From 2500fac48015a2f00547a402107c25b00eb49120 Mon Sep 17 00:00:00 2001
From: unknown <kroki/tomash@moonlight.home>
Date: Tue, 9 Jan 2007 12:24:25 +0300
Subject: BUG#23443: user-defined variables can consume too much memory in the 
           server

The problem was that when memory was exhausted HEAP engine could crash
(GROUP BY uses HEAP TABLE).  Alternatively, if SET was used, it could
report an error "You may only use constant expressions with SET" instead
of "Out of memory (Needed NNNNNN bytes)".

The solution is:
 - pass MY_WME to (some) calls to my_malloc() to get correct message.
 - fix heap_write() so that the first key is skipped during cleanup
   on ENOMEM because it wasn't inserted and doesn't have to be
   deleted.

No test case is provided because we can't test out-of-memory behaviour
in our current test framework.


heap/hp_block.c:
  If allocation fails, write an error message.
heap/hp_write.c:
  On ENOMEM, skip the first key in cleanup, as it wasn't inserted yet.
sql/item_func.cc:
  Add MY_WME so that OOM error will be reported.
---
 heap/hp_block.c  |  2 +-
 heap/hp_write.c  | 15 ++++++++++++---
 sql/item_func.cc |  5 +++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/heap/hp_block.c b/heap/hp_block.c
index 5c052218e58..8afcaf8d945 100644
--- a/heap/hp_block.c
+++ b/heap/hp_block.c
@@ -47,7 +47,7 @@ int _hp_get_new_block(HP_BLOCK *block, ulong *alloc_length)
       break;
 
   *alloc_length=sizeof(HP_PTRS)*i+block->records_in_block* block->recbuffer;
-  if (!(root=(HP_PTRS*) my_malloc(*alloc_length,MYF(0))))
+  if (!(root=(HP_PTRS*) my_malloc(*alloc_length,MYF(MY_WME))))
     return 1;
 
   if (i == 0)
diff --git a/heap/hp_write.c b/heap/hp_write.c
index 18fa95e7760..b5349d74691 100644
--- a/heap/hp_write.c
+++ b/heap/hp_write.c
@@ -66,13 +66,22 @@ int heap_write(HP_INFO *info, const byte *record)
   DBUG_RETURN(0);
 
 err:
-  DBUG_PRINT("info",("Duplicate key: %d",key));
+  if (my_errno == HA_ERR_FOUND_DUPP_KEY)
+    DBUG_PRINT("info",("Duplicate key: %d",key));
   info->errkey= key;
-  do
+  /*
+    Because 'key' is unsigned, we increase it before the loop, unless
+    we have to skip the key that wasn't inserted yet due to OOM.  In
+    the loop we test 'key' before decreasing it as the protection
+    against value wraparound.
+  */
+  if (my_errno != ENOMEM)
+    key++;
+  while (key-- > 0)
   {
     if (_hp_delete_key(info,share->keydef+key,record,pos,0))
       break;
-  } while (key-- > 0);
+  }
 
   share->deleted++;
   *((byte**) pos)=share->del_link;
diff --git a/sql/item_func.cc b/sql/item_func.cc
index e83d1f35db8..421f72ab69b 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1892,8 +1892,9 @@ bool Item_func_set_user_var::update_hash(const void *ptr, uint length,
 	char *pos= (char*) entry+ ALIGN_SIZE(sizeof(user_var_entry));
 	if (entry->value == pos)
 	  entry->value=0;
-	if (!(entry->value=(char*) my_realloc(entry->value, length,
-					      MYF(MY_ALLOW_ZERO_PTR))))
+        entry->value= (char*) my_realloc(entry->value, length,
+                                         MYF(MY_ALLOW_ZERO_PTR | MY_WME));
+        if (!entry->value)
 	  goto err;
       }
     }
-- 
cgit v1.2.1