MySQL Lists are EOL. Please join:

List:Commits« Previous MessageNext Message »
From:kroki Date:July 27 2006 9:59am
Subject:bk commit into 5.0 tree (kroki:1.2234) BUG#21206
View as plain text  
Below is the list of changes that have just been committed into a local
5.0 repository of tomash. When tomash does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-07-27 13:59:15+04:00, kroki@stripped +3 -0
  BUG#21206: memory corruption when too many cursors are opened at once
  
  Too many cursors (more than 1024) could lead to memory corruption.
  This affects both, stored routines and C API cursors, and the
  threshold is per-server, not per-connection.  Similarly, the
  corruption could happen when the server was under heavy load
  (executing more than 1024 simultaneous complex queries), and this is
  the reason why this bug is fixed in 4.1, which doesn't support
  cursors.
  
  The corruption was caused by a bug in the temporary tables code, when
  an attempt to create a table could lead to a write beyond allocated
  space.  Note, that only internal tables were affected (the tables
  created internally by the server to resolve the query), not tables
  created with CREATE TEMPORARY TABLE.  Another pre-condition for the
  bug is TRUE value of --temp-pool startup option, which, however, is a
  default.
  
  The cause of a bug was that random memory was overwritten in
  bitmap_set_next() due to out-of-bound memory access.

  mysys/my_bitmap.c@stripped, 2006-07-27 13:59:12+04:00, kroki@stripped +2 -2
    Local 'bitmap_size' is measured in bytes, no need to multiply it by 8.

  sql/sql_select.cc@stripped, 2006-07-27 13:59:12+04:00, kroki@stripped +8 -4
    Clear the temp_pool_slot bit only if we have set it previously.

  tests/mysql_client_test.c@stripped, 2006-07-27 13:59:13+04:00, kroki@stripped +48 -1
    Add test case for bug#21206: memory corruption when too many cursors
    are opened at once.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	kroki
# Host:	moonlight.intranet
# Root:	/home/tomash/src/mysql_ab/mysql-5.0-release

--- 1.426/sql/sql_select.cc	2006-07-27 13:59:22 +04:00
+++ 1.427/sql/sql_select.cc	2006-07-27 13:59:22 +04:00
@@ -8375,13 +8375,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
                         param->group_length : 0,
                         NullS))
   {
-    bitmap_clear_bit(&temp_pool, temp_pool_slot);
+    if (temp_pool_slot != MY_BIT_NONE)
+      bitmap_clear_bit(&temp_pool, temp_pool_slot);
     DBUG_RETURN(NULL);				/* purecov: inspected */
   }
   /* Copy_field belongs to TMP_TABLE_PARAM, allocate it in THD mem_root */
   if (!(param->copy_field= copy= new (thd->mem_root) Copy_field[field_count]))
   {
-    bitmap_clear_bit(&temp_pool, temp_pool_slot);
+    if (temp_pool_slot != MY_BIT_NONE)
+      bitmap_clear_bit(&temp_pool, temp_pool_slot);
     free_root(&own_root, MYF(0));               /* purecov: inspected */
     DBUG_RETURN(NULL);				/* purecov: inspected */
   }
@@ -8905,7 +8907,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
 err:
   thd->mem_root= mem_root_save;
   free_tmp_table(thd,table);                    /* purecov: inspected */
-  bitmap_clear_bit(&temp_pool, temp_pool_slot);
+  if (temp_pool_slot != MY_BIT_NONE)
+    bitmap_clear_bit(&temp_pool, temp_pool_slot);
   DBUG_RETURN(NULL);				/* purecov: inspected */
 }
 
@@ -9193,7 +9196,8 @@ free_tmp_table(THD *thd, TABLE *entry)
     (*ptr)->free();
   free_io_cache(entry);
 
-  bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
+  if (entry->temp_pool_slot != MY_BIT_NONE)
+    bitmap_clear_bit(&temp_pool, entry->temp_pool_slot);
 
   free_root(&own_root, MYF(0)); /* the table is allocated in its own root */
   thd->proc_info=save_proc_info;

--- 1.30/mysys/my_bitmap.c	2006-07-27 13:59:22 +04:00
+++ 1.31/mysys/my_bitmap.c	2006-07-27 13:59:22 +04:00
@@ -159,7 +159,7 @@ uint bitmap_set_next(MY_BITMAP *map)
 {
   uchar *bitmap=map->bitmap;
   uint bit_found = MY_BIT_NONE;
-  uint bitmap_size=map->bitmap_size*8;
+  uint bitmap_size=map->bitmap_size;
   uint i;
 
   DBUG_ASSERT(map->bitmap);
@@ -445,7 +445,7 @@ uint bitmap_get_first(const MY_BITMAP *m
 {
   uchar *bitmap=map->bitmap;
   uint bit_found = MY_BIT_NONE;
-  uint bitmap_size=map->bitmap_size*8;
+  uint bitmap_size=map->bitmap_size;
   uint i;
 
   DBUG_ASSERT(map->bitmap);

--- 1.187/tests/mysql_client_test.c	2006-07-27 13:59:22 +04:00
+++ 1.188/tests/mysql_client_test.c	2006-07-27 13:59:22 +04:00
@@ -14929,7 +14929,53 @@ static void test_bug14169()
 
   rc= mysql_query(mysql, "drop table t1");
   myquery(rc);
-}/*
+}
+
+
+/*
+  Bug#21206: memory corruption when too many cursors are opened at once
+
+  Memory corruption happens when more than 1024 cursors are open
+  simultaneously.
+*/
+static void test_bug21206()
+{
+  const size_t cursor_count= 1025;
+
+  const char *create_table[]=
+  {
+    "DROP TABLE IF EXISTS t1",
+    "CREATE TABLE t1 (i INT)",
+    "INSERT INTO t1 VALUES (1), (2), (3)"
+  };
+  const char *query= "SELECT * FROM t1";
+
+  Stmt_fetch *fetch_array=
+    (Stmt_fetch*) calloc(cursor_count, sizeof(Stmt_fetch));
+
+  Stmt_fetch *fetch;
+
+  DBUG_ENTER("test_bug21206");
+  myheader("test_bug21206");
+
+  fill_tables(create_table, sizeof(create_table) / sizeof(*create_table));
+
+  for (fetch= fetch_array; fetch < fetch_array + cursor_count; ++fetch)
+  {
+    /* Init will exit(1) in case of error */
+    stmt_fetch_init(fetch, fetch - fetch_array, query);
+  }
+
+  for (fetch= fetch_array; fetch < fetch_array + cursor_count; ++fetch)
+    stmt_fetch_close(fetch);
+
+  free(fetch_array);
+
+  DBUG_VOID_RETURN;
+}
+
+
+/*
   Read and parse arguments and MySQL options from my.cnf
 */
 
@@ -15195,6 +15241,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug15613", test_bug15613 },
   { "test_bug14169", test_bug14169 },
   { "test_bug17667", test_bug17667 },
+  { "test_bug21206", test_bug21206 },
   { 0, 0 }
 };
 
Thread
bk commit into 5.0 tree (kroki:1.2234) BUG#21206kroki27 Jul