MDEV-21341: Fix UBSAN failures: Issue Six
(Variant #2 of the patch, which keeps the sp_head object inside the MEM_ROOT that sp_head object owns) (10.3 version of the fix, with handling for class sp_package) sp_head::operator new() and operator delete() were dereferencing sp_head* pointers to memory that didn't hold a valid sp_head object (it was not created/already destroyed). This caused UBSan to crash when looking up type information. Fixed by providing static sp_head::create() and sp_head::destroy() methods.
@ -793,7 +793,7 @@ void lex_end_stage1(LEX *lex)
|
||||
}
|
||||
else
|
||||
{
|
||||
delete lex->sphead;
|
||||
sp_head::destroy(lex->sphead);
|
||||
lex->sphead= NULL;
|
||||
}
|
||||
|
||||
@ -3049,13 +3049,13 @@ void LEX::cleanup_lex_after_parse_error(THD *thd)
|
||||
DBUG_ASSERT(pkg == pkg->m_top_level_lex->sphead);
|
||||
pkg->restore_thd_mem_root(thd);
|
||||
LEX *top= pkg->m_top_level_lex;
|
||||
delete pkg;
|
||||
sp_package::destroy(pkg);
|
||||
thd->lex= top;
|
||||
thd->lex->sphead= NULL;
|
||||
}
|
||||
else
|
||||
{
|
||||
delete thd->lex->sphead;
|
||||
sp_head::destroy(thd->lex->sphead);
|
||||
thd->lex->sphead= NULL;
|
||||
}
|
||||
}
|
||||
@ -6190,7 +6190,7 @@ sp_head *LEX::make_sp_head(THD *thd, const sp_name *name,
|
||||
sp_head *sp;
|
||||
|
||||
/* Order is important here: new - reset - init */
|
||||
if (likely((sp= new sp_head(package, sph))))
|
||||
if (likely((sp= sp_head::create(package, sph))))
|
||||
{
|
||||
sp->reset_thd_mem_root(thd);
|
||||
sp->init(this);
|
||||
@ -7829,7 +7829,7 @@ sp_package *LEX::create_package_start(THD *thd,
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (unlikely(!(pkg= new sp_package(this, name_arg, sph))))
|
||||
if (unlikely(!(pkg= sp_package::create(this, name_arg, sph))))
|
||||
return NULL;
|
||||
pkg->reset_thd_mem_root(thd);
|
||||
pkg->init(this);
|
||||
|
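Review bot: Replacing `delete lex->sphead;` with `sp_head::destroy(lex->sphead);` in the `else` branch of `lex_end_stage1` (and likewise `sp_head::destroy(thd->lex->sphead);` in `LEX::cleanup_lex_after_parse_error`) loses the guarantee that a null pointer is a no-op, and no null test is visible before either call. The definition of `sp_head::destroy()` is not on this page, so it should be confirmed to start with a guard such as `if (!sp) return;` before it reads the object's own MEM_ROOT; without one the fix would trade the UBSan report for a null dereference. Both enclosing functions begin outside their hunks, so an earlier check on `sphead` may already exist. Separately, the comment in `LEX::make_sp_head` still says `/* Order is important here: new - reset - init */` and should now read `/* Order is important here: create - reset - init */`.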