Bug#38883 thd_security_context is not thread safe, crashes?

Innodb monitor could cause a server crash because of invalid access to a shared variable in a concurrent environment. This patch adds a guard to protect against crashes but not against inconsistent values because of performance reasons. sql/sql_class.cc: * Attempt snapshot of static memory pointer proc_info to avoid null pointers.

Bug#38883 thd_security_context is not thread safe, crashes?
Innodb monitor could cause a server crash because of invalid access to a shared variable in a concurrent environment. This patch adds a guard to protect against crashes but not against inconsistent values because of performance reasons. sql/sql_class.cc: * Attempt snapshot of static memory pointer proc_info to avoid null pointers.
e88487cc · Kristofer Pettersson · 8b1f501c · e88487cc
Commit e88487cc authored Nov 07, 2008 by Kristofer Pettersson
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 12 deletions

sql/sql_class.cc sql/sql_class.cc +27 -12

No files found.
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -306,20 +306,25 @@ void thd_inc_row_count(THD *thd)
  thd->row_count++;
 }

-/*
+
+/**
  Dumps a text description of a thread, its security context
  (user, host) and the current query.

-  SYNOPSIS
-    thd_security_context()
-    thd                 current thread context
-    buffer              pointer to preferred result buffer
-    length              length of buffer
-    max_query_len       how many chars of query to copy (0 for all)
-
-  RETURN VALUES
-    pointer to string
+  @param thd current thread context
+  @param buffer pointer to preferred result buffer
+  @param length length of buffer
+  @param max_query_len how many chars of query to copy (0 for all)
+
+  @req LOCK_thread_count
+  
+  @note LOCK_thread_count mutex is not necessary when the function is invoked on
+   the currently running thread (current_thd) or if the caller in some other
+   way guarantees that access to thd->query is serialized.
+ 
+  @return Pointer to string
 */
+
 extern "C"
 char *thd_security_context(THD *thd, char *buffer, unsigned int length,
                           unsigned int max_query_len)
@@ -328,6 +333,16 @@ char *thd_security_context(THD *thd, char *buffer, unsigned int length,
  const Security_context *sctx= &thd->main_security_ctx;
  char header[64];
  int len;
+  /*
+    The pointers thd->query and thd->proc_info might change since they are
+    being modified concurrently. This is acceptable for proc_info since its
+    values doesn't have to very accurate and the memory it points to is static,
+    but we need to attempt a snapshot on the pointer values to avoid using NULL
+    values. The pointer to thd->query however, doesn't point to static memory
+    and has to be protected by LOCK_thread_count or risk pointing to
+    uninitialized memory.
+  */
+  const char *proc_info= thd->proc_info;

  len= my_snprintf(header, sizeof(header),
                   "MySQL thread id %lu, query id %lu",
@@ -353,10 +368,10 @@ char *thd_security_context(THD *thd, char *buffer, unsigned int length,
    str.append(sctx->user);
  }

-  if (thd->proc_info)
+  if (proc_info)
  {
    str.append(' ');
-    str.append(thd->proc_info);
+    str.append(proc_info);
  }

  if (thd->query)