
oqgraph-dev team mailing list archive

Serious use after free bug


Hi all,

https://mariadb.atlassian.net/browse/MDEV-6282 is a use after free bug that
happens when one connection is opened, oqgraph queried, then the connection
closed, then a second connection opened and oqgraph queried again in the same
server session.

Essentially, our handler in open() eventually creates a graph share object
that keeps a reference to the underlying TABLE object, this table object has
an in_use field that is a THD*.

But when the connection goes away, mysqld free()'d that THD. Except the
handler never processes close() at this point, and we never get a chance to
cause that table object to 'refresh', for want of a better word.

Which means when the next query comes along, eventually it calls index_read()
on our handler which calls seek_to() in the graph code which calls back into
mysql using ha_index_read_map on the backing table, which then crashes because
it eventually calls increment_statistics which first increments free()'d
memory via &SSV and then accesses a bogus member pointer in the long dead THD.

I don't yet know enough about the internals of mysqld to know how to handle this...

cheers,
Andrew
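The lifetime problem described in the message, reduced to a small C model. This is an added example and not code from the list, from OQGRAPH or from MariaDB: `conn_ctx` stands in for the THD, `table::in_use` for `TABLE::in_use`, `graph_share` for the share object that caches the TABLE pointer, and `bump_statistics()` for the server-side statistics update that touches the connection object. The slot pool with a poisoned `magic` field is a stand-in for the heap, so that the dangling dereference can be reported instead of being undefined behaviour; all of these names are hypothetical. `run_scenario()` replays the reported sequence (query, close, new connection, query) once with the cached `in_use` and once with the mitigation pattern of rebinding `in_use` to the connection running the current statement.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the lifetime bug in the report (not MariaDB/OQGRAPH
 * code). conn_ctx stands in for THD, table::in_use for TABLE::in_use, and
 * graph_share for the share object that caches the TABLE pointer. */

#define LIVE_MAGIC 0x4C495645L   /* "LIVE" */
#define DEAD_MAGIC 0x44454144L   /* "DEAD" */
#define MAX_CONN   4

typedef struct {
    long magic;        /* poisoned on close so a dangling use is detectable here;
                          on a real heap the read would be undefined behaviour */
    long statements;   /* counter bumped on every index read (cf. increment_statistics) */
} conn_ctx;

typedef struct {
    conn_ctx *in_use;  /* which connection currently owns the table */
} table;

typedef struct {
    table *tbl;        /* cached across statements, like the graph share */
} graph_share;

/* Slot pool standing in for the heap: hands out a fresh slot each time so a
 * new connection never lands on the address the old one had. */
static conn_ctx pool[MAX_CONN];
static int next_slot;

static void pool_reset(void) { memset(pool, 0, sizeof pool); next_slot = 0; }

static conn_ctx *conn_open(void) {
    conn_ctx *c = &pool[next_slot++ % MAX_CONN];
    c->magic = LIVE_MAGIC;
    c->statements = 0;
    return c;
}

/* Models mysqld freeing the THD; the handler gets no close() callback. */
static void conn_close(conn_ctx *c) { c->magic = DEAD_MAGIC; }

/* Models increment_statistics(): touches the per-connection counters. */
static int bump_statistics(conn_ctx *c, long *out) {
    if (c->magic != LIVE_MAGIC)
        return -1;            /* dangling pointer detected (a crash in real life) */
    *out = ++c->statements;
    return 0;
}

static void handler_open(graph_share *s, table *t, conn_ctx *c) {
    t->in_use = c;
    s->tbl = t;               /* share keeps the TABLE, and with it in_use */
}

/* Buggy pattern: trust the in_use cached at open() time. */
static int index_read_cached(graph_share *s, long *out) {
    return bump_statistics(s->tbl->in_use, out);
}

/* Mitigation pattern: rebind in_use to the connection running this statement
 * before calling back into the server, i.e. the "refresh" the report asks for. */
static int index_read_refreshed(graph_share *s, conn_ctx *current, long *out) {
    s->tbl->in_use = current;
    return bump_statistics(s->tbl->in_use, out);
}

/* Replays the report's sequence: connection 1 opens and queries, closes;
 * connection 2 opens and queries against the same cached share.
 * Returns 0 on success, -1 if the second query hit a dead connection. */
int run_scenario(int refresh, long *count) {
    table tbl;
    graph_share share;
    conn_ctx *c1, *c2;
    long n;

    pool_reset();
    c1 = conn_open();
    handler_open(&share, &tbl, c1);
    if (index_read_cached(&share, &n) != 0) return -1;   /* first query is fine */
    conn_close(c1);                                      /* THD freed, no close() to us */

    c2 = conn_open();
    return refresh ? index_read_refreshed(&share, c2, count)
                   : index_read_cached(&share, count);
}

int main(void) {
    long n = 0;
    printf("cached in_use:    %s\n", run_scenario(0, &n) ? "dangling (crash)" : "ok");
    printf("refreshed in_use: %s, statements=%ld\n", run_scenario(1, &n) ? "dangling" : "ok", n);
    return 0;
}
```

The cached path fails on the second connection's query because the share still points at the first connection's context; the refreshed path succeeds because the handler rebinds `in_use` at the start of each statement rather than trusting what it saw in open(). In a real build, AddressSanitizer or Valgrind would surface the cached-path read as a use after free rather than returning an error code.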

