database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00
Code Activity

MDEV-28268: Server crashes in Expression_cache_tracker::fetch_current_stats

Browse Source 
Expression_cache_tmptable object uses an Expression_cache_tracker object
to report the statistics.

In the common scenario, Expression_cache_tmptable destructor sets
tracker->cache=NULL. The tracker object survives after the expression
cache is deleted and one may call cache_tracker->fetch_current_stats()
for it with no harm.

However a degenerate cache with no parameters does not set
tracker->cache=NULL in Expression_cache_tmptable destructor which
results in an attempt to use freed data in the
cache_tracker->fetch_current_stats() call.

Fixed by setting tracker->cache to NULL and wrapping the assignment into
a function.
This commit is contained in:
Sergei Petrunia
2022-04-26 23:03:34 +03:00
parent c711abd182
commit eea15803ec
4 changed files with 98 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
sql/sql_expression_cache.h
View File

@ -83,7 +83,11 @@ public:
cache(c), hit(0), miss(0), state(UNINITED)
{}
private:
// This can be NULL if the cache is already deleted
Expression_cache *cache;
public:
ulong hit, miss;
enum expr_cache_state state;
@ -91,6 +95,7 @@ public:
void set(ulong h, ulong m, enum expr_cache_state s)
{hit= h; miss= m; state= s;}
void detach_from_cache() { cache= NULL; }
void fetch_current_stats()
{
if (cache)