From:Davi Arnaut Date:April 1 2010 1:15pm
Subject:bzr commit into mysql-5.1-bugteam branch (davi:3439) Bug#50755
# At a local mysql-5.1-bugteam repository of davi

 3439 Davi Arnaut	2010-04-01
      Bug#50755: Crash if stored routine def contains version comments
      
      The problem was that a syntactically invalid trigger could cause
      the server to crash when trying to list triggers. The crash would
      happen due to a mishap in the backup/restore procedure that should
      protect parser items which are not associated with the trigger. The
      backup/restore is used to isolate the parse tree (and context) of
      a statement from the load (and parsing) of a trigger. In this case,
      an error during the parsing of a trigger could cause the improper
      backup/restore sequence.
      
      The solution is to properly restore the original statement context
      before the parser is exited due to syntax errors in the trigger body.
     @ mysql-test/r/trigger.result
        Add test case result for Bug#50755
     @ mysql-test/t/trigger.test
        Add test case for Bug#50755
     @ sql/sp_head.cc
        Merge sp_head::destroy() and sp_head destructor. Retrieve THD
        from the LEX so that m_thd is not necessary.
     @ sql/sql_lex.cc
        Explicitly restore the original environment.

    modified:
      mysql-test/r/trigger.result
      mysql-test/t/trigger.test
      sql/sp_head.cc
      sql/sp_head.h
      sql/sql_lex.cc
=== modified file 'mysql-test/r/trigger.result'
--- a/mysql-test/r/trigger.result	2010-03-29 02:32:30 +0000
+++ b/mysql-test/r/trigger.result	2010-04-01 13:15:22 +0000
@@ -2128,4 +2128,27 @@ Warning	1048	Column 'id' cannot be null
 Warning	1048	Column 'id' cannot be null
 DROP TRIGGER t1_bu;
 DROP TABLE t1,t2;
+#
+# Bug#50755: Crash if stored routine def contains version comments
+#
+DROP DATABASE IF EXISTS db1;
+DROP TRIGGER IF EXISTS trg1;
+DROP TABLE IF EXISTS t1, t2;
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (b INT);
+CREATE TABLE t2 (a INT);
+CREATE TRIGGER trg1 BEFORE INSERT ON t2 FOR EACH ROW INSERT/*!INTO*/t1 VALUES (1);
+# Used to crash
+SHOW TRIGGERS IN db1;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer	character_set_client	collation_connection	Database Collation
+Warnings:
+Warning	1064	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES (1)' at line 1
+INSERT INTO t2 VALUES (1);
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES (1)' at line 1
+SELECT * FROM t1;
+b
+# Work around Bug#45235
+DROP DATABASE db1;
+USE test;
 End of 5.1 tests.

=== modified file 'mysql-test/t/trigger.test'
--- a/mysql-test/t/trigger.test	2010-03-29 02:32:30 +0000
+++ b/mysql-test/t/trigger.test	2010-04-01 13:15:22 +0000
@@ -2439,4 +2439,35 @@ UPDATE t1 SET id=NULL;
 DROP TRIGGER t1_bu;
 DROP TABLE t1,t2;
 
+--echo #
+--echo # Bug#50755: Crash if stored routine def contains version comments
+--echo #
+
+--disable_warnings
+DROP DATABASE IF EXISTS db1;
+DROP TRIGGER IF EXISTS trg1;
+DROP TABLE IF EXISTS t1, t2;
+--enable_warnings
+
+CREATE DATABASE db1;
+USE db1;
+
+CREATE TABLE t1 (b INT);
+CREATE TABLE t2 (a INT);
+
+CREATE TRIGGER trg1 BEFORE INSERT ON t2 FOR EACH ROW INSERT/*!INTO*/t1 VALUES (1);
+--echo # Used to crash
+SHOW TRIGGERS IN db1;
+--error ER_PARSE_ERROR
+INSERT INTO t2 VALUES (1);
+SELECT * FROM t1;
+
+--echo # Work around Bug#45235
+let $MYSQLD_DATADIR = `select @@datadir`;
+--remove_file $MYSQLD_DATADIR/db1/t2.TRG
+--remove_file $MYSQLD_DATADIR/db1/trg1.TRN
+
+DROP DATABASE db1;
+USE test;
+
 --echo End of 5.1 tests.

=== modified file 'sql/sp_head.cc'
--- a/sql/sp_head.cc	2010-03-29 02:32:30 +0000
+++ b/sql/sp_head.cc	2010-04-01 13:15:22 +0000
@@ -745,21 +745,12 @@ sp_head::create(THD *thd)
 
 sp_head::~sp_head()
 {
+  LEX *lex;
+  sp_instr *i;
   DBUG_ENTER("sp_head::~sp_head");
-  destroy();
-  delete m_next_cached_sp;
-  if (m_thd)
-    restore_thd_mem_root(m_thd);
-  DBUG_VOID_RETURN;
-}
 
-void
-sp_head::destroy()
-{
-  sp_instr *i;
-  LEX *lex;
-  DBUG_ENTER("sp_head::destroy");
-  DBUG_PRINT("info", ("name: %s", m_name.str));
+  /* sp_head::restore_thd_mem_root() must already have been called. */
+  DBUG_ASSERT(m_thd == NULL);
 
   for (uint ip = 0 ; (i = get_instr(ip)) ; ip++)
     delete i;
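Review bot: The destructor now relies on every owner calling sp_head::restore_thd_mem_root() before `delete`, but the added `DBUG_ASSERT(m_thd == NULL)` checks that only in debug builds; in a release build a deletion site that skips the call leaves the THD's mem_root pointing at storage freed together with this object, and the old implicit `if (m_thd) restore_thd_mem_root(m_thd)` is gone. Only the sql_lex.cc call site is visible here, so whether all other deletion paths already restore cannot be confirmed from this diff. The comment above the assert should state the consequence rather than just the rule, e.g. `/* Owner must call restore_thd_mem_root() before delete: until then the THD's mem_root still points into this object and is not restored here. */`. The destructor body continues into the next hunk.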
@@ -770,21 +761,22 @@ sp_head::destroy()
   /*
     If we have non-empty LEX stack then we just came out of parser with
     error. Now we should delete all auxilary LEXes and restore original
-    THD::lex (In this case sp_head::restore_thd_mem_root() was not called
-    too, so m_thd points to the current thread context).
-    It is safe to not update LEX::ptr because further query string parsing
-    and execution will be stopped anyway.
+    THD::lex. It is safe to not update LEX::ptr because further query
+    string parsing and execution will be stopped anyway.
   */
-  DBUG_ASSERT(m_lex.is_empty() || m_thd);
   while ((lex= (LEX *)m_lex.pop()))
   {
-    lex_end(m_thd->lex);
-    delete m_thd->lex;
-    m_thd->lex= lex;
+    THD *thd= lex->thd;
+    lex_end(thd->lex);
+    delete thd->lex;
+    thd->lex= lex;
   }
 
   hash_free(&m_sptabs);
   hash_free(&m_sroutines);
+
+  delete m_next_cached_sp;
+
   DBUG_VOID_RETURN;
 }
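Review bot: The LEX-stack unwind now takes the thread from `lex->thd` of each popped LEX, and the removed `DBUG_ASSERT(m_lex.is_empty() || m_thd)` is not replaced by any check; the new code therefore assumes that whenever m_lex is non-empty, each stacked LEX still holds a live `thd` for the thread running this destructor. That holds on the parse-error path the commit fixes, but nothing in the hunk verifies it. A debug check inside the loop such as `DBUG_ASSERT(lex->thd == current_thd);` would make the assumption explicit, and the block comment above the loop could add a sentence saying that a non-empty stack can only exist while the parsing thread is still unwinding. The destructor begins in the preceding hunk.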
 

=== modified file 'sql/sp_head.h'
--- a/sql/sp_head.h	2009-11-20 15:18:01 +0000
+++ b/sql/sp_head.h	2010-04-01 13:15:22 +0000
@@ -289,10 +289,6 @@ public:
 
   virtual ~sp_head();
 
-  /// Free memory
-  void
-  destroy();
-
   bool
   execute_trigger(THD *thd,
                   const LEX_STRING *db_name,

=== modified file 'sql/sql_lex.cc'
--- a/sql/sql_lex.cc	2010-02-06 19:54:30 +0000
+++ b/sql/sql_lex.cc	2010-04-01 13:15:22 +0000
@@ -2106,6 +2106,7 @@ void st_lex::cleanup_lex_after_parse_err
   */
   if (thd->lex->sphead)
   {
+    thd->lex->sphead->restore_thd_mem_root(thd);
     delete thd->lex->sphead;
     thd->lex->sphead= NULL;
   }
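Review bot: The added restore_thd_mem_root() call carries no comment, yet its position before the `delete` is now load-bearing: ~sp_head() asserts that the restore has already happened and no longer performs it itself, so reordering or dropping this line would reintroduce the dangling mem_root. A one-line comment such as `/* Restore THD's arena first; ~sp_head() requires m_thd == NULL and does not restore it. */` would protect the ordering. The enclosing function (cleanup_lex_after_parse_err… per the hunk header) starts before this hunk.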


Attachment: [text/bzr-bundle] bzr/davi.arnaut@sun.com-20100401131522-efm33pplutytnz73.bundle