maria-developers team mailing list archive

Thread
Date

Re: 2be9b69f4ff: MDEV-23001 Precreate static Item_bool() to simplify code

To: Michael Widenius <michael.widenius@xxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Fri, 14 May 2021 21:03:53 +0200
Cc: MariaDB Developers <maria-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAEiQ=_v1p4qOeoTG+fZzgNm1f_hWLep3Q-Xo1QHUsCGa_Vpt3w@mail.gmail.com>

Hi, Michael!

On May 10, Michael Widenius wrote:
> > > diff --git a/sql/item.cc b/sql/item.cc
> > > index 1a86b8b3114..0f160fa257b 100644
> > > --- a/sql/item.cc
> > > +++ b/sql/item.cc
> > > @@ -55,7 +55,8 @@ const char *item_empty_name="";
> > >  const char *item_used_name= "\0";
> > >
> > >  static int save_field_in_field(Field *, bool *, Field *, bool);
> > > -
> > > +const Item_bool_static Item_false("FALSE", 0);
> > > +const Item_bool_static Item_true("TRUE", 1);
> >
> > The main question - we have tons of modifiable Item members. How do
> > you know none of them will modified in your Item_bool_static
> > objects?
> 
> Because these are global const. We will get an assert if anyone tries.

No. It doesn't go into a read-only segment.
Here's the patch that really makes it to go there:

--- a/sql/item.h
+++ b/sql/item.h
@@ -4395,7 +4395,22 @@ class Item_bool_static :public Item_bool
   { DBUG_ASSERT(0); }
 };
 
-extern const Item_bool_static Item_false, Item_true;
+class Item_bool_static_true: public Item_bool_static
+{
+  public:
+  Item_bool_static_true():
+    Item_bool_static("TRUE", 1) {}
+};
+
+class Item_bool_static_false: public Item_bool_static
+{
+  public:
+  Item_bool_static_false():
+    Item_bool_static("FALSE", 0) {}
+};
+
+extern const Item_bool_static_true Item_true;
+extern const Item_bool_static_false Item_false;
 
 class Item_uint :public Item_int
 {

diff --git a/sql/item.cc b/sql/item.cc
index 67fcb7d4e0c..1f0031dcfb9 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -55,8 +55,9 @@ const char *item_empty_name="";
 const char *item_used_name= "\0";
 
 static int save_field_in_field(Field *, bool *, Field *, bool);
-const Item_bool_static Item_false("FALSE", 0);
-const Item_bool_static Item_true("TRUE", 1);
+
+const Item_bool_static_false Item_false;
+const Item_bool_static_true Item_true __attribute__ ((section (".rodata")));
 
 /**
   Compare two Items for List<Item>::add_unique()
=============================================================

With this patch the server immediately crashes on startup, on

3052    class Type_numeric_attributes
3053    {
...  
3069      Type_numeric_attributes()
3070 =>  :max_length(0), decimals(0), unsigned_flag(false)
3071      { }

with the stack trace:

#0  0x0000555555fa7210 in Type_numeric_attributes::Type_numeric_attributes (
    this=0x555556db0468 <Item_true+8>) at sql/sql_type.h:3070
#1  0x0000555555fa7244 in Type_std_attributes::Type_std_attributes (
    this=0x555556db0468 <Item_true+8>) at sql/sql_type.h:3128
#2  0x0000555555fa7282 in Type_all_attributes::Type_all_attributes (
    this=0x555556db0460 <Item_true>) at sql/sql_type.h:3305
#3  0x0000555556214d70 in Item::Item (this=0x555556db0460 <Item_true>)
    at sql/item.cc:452
#4  0x0000555556236efa in Item_basic_value::Item_basic_value (
    this=0x555556db0460 <Item_true>) at sql/item.h:2929
#5  0x0000555556236f4e in Item_basic_constant::Item_basic_constant (
    this=0x555556db0460 <Item_true>) at sql/item.h:2959
#6  0x000055555623725e in Item_literal::Item_literal (
    this=0x555556db0460 <Item_true>) at sql/item.h:3338
#7  0x00005555562372a2 in Item_num::Item_num (this=0x555556db0460 <Item_true>)
    at sql/item.h:3353
#8  0x0000555556237d74 in Item_int::Item_int (this=0x555556db0460 <Item_true>,
    str_arg=0x555556dafc3f "TRUE", i=1, length=1) at sql/item.h:4330
#9  0x0000555556237e2b in Item_bool::Item_bool (
    this=0x555556db0460 <Item_true>, str_arg=0x555556dafc3f "TRUE", i=1)
    at sql/item.h:4371
#10 0x0000555556237f3d in Item_bool_static::Item_bool_static (
    this=0x555556db0460 <Item_true>, str_arg=0x555556dafc3f "TRUE", i=1)
    at sql/item.h:4392
#11 0x000055555623805c in Item_bool_static_true::Item_bool_static_true (
    this=0x555556db0460 <Item_true>) at sql/item.h:4402
#12 0x00005555562361be in __static_initialization_and_destruction_0 (
    __initialize_p=1, __priority=65535) at sql/item.cc:60
#13 0x00005555562361f4 in _GLOBAL__sub_I_item.cc(void) () at sql/item.cc:10755
#14 0x0000555556b8cf45 in __libc_csu_init (argc=argc@entry=1,
    argv=argv@entry=0x7fffffffdeb8, envp=0x7fffffffdec8) at elf-init.c:89
#15 0x00007ffff76ebbcc in __libc_start_main (main=
    0x555555d2c4b5 <main(int, char**)>, argc=1, argv=0x7fffffffdeb8, init=
    0x555556b8cf00 <__libc_csu_init>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffdea8)
    at ../csu/libc-start.c:270
#16 0x0000555555d2c3fa in _start ()

that is, before main(), on attempt to initialize your Item_true.

In other words, you'll never be able to put it into a read-only segment.
And you have no protection against run-time modifications of your static
items. So, now I see it as a very dangerous trick and I ask you not to
push it.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

References

Re: 2be9b69f4ff: MDEV-23001 Precreate static Item_bool() to simplify code
From: Sergei Golubchik, 2021-03-25
Re: 2be9b69f4ff: MDEV-23001 Precreate static Item_bool() to simplify code
From: Michael Widenius, 2021-05-10