diff options
| author | Sergei Petrunia <psergey@askmonty.org> | 2020-01-12 20:50:12 +0200 |
|---|---|---|
| committer | Sergei Petrunia <psergey@askmonty.org> | 2020-01-14 18:15:32 +0300 |
| commit | 5e5ae51b730aa67f9efb87af4f4921309eac51f1 (patch) | |
| tree | c4f5bfbf4a0c73e90a3b935caedc2c6dc943c10d /sql/sp_head.cc | |
| parent | cb204e11eaf4c473ce5d5a10a21de147430057dc (diff) | |
| download | mariadb-git-5e5ae51b730aa67f9efb87af4f4921309eac51f1.tar.gz | |
MDEV-21341: Fix UBSAN failures: Issue Six
(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 requires extra work due to sp_package, will commit a separate
patch for it)
sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.
Fixed by providing static sp_head::create() and sp_head::destroy() methods.
Diffstat (limited to 'sql/sp_head.cc')
| -rw-r--r-- | sql/sp_head.cc | 62 |
1 files changed, 27 insertions, 35 deletions
diff --git a/sql/sp_head.cc b/sql/sp_head.cc index 5c5688be4a3..f940040b480 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -550,51 +550,41 @@ check_routine_name(LEX_STRING *ident) } -/* - * - * sp_head - * - */ - -void * -sp_head::operator new(size_t size) throw() +sp_head* sp_head::create() { - DBUG_ENTER("sp_head::operator new"); MEM_ROOT own_root; + init_sql_alloc(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC, MYF(0)); sp_head *sp; + if (!(sp= new (&own_root) sp_head(&own_root))) + free_root(&own_root, MYF(0)); - init_sql_alloc(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC, MYF(0)); - sp= (sp_head *) alloc_root(&own_root, size); - if (sp == NULL) - DBUG_RETURN(NULL); - sp->main_mem_root= own_root; - DBUG_PRINT("info", ("mem_root 0x%lx", (ulong) &sp->mem_root)); - DBUG_RETURN(sp); + return sp; } -void -sp_head::operator delete(void *ptr, size_t size) throw() -{ - DBUG_ENTER("sp_head::operator delete"); - MEM_ROOT own_root; - if (ptr == NULL) - DBUG_VOID_RETURN; - - sp_head *sp= (sp_head *) ptr; - - /* Make a copy of main_mem_root as free_root will free the sp */ - own_root= sp->main_mem_root; - DBUG_PRINT("info", ("mem_root 0x%lx moved to 0x%lx", - (ulong) &sp->mem_root, (ulong) &own_root)); - free_root(&own_root, MYF(0)); +void sp_head::destroy(sp_head *sp) +{ + if (sp) + { + /* Make a copy of main_mem_root as free_root will free the sp */ + MEM_ROOT own_root= sp->main_mem_root; + delete sp; - DBUG_VOID_RETURN; + DBUG_PRINT("info", ("mem_root 0x%lx moved to 0x%lx", + (ulong) &sp->mem_root, (ulong) &own_root)); + free_root(&own_root, MYF(0)); + } } +/* + * + * sp_head + * + */ -sp_head::sp_head() - :Query_arena(&main_mem_root, STMT_INITIALIZED_FOR_SP), +sp_head::sp_head(MEM_ROOT *mem_root_arg) + :Query_arena(NULL, STMT_INITIALIZED_FOR_SP), + main_mem_root(*mem_root_arg), // todo: std::move operator. m_flags(0), m_sp_cache_version(0), m_creation_ctx(0), @@ -603,6 +593,8 @@ sp_head::sp_head() m_next_cached_sp(0), m_cont_level(0) { + mem_root= &main_mem_root; + m_first_instance= this; m_first_free_instance= this; m_last_cached_sp= this; @@ -848,7 +840,7 @@ sp_head::~sp_head() my_hash_free(&m_sptabs); my_hash_free(&m_sroutines); - delete m_next_cached_sp; + sp_head::destroy(m_next_cached_sp); DBUG_VOID_RETURN; } |