[MDEV-21521] UBSan crashes in MYSQL_BIN_LOG::open Created: 2020-01-17  Updated: 2021-10-13  Resolved: 2020-01-29

Status: Closed
Project: MariaDB Server
Component/s: Replication
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.1.45, 10.2.32, 10.3.23, 10.4.13

Type: Bug
Priority: Major
Reporter: Sergei Petrunia
Assignee: Sujatha Sivakumar (Inactive)
Resolution: Fixed
Votes: 0
Labels: UBSAN, xid_count_per_binlog

Issue Links:
Duplicate
duplicates MDEV-20923 UBSAN: member access within address …... Closed
Relates
relates to MDEV-21341 Fix UBSAN failures Confirmed

Description

Attempt to run MTR under UBSan causes crashes like this one:

Thread 1 (Thread 0x7f585614f380 (LWP 14002)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x0000559f4b17eb78 in my_write_core (sig=11) at /home/psergey/dev-git2/10.5/mysys/stacktrace.c:518
#2  0x0000559f49ae241c in handle_fatal_signal (sig=11) at /home/psergey/dev-git2/10.5/sql/signal_handler.cc:343
#3  <signal handler called>
#4  0x00007f5852e82153 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
#5  0x00007f5852e80df6 in ?? () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
#6  0x00007f5852e815a1 in __ubsan_handle_dynamic_type_cache_miss () from /usr/lib/x86_64-linux-gnu/libubsan.so.0
#7  0x0000559f4a08bfdf in MYSQL_BIN_LOG::open (this=0x559f4f6a75e0 <mysql_bin_log>, log_name=0x559f50722bf8 "master-bin", new_name=0x0, next_log_number=0, io_cache_type_arg=WRITE_CACHE, max_size_arg=1073741824, null_created_arg=false, need_mutex=true) at /home/psergey/dev-git2/10.5/sql/log.cc:3681
#8  0x0000559f48a81cc8 in init_server_components () at /home/psergey/dev-git2/10.5/sql/mysqld.cc:5198
#9  0x0000559f48a82d3c in mysqld_main (argc=156, argv=0x559f50608c20) at /home/psergey/dev-git2/10.5/sql/mysqld.cc:5552
#10 0x0000559f48a6fcaa in main (argc=25, argv=0x7ffe494fbc88) at /home/psergey/dev-git2/10.5/sql/main.cc:25

A few tests that crashed here:

main.mysqlbinlog_row_compressed
main.session_tracker_last_gtid 'innodb'  w4 [ fail ]
main.mysqlbinlog-innodb 'innodb'         w1 [ fail ]
main.tc_heuristic_recover 'innodb'       w4 [ fail ]

Comments
Comment by Sergei Petrunia [ 2020-01-17 ]

The crash happens here:

        if (!(new_xid_list_entry = (xid_count_per_binlog *)
              my_multi_malloc(MYF(MY_WME),
                              &entry_mem, sizeof(xid_count_per_binlog),
                              &name_mem, len,
                              NULL)))
          goto err;
        memcpy(name_mem, log_file_name+off, len);
        new_xid_list_entry->binlog_name= name_mem;

xid_count_per_binlog itself looks like a POD object

  struct xid_count_per_binlog : public ilink {
    char *binlog_name;
    uint binlog_name_len;
    ulong binlog_id;
    /* Total prepared XIDs and pending checkpoint requests in this binlog. */
    long xid_count;
    long notify_count;
    /* For linking in requests to the binlog background thread. */
    xid_count_per_binlog *next_in_queue;
    xid_count_per_binlog();   /* Give link error if constructor used. */
  };

but struct ilink has this

  virtual ~ilink() { unlink(); }		/*lint -e1740 */

which makes it non-POD.
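
The object-model problem described in the comment above, as an added illustration that is not part of the issue or of MariaDB's code: simplified stand-ins for ilink and xid_count_per_binlog (assumed shapes), the malloc-and-write pattern that leaves the vptr uninitialised, and one remedy (placement new, an assumption here, not the fix that MDEV-20923 actually applied).

```cpp
#include <cstdlib>
#include <cstring>
#include <new>

// Stand-in for MariaDB's ilink (assumed shape): the virtual destructor gives
// every derived object a vptr, which is what makes the type non-POD.
struct ilink {
  ilink *prev = nullptr, *next = nullptr;
  void unlink() { prev = next = nullptr; }
  virtual ~ilink() { unlink(); }
};

struct xid_count_per_binlog : public ilink {  // stand-in, not the real struct
  char *binlog_name;
  unsigned binlog_name_len;
  long xid_count;
};

// The pattern from the report: one allocation holds entry + name and members
// are written without any constructor running. The vptr is never set, so
// -fsanitize=vptr reports the first member access as a dynamic type cache
// miss, and a later virtual call (the destructor) would read garbage.
xid_count_per_binlog *make_entry_unconstructed(const char *name, size_t len) {
  char *mem = static_cast<char *>(std::malloc(sizeof(xid_count_per_binlog) + len));
  if (!mem) return nullptr;
  xid_count_per_binlog *e = reinterpret_cast<xid_count_per_binlog *>(mem); // UB
  e->binlog_name = mem + sizeof(*e);
  std::memcpy(e->binlog_name, name, len);
  e->binlog_name_len = static_cast<unsigned>(len);
  e->xid_count = 0;
  return e;
}

// One remedy (an assumption here, not MDEV-20923's actual fix): keep the single
// allocation but construct the object in place so base and vptr are initialised.
xid_count_per_binlog *make_entry_constructed(const char *name, size_t len) {
  char *mem = static_cast<char *>(std::malloc(sizeof(xid_count_per_binlog) + len));
  if (!mem) return nullptr;
  xid_count_per_binlog *e = new (mem) xid_count_per_binlog();
  e->binlog_name = mem + sizeof(*e);
  std::memcpy(e->binlog_name, name, len);
  e->binlog_name_len = static_cast<unsigned>(len);
  e->xid_count = 0;
  return e;
}

// Matching teardown: run the virtual destructor explicitly, then free the block.
void destroy_entry(xid_count_per_binlog *e) {
  if (e) { e->~xid_count_per_binlog(); std::free(e); }
}
```

Building with `-fsanitize=undefined` (which includes the vptr check) and calling make_entry_unconstructed reproduces the kind of report seen in the trace, while make_entry_constructed passes because the object's dynamic type is established before any member access.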

Comment by Sujatha Sivakumar (Inactive) [ 2020-01-29 ]

The fix for this issue is implemented as part of MDEV-20923. The fixed version is 10.1.45.
