys/my_compare.c:310:12: runtime error: left shift of negative value
|
37 /mariadb/10.2o/mysys/my_compare.c:309:12: runtime error: left shift of negative value
|
31 /mariadb/10.2o/mysys/my_compare.c:302:12: runtime error: left shift of negative value
|
30 /mariadb/10.2o/sql/field.h:3836:14: runtime error: pointer index expression with base 0xXXX overflowed to 0xXXX
|
30 /mariadb/10.2o/mysys/my_compare.c:301:12: runtime error: left shift of negative value
|
23 /mariadb/10.2o/strings/decimal.c:1388:10: runtime error: left shift of negative value
|
22 /mariadb/10.2o/strings/decimal.c:1088:8: runtime error: signed integer overflow: cannot be represented in type 'long long int'
|
20 /mariadb/10.2o/sql/sql_select.cc:26755:5: runtime error: null pointer passed as argument 1, which is declared to never be null
|
20 /mariadb/10.2o/sql/handler.h:588:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
17 /mariadb/10.2o/sql/sql_select.cc:26053:11: runtime error: null pointer passed as argument 2, which is declared to never be null
|
15 /mariadb/10.2o/sql/table.h:2827:3: runtime error: null pointer passed as argument 1, which is declared to never be null
|
14 /mariadb/10.2o/sql/unireg.cc:917:13: runtime error: null pointer passed as argument 2, which is declared to never be null
|
13 /mariadb/10.2o/strings/decimal.c:1412:17: runtime error: left shift of negative value
|
13 /mariadb/10.2o/sql/field.cc:8396:14: runtime error: null pointer passed as argument 2, which is declared to never be null
|
12 /mariadb/10.2o/strings/decimal.c:1371:17: runtime error: left shift of negative value
|
12 /mariadb/10.2o/sql/sql_string.cc:179:3: runtime error: null pointer passed as argument 2, which is declared to never be null
|
11 /mariadb/10.2o/sql/item_func.cc:4891:12: runtime error: null pointer passed as argument 2, which is declared to never be null
|
11 /mariadb/10.2o/sql/item_func.cc:1498:29: runtime error: signed integer overflow: cannot be represented in type 'long long int'
|
11 /mariadb/10.2o/sql/compat56.cc:159:14: runtime error: left shift of negative value
|
Here are the source code files with more than 10 failures reported:
grep 'runtime error' var/*/log/mysqld*err* |cut -d: -f2|sort|uniq -c|sort -nr
|
|
10.2 07e34cddb66da2e9e4ab5bdd8d52d1a72c2d2e8e
|
3691 /mariadb/10.2o/sql/sql_select.h
|
3644 /mariadb/10.2o/mysys/mf_iocache.c
|
3086 /mariadb/10.2o/sql/sql_class.h
|
2782 /mariadb/10.2o/sql/debug_sync.cc
|
2776 /mariadb/10.2o/sql/sql_string.h
|
2763 /mariadb/10.2o/mysys/my_alloc.c
|
2212 /mariadb/10.2o/sql/protocol.cc
|
947 /mariadb/10.2o/sql/unireg.cc
|
772 /mariadb/10.2o/sql-common/client.c
|
653 /mariadb/10.2o/sql/sql_string.cc
|
437 /mariadb/10.2o/sql/sql_select.cc
|
225 /mariadb/10.2o/mysys/my_lib.c
|
163 /mariadb/10.2o/strings/ctype-mb.c
|
155 /mariadb/10.2o/mysys/my_compare.c
|
100 /mariadb/10.2o/sql/partition_element.h
|
97 /mariadb/10.2o/sql/net_serv.cc
|
84 /mariadb/10.2o/strings/decimal.c
|
73 /mariadb/10.2o/sql/field.h
|
56 /mariadb/10.2o/sql/records.cc
|
39 /mariadb/10.2o/sql/item_func.cc
|
28 /mariadb/10.2o/sql/field.cc
|
20 /mariadb/10.2o/sql/handler.h
|
20 /mariadb/10.2o/sql/compat56.cc
|
17 /mariadb/10.2o/plugin/auth_ed25519/ref10/sc_reduce.c
|
15 /mariadb/10.2o/sql/table.h
|
12 /mariadb/10.2o/plugin/auth_ed25519/ref10/fe_sq.c
|
12 /mariadb/10.2o/plugin/auth_ed25519/ref10/fe_sq2.c
|
12 /mariadb/10.2o/plugin/auth_ed25519/ref10/fe_mul.c
|
11 /mariadb/10.2o/plugin/auth_ed25519/ref10/fe_tobytes.c
|
|
|
I setup my runs like this;
Compiled with GCC >=7.5.0 and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
|
|
|
Roel, do you have evidence that both WITH_ASAN and WITH_UBSAN can really be enabled simultaneously? I thought that the various -fsanitize= options are mutually exclusive. How does the actual compiler invocation look like?
I believe that -fsanitize=undefined is a little different from the others, until all flagged errors have been fixed. When it comes to WITH_ASAN, we should be clean, and aborting on the first error makes perfect sense. For WITH_MSAN we are almost there (see MDEV-20377) and might consider running with MSAN_OPTIONS=abort_on_error=1, but for WITH_UBSAN and especially WITH_TSAN I am afraid that we still have a long way to go. It might help to file more WITH_UBSAN bugs.
|
|
It seems from testing thus far that combined ASAN+UBSAN builds work fine. Combining with TSAN does not work. So now using combined ASAN+UBSAN builds and TSAN builds.
|
|
cmake -DWITH_UBSAN=ON with clang detects more UB than GCC. Recent examples: MDEV-33158, MDEV-33159, MDEV-33160, MDEV-33161.
|
10.5-WITH_UBSAN.txt