Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.2(EOL)
-
None
Description
If OOM (out of memory) happens inside create_virtual_tmp_table(), the server can crash.
There are two problems:
1. If OOM happens inside multi_alloc_root in Virtual_tmp_table::init, then the member TABLE::s is left to be a NULL pointer. The destructor calls destruct_fields() without a test that TABLE::s was really allocated. It should test that s is not NULL before calling destruct_fields.
2. The class Virtual_tmp_table overrides the operator new to allocate itself on mem_root, but it does not override the operator delete, which is mapped to the system function free() by default. As a result free() is called for something which was never allocated with the system function malloc(). The class Virtual_tmp_table should override operator delete.
The problem was introduced by the patch for MDEV-9238 in 10.2.0.
Attachments
Issue Links
- relates to
-
MDEV-9238 Wrap create_virtual_tmp_table() into a class, split into different steps
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Description |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the {{TABLE::s}} member is {{NULL}}. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the {{TABLE::s}} member is {{NULL}}. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. The problem was introduces by the patch for |
| Description |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the {{TABLE::s}} member is {{NULL}}. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. The problem was introduces by the patch for |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the {{TABLE::s}} member is {{NULL}}. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. The problem was introduced by the patch for |
| Description |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the {{TABLE::s}} member is {{NULL}}. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. The problem was introduced by the patch for |
If OOM (out of memory) happens inside {{create_virtual_tmp_table()}}, the server can crash.
There are two problems: 1. If OOM happens inside {{multi_alloc_root}} in {{Virtual_tmp_table::init}}, then the member {{TABLE::s}} is left to be a {{NULL}} pointer. The destructor calls {{destruct_fields()}} without a test that {{TABLE::s}} was really allocated. It should test that {{s}} is not {{NULL}} before calling {{destruct_fields}}. 2. The class {{Virtual_tmp_table}} overrides the operator {{new}} to allocate itself on {{mem_root}}, but it does not override the operator {{delete}}, which is mapped to the system function {{free()}} by default. As a result {{free()}} is called for something which was never allocated with the system function {{malloc()}}. The class {{Virtual_tmp_table}} should override {{operator delete}}. The problem was introduced by the patch for |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Assignee | Alexander Barkov [ bar ] | Alexey Botchkov [ holyfoot ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Assignee | Alexey Botchkov [ holyfoot ] | Alexander Barkov [ bar ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| issue.field.resolutiondate | 2017-03-31 12:03:10.0 | 2017-03-31 12:03:10.433 |
| Fix Version/s | 10.2.5 [ 22117 ] | |
| Fix Version/s | 10.2 [ 14601 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | In Progress [ 3 ] | Closed [ 6 ] |
| Workflow | MariaDB v3 [ 80205 ] | MariaDB v4 [ 151899 ] |