Bug #34598 "Invalid address alignment" crash on hpita
Submitted: 15 Feb 2008 15:56 Modified: 16 Apr 2008 0:29
Reporter: Sergei Golubchik
Status: Closed
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.1 OS:Any
Assigned to: Antony Curtis CPU Architecture:Any

[15 Feb 2008 15:56] Sergei Golubchik
Description:
check build logs on hpita (the error is visible on maria tree, at least).
that's what gdb says:

Program received signal SIGBUS, Bus error
  si_code: 1 - BUS_ADRALN - Invalid address alignment.
0x40000000023be350:1 in plugin_opt_set_limits (options=0x60000000017dbbe0, 
    opt=0x60000000000e4680) at sql_plugin.cc:2759
2759        options->def_value= *(ulong*) ((int*) (opt + 1) + 1);

How to repeat:
.
[15 Feb 2008 15:57] Sergei Golubchik
as a result - the server crashes on startup
[19 Feb 2008 12:24] Guilhem Bichot
static void plugin_opt_set_limits(struct my_option *options,
                                  const struct st_mysql_sys_var *opt)
{
  options->sub_size= 0;

  switch (opt->flags & (PLUGIN_VAR_TYPEMASK |
                        PLUGIN_VAR_UNSIGNED | PLUGIN_VAR_THDLOCAL)) {
<cut>
  case PLUGIN_VAR_ENUM:
    options->var_type= GET_ENUM;
    options->typelib= ((sysvar_enum_t*) opt)->typelib;
$    options->def_value= *(ulong*) ((int*) (opt + 1) + 1);
    options->min_value= options->block_size= 0;
    options->max_value= options->typelib->count - 1;
    break;

It causes sigbus in the Maria tree at the line I marked with $.
Looking at this line, this is not so surprising:
- ulong is 8 bytes, int is 4 bytes, on this machine
- 'opt' is 8-byte aligned (it is 4303335288)
- opt+1 is too (4303335328, because sizeof(st_mysql_sys_var) is 40)
- (int*)(opt+1) is too
- (int*)(opt+1)+1 is 4 bytes after, so not 8-byte aligned (4303335332)
- so *(ulong*) is not aligned on the size of ulong and fails on SPARC
as expected.
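Guilhem's walk-through above, carried out in an added C example that is not part of this bug report or of the MySQL source: it evaluates the same expression on plain integers (so nothing is dereferenced), checks the result against the ulong alignment, and fetches the 8-byte value with memcpy, which is the portable way to read a field from an address that is only 4-byte aligned. The struct is a constructed 40-byte stand-in for st_mysql_sys_var, and an LP64 host is assumed so the sizes match the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for st_mysql_sys_var: 40 bytes on an LP64 host, as
 * the report states. This is not MySQL's real definition. */
struct sys_var_header {
    int flags;           /* 4 bytes, then 4 bytes of padding */
    const char *name;
    const char *comment;
    void *check;
    void *update;
};

/* Address that "(int*)(opt + 1) + 1" evaluates to: one full header plus
 * one int past opt. Computed as an integer so it is never dereferenced. */
uintptr_t hack_address(uintptr_t opt)
{
    return opt + sizeof(struct sys_var_header) + sizeof(int);
}

/* 1 if addr can be used for a load of 'width' bytes on a strict-alignment
 * CPU; this is the check the original expression never made. */
int is_aligned(uintptr_t addr, size_t width)
{
    return (addr % width) == 0;
}

/* Alignment-agnostic read: memcpy lets the compiler emit whatever byte or
 * word accesses the target needs, so no SIGBUS on misaligned addresses. */
unsigned long read_ulong_unaligned(const void *p)
{
    unsigned long v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Reproduces the report's numbers: opt == 4303335288, so the hack address
 * is 4303335332, which is 4 mod 8. Returns 1 when it is misaligned. */
int report_address_is_misaligned(void)
{
    uintptr_t addr = hack_address(4303335288UL);
    return !is_aligned(addr, sizeof(unsigned long));
}

/* Constructed 64-byte descriptor with an 8-byte default stored at offset
 * 44 (header + one int), exactly where the original expression points;
 * reading it back through memcpy works regardless of alignment. */
unsigned long read_default_at_offset_44(void)
{
    _Alignas(8) unsigned char buf[64] = {0};
    unsigned long def_value = 0x1122334455667788UL;
    size_t off = sizeof(struct sys_var_header) + sizeof(int);
    memcpy(buf + off, &def_value, sizeof def_value);
    return read_ulong_unaligned(buf + off);
}
```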
[19 Feb 2008 21:12] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/42592

ChangeSet@1.2546, 2008-02-19 12:55:13-08:00, acurtis@xiphis.org +2 -0
  Bug#34598
    "crash on hpita: Invalid address alignment"
    Replace dangerous pointer arithmetic - it may occur where sizeof(int) is
    less than size of machine alignment requirement.
[19 Feb 2008 21:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/42601

ChangeSet@1.2546, 2008-02-19 12:55:13-08:00, acurtis@xiphis.org +2 -0
  Bug#34598
    "crash on hpita: Invalid address alignment"
    Replace dangerous pointer arithmetic - it may occur where sizeof(int) is
    less than size of machine alignment requirement.
[19 Feb 2008 22:06] Antony Curtis
pushed into 5.1-engines and 6.0-engines repositories.
[27 Mar 2008 11:21] Bugs System
Pushed into 5.1.24-rc
[27 Mar 2008 17:53] Bugs System
Pushed into 6.0.5-alpha
[2 Apr 2008 19:59] Jon Stephens
Pushed into 5.1.23-ndb-6.3.11.
[16 Apr 2008 0:29] Paul DuBois
Noted in 5.1.24, 6.0.5 changelogs.

Dangerous pointer arithmetic crashed the server on some systems.