authormalff@lambda.hsd1.co.comcast.net. <>2008-01-23 13:26:41 -0700
committermalff@lambda.hsd1.co.comcast.net. <>2008-01-23 13:26:41 -0700
commitc3ad0cac751943ab7d8918b95688ffa87244acf6 (patch)
treefe23ef00f598a60c172f4f220f65dfc072babbb2 /sql/sp_rcontext.cc
parent4bb503568dc598d1e16fead04c9cebc4e78725df (diff)
Bug#33618 (Crash in sp_rcontext)
Bug 33983 (Stored Procedures: wrong end <label> syntax is accepted) The server used to crash when REPEAT or another control instruction was used in conjunction with labels and a LEAVE instruction. The crash was caused by a missing "pop" of handlers or cursors in the code representing the stored program. When executing the code in a loop, this missing "pop" would result in a stack overflow, corrupting memory. Code generation has been fixed to produce the missing h_pop/c_pop instructions. Also, the logic checking that labels at the beginning and the end of a statement are matched was incorrect, causing Bug 33983. End labels, when used, must match the label used at the beginning of a block.
Diffstat (limited to 'sql/sp_rcontext.cc')
-rw-r--r--sql/sp_rcontext.cc76
1 files changed, 75 insertions, 1 deletions
diff --git a/sql/sp_rcontext.cc b/sql/sp_rcontext.cc
index 54e016f6099..129aaa46de6 100644
--- a/sql/sp_rcontext.cc
+++ b/sql/sp_rcontext.cc
@@ -334,17 +334,91 @@ sp_rcontext::handle_error(uint sql_errno,
void
sp_rcontext::push_cursor(sp_lex_keeper *lex_keeper, sp_instr_cpush *i)
{
+ DBUG_ENTER("sp_rcontext::push_cursor");
+ DBUG_ASSERT(m_ccount < m_root_parsing_ctx->max_cursor_index());
m_cstack[m_ccount++]= new sp_cursor(lex_keeper, i);
+ DBUG_PRINT("info", ("m_ccount: %d", m_ccount));
+ DBUG_VOID_RETURN;
}
-
void
sp_rcontext::pop_cursors(uint count)
{
+ DBUG_ENTER("sp_rcontext::pop_cursors");
+ DBUG_ASSERT(m_ccount >= count);
while (count--)
{
delete m_cstack[--m_ccount];
}
+ DBUG_PRINT("info", ("m_ccount: %d", m_ccount));
+ DBUG_VOID_RETURN;
+}
+
+void
+sp_rcontext::push_handler(struct sp_cond_type *cond, uint h, int type, uint f)
+{
+ DBUG_ENTER("sp_rcontext::push_handler");
+ DBUG_ASSERT(m_hcount < m_root_parsing_ctx->max_handler_index());
+
+ m_handler[m_hcount].cond= cond;
+ m_handler[m_hcount].handler= h;
+ m_handler[m_hcount].type= type;
+ m_handler[m_hcount].foffset= f;
+ m_hcount+= 1;
+
+ DBUG_PRINT("info", ("m_hcount: %d", m_hcount));
+ DBUG_VOID_RETURN;
+}
+
+void
+sp_rcontext::pop_handlers(uint count)
+{
+ DBUG_ENTER("sp_rcontext::pop_handlers");
+ DBUG_ASSERT(m_hcount >= count);
+ m_hcount-= count;
+ DBUG_PRINT("info", ("m_hcount: %d", m_hcount));
+ DBUG_VOID_RETURN;
+}
+
+void
+sp_rcontext::push_hstack(uint h)
+{
+ DBUG_ENTER("sp_rcontext::push_hstack");
+ DBUG_ASSERT(m_hsp < m_root_parsing_ctx->max_handler_index());
+ m_hstack[m_hsp++]= h;
+ DBUG_PRINT("info", ("m_hsp: %d", m_hsp));
+ DBUG_VOID_RETURN;
+}
+
+uint
+sp_rcontext::pop_hstack()
+{
+ uint handler;
+ DBUG_ENTER("sp_rcontext::pop_hstack");
+ DBUG_ASSERT(m_hsp);
+ handler= m_hstack[--m_hsp];
+ DBUG_PRINT("info", ("m_hsp: %d", m_hsp));
+ DBUG_RETURN(handler);
+}
+
+void
+sp_rcontext::enter_handler(int hid)
+{
+ DBUG_ENTER("sp_rcontext::enter_handler");
+ DBUG_ASSERT(m_ihsp < m_root_parsing_ctx->max_handler_index());
+ m_in_handler[m_ihsp++]= hid;
+ DBUG_PRINT("info", ("m_ihsp: %d", m_ihsp));
+ DBUG_VOID_RETURN;
+}
+
+void
+sp_rcontext::exit_handler()
+{
+ DBUG_ENTER("sp_rcontext::exit_handler");
+ DBUG_ASSERT(m_ihsp);
+ m_ihsp-= 1;
+ DBUG_PRINT("info", ("m_ihsp: %d", m_ihsp));
+ DBUG_VOID_RETURN;
}
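Review bot: The capacity and underflow checks added to push_cursor, pop_cursors, push_handler, pop_handlers, push_hstack, pop_hstack, enter_handler and exit_handler are all `DBUG_ASSERT`, which as far as I know compiles to nothing in non-debug builds. A production server therefore still writes past `m_cstack`, `m_handler`, `m_hstack` or `m_in_handler`, or wraps the unsigned counter in `m_hcount-= count`, if code generation ever emits another unbalanced push/pop. That is the same memory corruption the commit message describes, so it would be worth backing each assert with a runtime check that fails the statement instead of writing, for example `if (m_hsp >= m_root_parsing_ctx->max_handler_index()) DBUG_VOID_RETURN;` in push_hstack as a minimal stop-gap. Reporting the condition to the caller would be better, but these functions return void, so that needs a signature change outside this hunk. Separately, the `DBUG_PRINT` calls use `%d` for the counters; if those members are `uint` like the `count` parameters (their declarations are not visible here), `%u` would match the type.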