Hi all, https://mariadb.atlassian.net/browse/MDEV-6282 is a use-after-free bug that happens when one connection is opened, oqgraph queried, then the connection closed, then a second connection opened and oqgraph queried again in the same server session.

Essentially, our handler in open() eventually creates a graph share object that keeps a reference to the underlying TABLE object; this table object has an in_use field that is a THD*. But when the connection goes away, mysqld free()'d that THD. Except the handler never processes close() at this point, and we never get a chance to cause that table object to 'refresh', for want of a better word. Which means when the next query comes along, eventually it calls index_read() on our handler, which calls seek_to() in the graph code, which calls back into mysql using ha_index_read_map on the backing table, which then crashes because it eventually calls increment_statistics, which first increments free()'d memory via &SSV and then accesses a bogus member pointer in the long-dead THD.

I don't yet know enough about the internals of mysqld to know how to handle this...

cheers, Andrew

--
Mailing list: https://launchpad.net/~oqgraph-dev
Post to: oqgraph-dev@lists.launchpad.net
Unsubscribe: https://launchpad.net/~oqgraph-dev
More help: https://help.launchpad.net/ListHelp
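The lifetime problem in the report above, as an added, deliberately simplified model that is not OQGRAPH or MariaDB code: a share that outlives connections caches a raw TABLE* whose in_use is the first connection's THD, and the only mitigation shown is rebinding the backing table on every open(); the THD, TABLE, Share, open_buggy and open_fixed names and the simulated allocator are all hypothetical.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Hypothetical, simplified model (not MariaDB/OQGRAPH code) of the lifetime bug
// described above: each connection's THD owns a TABLE whose in_use points back
// at that THD, while the graph share outlives connections and caches a raw TABLE*.
struct THD { int conn_id; };
struct TABLE { THD* in_use; };

// Stand-in for the server's THD allocator. free() is simulated by marking the
// THD dead (no real deallocation) so the check below stays deterministic instead
// of touching freed memory.
struct ThdAllocator {
    std::vector<std::unique_ptr<THD>> storage;
    std::vector<THD*> dead;
    THD* alloc(int id) { storage.emplace_back(new THD{id}); return storage.back().get(); }
    void free(THD* t) { dead.push_back(t); }
    bool is_live(const THD* t) const { return std::find(dead.begin(), dead.end(), t) == dead.end(); }
};

struct Share { TABLE* backing = nullptr; };   // shared across connections

// Buggy open(): bind the backing table only on first use, so a later connection
// inherits a TABLE whose in_use is the previous (freed) THD.
void open_buggy(Share& s, TABLE* t) { if (!s.backing) s.backing = t; }
// Mitigated open(): rebind on every open so in_use is the current connection's THD.
void open_fixed(Share& s, TABLE* t) { s.backing = t; }

// Replays the reported sequence: conn 1 opens and queries, closes (THD freed,
// handler close() never runs), conn 2 opens and queries through the same share.
// Returns true only if both queries see a live THD behind share.backing.
bool second_query_sees_live_thd(void (*open_fn)(Share&, TABLE*)) {
    ThdAllocator thds;
    Share share;
    THD* thd1 = thds.alloc(1);
    TABLE t1{thd1};
    open_fn(share, &t1);
    bool first_ok = thds.is_live(share.backing->in_use);   // index_read -> seek_to -> ha_index_read_map
    thds.free(thd1);                                        // connection 1 goes away
    THD* thd2 = thds.alloc(2);
    TABLE t2{thd2};
    open_fn(share, &t2);
    bool second_ok = thds.is_live(share.backing->in_use);  // buggy path: in_use is still thd1
    thds.free(thd2);
    return first_ok && second_ok;
}
```

With open_buggy the second query is routed to a TABLE whose in_use was freed with connection 1, which is the point at which the real server dereferences dead memory; with open_fixed the share follows the current connection.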