Below is the list of changes that have just been committed into a local
5.0 repository of tomash. When tomash does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2006-07-25 23:09:08+04:00, kroki@stripped +2 -0
BUG#21206: memory corruption when too many prepared statements are
opened at once
The cause of a bug was that random memory was overwritten in
bitmap_set_next() due to out-of-bound memory access.
No test case is provided for the reasons:
- In SQL, when you reuse prepared statement, the previous one
is freed
- We could write a testcase in C, but crash is not guaranteed
- Looking to the patch, I doubt the fix requires a test case
at all.
mysys/my_bitmap.c@stripped, 2006-07-25 23:09:05+04:00, kroki@stripped +2 -2
Local 'bitmap_size' is measured in bytes, so there is no need to multiply it by 8.
sql/sql_select.cc@stripped, 2006-07-25 23:09:05+04:00, kroki@stripped +8 -4
Reset the bit only if we set it previously.
# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: kroki
# Host: moonlight.intranet
# Root: /home/tomash/src/mysql_ab/mysql-5.0-bug21206
--- 1.429/sql/sql_select.cc 2006-07-25 23:09:16 +04:00
+++ 1.430/sql/sql_select.cc 2006-07-25 23:09:16 +04:00
@@ -8414,13 +8414,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
param->group_length : 0,
NullS))
{
- bitmap_clear_bit(&temp_pool, temp_pool_slot);
+ if (temp_pool_slot != MY_BIT_NONE)
+ bitmap_clear_bit(&temp_pool, temp_pool_slot);
DBUG_RETURN(NULL); /* purecov: inspected */
}
/* Copy_field belongs to TMP_TABLE_PARAM, allocate it in THD mem_root */
if (!(param->copy_field= copy= new (thd->mem_root) Copy_field[field_count]))
{
- bitmap_clear_bit(&temp_pool, temp_pool_slot);
+ if (temp_pool_slot != MY_BIT_NONE)
+ bitmap_clear_bit(&temp_pool, temp_pool_slot);
free_root(&own_root, MYF(0)); /* purecov: inspected */
DBUG_RETURN(NULL); /* purecov: inspected */
}
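Review bot: The same `if (temp_pool_slot != MY_BIT_NONE) bitmap_clear_bit(&temp_pool, temp_pool_slot);` guard is now repeated verbatim at four cleanup paths (twice in this hunk, in the `err:` hunk at -8944, and in free_tmp_table at -9232), each as an unbraced one-line `if`, which is the kind of spot where a statement added later silently lands outside the condition. A small file-local helper, `static inline void release_temp_pool_slot(uint slot) { if (slot != MY_BIT_NONE) bitmap_clear_bit(&temp_pool, slot); }`, called from all four sites would keep the MY_BIT_NONE contract in one place. These sites still depend on the caller never handing an out-of-range slot to the bitmap; if bitmap_clear_bit does not already assert its bit argument in debug builds, that would be the natural second line of defence against the out-of-bounds write the commit message describes. create_tmp_table begins before this hunk, so where temp_pool_slot is assigned is not visible here.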
@@ -8944,7 +8946,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
err:
thd->mem_root= mem_root_save;
free_tmp_table(thd,table); /* purecov: inspected */
- bitmap_clear_bit(&temp_pool, temp_pool_slot);
+ if (temp_pool_slot != MY_BIT_NONE)
+ bitmap_clear_bit(&temp_pool, temp_pool_slot);
DBUG_RETURN(NULL); /* purecov: inspected */
}
@@ -9232,7 +9235,8 @@ free_tmp_table(THD *thd, TABLE *entry)
(*ptr)->free();
free_io_cache(entry);
- bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
+ if (entry->temp_pool_slot != MY_BIT_NONE)
+ bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
free_root(&own_root, MYF(0)); /* the table is allocated in its own root */
thd->proc_info=save_proc_info;
--- 1.30/mysys/my_bitmap.c 2006-07-25 23:09:16 +04:00
+++ 1.31/mysys/my_bitmap.c 2006-07-25 23:09:16 +04:00
@@ -159,7 +159,7 @@ uint bitmap_set_next(MY_BITMAP *map)
{
uchar *bitmap=map->bitmap;
uint bit_found = MY_BIT_NONE;
- uint bitmap_size=map->bitmap_size*8;
+ uint bitmap_size=map->bitmap_size;
uint i;
DBUG_ASSERT(map->bitmap);
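Review bot: The corrected local `uint bitmap_size=map->bitmap_size;` carries the same name as the struct field but no hint of its unit, which is exactly the confusion that produced the `*8`; a comment such as `uint bitmap_size=map->bitmap_size;   /* in bytes, not bits */` would stop the next reader from re-adding the multiplication. The identical change in bitmap_get_first (hunk at -445) should carry the same comment. Since the local is now a plain copy of the field, it could also be dropped in favour of reading `map->bitmap_size` directly, removing the one place where the unit can drift again. The loop that consumes this value lies outside the hunk, so whether it indexes bytes or bits cannot be confirmed from here and is taken from the commit message.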
@@ -445,7 +445,7 @@ uint bitmap_get_first(const MY_BITMAP *m
{
uchar *bitmap=map->bitmap;
uint bit_found = MY_BIT_NONE;
- uint bitmap_size=map->bitmap_size*8;
+ uint bitmap_size=map->bitmap_size;
uint i;
DBUG_ASSERT(map->bitmap);