author | Yuchen Pei <yuchen.pei@mariadb.com> | 2023-01-10 12:48:09 +1100 |
---|---|---|
committer | Yuchen Pei <yuchen.pei@mariadb.com> | 2023-01-19 09:39:00 +1100 |
commit | 8d91e3f614383a010c74072b4ae876309be3995c (patch) | |
tree | 6895627862bad6ef51048438cc73a9ef21eef4fb | |
parent | da798c951182c7afdbf04948dccbc7d4705cc224 (diff) | |
download | mariadb-git-8d91e3f614383a010c74072b4ae876309be3995c.tar.gz |
MDEV-30191 Remove the to-be-freed spider condition in an sp call
The condition is freed in sp_head::execute, after calling
ha_spider::reset. This commit partially reverts the change in commit
e954d9de886aebc68c39240304fe97ae88276dbb, so that the condition is
always freed regardless of the wide_handler->sql_command, which will
prevent access to the freed condition later.
Signed-off-by: Yuchen Pei <yuchen.pei@mariadb.com>
4 files changed, 100 insertions, 4 deletions
diff --git a/storage/spider/ha_spider.cc b/storage/spider/ha_spider.cc
index 42ee1041c60..1700cd0557e 100644
--- a/storage/spider/ha_spider.cc
+++ b/storage/spider/ha_spider.cc
@@ -1365,10 +1365,8 @@ int ha_spider::reset()
 #endif
 result_list.direct_distinct = FALSE;
 store_error_num = 0;
- if (
- wide_handler &&
- wide_handler->sql_command != SQLCOM_END
- ) {
+ if (wide_handler)
+ {
 wide_handler->sql_command = SQLCOM_END;
 wide_handler->between_flg = FALSE;
 wide_handler->idx_bitmap_is_set = FALSE;
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result
new file mode 100644
index 00000000000..941f210cbbe
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result
@@ -0,0 +1,44 @@
+#
+# MDEV-30191 SIGSEGV & heap-use-after-free in spider_db_print_item_type, SIGABRT in __cxa_pure_virtual/spider_db_print_item_type, Got error 128 "Out of memory in engine", 56/112 memory not freed, and Assertion `fixed()' failed in Item_sp_variable::val_str on SP call
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (c INT);
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
+CREATE TABLE tbl_b (c INT);
+CREATE PROCEDURE sp() BEGIN
+DECLARE v1 DATE;
+WHILE EXISTS (SELECT 1 FROM tbl_a WHERE c>v1 AND c<=v1) DO
+SELECT 1;
+END WHILE;
+WHILE EXISTS (SELECT 1
+FROM tbl_a
+WHERE c<v1 AND EXISTS (SELECT 1
+FROM tbl_b
+WHERE tbl_a.c=tbl_b.c)) DO
+SELECT 1;
+END WHILE;
+END $$
+CALL sp();
+connection master_1;
+DROP DATABASE IF EXISTS auto_test_local;
+connection child2_1;
+DROP DATABASE IF EXISTS auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
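Review bot: The dropped `sql_command != SQLCOM_END` guard is the whole use-after-free fix, yet the new `if (wide_handler)` block carries no comment saying why it must run unconditionally, so a later cleanup could re-add the guard as an "already reset" shortcut and silently reintroduce MDEV-30191. I would put this above the condition: `/* Always clear the per-statement state here, even when sql_command is already SQLCOM_END: sp_head::execute frees the condition after reset() returns, so anything still attached would dangle (MDEV-30191, partial revert of e954d9de886aebc68c39240304fe97ae88276dbb). */`. The visible lines only reset flags; the condition detach itself presumably sits further down in this block, and ha_spider::reset() starts and ends outside the hunk, so I cannot confirm that from here.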
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf
new file mode 100644
index 00000000000..05dfd8a0bce
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test
new file mode 100644
index 00000000000..8d19a3515cf
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test
@@ -0,0 +1,51 @@
+--echo #
+--echo # MDEV-30191 SIGSEGV & heap-use-after-free in spider_db_print_item_type, SIGABRT in __cxa_pure_virtual/spider_db_print_item_type, Got error 128 "Out of memory in engine", 56/112 memory not freed, and Assertion `fixed()' failed in Item_sp_variable::val_str on SP call
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (c INT);
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+ c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
+CREATE TABLE tbl_b (c INT);
+
+--delimiter $$
+CREATE PROCEDURE sp() BEGIN
+ DECLARE v1 DATE;
+ WHILE EXISTS (SELECT 1 FROM tbl_a WHERE c>v1 AND c<=v1) DO
+ SELECT 1;
+ END WHILE;
+ WHILE EXISTS (SELECT 1
+ FROM tbl_a
+ WHERE c<v1 AND EXISTS (SELECT 1
+ FROM tbl_b
+ WHERE tbl_a.c=tbl_b.c)) DO
+ SELECT 1;
+ END WHILE;
+END $$
+--delimiter ;
+CALL sp();
+
+--connection master_1
+DROP DATABASE IF EXISTS auto_test_local;
+--connection child2_1
+DROP DATABASE IF EXISTS auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_deinit.inc
+--enable_query_log
+--enable_result_log