Bug#33362: Query cache invalidation (truncate) may hang

if cached query uses many tables The problem was that query cache would not properly cache queries which used 256 or more tables but yet would leave behind query cache blocks pointing to freed (destroyed) data. Later when invalidating (due to a truncate) query cache would attempt to grab a lock which resided in the freed data, leading to hangs or undefined behavior. This was happening due to a improper return value from the function responsible for registering the tables used in the query (so the cache can be invalidated later if one of the tables is modified). The function expected a return value of type boolean (char, 8 bits) indicating success (1) or failure (0) but the number of tables registered (unsigned int, 32 bits) was being returned instead. This caused the function to return failure for cases where it had actually succeed because when a type (unsigned int) is converted to a narrower type (char), the excess bits on the left are discarded. Thus if the 8 rightmost bits are zero, the return value will be 0 (failure). The solution is to simply return true (1) only if the number of registered table is greater than zero and false (0) otherwise. mysql-test/r/query_cache_merge.result: Add test case result for Bug#33362 mysql-test/t/query_cache_merge.test: Add test case for Bug#33362 sql/sql_cache.cc: Return 1 or 0 depending on the number of registered tables.

Bug#33362: Query cache invalidation (truncate) may hang
if cached query uses many tables The problem was that query cache would not properly cache queries which used 256 or more tables but yet would leave behind query cache blocks pointing to freed (destroyed) data. Later when invalidating (due to a truncate) query cache would attempt to grab a lock which resided in the freed data, leading to hangs or undefined behavior. This was happening due to a improper return value from the function responsible for registering the tables used in the query (so the cache can be invalidated later if one of the tables is modified). The function expected a return value of type boolean (char, 8 bits) indicating success (1) or failure (0) but the number of tables registered (unsigned int, 32 bits) was being returned instead. This caused the function to return failure for cases where it had actually succeed because when a type (unsigned int) is converted to a narrower type (char), the excess bits on the left are discarded. Thus if the 8 rightmost bits are zero, the return value will be 0 (failure). The solution is to simply return true (1) only if the number of registered table is greater than zero and false (0) otherwise. mysql-test/r/query_cache_merge.result: Add test case result for Bug#33362 mysql-test/t/query_cache_merge.test: Add test case for Bug#33362 sql/sql_cache.cc: Return 1 or 0 depending on the number of registered tables.
9fca54f7 · Davi Arnaut · 5891c6c1 · 9fca54f7 · 9fca54f7 · 9fca54f7
Commit 9fca54f7 authored Jun 03, 2008 by Davi Arnaut
Showing with 1733 additions and 1 deletion

mysql-test/r/query_cache_merge.result mysql-test/r/query_cache_merge.result +1674 -0

mysql-test/t/query_cache_merge.test mysql-test/t/query_cache_merge.test +58 -0

sql/sql_cache.cc sql/sql_cache.cc +1 -1

No files found.
--- a/mysql-test/r/query_cache_merge.result
+++ b/mysql-test/r/query_cache_merge.result
--- a/mysql-test/t/query_cache_merge.test
+++ b/mysql-test/t/query_cache_merge.test
@@ -48,3 +48,61 @@ SET @@global.query_cache_size=0;
 set @@global.table_definition_cache=@save_table_definition_cache;

 # End of 4.1 tests
+
+#
+# Bug#33362: Query cache invalidation (truncate) may hang if cached query uses many tables
+#
+
+SET @save_table_definition_cache = @@global.table_definition_cache;
+SET @@global.table_definition_cache = 512;
+
+let $c= 255;
+
+while ($c)
+{
+  eval CREATE TABLE t$c (a INT);
+  eval INSERT INTO t$c VALUES ($c);
+  dec $c;
+}
+
+let $c= 254;
+let $str= t255;
+
+while ($c)
+{
+  let $str= t$c,$str;
+  dec $c;
+}
+
+eval CREATE TABLE t0 (a INT) ENGINE=MERGE UNION($str);
+SET GLOBAL query_cache_size = 1048576;
+FLUSH STATUS;
+SELECT a FROM t0 WHERE a = 1;
+SHOW STATUS LIKE "Qcache_queries_in_cache";
+
+let $c= 255;
+let $i= 1;
+
+while ($c)
+{
+  eval TRUNCATE TABLE t$c;
+  eval SELECT a FROM t$i;
+  dec $c;
+  inc $i;
+}
+
+SELECT a FROM t0;
+DROP TABLE t0;
+
+let $c= 255;
+
+while ($c)
+{
+  eval DROP TABLE t$c;
+  dec $c;
+}
+
+SET @@global.query_cache_size = 0;
+SET @@global.table_definition_cache = @save_table_definition_cache;
+
+--echo End of 5.1 tests
--- a/sql/sql_cache.cc
+++ b/sql/sql_cache.cc
@@ -2746,7 +2746,7 @@ my_bool Query_cache::register_all_tables(Query_cache_block *block,
 	 tmp++)
      unlink_table(tmp);
  }
-  return (n);
+  return test(n);
 }