From c2ebb0ac882feadedd0bbca71277fd2de66aa957 Mon Sep 17 00:00:00 2001
From: Alexey Kopytov <Alexey.Kopytov@Sun.com>
Date: Fri, 21 May 2010 15:23:48 +0400
Subject: Bug #42064: low memory crash when importing hex strings, in          
   Item_hex_string::Item_hex_string

The status of memory allocation in the Lex_input_stream (called
from the Parser_state constructor) was not checked which led to
a parser crash in case of the out-of-memory error.

The solution is to introduce new init() member function in
Parser_state and Lex_input_stream so that status of memory
allocation can be returned to the caller.

mysql-test/r/error_simulation.result:
  Added a test case for bug #42064.
mysql-test/t/error_simulation.test:
  Added a test case for bug #42064.
mysys/my_alloc.c:
  Added error injection code for the regression test.
mysys/my_malloc.c:
  Added error injection code for the regression test.
mysys/safemalloc.c:
  Added error injection code for the regression test.
sql/event_data_objects.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/mysqld.cc:
  Added error injection code for the regression test.
sql/sp.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/sql_lex.cc:
  Moved memory allocation from constructor to the separate init()
  member function.
  Added error injection code for the regression test.
sql/sql_lex.h:
  Moved memory allocation from constructor to the separate init()
  member function.
sql/sql_parse.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/sql_partition.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/sql_prepare.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/sql_trigger.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures.
sql/sql_view.cc:
  Use the new init() member function of Parser_state and check
  its return value to handle memory allocation failures..
sql/thr_malloc.cc:
  Added error injection code for the regression test.
---
 sql/sp.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'sql/sp.cc')

diff --git a/sql/sp.cc b/sql/sp.cc
index ef69edb96c6..0eb652d5b16 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -782,7 +782,12 @@ db_load_routine(THD *thd, int type, sp_name *name, sp_head **sphp,
   thd->spcont= NULL;
 
   {
-    Parser_state parser_state(thd, defstr.c_ptr(), defstr.length());
+    Parser_state parser_state;
+    if (parser_state.init(thd, defstr.c_ptr(), defstr.length()))
+    {
+      ret= SP_INTERNAL_ERROR;
+      goto end;
+    }
 
     lex_start(thd);
 
-- 
cgit v1.2.1


From 0f9ddfa9d8bb8d071266bcc63e92813cf18ccd2b Mon Sep 17 00:00:00 2001
From: Davi Arnaut <Davi.Arnaut@Sun.COM>
Date: Thu, 10 Jun 2010 17:45:22 -0300
Subject: Bug#42733: Type-punning warnings when compiling MySQL --            
 strict aliasing violations.

One somewhat major source of strict-aliasing violations and
related warnings is the SQL_LIST structure. For example,
consider its member function `link_in_list` which takes
a pointer to pointer of type T (any type) as a pointer to
pointer to unsigned char. Dereferencing this pointer, which
is done to reset the next field, violates strict-aliasing
rules and might cause problems for surrounding code that
uses the next field of the object being added to the list.

The solution is to use templates to parametrize the SQL_LIST
structure in order to deference the pointers with compatible
types. As a side bonus, it becomes possible to remove quite
a few casts related to acessing data members of SQL_LIST.

sql/handler.h:
  Use the appropriate template type argument.
sql/item.cc:
  Remove now-unnecessary cast.
sql/item_subselect.cc:
  Remove now-unnecessary casts.
sql/item_sum.cc:
  Use the appropriate template type argument.
  Remove now-unnecessary cast.
sql/mysql_priv.h:
  Move SQL_LIST structure to sql_list.h
  Use the appropriate template type argument.
sql/sp.cc:
  Remove now-unnecessary casts.
sql/sql_delete.cc:
  Use the appropriate template type argument.
  Remove now-unnecessary casts.
sql/sql_derived.cc:
  Remove now-unnecessary casts.
sql/sql_lex.cc:
  Remove now-unnecessary casts.
sql/sql_lex.h:
  SQL_LIST now takes a template type argument which must
  match the type of the elements of the list. Use forward
  declaration when the type is not available, it is used
  in pointers anyway.
sql/sql_list.h:
  Rename SQL_LIST to SQL_I_List. The template parameter is
  the type of object that is stored in the list.
sql/sql_olap.cc:
  Remove now-unnecessary casts.
sql/sql_parse.cc:
  Remove now-unnecessary casts.
sql/sql_prepare.cc:
  Remove now-unnecessary casts.
sql/sql_select.cc:
  Remove now-unnecessary casts.
sql/sql_show.cc:
  Remove now-unnecessary casts.
sql/sql_table.cc:
  Remove now-unnecessary casts.
sql/sql_trigger.cc:
  Remove now-unnecessary casts.
sql/sql_union.cc:
  Remove now-unnecessary casts.
sql/sql_update.cc:
  Remove now-unnecessary casts.
sql/sql_view.cc:
  Remove now-unnecessary casts.
sql/sql_yacc.yy:
  Remove now-unnecessary casts.
storage/myisammrg/ha_myisammrg.cc:
  Remove now-unnecessary casts.
---
 sql/sp.cc | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

(limited to 'sql/sp.cc')

diff --git a/sql/sp.cc b/sql/sp.cc
index ef69edb96c6..e0c1fcfa378 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -1630,8 +1630,7 @@ extern "C" uchar* sp_sroutine_key(const uchar *ptr, size_t *plen,
 void sp_get_prelocking_info(THD *thd, bool *need_prelocking, 
                             bool *first_no_prelocking)
 {
-  Sroutine_hash_entry *routine;
-  routine= (Sroutine_hash_entry*)thd->lex->sroutines_list.first;
+  Sroutine_hash_entry *routine= thd->lex->sroutines_list.first;
 
   DBUG_ASSERT(routine);
   bool first_is_procedure= (routine->key.str[0] == TYPE_ENUM_PROCEDURE);
@@ -1694,7 +1693,7 @@ static bool add_used_routine(LEX *lex, Query_arena *arena,
     memcpy(rn->key.str, key->str, key->length + 1);
     if (my_hash_insert(&lex->sroutines, (uchar *)rn))
       return FALSE;
-    lex->sroutines_list.link_in_list((uchar *)rn, (uchar **)&rn->next);
+    lex->sroutines_list.link_in_list(rn, &rn->next);
     rn->belong_to_view= belong_to_view;
     return TRUE;
   }
@@ -1740,7 +1739,7 @@ void sp_add_used_routine(LEX *lex, Query_arena *arena,
 void sp_remove_not_own_routines(LEX *lex)
 {
   Sroutine_hash_entry *not_own_rt, *next_rt;
-  for (not_own_rt= *(Sroutine_hash_entry **)lex->sroutines_list_own_last;
+  for (not_own_rt= *lex->sroutines_list_own_last;
        not_own_rt; not_own_rt= next_rt)
   {
     /*
@@ -1751,7 +1750,7 @@ void sp_remove_not_own_routines(LEX *lex)
     hash_delete(&lex->sroutines, (uchar *)not_own_rt);
   }
 
-  *(Sroutine_hash_entry **)lex->sroutines_list_own_last= NULL;
+  *lex->sroutines_list_own_last= NULL;
   lex->sroutines_list.next= lex->sroutines_list_own_last;
   lex->sroutines_list.elements= lex->sroutines_list_own_elements;
 }
@@ -1832,11 +1831,11 @@ sp_update_stmt_used_routines(THD *thd, LEX *lex, HASH *src,
     It will also add elements to end of 'LEX::sroutines_list' list.
 */
 
-static void sp_update_stmt_used_routines(THD *thd, LEX *lex, SQL_LIST *src,
+static void sp_update_stmt_used_routines(THD *thd, LEX *lex,
+                                         SQL_I_List<Sroutine_hash_entry> *src,
                                          TABLE_LIST *belong_to_view)
 {
-  for (Sroutine_hash_entry *rt= (Sroutine_hash_entry *)src->first;
-       rt; rt= rt->next)
+  for (Sroutine_hash_entry *rt= src->first; rt; rt= rt->next)
     (void)add_used_routine(lex, thd->stmt_arena, &rt->key, belong_to_view);
 }
 
@@ -1971,8 +1970,7 @@ int
 sp_cache_routines_and_add_tables(THD *thd, LEX *lex, bool first_no_prelock)
 {
   return sp_cache_routines_and_add_tables_aux(thd, lex,
-           (Sroutine_hash_entry *)lex->sroutines_list.first,
-           first_no_prelock);
+           lex->sroutines_list.first, first_no_prelock);
 }
 
 
@@ -1996,8 +1994,7 @@ sp_cache_routines_and_add_tables(THD *thd, LEX *lex, bool first_no_prelock)
 int
 sp_cache_routines_and_add_tables_for_view(THD *thd, LEX *lex, TABLE_LIST *view)
 {
-  Sroutine_hash_entry **last_cached_routine_ptr=
-                          (Sroutine_hash_entry **)lex->sroutines_list.next;
+  Sroutine_hash_entry **last_cached_routine_ptr= lex->sroutines_list.next;
   sp_update_stmt_used_routines(thd, lex, &view->view->sroutines_list,
                                view->top_table());
   return sp_cache_routines_and_add_tables_aux(thd, lex,
@@ -2026,8 +2023,7 @@ sp_cache_routines_and_add_tables_for_triggers(THD *thd, LEX *lex,
 {
   int ret= 0;
 
-  Sroutine_hash_entry **last_cached_routine_ptr=
-    (Sroutine_hash_entry **)lex->sroutines_list.next;
+  Sroutine_hash_entry **last_cached_routine_ptr= lex->sroutines_list.next;
 
   if (static_cast<int>(table->lock_type) >=
       static_cast<int>(TL_WRITE_ALLOW_WRITE))
-- 
cgit v1.2.1