Bug #87131 stack-buffer-overflow in RelopsTest/1.CodeCoverage
Submitted: 20 Jul 2017 6:29 Modified: 24 Aug 2017 4:12
Reporter: Laurynas Biveinis Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: GIS Severity:S3 (Non-critical)
Version:8.0.2 OS:Any
Assigned to: CPU Architecture:Any
Tags: asan, boost, gis, unit tests

[20 Jul 2017 6:29] Laurynas Biveinis
Description:
cmake ... -DWITH_ASAN=ON -DWITH_DEBUG=ON
...
./unittest/gunit/merge_large_tests-t
...
# Run 259 RelopsTest/1.CodeCoverage
=================================================================
==2578==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd98a61458 at pc 0x560b4d562795 bp 0x7ffd98a61270 sp 0x7ffd98a61260
READ of size 8 at 0x7ffd98a61458 thread T0
    #0 0x560b4d562794 in double boost::geometry::srs::spheroid<double>::get_radius<2ul>() const /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/core/srs.hpp:62
    #1 0x560b4d562794 in boost::geometry::traits::radius_access<boost::geometry::srs::spheroid<double>, 2ul>::get(boost::geometry::srs::spheroid<double> const&) /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/core/srs.hpp:103
    #2 0x560b4d562794 in boost::geometry::detail::radius_access<boost::geometry::srs_spheroid_tag, boost::geometry::srs::spheroid<double>, 2ul>::get(boost::geometry::srs::spheroid<double> const&) /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/core/radius.hpp:168
...
#21 0x560b4d68b673 in bool boost::geometry::disjoint<gis::Geographic_polygon, gis::Geographic_polygon, boost::geometry::strategy::intersection::geographic_segments<boost::geometry::strategy::andoyer, 1u, boost::geometry::srs::spheroid<double>, void> >(gis::Geographic_polygon const&, gis::Geographic_polygon const&, boost::geometry::strategy::intersection::geographic_segments<boost::geometry::strategy::andoyer, 1u, boost::geometry::srs::spheroid<double>, void> const&) /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/algorithms/detail/disjoint/interface.hpp:217
    #22 0x560b4d68b673 in gis::Disjoint::eval(gis::Geographic_polygon const*, gis::Geographic_polygon const*) const /home/laurynas/mysql-server/sql/gis/disjoint.cc:460
    #23 0x560b4d71717f in bool gis::Functor<bool>::apply<gis::Disjoint const>(gis::Disjoint const&, gis::Geometry const*, gis::Geometry const*) (/home/laurynas/obj-8.0-asan-debug-openssl/unittest/gunit/merge_large_tests-t+0x2e6d17f)
    #24 0x560b4d68b924 in gis::Disjoint::operator()(gis::Geometry const*, gis::Geometry const*) const /home/laurynas/mysql-server/sql/gis/disjoint.cc:77
    #25 0x560b4d68bda0 in gis::disjoint(dd::Spatial_reference_system const*, gis::Geometry const*, gis::Geometry const*, char const*, bool*, bool*) /home/laurynas/mysql-server/sql/gis/disjoint.cc:655
    #26 0x560b4bf4b310 in gis_relops_unittest::RelopsTest_CodeCoverage_Test<gis_relops_unittest::Geographic_types>::TestBody() /home/laurynas/mysql-server/unittest/gunit/gis_relops-t.cc:150
...
Address 0x7ffd98a61458 is located in stack of thread T0 at offset 296 in frame
    #0 0x560b4d5622c1 in int boost::geometry::strategy::side::geographic<boost::geometry::strategy::andoyer, boost::geometry::srs::spheroid<double>, void>::apply<gis::Geographic_point, gis::Geographic_point, gis::Geographic_point>(gis::Geographic_point const&, gis::Geographic_point const&, gis::Geographic_point const&) const /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/strategies/geographic/side.hpp:67

  This frame has 5 object(s):
    [32, 40) 'a1p'
    [96, 104) 'c0'
    [160, 168) 'cos_lat1'
    [224, 232) 'cos_lat2'
    [288, 296) 'sin_d' <== Memory access at offset 296 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/laurynas/mysql-boost/boost_1_64_0/boost/geometry/core/srs.hpp:62 in double boost::geometry::srs::spheroid<double>::get_radius<2ul>() const
Shadow bytes around the buggy address:
  0x100033144230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033144240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033144250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100033144260: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
  0x100033144270: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
=>0x100033144280: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00[f4]f4 f4 00 00
  0x100033144290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000331442a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000331442b0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f4 f4 f4
  0x1000331442c0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000331442d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2578==ABORTING

How to repeat:
See above
[24 Jul 2017 6:00] MySQL Verification Team
Hello Laurynas,

Thank you for the report.
Verified as described.

Thanks,
Umesh
[24 Jul 2017 6:00] MySQL Verification Team
test results

Attachment: 87131_8.0.2.results (application/octet-stream, text), 298.14 KiB.

[2 Aug 2017 11:23] Tor Didriksen
Posted by developer:
 
Current head of trunk has:

// Bug#26336467 ASAN FAILURE IN UNIT TEST RELOPSTEST/1.CODECOVERAGE
// Disable test until bug can be fixed.
#ifndef HAVE_ASAN
      gis::disjoint(this->m_srs, g1, g2, "unittest", &result, &is_null);

So this is a duplicate of an internal bug.
[24 Aug 2017 4:12] Erlend Dahl
Fixed in the upcoming 8.0.4 release.