mirror of
https://github.com/MariaDB/server.git
synced 2025-01-29 02:05:57 +01:00
MDEV-21341: Fix UBSAN failures: Issue Six
(Variant #2 of the patch, which keeps the sp_head object inside the MEM_ROOT that sp_head object owns) (10.3 requires extra work due to sp_package, will commit a separate patch for it) sp_head::operator new() and operator delete() were dereferencing sp_head* pointers to memory that didn't hold a valid sp_head object (it was not created/already destroyed). This caused UBSan to crash when looking up type information. Fixed by providing static sp_head::create() and sp_head::destroy() methods.
This commit is contained in:
Sergei Petrunia
parent
cb204e11ea
commit
5e5ae51b73
10 changed files with 52 additions and 59 deletions
|
|
@ -754,7 +754,7 @@ static sp_head *sp_compile(THD *thd, String *defstr, ulonglong sql_mode,
|
|||
if (parse_sql(thd, & parser_state, creation_ctx) || thd->lex == NULL)
|
||||
{
|
||||
sp= thd->lex->sphead;
|
||||
delete sp;
|
||||
sp_head::destroy(sp);
|
||||
sp= 0;
|
||||
}
|
||||
else
|
||||
|
|
|
|||
|
|
@ -284,7 +284,7 @@ uchar *hash_get_key_for_sp_head(const uchar *ptr, size_t *plen,
|
|||
void hash_free_sp_head(void *p)
|
||||
{
|
||||
sp_head *sp= (sp_head *)p;
|
||||
delete sp;
|
||||
sp_head::destroy(sp);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -550,51 +550,41 @@ check_routine_name(LEX_STRING *ident)
|
|||
}
|
||||
|
||||
|
||||
sp_head* sp_head::create()
|
||||
{
|
||||
MEM_ROOT own_root;
|
||||
init_sql_alloc(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC, MYF(0));
|
||||
sp_head *sp;
|
||||
if (!(sp= new (&own_root) sp_head(&own_root)))
|
||||
free_root(&own_root, MYF(0));
|
||||
|
||||
return sp;
|
||||
}
|
||||
|
||||
|
||||
void sp_head::destroy(sp_head *sp)
|
||||
{
|
||||
if (sp)
|
||||
{
|
||||
/* Make a copy of main_mem_root as free_root will free the sp */
|
||||
MEM_ROOT own_root= sp->main_mem_root;
|
||||
delete sp;
|
||||
|
||||
DBUG_PRINT("info", ("mem_root 0x%lx moved to 0x%lx",
|
||||
(ulong) &sp->mem_root, (ulong) &own_root));
|
||||
free_root(&own_root, MYF(0));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
* sp_head
|
||||
*
|
||||
*/
|
||||
|
||||
void *
|
||||
sp_head::operator new(size_t size) throw()
|
||||
{
|
||||
DBUG_ENTER("sp_head::operator new");
|
||||
MEM_ROOT own_root;
|
||||
sp_head *sp;
|
||||
|
||||
init_sql_alloc(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC, MYF(0));
|
||||
sp= (sp_head *) alloc_root(&own_root, size);
|
||||
if (sp == NULL)
|
||||
DBUG_RETURN(NULL);
|
||||
sp->main_mem_root= own_root;
|
||||
DBUG_PRINT("info", ("mem_root 0x%lx", (ulong) &sp->mem_root));
|
||||
DBUG_RETURN(sp);
|
||||
}
|
||||
|
||||
void
|
||||
sp_head::operator delete(void *ptr, size_t size) throw()
|
||||
{
|
||||
DBUG_ENTER("sp_head::operator delete");
|
||||
MEM_ROOT own_root;
|
||||
|
||||
if (ptr == NULL)
|
||||
DBUG_VOID_RETURN;
|
||||
|
||||
sp_head *sp= (sp_head *) ptr;
|
||||
|
||||
/* Make a copy of main_mem_root as free_root will free the sp */
|
||||
own_root= sp->main_mem_root;
|
||||
DBUG_PRINT("info", ("mem_root 0x%lx moved to 0x%lx",
|
||||
(ulong) &sp->mem_root, (ulong) &own_root));
|
||||
free_root(&own_root, MYF(0));
|
||||
|
||||
DBUG_VOID_RETURN;
|
||||
}
|
||||
|
||||
|
||||
sp_head::sp_head()
|
||||
:Query_arena(&main_mem_root, STMT_INITIALIZED_FOR_SP),
|
||||
sp_head::sp_head(MEM_ROOT *mem_root_arg)
|
||||
:Query_arena(NULL, STMT_INITIALIZED_FOR_SP),
|
||||
main_mem_root(*mem_root_arg), // todo: std::move operator.
|
||||
m_flags(0),
|
||||
m_sp_cache_version(0),
|
||||
m_creation_ctx(0),
|
||||
|
|
@ -603,6 +593,8 @@ sp_head::sp_head()
|
|||
m_next_cached_sp(0),
|
||||
m_cont_level(0)
|
||||
{
|
||||
mem_root= &main_mem_root;
|
||||
|
||||
m_first_instance= this;
|
||||
m_first_free_instance= this;
|
||||
m_last_cached_sp= this;
|
||||
|
|
@ -848,7 +840,7 @@ sp_head::~sp_head()
|
|||
my_hash_free(&m_sptabs);
|
||||
my_hash_free(&m_sroutines);
|
||||
|
||||
delete m_next_cached_sp;
|
||||
sp_head::destroy(m_next_cached_sp);
|
||||
|
||||
DBUG_VOID_RETURN;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -142,7 +142,7 @@ public:
|
|||
bool
|
||||
check_routine_name(LEX_STRING *ident);
|
||||
|
||||
class sp_head :private Query_arena
|
||||
class sp_head :private Query_arena, public Sql_alloc
|
||||
{
|
||||
sp_head(const sp_head &); /**< Prevent use of these */
|
||||
void operator=(sp_head &);
|
||||
|
|
@ -301,14 +301,16 @@ public:
|
|||
being opened is probably enough).
|
||||
*/
|
||||
SQL_I_List<Item_trigger_field> m_trg_table_fields;
|
||||
private:
|
||||
// users must use sp= sp_head::create()
|
||||
sp_head(MEM_ROOT *mem_root_arg);
|
||||
|
||||
static void *
|
||||
operator new(size_t size) throw ();
|
||||
// users must use sp_head::destroy(sp)
|
||||
virtual ~sp_head();
|
||||
|
||||
static void
|
||||
operator delete(void *ptr, size_t size) throw ();
|
||||
|
||||
sp_head();
|
||||
public:
|
||||
static sp_head* create();
|
||||
static void destroy(sp_head *sp);
|
||||
|
||||
/// Initialize after we have reset mem_root
|
||||
void
|
||||
|
|
@ -326,7 +328,6 @@ public:
|
|||
void
|
||||
set_stmt_end(THD *thd);
|
||||
|
||||
virtual ~sp_head();
|
||||
|
||||
bool
|
||||
execute_trigger(THD *thd,
|
||||
|
|
|
|||
|
|
@ -785,7 +785,7 @@ void lex_end_stage1(LEX *lex)
|
|||
}
|
||||
else
|
||||
{
|
||||
delete lex->sphead;
|
||||
sp_head::destroy(lex->sphead);
|
||||
lex->sphead= NULL;
|
||||
}
|
||||
|
||||
|
|
@ -2781,7 +2781,7 @@ void LEX::cleanup_lex_after_parse_error(THD *thd)
|
|||
if (thd->lex->sphead)
|
||||
{
|
||||
thd->lex->sphead->restore_thd_mem_root(thd);
|
||||
delete thd->lex->sphead;
|
||||
sp_head::destroy(thd->lex->sphead);
|
||||
thd->lex->sphead= NULL;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4347,7 +4347,7 @@ mysql_execute_command(THD *thd)
|
|||
/* Don't do it, if we are inside a SP */
|
||||
if (!thd->spcont)
|
||||
{
|
||||
delete lex->sphead;
|
||||
sp_head::destroy(lex->sphead);
|
||||
lex->sphead= NULL;
|
||||
}
|
||||
/* lex->unit.cleanup() is called outside, no need to call it here */
|
||||
|
|
|
|||
|
|
@ -3607,7 +3607,7 @@ Prepared_statement::~Prepared_statement()
|
|||
free_items();
|
||||
if (lex)
|
||||
{
|
||||
delete lex->sphead;
|
||||
sp_head::destroy(lex->sphead);
|
||||
delete lex->result;
|
||||
delete (st_lex_local *) lex;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5863,7 +5863,7 @@ bool store_schema_params(THD *thd, TABLE *table, TABLE *proc_table,
|
|||
{
|
||||
free_table_share(&share);
|
||||
if (free_sp_head)
|
||||
delete sp;
|
||||
sp_head::destroy(sp);
|
||||
DBUG_RETURN(1);
|
||||
}
|
||||
}
|
||||
|
|
@ -5919,7 +5919,7 @@ bool store_schema_params(THD *thd, TABLE *table, TABLE *proc_table,
|
|||
}
|
||||
}
|
||||
if (free_sp_head)
|
||||
delete sp;
|
||||
sp_head::destroy(sp);
|
||||
}
|
||||
free_table_share(&share);
|
||||
DBUG_RETURN(error);
|
||||
|
|
@ -6012,7 +6012,7 @@ bool store_schema_proc(THD *thd, TABLE *table, TABLE *proc_table,
|
|||
store_column_type(table, field, cs, 5);
|
||||
free_table_share(&share);
|
||||
if (free_sp_head)
|
||||
delete sp;
|
||||
sp_head::destroy(sp);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1063,7 +1063,7 @@ Table_triggers_list::~Table_triggers_list()
|
|||
{
|
||||
for (int i= 0; i < (int)TRG_EVENT_MAX; i++)
|
||||
for (int j= 0; j < (int)TRG_ACTION_MAX; j++)
|
||||
delete bodies[i][j];
|
||||
sp_head::destroy(bodies[i][j]);
|
||||
|
||||
/* Free blobs used in insert */
|
||||
if (record0_field)
|
||||
|
|
|
|||
|
|
@ -224,7 +224,7 @@ static sp_head *make_sp_head(THD *thd, sp_name *name,
|
|||
sp_head *sp;
|
||||
|
||||
/* Order is important here: new - reset - init */
|
||||
if ((sp= new sp_head()))
|
||||
if ((sp= sp_head::create()))
|
||||
{
|
||||
sp->reset_thd_mem_root(thd);
|
||||
sp->init(lex);
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue