Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Undefined behavior in tidb_query_datatype's RowSlice #7613

Closed
brson opened this issue Apr 22, 2020 · 3 comments · Fixed by #7635
Closed

Undefined behavior in tidb_query_datatype's RowSlice #7613

brson opened this issue Apr 22, 2020 · 3 comments · Fixed by #7635
Assignees
@zhongzc
Labels
type/bug Type: Issue - Confirmed a bug
Milestone
v4.0.0-rc.2

Comments

@brson
Copy link
Contributor

brson commented Apr 22, 2020
edited

Bug Report

RowSlice does an unsafe pointer cast that is often unaligned. This is undefined behavior, which could potentially lead to miscompilation.

Here is the source:

tikv/components/tidb_query_datatype/src/codec/row/v2/row_slice.rs

Line 149 in 7565efc

let slice = unsafe { std::slice::from_raw_parts(buf.as_ptr() as *const T, len) };

The fix isn't simple, so I'm just filing a bug cc @breeswish.

Potential fixes are to accumulate the casted items into a new buffer instead of slicing the original buffer, but that costs an allocation. Another fix would be to change the serialization such that the cast always ends up aligned, while adding an assertion here that the alignment is correct.

Tested against commit adf3a94

Found with miri (cc @oli-obk 👍 ).
@brson brson added the type/bug Type: Issue - Confirmed a bug label Apr 22, 2020
@breezewish
Copy link
Member

Maybe we can drop the usage of slice at all. The slice is constructed to reuse the binary search method from std. We can write our own binary search using explicitly unaligned memory access.

@breezewish
Copy link
Member

@zhongzc PTAL

@breezewish breezewish added this to the v4.0.0-rc.2 milestone Apr 22, 2020
@zhongzc
Copy link
Contributor

zhongzc commented Apr 22, 2020

Maybe we can drop the usage of slice at all. The slice is constructed to reuse the binary search method from std. We can write our own binary search using explicitly unaligned memory access.

Writing our own binary search has to deal with the endian at every comparison. Or any other good idea?

@zhongzc zhongzc self-assigned this Apr 23, 2020
@zhongzc zhongzc mentioned this issue Apr 23, 2020
Merged
@MyonKeminta MyonKeminta modified the milestones: v4.0.0-rc.1, v4.0.0 Apr 24, 2020
@sre-bot sre-bot mentioned this issue May 2, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zhongzc zhongzc

Labels
type/bug Type: Issue - Confirmed a bug
Projects
None yet
Milestone
v4.0.0-rc.2
Development

Successfully merging a pull request may close this issue.

tidb_query: fix UB causing by from_raw_parts zhongzc/tikv
4 participants
@brson @breezewish @MyonKeminta @zhongzc