From:knielsen Date:May 9 2006 3:40pm
Subject:bk commit into 5.1 tree (knielsen:1.2383) BUG#19633
Below is the list of changes that have just been committed into a local
5.1 repository of knielsen. When knielsen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet
  1.2383 06/05/09 17:39:54 knielsen@stripped +5 -0
  BUG#19633: Fix stack corruption in THD::rollback_item_tree_changes().
  
  Stored procedure execution sometimes placed the address of auto (stack-allocated)
  variables in the list of Item changes to undo in THD::rollback_item_tree_changes().
  Undoing those changes after the variables had gone out of scope could corrupt the stack.

  sql/sql_class.cc
    1.258 06/05/09 17:39:49 knielsen@stripped +1 -1
    Avoid storing address of auto variables in global rollback list, to
    prevent stack memory corruption.

  sql/sp_rcontext.h
    1.32 06/05/09 17:39:49 knielsen@stripped +4 -4
    Avoid storing address of auto variables in global rollback list, to
    prevent stack memory corruption.

  sql/sp_rcontext.cc
    1.42 06/05/09 17:39:49 knielsen@stripped +7 -6
    Avoid storing address of auto variables in global rollback list, to
    prevent stack memory corruption.

  sql/sp_head.h
    1.87 06/05/09 17:39:49 knielsen@stripped +1 -1
    Avoid storing address of auto variables in global rollback list, to
    prevent stack memory corruption.

  sql/sp_head.cc
    1.219 06/05/09 17:39:49 knielsen@stripped +15 -14
    Avoid storing address of auto variables in global rollback list, to
    prevent stack memory corruption.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	knielsen
# Host:	rt.int.sifira.dk
# Root:	/usr/local/mysql/tmp-5.1

--- 1.257/sql/sql_class.cc	2006-05-05 19:08:37 +02:00
+++ 1.258/sql/sql_class.cc	2006-05-09 17:39:49 +02:00
@@ -1925,7 +1925,7 @@
       if ((yy=var_li++)) 
       {
 	if (thd->spcont->set_variable(current_thd, yy->get_var_idx(),
-                                      *it.ref()))
+                                      it.ref()))
 	  DBUG_RETURN(1);
       }
     }

--- 1.218/sql/sp_head.cc	2006-05-04 14:34:26 +02:00
+++ 1.219/sql/sp_head.cc	2006-05-09 17:39:49 +02:00
@@ -315,14 +315,15 @@
 */
 
 bool
-sp_eval_expr(THD *thd, Field *result_field, Item *expr_item)
+sp_eval_expr(THD *thd, Field *result_field, Item **expr_item_ptr)
 {
   DBUG_ENTER("sp_eval_expr");
 
-  if (!expr_item)
+  if (!*expr_item_ptr)
     DBUG_RETURN(TRUE);
 
-  if (!(expr_item= sp_prepare_func_item(thd, &expr_item)))
+  Item *expr_item = sp_prepare_func_item(thd, expr_item_ptr);
+  if (!expr_item)
     DBUG_RETURN(TRUE);
 
   bool err_status= FALSE;
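Review bot: The new guard `if (!*expr_item_ptr)` dereferences `expr_item_ptr` before anything checks that the pointer itself is non-null, whereas the old `Item *expr_item` parameter tolerated a null argument; unless every caller is known to pass a valid address, `if (!expr_item_ptr || !*expr_item_ptr) DBUG_RETURN(TRUE);` keeps the old tolerance. The doc comment that closes on the hunk's first line (`*/`) presumably still describes the old `Item *` parameter; it should say that `expr_item_ptr` must point at storage that outlives the call, since (per the commit message) the address may be recorded for later rollback. sp_eval_expr's body continues past the end of the hunk.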
@@ -1284,7 +1285,7 @@
       param_values[i]= Item_cache::get_cache(argp[i]->result_type());
       param_values[i]->store(argp[i]);
 
-      if (nctx->set_variable(thd, i, param_values[i]))
+      if (nctx->set_variable(thd, i, (struct Item **)&(param_values[i])))
       {
         err_status= TRUE;
         break;
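Review bot: `(struct Item **)&(param_values[i])` is a pointer-to-pointer pun: `Item_cache **` is not convertible to `Item **`, so if anything later writes a non-`Item_cache` item through that slot (presumably what an undo through a recorded `Item **` does) the array's element type is silently violated. Making it `reinterpret_cast<Item **>(&param_values[i])` at least keeps the pun greppable, and a one-line comment should state that `param_values` outlives the callee so the recorded address stays valid — I cannot see where `param_values` is allocated from this hunk. The enclosing function's start and end lie outside the hunk.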
@@ -1490,7 +1491,7 @@
         Item_null *null_item= new Item_null();
 
         if (!null_item ||
-            nctx->set_variable(thd, i, null_item))
+            nctx->set_variable(thd, i, (struct Item **)&null_item))
         {
           err_status= TRUE;
           break;
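Review bot: `&null_item` on the changed line is the address of the block-scoped auto variable declared two lines above (`Item_null *null_item= new Item_null();`), which is exactly the pattern this commit sets out to remove; if set_variable ever records that address for rollback it dangles as soon as this loop iteration ends. If a freshly constructed Item_null can never cause a rollback entry this is safe today, but that reasoning should be written down, e.g. `/* NOTE: address of a local; relies on set_variable never recording an Item_null slot for rollback. */`, or the item stored in a slot that outlives the loop. The `(struct Item **)` cast also hides that `Item_null **` is not an `Item **`. The enclosing function continues outside the hunk.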
@@ -1498,7 +1499,7 @@
       }
       else
       {
-        if (nctx->set_variable(thd, i, *it_args.ref()))
+        if (nctx->set_variable(thd, i, it_args.ref()))
         {
           err_status= TRUE;
           break;
@@ -1570,7 +1571,7 @@
       {
         if (octx->set_variable(thd,
                                ((Item_splocal*) arg_item)->get_var_idx(),
-                               nctx->get_item(i)))
+                               nctx->get_item_addr(i)))
         {
           err_status= TRUE;
           break;
@@ -1582,15 +1583,15 @@
 
 	if (guv)
 	{
-	  Item *item= nctx->get_item(i);
+	  Item **item= nctx->get_item_addr(i);
 	  Item_func_set_user_var *suv;
 
-	  suv= new Item_func_set_user_var(guv->get_name(), item);
+	  suv= new Item_func_set_user_var(guv->get_name(), *item);
 	  /*
             Item_func_set_user_var is not fixed after construction,
             call fix_fields().
 	  */
-          if ((err_status= test(!suv || suv->fix_fields(thd, &item) ||
+          if ((err_status= test(!suv || suv->fix_fields(thd, item) ||
                                 suv->check() || suv->update())))
             break;
 	}
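Review bot: `suv->fix_fields(thd, item)` now passes the address of the callee context's variable slot as the `ref` argument, where the old code passed the address of a local copy; if Item_func_set_user_var::fix_fields (or anything it calls) writes through `*ref` to substitute an item, it now overwrites nctx's variable instead of a throwaway local. Conventionally `ref` is the location that holds the item being fixed, which this slot is not (it holds `*item`, the argument). Please confirm fix_fields never writes through `ref` on this path and say so in a comment on that line, e.g. `/* ref is nctx's slot, not &suv: fix_fields must not replace *ref here. */`. The enclosing function's start and end lie outside the hunk.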
@@ -2372,7 +2373,7 @@
 int
 sp_instr_set::exec_core(THD *thd, uint *nextp)
 {
-  int res= thd->spcont->set_variable(thd, m_offset, m_value);
+  int res= thd->spcont->set_variable(thd, m_offset, &m_value);
 
   if (res && thd->spcont->found_handler_here())
   {
@@ -2647,7 +2648,7 @@
     do it in scope of execution the current context/block.
   */
 
-  return thd->spcont->set_return_value(thd, m_value);
+  return thd->spcont->set_return_value(thd, &m_value);
 }
 
 void
@@ -3091,7 +3092,7 @@
 int
 sp_instr_set_case_expr::exec_core(THD *thd, uint *nextp)
 {
-  int res= thd->spcont->set_case_expr(thd, m_case_expr_id, m_case_expr);
+  int res= thd->spcont->set_case_expr(thd, m_case_expr_id, &m_case_expr);
 
   if (res &&
       !thd->spcont->get_case_expr(m_case_expr_id) &&
@@ -3105,7 +3106,7 @@
     Item *null_item= new Item_null();
     
     if (!null_item ||
-        thd->spcont->set_case_expr(thd, m_case_expr_id, null_item))
+        thd->spcont->set_case_expr(thd, m_case_expr_id, &null_item))
     {
       /* If this also failed, we have to abort. */
 
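Review bot: `&null_item` on the changed line takes the address of the auto variable `Item_null *null_item` declared four lines above, the same stack-address pattern the commit removes elsewhere; it is only safe if set_case_expr / sp_prepare_func_item never records that address for rollback, which I cannot confirm from here. At minimum a comment on the call should state that assumption, e.g. `/* address of a local: safe only because an Item_null cannot produce a rollback entry -- verify */`. The enclosing function continues past the hunk.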

--- 1.86/sql/sp_head.h	2006-05-04 14:34:26 +02:00
+++ 1.87/sql/sp_head.h	2006-05-09 17:39:49 +02:00
@@ -1170,6 +1170,6 @@
 sp_prepare_func_item(THD* thd, Item **it_addr);
 
 bool
-sp_eval_expr(THD *thd, Field *result_field, Item *expr_item);
+sp_eval_expr(THD *thd, Field *result_field, Item **expr_item_ptr);
 
 #endif /* _SP_HEAD_H_ */
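Review bot: The changed declaration gives no hint why the parameter became `Item **`, which is precisely the knowledge a future caller needs in order not to pass `&local` again — the mistake this commit fixes. A one-line comment above it would carry that contract: `/* expr_item_ptr must point at storage that outlives this call: its address may be recorded for THD::rollback_item_tree_changes(). */`.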

--- 1.41/sql/sp_rcontext.cc	2006-04-07 16:53:11 +02:00
+++ 1.42/sql/sp_rcontext.cc	2006-05-09 17:39:49 +02:00
@@ -150,7 +150,7 @@
 
 
 bool
-sp_rcontext::set_return_value(THD *thd, Item *return_value_item)
+sp_rcontext::set_return_value(THD *thd, Item **return_value_item)
 {
   DBUG_ASSERT(m_return_value_fld);
 
@@ -279,14 +279,14 @@
 
 
 int
-sp_rcontext::set_variable(THD *thd, uint var_idx, Item *value)
+sp_rcontext::set_variable(THD *thd, uint var_idx, Item **value)
 {
   return set_variable(thd, m_var_table->field[var_idx], value);
 }
 
 
 int
-sp_rcontext::set_variable(THD *thd, Field *field, Item *value)
+sp_rcontext::set_variable(THD *thd, Field *field, Item **value)
 {
   if (!value)
   {
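Review bot: `if (!value)` on the last line of the hunk now tests the `Item **` rather than the Item it points to; every caller in this commit passes `&local`, `&m_value`, `it.ref()` or `get_item_addr()`, none of which can be null, so whatever this branch did for a null Item is no longer reachable that way and a null `*value` would presumably go on to be dereferenced. `if (!value || !*value)` preserves the previous check. The branch body and the rest of set_variable lie outside the hunk, so I cannot see what the null path does.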
@@ -478,9 +478,10 @@
 */
 
 int
-sp_rcontext::set_case_expr(THD *thd, int case_expr_id, Item *case_expr_item)
+sp_rcontext::set_case_expr(THD *thd, int case_expr_id, Item **case_expr_item_ptr)
 {
-  if (!(case_expr_item= sp_prepare_func_item(thd, &case_expr_item)))
+  Item *case_expr_item= sp_prepare_func_item(thd, case_expr_item_ptr);
+  if (!case_expr_item)
     return TRUE;
 
   if (!m_case_expr_holders[case_expr_id] ||
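Review bot: Unlike the parallel rewrite of sp_eval_expr in sp_head.cc, which guards `!*expr_item_ptr` before calling sp_prepare_func_item, this version hands `case_expr_item_ptr` through unchecked; if sp_prepare_func_item dereferences its argument unconditionally, a null case expression crashes here rather than returning TRUE. For consistency add `if (!case_expr_item_ptr || !*case_expr_item_ptr) return TRUE;` before the call. The function continues past the end of the hunk.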
@@ -542,7 +543,7 @@
   */
   for (; spvar= spvar_iter++, item= item_iter++; )
   {
-    if (thd->spcont->set_variable(thd, spvar->offset, item))
+    if (thd->spcont->set_variable(thd, spvar->offset, &item))
       return TRUE;
   }
   return FALSE;
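Review bot: `&item` on the changed line is the address of the loop variable assigned in `for (; spvar= spvar_iter++, item= item_iter++; )`, i.e. an auto variable — the very pattern the commit removes elsewhere; if set_variable records it for rollback, the entry is overwritten by the next iteration and dangles once the function returns. The other call sites in this commit use the list node's slot instead, which would read `if (thd->spcont->set_variable(thd, spvar->offset, item_iter.ref()))`. I am assuming `item_iter` is a List_iterator whose ref() yields the address of the element just returned, as `it.ref()` / `it_args.ref()` are used in sql_class.cc and sp_head.cc; the enclosing function begins outside the hunk.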

--- 1.31/sql/sp_rcontext.h	2006-04-07 16:53:11 +02:00
+++ 1.32/sql/sp_rcontext.h	2006-05-09 17:39:49 +02:00
@@ -91,7 +91,7 @@
   ~sp_rcontext();
 
   int
-  set_variable(THD *thd, uint var_idx, Item *value);
+  set_variable(THD *thd, uint var_idx, Item **value);
 
   Item *
   get_item(uint var_idx);
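Review bot: The new `Item **value` signature changes the caller's obligation from "pass an Item" to "pass the address of an Item slot that stays valid", but nothing at the declaration says so, and the commit itself shows how easy it is to pass the address of a local. A comment above the declaration would fix that: `/* value: address of the Item slot, never of a local; the address may be recorded for THD::rollback_item_tree_changes() and must outlive it. */`.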
@@ -100,7 +100,7 @@
   get_item_addr(uint var_idx);
 
   bool
-  set_return_value(THD *thd, Item *return_value_item);
+  set_return_value(THD *thd, Item **return_value_item);
 
   inline bool
   is_return_value_set() const
@@ -200,7 +200,7 @@
   */
 
   int
-  set_case_expr(THD *thd, int case_expr_id, Item *case_expr_item);
+  set_case_expr(THD *thd, int case_expr_id, Item **case_expr_item_ptr);
 
   Item *
   get_case_expr(int case_expr_id);
@@ -254,7 +254,7 @@
 
   Item_cache *create_case_expr_holder(THD *thd, Item_result result_type);
 
-  int set_variable(THD *thd, Field *field, Item *value);
+  int set_variable(THD *thd, Field *field, Item **value);
 }; // class sp_rcontext : public Sql_alloc
 
 