Commit e16d4c49 authored by Jon Olav Hauglid

Bug #57659 Segfault in Query_cache::invalidate_data for TRUNCATE TABLE

This crash could happen if TRUNCATE TABLE indirectly failed to open a
merge table due to failures to open underlying tables. Even if opening
failed, the TRUNCATE TABLE code would try to invalidate the table in
the query cache. Since this table had been closed and memory released,
this could lead to a crash.

This bug was introduced by the combination of two changes: the patch
for Bug#52044, where failing to open a table causes already opened
tables to be closed, and the patch for Bug#49938, where TRUNCATE TABLE
uses the standard open tables function.

This patch fixes the problem by setting the TABLE pointer to NULL before 
invalidating the query cache.

Test case added to truncate_coverage.test.
parent 077a9b5f
...@@ -78,3 +78,30 @@ COMMIT; ...@@ -78,3 +78,30 @@ COMMIT;
UNLOCK TABLES; UNLOCK TABLES;
DROP TABLE t1; DROP TABLE t1;
SET DEBUG_SYNC='RESET'; SET DEBUG_SYNC='RESET';
#
# Bug#57659 Segfault in Query_cache::invalidate_data for TRUNCATE TABLE
#
# Note that this test case only reproduces the problem
# when it is run with valgrind.
DROP TABLE IF EXISTS t1, m1;
CREATE TABLE t1(a INT) engine=memory;
CREATE TABLE m1(a INT) engine=merge UNION(t1);
# Connection con1
SET DEBUG_SYNC= 'open_tables_after_open_and_process_table SIGNAL opened WAIT_FOR dropped';
# Sending:
TRUNCATE TABLE m1;
# Connection con2
SET DEBUG_SYNC= 'now WAIT_FOR opened';
# Sending:
FLUSH TABLES;
# Connection default
# Waiting for FLUSH TABLES to be blocked.
SET DEBUG_SYNC= 'now SIGNAL dropped';
# Connection con1
# Reaping: TRUNCATE TABLE m1
ERROR HY000: Unable to open underlying table which is differently defined or of non-MyISAM type or doesn't exist
# Connection con2
# Reaping: FLUSH TABLES
# Connection default
SET DEBUG_SYNC= 'RESET';
DROP TABLE m1, t1;
...@@ -172,3 +172,57 @@ UNLOCK TABLES; ...@@ -172,3 +172,57 @@ UNLOCK TABLES;
DROP TABLE t1; DROP TABLE t1;
SET DEBUG_SYNC='RESET'; SET DEBUG_SYNC='RESET';
--echo #
--echo # Bug#57659 Segfault in Query_cache::invalidate_data for TRUNCATE TABLE
--echo #
--echo # Note that this test case only reproduces the problem
--echo # when it is run with valgrind.
--disable_warnings
DROP TABLE IF EXISTS t1, m1;
--enable_warnings
CREATE TABLE t1(a INT) engine=memory;
CREATE TABLE m1(a INT) engine=merge UNION(t1);
connect(con2, localhost, root);
--echo # Connection con1
connect(con1, localhost, root);
SET DEBUG_SYNC= 'open_tables_after_open_and_process_table SIGNAL opened WAIT_FOR dropped';
--echo # Sending:
--send TRUNCATE TABLE m1
--echo # Connection con2
connection con2;
SET DEBUG_SYNC= 'now WAIT_FOR opened';
--echo # Sending:
--send FLUSH TABLES
--echo # Connection default
connection default;
--echo # Waiting for FLUSH TABLES to be blocked.
let $wait_condition= SELECT COUNT(*)=1 FROM information_schema.processlist
WHERE state= 'Waiting for table flush' AND info= 'FLUSH TABLES';
--source include/wait_condition.inc
SET DEBUG_SYNC= 'now SIGNAL dropped';
--echo # Connection con1
connection con1;
--echo # Reaping: TRUNCATE TABLE m1
--error ER_WRONG_MRG_TABLE
--reap
disconnect con1;
--source include/wait_until_disconnected.inc
--echo # Connection con2
connection con2;
--echo # Reaping: FLUSH TABLES
--reap
disconnect con2;
--source include/wait_until_disconnected.inc
--echo # Connection default
connection default;
SET DEBUG_SYNC= 'RESET';
DROP TABLE m1, t1;
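Review bot: Nothing in the added test says why `t1` is created with `engine=memory`, although that choice appears to be what makes opening the children of `m1` fail with ER_WRONG_MRG_TABLE. A one-line comment above the two CREATE TABLE statements would make this explicit, for example `--echo # t1 is deliberately non-MyISAM so that opening the children of m1 fails`. The test's only assertion is the expected error, and by its own header it shows the invalid memory access only under valgrind. It is therefore worth confirming that this file is included in the valgrind runs, otherwise a regression of the stale-pointer read would likely pass unnoticed.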
...@@ -472,6 +472,13 @@ bool Truncate_statement::truncate_table(THD *thd, TABLE_LIST *table_ref) ...@@ -472,6 +472,13 @@ bool Truncate_statement::truncate_table(THD *thd, TABLE_LIST *table_ref)
binlog_stmt= !error || error != HA_ERR_WRONG_COMMAND; binlog_stmt= !error || error != HA_ERR_WRONG_COMMAND;
} }
/*
If we tried to open a MERGE table and failed due to problems with the
children tables, the table will have been closed and table_ref->table
will be invalid. Reset the pointer here in any case as
query_cache_invalidate does not need a valid TABLE object.
*/
table_ref->table= NULL;
query_cache_invalidate3(thd, table_ref, FALSE); query_cache_invalidate3(thd, table_ref, FALSE);
} }
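Review bot: The reset `table_ref->table= NULL;` sits immediately before `query_cache_invalidate3`, so after a failed MERGE open the pointer still refers to the closed TABLE until this line is reached. Any code in truncate_table between the open and this point that reads `table_ref->table` would still touch released memory; that part of the function is outside the hunk and should be checked. Clearing the pointer where the open fails or where the tables are closed would remove the stale pointer at its source rather than at this one consumer. Since the reset also runs on the success path, the comment could say so, e.g. `Nothing after this point may rely on table_ref->table.`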