From: Date: November 7 2008 1:04pm
Subject: bzr commit into mysql-5.1 branch (kristofer.pettersson:2686) Bug#38883
List-Archive: http://lists.mysql.com/commits/58172
X-Bug: 38883
Message-Id: <0K9Y00D3TPJH8140@fe-emea-10.sun.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7BIT

#At file:///home/thek/Development/cpp/mysqlbzr/mysql-5.1-bug38883/

 2686 Kristofer Pettersson	2008-11-07
      Bug#38883 thd_security_context is not thread safe, crashes?
                  
      Innodb monitor could cause a server crash because of invalid access to a
      shared variable in a concurrent environment.
                        
      This patch adds a guard to protect against crashes but not against
      inconsistent values because of performance reasons.
modified:
  sql/sql_class.cc

per-file messages:
  sql/sql_class.cc
    * Attempt snapshot of static memory pointer proc_info to avoid null pointers.
=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2008-10-24 13:58:48 +0000
+++ b/sql/sql_class.cc	2008-11-07 12:12:56 +0000
@@ -306,20 +306,25 @@ void thd_inc_row_count(THD *thd)
   thd->row_count++;
 }
 
-/*
+
+/**
   Dumps a text description of a thread, its security context
   (user, host) and the current query.
 
-  SYNOPSIS
-    thd_security_context()
-    thd                 current thread context
-    buffer              pointer to preferred result buffer
-    length              length of buffer
-    max_query_len       how many chars of query to copy (0 for all)
+  @param thd current thread context
+  @param buffer pointer to preferred result buffer
+  @param length length of buffer
+  @param max_query_len how many chars of query to copy (0 for all)
 
-  RETURN VALUES
-    pointer to string
+  @req LOCK_thread_count
+  
+  @note LOCK_thread_count mutex is not necessary when the function is invoked on
+   the currently running thread (current_thd) or if the caller in some other
+   way guarantees that access to thd->query is serialized.
+ 
+  @return Pointer to string
 */
+
 extern "C"
 char *thd_security_context(THD *thd, char *buffer, unsigned int length,
                            unsigned int max_query_len)
@@ -328,6 +333,16 @@ char *thd_security_context(THD *thd, cha
   const Security_context *sctx= &thd->main_security_ctx;
   char header[64];
   int len;
+  /*
+    The pointers thd->query and thd->proc_info might change since they are
+    being modified concurrently. This is acceptable for proc_info since its
+    values doesn't have to very accurate and the memory it points to is static,
+    but we need to attempt a snapshot on the pointer values to avoid using NULL
+    values. The pointer to thd->query however, doesn't point to static memory
+    and has to be protected by LOCK_thread_count or risk pointing to
+    uninitialized memory.
+  */
+  const char *proc_info= thd->proc_info;
 
   len= my_snprintf(header, sizeof(header),
                    "MySQL thread id %lu, query id %lu",
@@ -353,10 +368,10 @@ char *thd_security_context(THD *thd, cha
     str.append(sctx->user);
   }
 
-  if (thd->proc_info)
+  if (proc_info)
   {
     str.append(' ');
-    str.append(thd->proc_info);
+    str.append(proc_info);
   }
 
   if (thd->query)