author: Ahmad Abdullateef <ahmad.abdullateef@oracle.com> 2012-12-18 22:16:12 +0530
committer: Ahmad Abdullateef <ahmad.abdullateef@oracle.com> 2012-12-18 22:16:12 +0530
commit: b12fe50226f89f3543904291c76e9b058aec38e1
tree: 1e2f70b9a6345050493a1f0064dba21db9a5e2ba /mysys/thr_rwlock.c
parent: 5395f4a59721c0de8934d693f9d393f6e2393d68
parent: febe03c2dbc3b9cab4f7e083274619f6bb96ec4a
BUG#14727815 - CRASH IN PTHREAD_RWLOCK_WRLOCK/SRW_UNLOCK IN QUERY CACHE CODE

DESCRIPTION: MySQL Server crashes sporadically when Query Caching is on and the server has high contention among clients.

ANALYSIS:

Scenario 1: In Query_cache::move_by_type() when handling RESULT or its related blocks, Write Lock is acquired on its parent Query block. However the next and prev pointers are cached in local variables before lock acquisition. In an extremely high contention scenario there exists a possibility that Query_cache::append_result_data() is operating on the same query block and as a consequence might append a new Result block to the end of Result blocks Linked List of the Query. This would manipulate the next, prev pointers of the Block being processed in move_by_type(), however the local pointers still point to previous nodes thereby causing Data Corruption leading to crash.

Scenario 2: In Windows SDK "BOOL" is typedefed as "int" and BOOLEAN is typedefed as "unsigned char". The function pointer definition "srw_bool_func" mistakenly uses BOOL instead of BOOLEAN thereby virtually making the function my_TryAcquireSRWLockExclusive() always succeed because only the LSB of EAX has the actual result of the call, however due to type mismatch all bytes of EAX are used for evaluation. Again during high contention scenarios in Query_cache::free_old_query() calls try_lock_writing() on a Query, this call always succeeds and the query is freed, even though it is used by some other thread, in this case Query_cache::send_result_to_client() was using it and the code causes a crash because it accessed free or reallocated memory.

FIX:

Scenario 1: The next, prev pointers are now accessed only after Lock acquisition in Query_cache::move_by_type().

Scenario 2: In the definition of "srw_bool_func" BOOL has been replaced with "BOOLEAN".
Diffstat (limited to 'mysys/thr_rwlock.c')
-rw-r--r-- mysys/thr_rwlock.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/mysys/thr_rwlock.c b/mysys/thr_rwlock.c
index 10ed9a7776e..9bfaa8b63d2 100644
--- a/mysys/thr_rwlock.c
+++ b/mysys/thr_rwlock.c
@@ -24,7 +24,7 @@
static BOOL have_srwlock= FALSE;
/* Prototypes and function pointers for windows functions */
typedef VOID (WINAPI* srw_func) (PSRWLOCK SRWLock);
-typedef BOOL (WINAPI* srw_bool_func) (PSRWLOCK SRWLock);
+typedef BOOLEAN (WINAPI* srw_bool_func) (PSRWLOCK SRWLock);
static srw_func my_InitializeSRWLock;
static srw_func my_AcquireSRWLockExclusive;
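Review bot: the corrected `srw_bool_func` typedef has no comment saying why its return type must be BOOLEAN rather than BOOL, and `have_srwlock` two lines above is still declared BOOL, so a later consistency cleanup could silently revert this fix. Suggest a one-line comment on the typedef recording what the commit message explains: BOOLEAN is an unsigned char, only the low byte of the return register carries the result, and declaring the pointer as returning BOOL makes the try-lock appear to always succeed. The call sites that use pointers of this type are outside this hunk; it is worth confirming in the same review that they test the result for zero or non-zero and do not store it in a BOOL and compare it with TRUE.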