From e73e7bb9aec760edf7b142ac57696d44da149d86 Mon Sep 17 00:00:00 2001 
From: Marc Alff Date: Mon, 14 Jul 2008 15:41:30 -0600 Subject: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) The crash was caused by freeing the internal parser stack during the parser execution. This occurred only for complex stored procedures, after reallocating the parser stack using my_yyoverflow(), with the following C call stack: - MYSQLparse() - any rule calling sp_head::restore_lex() - lex_end() - x_free(lex->yacc_yyss), xfree(lex->yacc_yyvs) The root cause is the implementation of stored procedures, which breaks the assumption from 4.1 that there is only one LEX structure per parser call. The solution is to separate the LEX structure into: - attributes that represent a statement (the current LEX structure), - attributes that relate to the syntax parser itself (Yacc_state), so that parsing multiple statements in stored programs can create multiple LEX structures while not changing the unique Yacc_state. Now, Yacc_state and the existing Lex_input_stream are aggregated into Parser_state, a structure that represents the complete state of the (Lexical + Syntax) parser.
mysql-test/r/parser_stack.result: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) mysql-test/t/parser_stack.test: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sp.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sp_head.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_class.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_class.h: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_lex.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_lex.h: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_parse.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_prepare.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_trigger.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_view.cc: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) sql/sql_yacc.yy: Bug#35577 (CREATE PROCEDURE causes either crash or syntax error depending on build) --- sql/sql_lex.h | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) (limited to 'sql/sql_lex.h') diff --git a/sql/sql_lex.h b/sql/sql_lex.h index cde4c3a97b3..df0db2e209d 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h @@ -1004,7 +1004,6 @@ typedef struct st_lex : public Query_tables_list LEX_STRING comment, ident; LEX_USER *grant_user; XID *xid; - gptr yacc_yyss,yacc_yyvs; THD *thd; CHARSET_INFO *charset, *underscore_charset; bool text_string_is_7bit; 
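Review bot: removing `gptr yacc_yyss,yacc_yyvs;` from st_lex in this hunk leaves the header consistent, but the commit message says lex_end() still calls x_free(lex->yacc_yyss) and xfree(lex->yacc_yyvs); those calls must be dropped from sql_lex.cc in the same change, since they would no longer compile against this header, and the frees belong in the new Yacc_state destructor instead. It would also help to say in the message whether sp_head::restore_lex() is the only path that previously reached lex_end() mid-parse, since that is the path the fix is meant to close.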
@@ -1290,6 +1289,59 @@ typedef struct st_lex : public Query_tables_list } } LEX; + +/** + The internal state of the syntax parser. + This object is only available during parsing, + and is private to the syntax parser implementation (sql_yacc.yy). +*/ +class Yacc_state +{ +public: + Yacc_state() + : yacc_yyss(NULL), yacc_yyvs(NULL) + {} + + ~Yacc_state(); + + /** + Bison internal state stack, yyss, when dynamically allocated using + my_yyoverflow(). + */ + gptr yacc_yyss; + + /** + Bison internal semantic value stack, yyvs, when dynamically allocated using + my_yyoverflow(). + */ + gptr yacc_yyvs; + + /* + TODO: move more attributes from the LEX structure here. + */ +}; + +/** + Internal state of the parser. + The complete state consist of: + - state data used during lexical parsing, + - state data used during syntactic parsing. +*/ +class Parser_state +{ +public: + Parser_state(THD *thd, const char* buff, unsigned int length) + : m_lip(thd, buff, length), m_yacc() + {} + + ~Parser_state() + {} + + Lex_input_stream m_lip; + Yacc_state m_yacc; +}; + + struct st_lex_local: public st_lex { static void *operator new(size_t size) throw() -- cgit v1.2.1 From e04dfffb591b7533a3c31eec56df4fb7fedc3986 Mon Sep 17 00:00:00 2001 
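Review bot: in the second hunk of the Bug#35577 patch, Yacc_state owns two raw buffers (`gptr yacc_yyss;`, `gptr yacc_yyvs;`) that its out-of-line `~Yacc_state();` is expected to free, yet it declares no copy constructor or assignment operator, and Parser_state holds a Yacc_state by value; any accidental copy of either object would free the Bison stacks twice. Declare a private, unimplemented copy constructor and assignment operator on Yacc_state (and on Parser_state, which also wraps a Lex_input_stream) so such copies fail at link time. Minor: the Parser_state doc comment should read "The complete state consists of".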
From: Marc Alff Date: Mon, 11 Aug 2008 10:10:00 -0600 Subject: Bug#38296 (low memory crash with many conditions in a query) This fix is for 5.0 only : back porting the 6.0 patch manually The parser code in sql/sql_yacc.yy needs to be more robust to out of memory conditions, so that when parsing a query fails due to OOM, the thread gracefully returns an error. Before this fix, a new/alloc returning NULL could: - cause a crash, if dereferencing the NULL pointer, - produce a corrupted parsed tree, containing NULL nodes, - alter the semantic of a query, by silently dropping token values or nodes With this fix: - C++ constructors are *not* executed with a NULL "this" pointer when operator new fails. This is achieved by declaring "operator new" with a "throw ()" clause, so that a failed new gracefully returns NULL on OOM conditions. - calls to new/alloc are tested for a NULL result, - The thread diagnostic area is set to an error status when OOM occurs. This ensures that a request failing in the server properly returns an ER_OUT_OF_RESOURCES error to the client. - OOM conditions cause the parser to stop immediately (MYSQL_YYABORT). This prevents causing further crashes when using a partially built parsed tree in further rules in the parser. No test scripts are provided, since automating OOM failures is not instrumented in the server. Tested under the debugger, to verify that an error in alloc_root causes the thread to return gracefully all the way to the client application, with an ER_OUT_OF_RESOURCES error. --- sql/sql_lex.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sql/sql_lex.h') diff --git a/sql/sql_lex.h b/sql/sql_lex.h index df0db2e209d..563172594d2 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h
@@ -331,11 +331,11 @@ public: bool no_table_names_allowed; /* used for global order by */ bool no_error; /* suppress error message (convert it to warnings) */ - static void *operator new(size_t size) + static void *operator new(size_t size) throw () { return (void*) sql_alloc((uint) size); } - static void *operator new(size_t size, MEM_ROOT *mem_root) + static void *operator new(size_t size, MEM_ROOT *mem_root) throw () { return (void*) alloc_root(mem_root, (uint) size); } static void operator delete(void *ptr,size_t size) { TRASH(ptr, size); } static void operator delete(void *ptr, MEM_ROOT *mem_root) {} -- cgit v1.2.1 From f48b42e77657dd2e27380201631fd0f137863b85 Mon Sep 17 00:00:00 2001 
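Review bot: adding `throw ()` to both `operator new` overloads changes the contract for every `new` of this class: a NULL from sql_alloc() or alloc_root() now skips the constructor and the new-expression itself evaluates to NULL, so the fix is only complete if each call site checks the result, and none of those checks are visible in this hunk (the message says they live in sql/sql_yacc.yy, so that file should be reviewed together with this one). A second point in the same hunk: both overloads still cast `size` with `(uint)`, which truncates a size_t on 64-bit builds; it is harmless for object sizes but worth a comment, since a silently truncated allocation is exactly the class of bug this patch is hunting.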
From: Gleb Shchepa Date: Wed, 8 Oct 2008 02:34:00 +0500 Subject: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' Concurrent execution of 1) multitable update with a NATURAL/USING join and 2) such a query as "FLUSH TABLES WITH READ LOCK" or "ALTER TABLE" of updating table led to a server crash. The mysql_multi_update_prepare() function call is optimized to lock updating tables only, so it postpones locking to the last, and if locking fails, it does cleanup of modified syntax structures and repeats a query analysis. However, that cleanup procedure was incomplete for NATURAL/USING join syntax data: 1) some Field_item items pointed into freed table structures, and 2) the TABLE_LIST::join_columns field was not reset. Major change: short-living Field *Natural_join_column::table_field has been replaced with long-living Item*. mysql-test/r/lock_multi.result: Added test case for bug #38691. mysql-test/t/lock_multi.test: Added test case for bug #38691. sql/item.cc: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' The Item_field constructor has been modified to allocate and copy original database/table/field names always (not during PS preparation/1st execution only), because an initialization of Item_field items with a pointer to short-living Field structures is a common practice. sql/sql_base.cc: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' 1) Type adjustment for Natural_join_column::table_field (Field to Item_field); 2) The setup_natural_join_row_types function has been updated to take into account new first_natural_join_processing flag to skip unnecessary reinitialization of Natural_join_column::join_columns during table reopening after lock_tables() failure (like the 'first_execution' flag for PS).
sql/sql_lex.cc: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' Initialization of the new st_select_lex::first_natural_join_processing flag has been added. sql/sql_lex.h: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' The st_select_lex::first_natural_join_processing flag has been added to skip unnecessary rebuilding of NATURAL/USING JOIN structures during table reopening after lock_tables failure. sql/sql_update.cc: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' Extra cleanup calls have been added to reset Natural_join_column::table_field items. sql/table.cc: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' Type adjustment for Natural_join_column::table_field (Field to Item_field). sql/table.h: Bug #38691: segfault/abort in ``UPDATE ...JOIN'' while ``FLUSH TABLES WITH READ LOCK'' Type of the Natural_join_column::table_field field has been changed from Field that points into short-living TABLE memory to long-living Item_field that can be linked to (fixed) reopened table. --- sql/sql_lex.h | 1 + 1 file changed, 1 insertion(+) (limited to 'sql/sql_lex.h') diff --git a/sql/sql_lex.h b/sql/sql_lex.h index 563172594d2..9f020f4adc5 100644 --- a/sql/sql_lex.h +++ b/sql/sql_lex.h @@ -586,6 +586,7 @@ public: case of an error during prepare the PS is not created. */ bool first_execution; + bool first_natural_join_processing; bool first_cond_optimization; /* do not wrap view fields with Item_ref */ bool no_wrap_view_item; -- cgit v1.2.1
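Review bot: the new `bool first_natural_join_processing;` is inserted between documented members but carries no comment, and no initializer appears in this hunk (the message says sql_lex.cc sets it). Since its neighbours in st_select_lex each document when they are true and when they are reset, add a comment in the same style stating that the flag is true on the first pass over the NATURAL/USING join structures and is cleared so that the rebuild is skipped when tables are reopened after a lock_tables() failure; otherwise a reader of the header cannot tell this flag from first_execution, which it is modelled on.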