• Sergey Vojtovich's avatar
    BUG#48438 - crash with error in unioned query against merge · 9d0c1ce5
    Sergey Vojtovich authored
                table and view...
    
    Invalid memory reads after a query referencing MyISAM table
    multiple times with write lock. Invalid memory reads may
    lead to server crash, valgrind warnings, incorrect values
    in INFORMATION_SCHEMA.TABLES.{TABLE_ROWS, DATA_LENGTH,
    INDEX_LENGTH, ...}.
    
    This may happen when one of the table instances gets closed
    after a query, e.g. out of slots in open tables cache. UNION,
    MERGE and VIEW are irrelevant.
    
    The problem was that MyISAM didn't restore state info
    pointer to default value.
    
    myisam/mi_locking.c:
      When a query is referencing MyISAM table multiple times
      with a write lock, all table instances share the same
      state info, pointing to MI_INFO::save_state of
      "primary" table instance.
      
      When lock is released, state pointer was restored only
      for the primary table instance. Secondary table instances
      are still pointing to save_state of primary table
      instance.
      
      Primary table instance may get closed, leaving secondary
      table instances state pointer pointing to freed memory.
      
      That's mostly ok, since next lock will update state info
      pointer to correct value. But there're some cases, when
      this secondary table instance state info is accessed
      without a lock, e.g. INFORMATION_SCHEMA, MERGE (in 5.1
      and up), MyISAM itself for DBUG purposes.
      
      Restore default value of state pointer unconditionally,
      for both primary and secondary table instances.
    mysql-test/r/myisam.result:
      A test case for BUG#48438.
    mysql-test/t/myisam.test:
      A test case for BUG#48438.
    9d0c1ce5
mi_locking.c 16 KB