[MDEV-6641] Embedded server : NULL-pointer reference in THD::store_globals causes SEGFAULT Created: 2014-08-26  Updated: 2014-12-24

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: 5.5.39
Fix Version/s: 5.5

Type: Bug Priority: Minor
Reporter: Vilho Raatikka Assignee: Alexey Botchkov
Resolution: Unresolved Votes: 0
Labels: None
Environment:

x86_64 x86_64 x86_64 GNU/Linux


 Description   

Reproduce by calling a mysql_thread_end followed by mysql->methods->free_embedded_thd()

The call sequence is illegal and expected outcome would be an error or some indication of error.

The location of problematic code :

mysys_var=my_thread_var;
 
/*
 
  Let mysqld define the thread id (not mysys)
 
  This allows us to move THD to different threads if needed.
 
*/
 
mysys_var->id= thread_id;
 
real_id= pthread_self();                      // For debugging
 
mysys_var->stack_ends_here= thread_stack +    // for consistency, see libevent_thread_proc
 
                              STACK_DIRECTION * (long)my_thread_stack_size;

where mysys_var is NULL.

Valgrind:

==15784== 1 errors in context 1 of 10:
 
==15784== Thread 9:
 
==15784== Invalid write of size 8
 
==15784==    at 0x528A309: THD::store_globals() (sql_class.cc:1791)
 
==15784==    by 0x519A68F: emb_free_embedded_thd (lib_sql.cc:422)
 
==15784==    by 0x1A72064F: parsing_info_done (query_classifier.cc:1034)
 
==15784==    by 0x40933B: gwbuf_remove_buffer_object (buffer.c:463)
 
==15784==    by 0x4085D1: gwbuf_free (buffer.c:122)
 
==15784==    by 0x408EA5: gwbuf_consume (buffer.c:316)
 
==15784==    by 0x40E91A: dcb_write (dcb.c:935)
 
==15784==    by 0x1F9CCA66: backend_write_delayqueue (mysql_backend.c:1113)
 
==15784==    by 0x1F9CB066: gw_read_backend_event (mysql_backend.c:410)
 
==15784==    by 0x4175C5: poll_waitevents (poll.c:424)
 
==15784==    by 0x80B9E0E: start_thread (in /lib64/libpthread-2.17.so)
 
==15784==    by 0x83B744C: clone (in /lib64/libc-2.17.so)
 
==15784==  Address 0x90 is not stack'd, malloc'd or (recently) free'd



 Comments   
Comment by Vilho Raatikka [ 2014-09-02 ]

I guess the function is not very often called directly from client application.

Generated at Thu Feb 08 07:13:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.