author | Sergei Petrunia <psergey@askmonty.org> | 2020-01-12 22:15:55 +0300 |
---|---|---|
committer | Sergei Petrunia <psergey@askmonty.org> | 2020-01-12 22:15:55 +0300 |
commit | d531b4ee3a9bcd89a2fa6b49a2207eaf966f53e3 (patch) | |
tree | fbdc8bb230c6d123f8b2484878acf234caf46810 /sql/sp_head.h | |
parent | 9c3eca85141836548214e3c68f256b3868502509 (diff) | |
MDEV-21341: Fix UBSAN failures: Issue Six (bb-10.3-mdev21341-issueSix)
(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 version of the fix, with handling for class sp_package)
sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.
Fixed by providing static sp_head::create() and sp_head::destroy() methods.
Diffstat (limited to 'sql/sp_head.h')
-rw-r--r-- | sql/sp_head.h | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/sql/sp_head.h b/sql/sp_head.h index 75c95d6705d..7e00cf7a0d8 100644 --- a/sql/sp_head.h +++ b/sql/sp_head.h @@ -127,7 +127,8 @@ bool check_routine_name(const LEX_CSTRING *ident); class sp_head :private Query_arena, - public Database_qualified_name + public Database_qualified_name, + public Sql_alloc { sp_head(const sp_head &); /**< Prevent use of these */ void operator=(sp_head &); @@ -316,13 +317,14 @@ public: */ SQL_I_List<Item_trigger_field> m_trg_table_fields; - static void * - operator new(size_t size) throw (); +protected: + sp_head(MEM_ROOT *mem_root, sp_package *parent, const Sp_handler *handler); + virtual ~sp_head(); - static void - operator delete(void *ptr, size_t size) throw (); +public: + static void destroy(sp_head *sp); + static sp_head *create(sp_package *parent, const Sp_handler *handler); - sp_head(sp_package *parent, const Sp_handler *handler); /// Initialize after we have reset mem_root void @@ -340,7 +342,6 @@ public: void set_stmt_end(THD *thd); - virtual ~sp_head(); bool execute_trigger(THD *thd, @@ -964,10 +965,16 @@ public: bool m_is_instantiated; bool m_is_cloning_routine; - sp_package(LEX *top_level_lex, +private: + sp_package(MEM_ROOT *mem_root, + LEX *top_level_lex, const sp_name *name, const Sp_handler *sph); ~sp_package(); +public: + static sp_package *create(LEX *top_level_lex, const sp_name *name, + const Sp_handler *sph); + bool add_routine_declaration(LEX *lex) { return m_routine_declarations.check_dup_qualified(lex->sphead) || |
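Review bot: The `public Sql_alloc` base added to the `sp_head` class head in the first hunk carries no comment explaining why it is there, although it changes which `operator new`/`operator delete` the class uses. If `Sql_alloc::operator delete` does not release memory (its definition is not on this page, so this is inferred), a `delete` expression written inside a member or a derived class would still compile, run the destructor and leave the owned MEM_ROOT unfreed. I would add above the class `/* Lives inside the MEM_ROOT it owns: allocate with create(), release only with destroy(), never with delete. */`. The class body continues outside the hunk.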
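Review bot: `destroy(sp_head *sp)` and `create(sp_package *parent, const Sp_handler *handler)` are declared in the second hunk's new `public:` section with no statement of their contract, and both replace operations whose edge cases callers may have relied on. A `delete sp` expression is a no-op for a null pointer and the removed `operator new` was declared `throw ()`, so call sites may pass null to `destroy()` or expect null back from `create()`; neither definition is visible in this file's diff. I would document both at the declaration, for example `/// Runs the destructor, then frees the MEM_ROOT holding *sp; sp may be NULL.` and `/// Returns NULL if the MEM_ROOT or the object cannot be allocated.`, adjusted to what the .cc file does. The comment on `destroy()` should also say that `sp` is dangling once the call returns, because the object is stored in the root being freed.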
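Review bot: In the last hunk `sp_package` declares its constructor and `~sp_package()` `private`, whereas the base class in the second hunk uses `protected` for the same pair, and only `create()` is added with no matching `destroy()`. Destruction presumably goes through `sp_head::destroy()` and the virtual base destructor, but nothing at the declaration says so. A one-line comment such as `/// Release with sp_head::destroy(); there is no sp_package::destroy().` would make that explicit. Writing `~sp_package() override;` would also tie the declaration to the virtual base destructor, if the compilers this branch supports accept it. The class body continues outside the hunk.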