Commit f8151aca authored by unknown's avatar unknown

Bug #31153 calling stored procedure crashes server if available memory is low

When the server was out of memory it crashed because of invalid memory access.

This patch adds detection for failed memory allocations and make the server
output a proper error message.


sql/mysqld.cc:
  Don't try to push_warning from within push_warning. It will cause a recursion
  until the stack is consumed.
  
  If my_net_init fails (for example: because of OOM) the temporary vio object 
  might have been attached to the thd object already. This will cause a double
  free on the vio object when the thd object is deleted later on and the server
  will crash.
sql/sp_head.cc:
  Added check for out-of-memory on a 'new' operation.
  Refactored reset_lex method to return a error state code instead of void.
  Initialize the mem-root with init_sql_alloc to get a basic error handler for
  memory allocation problems. This alone won't prevent the server from crashing,
  NULL pointers have to be accounted for as well.
sql/sp_head.h:
  Use the throw() clause in operator new, to indicate to the compiler that
  memory allocation can fail and return NULL, so that the compiler should
  generate code to check for NULL before invoking C++ constructors, to be
  crash safe.
sql/sql_base.cc:
  Use init_sql_alloc to get basic out-of-memory error handling.
sql/sql_lex.h:
  Use the throw() clause in operator new, to indicate to the compiler that
  memory allocation can fail and return NULL, so that the compiler should
  generate code to check for NULL before invoking C++ constructors, to be
  crash safe.
sql/sql_prepare.cc:
  Use init_sql_alloc to get basic out-of-memory error handling.
sql/sql_yacc.yy:
  Check for memory allocation failures where it matters.
parent 711be53b
...@@ -2489,7 +2489,12 @@ static int my_message_sql(uint error, const char *str, myf MyFlags) ...@@ -2489,7 +2489,12 @@ static int my_message_sql(uint error, const char *str, myf MyFlags)
thd->query_error= 1; // needed to catch query errors during replication thd->query_error= 1; // needed to catch query errors during replication
if (!thd->no_warnings_for_error) if (!thd->no_warnings_for_error)
{
thd->no_warnings_for_error= TRUE;
push_warning(thd, MYSQL_ERROR::WARN_LEVEL_ERROR, error, str); push_warning(thd, MYSQL_ERROR::WARN_LEVEL_ERROR, error, str);
thd->no_warnings_for_error= FALSE;
}
/* /*
thd->lex->current_select == 0 if lex structure is not inited thd->lex->current_select == 0 if lex structure is not inited
(not query command (COM_QUERY)) (not query command (COM_QUERY))
...@@ -4295,7 +4300,12 @@ pthread_handler_t handle_connections_sockets(void *arg __attribute__((unused))) ...@@ -4295,7 +4300,12 @@ pthread_handler_t handle_connections_sockets(void *arg __attribute__((unused)))
sock == unix_sock ? VIO_LOCALHOST: 0)) || sock == unix_sock ? VIO_LOCALHOST: 0)) ||
my_net_init(&thd->net,vio_tmp)) my_net_init(&thd->net,vio_tmp))
{ {
if (vio_tmp) /*
Only delete the temporary vio if we didn't already attach it to the
NET object. The destructor in THD will delete any initialized net
structure.
*/
if (vio_tmp && thd->net.vio != vio_tmp)
vio_delete(vio_tmp); vio_delete(vio_tmp);
else else
{ {
......
...@@ -411,14 +411,16 @@ check_routine_name(LEX_STRING ident) ...@@ -411,14 +411,16 @@ check_routine_name(LEX_STRING ident)
*/ */
void * void *
sp_head::operator new(size_t size) sp_head::operator new(size_t size) throw()
{ {
DBUG_ENTER("sp_head::operator new"); DBUG_ENTER("sp_head::operator new");
MEM_ROOT own_root; MEM_ROOT own_root;
sp_head *sp; sp_head *sp;
init_alloc_root(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC); init_sql_alloc(&own_root, MEM_ROOT_BLOCK_SIZE, MEM_ROOT_PREALLOC);
sp= (sp_head *) alloc_root(&own_root, size); sp= (sp_head *) alloc_root(&own_root, size);
if (sp == NULL)
return NULL;
sp->main_mem_root= own_root; sp->main_mem_root= own_root;
DBUG_PRINT("info", ("mem_root 0x%lx", (ulong) &sp->mem_root)); DBUG_PRINT("info", ("mem_root 0x%lx", (ulong) &sp->mem_root));
DBUG_RETURN(sp); DBUG_RETURN(sp);
...@@ -429,6 +431,10 @@ sp_head::operator delete(void *ptr, size_t size) ...@@ -429,6 +431,10 @@ sp_head::operator delete(void *ptr, size_t size)
{ {
DBUG_ENTER("sp_head::operator delete"); DBUG_ENTER("sp_head::operator delete");
MEM_ROOT own_root; MEM_ROOT own_root;
if (ptr == NULL)
DBUG_VOID_RETURN;
sp_head *sp= (sp_head *) ptr; sp_head *sp= (sp_head *) ptr;
/* Make a copy of main_mem_root as free_root will free the sp */ /* Make a copy of main_mem_root as free_root will free the sp */
...@@ -472,6 +478,9 @@ sp_head::init(LEX *lex) ...@@ -472,6 +478,9 @@ sp_head::init(LEX *lex)
lex->spcont= m_pcont= new sp_pcontext(); lex->spcont= m_pcont= new sp_pcontext();
if (!lex->spcont)
DBUG_VOID_RETURN;
/* /*
Altough trg_table_fields list is used only in triggers we init for all Altough trg_table_fields list is used only in triggers we init for all
types of stored procedures to simplify reset_lex()/restore_lex() code. types of stored procedures to simplify reset_lex()/restore_lex() code.
...@@ -973,7 +982,7 @@ sp_head::execute(THD *thd) ...@@ -973,7 +982,7 @@ sp_head::execute(THD *thd)
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
/* init per-instruction memroot */ /* init per-instruction memroot */
init_alloc_root(&execute_mem_root, MEM_ROOT_BLOCK_SIZE, 0); init_sql_alloc(&execute_mem_root, MEM_ROOT_BLOCK_SIZE, 0);
DBUG_ASSERT(!(m_flags & IS_INVOKED)); DBUG_ASSERT(!(m_flags & IS_INVOKED));
m_flags|= IS_INVOKED; m_flags|= IS_INVOKED;
...@@ -1795,16 +1804,29 @@ sp_head::execute_procedure(THD *thd, List<Item> *args) ...@@ -1795,16 +1804,29 @@ sp_head::execute_procedure(THD *thd, List<Item> *args)
} }
// Reset lex during parsing, before we parse a sub statement. /**
void @brief Reset lex during parsing, before we parse a sub statement.
@param thd Thread handler.
@return Error state
@retval true An error occurred.
@retval false Success.
*/
bool
sp_head::reset_lex(THD *thd) sp_head::reset_lex(THD *thd)
{ {
DBUG_ENTER("sp_head::reset_lex"); DBUG_ENTER("sp_head::reset_lex");
LEX *sublex; LEX *sublex;
LEX *oldlex= thd->lex; LEX *oldlex= thd->lex;
sublex= new (thd->mem_root)st_lex_local;
if (sublex == 0)
DBUG_RETURN(TRUE);
thd->lex= sublex;
(void)m_lex.push_front(oldlex); (void)m_lex.push_front(oldlex);
thd->lex= sublex= new st_lex;
/* Reset most stuff. */ /* Reset most stuff. */
lex_start(thd); lex_start(thd);
...@@ -1827,7 +1849,7 @@ sp_head::reset_lex(THD *thd) ...@@ -1827,7 +1849,7 @@ sp_head::reset_lex(THD *thd)
sublex->interval_list.empty(); sublex->interval_list.empty();
sublex->type= 0; sublex->type= 0;
DBUG_VOID_RETURN; DBUG_RETURN(FALSE);
} }
// Restore lex during parsing, after we have parsed a sub statement. // Restore lex during parsing, after we have parsed a sub statement.
...@@ -3703,7 +3725,7 @@ sp_add_to_query_tables(THD *thd, LEX *lex, ...@@ -3703,7 +3725,7 @@ sp_add_to_query_tables(THD *thd, LEX *lex,
if (!(table= (TABLE_LIST *)thd->calloc(sizeof(TABLE_LIST)))) if (!(table= (TABLE_LIST *)thd->calloc(sizeof(TABLE_LIST))))
{ {
my_error(ER_OUTOFMEMORY, MYF(0), sizeof(TABLE_LIST)); thd->fatal_error();
return NULL; return NULL;
} }
table->db_length= strlen(db); table->db_length= strlen(db);
......
...@@ -191,10 +191,10 @@ class sp_head :private Query_arena ...@@ -191,10 +191,10 @@ class sp_head :private Query_arena
Security_context m_security_ctx; Security_context m_security_ctx;
static void * static void *
operator new(size_t size); operator new(size_t size) throw ();
static void static void
operator delete(void *ptr, size_t size); operator delete(void *ptr, size_t size) throw ();
sp_head(); sp_head();
...@@ -254,7 +254,7 @@ class sp_head :private Query_arena ...@@ -254,7 +254,7 @@ class sp_head :private Query_arena
} }
// Resets lex in 'thd' and keeps a copy of the old one. // Resets lex in 'thd' and keeps a copy of the old one.
void bool
reset_lex(THD *thd); reset_lex(THD *thd);
// Restores lex in 'thd' from our copy, but keeps some status from the // Restores lex in 'thd' from our copy, but keeps some status from the
......
...@@ -80,7 +80,6 @@ bool Prelock_error_handler::safely_trapped_errors() ...@@ -80,7 +80,6 @@ bool Prelock_error_handler::safely_trapped_errors()
return ((m_handled_errors > 0) && (m_unhandled_errors == 0)); return ((m_handled_errors > 0) && (m_unhandled_errors == 0));
} }
TABLE *unused_tables; /* Used by mysql_test */ TABLE *unused_tables; /* Used by mysql_test */
HASH open_cache; /* Used by mysql_test */ HASH open_cache; /* Used by mysql_test */
...@@ -2643,7 +2642,7 @@ int open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags) ...@@ -2643,7 +2642,7 @@ int open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags)
temporary mem_root for new .frm parsing. temporary mem_root for new .frm parsing.
TODO: variables for size TODO: variables for size
*/ */
init_alloc_root(&new_frm_mem, 8024, 8024); init_sql_alloc(&new_frm_mem, 8024, 8024);
thd->current_tablenr= 0; thd->current_tablenr= 0;
restart: restart:
......
...@@ -1283,11 +1283,11 @@ typedef struct st_lex : public Query_tables_list ...@@ -1283,11 +1283,11 @@ typedef struct st_lex : public Query_tables_list
struct st_lex_local: public st_lex struct st_lex_local: public st_lex
{ {
static void *operator new(size_t size) static void *operator new(size_t size) throw()
{ {
return (void*) sql_alloc((uint) size); return (void*) sql_alloc((uint) size);
} }
static void *operator new(size_t size, MEM_ROOT *mem_root) static void *operator new(size_t size, MEM_ROOT *mem_root) throw()
{ {
return (void*) alloc_root(mem_root, (uint) size); return (void*) alloc_root(mem_root, (uint) size);
} }
...@@ -1303,3 +1303,4 @@ extern void lex_start(THD *thd); ...@@ -1303,3 +1303,4 @@ extern void lex_start(THD *thd);
extern void lex_end(LEX *lex); extern void lex_end(LEX *lex);
extern int MYSQLlex(void *arg, void *yythd); extern int MYSQLlex(void *arg, void *yythd);
extern char *skip_rear_comments(CHARSET_INFO *cs, char *begin, char *end); extern char *skip_rear_comments(CHARSET_INFO *cs, char *begin, char *end);
...@@ -2659,7 +2659,7 @@ Prepared_statement::Prepared_statement(THD *thd_arg, Protocol *protocol_arg) ...@@ -2659,7 +2659,7 @@ Prepared_statement::Prepared_statement(THD *thd_arg, Protocol *protocol_arg)
last_errno(0), last_errno(0),
flags((uint) IS_IN_USE) flags((uint) IS_IN_USE)
{ {
init_alloc_root(&main_mem_root, thd_arg->variables.query_alloc_block_size, init_sql_alloc(&main_mem_root, thd_arg->variables.query_alloc_block_size,
thd_arg->variables.query_prealloc_size); thd_arg->variables.query_prealloc_size);
*last_error= '\0'; *last_error= '\0';
} }
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment