From:
Date: July 26 2006 2:23pm
Subject: bk commit into 4.1 tree (kroki:1.2528) BUG#21206
List-Archive: http://lists.mysql.com/commits/9583
X-Bug: 21206
Message-Id: <200607261223.k6QCNBGS005216@moonlight.intranet>

Below is the list of changes that have just been committed into a local 4.1 repository of tomash. When tomash does a push these changes will be propagated to the main repository and, within 24 hours after the push, to the public repository.

For information on how to access the public repository see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-07-26 16:23:07+04:00, kroki@stripped +2 -0
  BUG#21206: memory corruption when too many cursors are opened at once

  Too many cursors (more than 1024) could lead to memory corruption. This affects both stored routines and C API cursors, and the threshold is per-server, not per-connection. Similarly, the corruption could happen when the server was under heavy load (executing more than 1024 simultaneous complex queries), and this is the reason why this bug is fixed in 4.1, which doesn't support cursors.

  The corruption was caused by a bug in the temporary tables code, when an attempt to create a table could lead to a write beyond allocated space. Note that only internal tables were affected (the tables created internally by the server to resolve the query), not tables created with CREATE TEMPORARY TABLE. Another pre-condition for the bug is a TRUE value of the --temp-pool startup option, which, however, is the default.

  The cause of the bug was that random memory was overwritten in bitmap_set_next() due to out-of-bound memory access.

  mysys/my_bitmap.c@stripped, 2006-07-26 16:23:05+04:00, kroki@stripped +1 -1
    Local 'bitmap_size' is measured in bytes, no need to multiply it by 8.

  sql/sql_select.cc@stripped, 2006-07-26 16:23:05+04:00, kroki@stripped +8 -4
    Clear the temp_pool_slot bit only if we have set it previously.

# This is a BitKeeper patch.
What follows are the unified diffs for the # set of deltas contained in the patch. The rest of the patch, the part # that BitKeeper cares about, is below these diffs. # User: kroki # Host: moonlight.intranet # Root: /home/tomash/src/mysql_ab/mysql-4.1-bug21206 --- 1.460/sql/sql_select.cc 2006-07-26 16:23:12 +04:00 +++ 1.461/sql/sql_select.cc 2006-07-26 16:23:12 +04:00 @@ -5240,12 +5240,14 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA param->group_length : 0, NullS)) { - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); DBUG_RETURN(NULL); /* purecov: inspected */ } if (!(param->copy_field=copy=new Copy_field[field_count])) { - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); my_free((gptr) table,MYF(0)); /* purecov: inspected */ DBUG_RETURN(NULL); /* purecov: inspected */ } @@ -5668,7 +5670,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA */ *table->blob_field= 0; free_tmp_table(thd,table); /* purecov: inspected */ - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); DBUG_RETURN(NULL); /* purecov: inspected */ } @@ -5831,7 +5834,8 @@ free_tmp_table(THD *thd, TABLE *entry) my_free((gptr) entry->record[0],MYF(0)); free_io_cache(entry); - bitmap_clear_bit(&temp_pool, entry->temp_pool_slot); + if (entry->temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, entry->temp_pool_slot); my_free((gptr) entry,MYF(0)); thd->proc_info=save_proc_info; --- 1.21/mysys/my_bitmap.c 2006-07-26 16:23:12 +04:00 +++ 1.22/mysys/my_bitmap.c 2006-07-26 16:23:12 +04:00 @@ -110,7 +110,7 @@ uint bitmap_set_next(MY_BITMAP *map) { uchar *bitmap=map->bitmap; uint bit_found = MY_BIT_NONE; - uint bitmap_size=map->bitmap_size*8; + uint bitmap_size=map->bitmap_size; uint i; DBUG_ASSERT(map->bitmap);
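Review bot: in the create_tmp_table hunk at -5240, the guard `if (temp_pool_slot != MY_BIT_NONE)` is now copy-pasted in front of every `bitmap_clear_bit(&temp_pool, temp_pool_slot);` (twice here, once more at -5668, and again in free_tmp_table); a small static helper along the lines of `release_temp_pool_slot(temp_pool_slot)` would make it impossible for a later early-return path to miss the check. The hunk also does not show where temp_pool_slot is assigned: if it comes straight from bitmap_set_next(), the success path needs to tolerate MY_BIT_NONE (pool full) as well, not only these cleanup paths.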
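Review bot: in the free_tmp_table hunk at -5831, guarding `entry->temp_pool_slot` is right, but the -5668 error path calls `free_tmp_table(thd,table);` and then clears `temp_pool_slot` again itself, so on that route either the same bit is cleared twice (harmless) or, if `table->temp_pool_slot` has not been populated yet when free_tmp_table runs, an unrelated value is used as the bit index; please confirm the field is initialised before that call, or drop the duplicate clear at -5668 in favour of this one.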
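Review bot: in the my_bitmap.c hunk at -110, the fix is correct (map->bitmap_size is a byte count, so the `*8` let the loop run up to seven times past the allocation once the map was full), but nothing in the code now records the unit; a comment on `uint bitmap_size=map->bitmap_size;` saying it is bytes, or renaming the local to `bytes`, would stop the multiplier from being reintroduced, and a regression test that fills a map completely and asserts bitmap_set_next() returns MY_BIT_NONE rather than an index >= bitmap_size*8 would have caught this.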
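Added illustration, not MySQL's code: a minimal model of the pool bitmap behind this patch, showing the byte-bounded scan in bitmap_set_next() and the MY_BIT_NONE guard the sql_select.cc hunks add before clearing a slot. MY_BIT_NONE, bitmap_set_next, bitmap_clear_bit and the 1024-slot pool come from the message; bitmap_t, release_temp_pool_slot, exhaust_pool and the pool_bytes buffer are assumptions made for the example.

```c
#define MY_BIT_NONE ((unsigned int)~0U)    /* "no free bit" sentinel, as in the diff */
#define TEMP_POOL_SLOTS 1024u              /* 1024 slots = 128 bytes of bitmap */

typedef struct {                            /* assumed stand-in for MY_BITMAP */
    unsigned char *bitmap;
    unsigned int   bitmap_size;             /* in BYTES: the unit the old code confused */
} bitmap_t;
/* Constructed 1024-slot pool, zero-initialised, standing in for the server's temp_pool. */
static unsigned char pool_bytes[TEMP_POOL_SLOTS / 8];
static bitmap_t temp_pool = { pool_bytes, sizeof pool_bytes };

/* Set and return the first clear bit, or MY_BIT_NONE when every bit is set. The loop
   bound is the byte count; the old "*8" let it read and write up to 7x past the end. */
unsigned int bitmap_set_next(bitmap_t *map)
{
    unsigned int bitmap_size = map->bitmap_size;    /* bytes, no *8 */
    for (unsigned int i = 0; i < bitmap_size; i++) {
        if (map->bitmap[i] != 0xFF) {
            unsigned int bit = 0;
            while (map->bitmap[i] & (1u << bit))
                bit++;
            map->bitmap[i] |= (unsigned char)(1u << bit);
            return i * 8 + bit;
        }
    }
    return MY_BIT_NONE;
}

void bitmap_clear_bit(bitmap_t *map, unsigned int bit)
{
    map->bitmap[bit / 8] &= (unsigned char)~(1u << (bit % 8));
}

/* The guard the patch adds on every release path: a slot of MY_BIT_NONE was
   never taken, and MY_BIT_NONE / 8 would index far outside the bitmap. */
void release_temp_pool_slot(bitmap_t *map, unsigned int slot)
{
    if (slot != MY_BIT_NONE)
        bitmap_clear_bit(map, slot);
}

/* Take slots until the pool is exhausted; returns how many were handed out. */
unsigned int exhaust_pool(bitmap_t *map)
{
    unsigned int taken = 0;
    while (bitmap_set_next(map) != MY_BIT_NONE)
        taken++;
    return taken;
}
```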