
maria-developers team mailing list archive

Re: ASAN segfaults on vcol case

 

The test case does not fail for me when building 10.3
397b6b13d062b28d12e9263710224bfb2269f19f with clang-7, using
-DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=ON and -O2 level.

When copying your SQL to a .test file I had to append the current
delimiter to the "delimiter" lines. For some reason, mysql-test-run
uses a different syntax for delimiters.

On a related note, ASAN builds with clang-8 always complain to me and
refuse to run any tests:

Could not execute 'check-testcase' before testcase '…' (res: 1):
mysqltest: Logging to '/dev/shm/10.3/mysql-test/var/tmp/check-mysqld_1.log'.
mysqltest: Results saved in
'/dev/shm/10.3/mysql-test/var/tmp/check-mysqld_1.result'.
=================================================================
==38044==ERROR: AddressSanitizer: global-buffer-overflow on address
0x561084541bb8 at pc 0x56108350463f bp 0x7ffe571f2390 sp
0x7ffe571f1b20
WRITE of size 64 at 0x561084541bb8 thread T0
    #0 0x56108350463e in __interceptor_regcomp
(/dev/shm/10.3/client/mysqltest+0x1df63e)
    #1 0x56108358c6c3 in init_re_comp(regex_t*, char const*)
/mariadb/10.3/client/mysqltest.cc:8830:12
    #2 0x56108358c6c3 in init_re() /mariadb/10.3/client/mysqltest.cc:8912
    #3 0x56108358c6c3 in main /mariadb/10.3/client/mysqltest.cc:9301
    #4 0x7f137d63a09a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #5 0x561083480c79 in _start (/dev/shm/10.3/client/mysqltest+0x15bc79)

0x561084541bb8 is located 40 bytes to the left of global variable
'epbuf' defined in '/mariadb/10.3/client/mysqltest.cc:8821:15'
(0x561084541be0) of size 100
0x561084541bb8 is located 0 bytes to the right of global variable
'ps_re' defined in '/mariadb/10.3/client/mysqltest.cc:261:16'
(0x561084541ba0) of size 24

When I tried a simple test program that invokes regcomp(), clang-8’s
ASAN did not complain about it. I cannot immediately recognize what
might be wrong in mysqltest.cc. Maybe there is some macro obfuscation
at play.

Marko

On Mon, Mar 18, 2019 at 4:59 PM Aleksey Midenkov <midenok@xxxxxxxxx> wrote:
>
> This case segfaults in ASAN code:
>
> delimiter ~~
> create or replace procedure t1()
> begin
>     create or replace table t1 (
>         b tinytext,
>         v text as (b) virtual
>     );
> end~~
> delimiter ;
> call t1;
>
> Both in 10.3 and 10.4 in different places. Does someone know about such ASAN faults?
>
> --
> All the best,
>
> Aleksey Midenkov
> @midenok



-- 
Marko Mäkelä, Lead Developer InnoDB
MariaDB Corporation
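
Added example (not code from this thread or from MariaDB): a short Python script that reads the ASAN report quoted in the message above and compares the size of the reported access with the sizes of the globals ASAN names next to the faulting address. The report lines are re-joined from the message and trimmed to the ones the script uses; `triage` and its field names are hypothetical, and the overrun figure assumes the write began at the object's base address.

```python
import re

# Constructed sample: lines from the ASAN report in the message, wrapped lines re-joined.
REPORT = """\
==38044==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561084541bb8 at pc 0x56108350463f bp 0x7ffe571f2390 sp 0x7ffe571f1b20
WRITE of size 64 at 0x561084541bb8 thread T0
    #0 0x56108350463e in __interceptor_regcomp (/dev/shm/10.3/client/mysqltest+0x1df63e)
0x561084541bb8 is located 40 bytes to the left of global variable 'epbuf' defined in '/mariadb/10.3/client/mysqltest.cc:8821:15' (0x561084541be0) of size 100
0x561084541bb8 is located 0 bytes to the right of global variable 'ps_re' defined in '/mariadb/10.3/client/mysqltest.cc:261:16' (0x561084541ba0) of size 24
"""

ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
GLOBAL = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global "
    r"variable '([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)", re.M)

def triage(report):
    """Return the access and, per neighbouring global, how the access relates to it."""
    m = ACCESS.search(report)
    if m is None:
        raise ValueError("no READ/WRITE line found")
    kind, size, fault = m.group(1), int(m.group(2)), int(m.group(3), 16)
    neighbours = []
    for g in GLOBAL.finditer(report):
        base, gsize = int(g.group(6), 16), int(g.group(7))
        neighbours.append({
            "name": g.group(4), "defined": g.group(5), "size": gsize,
            # True when the reported address is the first byte past this object.
            "fault_at_end": fault == base + gsize,
            # Assumption: the access began at the object's base address.
            "overrun_if_from_base": max(0, size - gsize),
        })
    return {"kind": kind, "size": size, "fault": fault, "globals": neighbours}

if __name__ == "__main__":
    r = triage(REPORT)
    for g in r["globals"]:
        if g["fault_at_end"]:
            print(f"{r['kind']} of {r['size']} bytes runs off the end of "
                  f"'{g['name']}' ({g['size']} bytes, {g['defined']}); "
                  f"{g['overrun_if_from_base']} bytes too many if it started at the base")
```

For this report the script flags 'ps_re': the access checked under `__interceptor_regcomp` is 64 bytes, while the object defined at mysqltest.cc:261:16 is 24 bytes.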

