fil0fil.c:

Add assertions to check that we do not go out of bounds of io thread status array os0file.c: Fix memory corruption (assertion failure on line 244 of sync0sync.c) reported by Miguel in a Windows build of MySQL-4.1.2. The bug is present in all InnoDB versions in Windows, but it depends on how the linker places a static array in srv0srv.c, whether the bug shows itself. 4 bytes were overwritten with a pointer to a statically allocated string: 'get windows aio return value'. innobase/os/os0file.c: Fix memory corruption (assertion failure on line 244 of sync0sync.c) reported by Miguel in a Windows build of MySQL-4.1.2. The bug is present in all InnoDB versions in Windows, but it depends on how the linker places a static array in srv0srv.c, whether the bug shows itself. 4 bytes were overwritten with a pointer to a statically allocated string: 'get windows aio return value'. innobase/fil/fil0fil.c: Add assertions to check that we do not go out of bounds of io thread status array

fil0fil.c:
Add assertions to check that we do not go out of bounds of io thread status array os0file.c: Fix memory corruption (assertion failure on line 244 of sync0sync.c) reported by Miguel in a Windows build of MySQL-4.1.2. The bug is present in all InnoDB versions in Windows, but it depends on how the linker places a static array in srv0srv.c, whether the bug shows itself. 4 bytes were overwritten with a pointer to a statically allocated string: 'get windows aio return value'. innobase/os/os0file.c: Fix memory corruption (assertion failure on line 244 of sync0sync.c) reported by Miguel in a Windows build of MySQL-4.1.2. The bug is present in all InnoDB versions in Windows, but it depends on how the linker places a static array in srv0srv.c, whether the bug shows itself. 4 bytes were overwritten with a pointer to a statically allocated string: 'get windows aio return value'. innobase/fil/fil0fil.c: Add assertions to check that we do not go out of bounds of io thread status array
f4b6dab2 · unknown · bdb370c8 · f4b6dab2 · f4b6dab2
Commit f4b6dab2 authored Mar 31, 2004 by unknown
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 4 deletions

innobase/fil/fil0fil.c innobase/fil/fil0fil.c +5 -0

innobase/os/os0file.c innobase/os/os0file.c +14 -4

No files found.
--- a/innobase/fil/fil0fil.c
+++ b/innobase/fil/fil0fil.c
@@ -1331,6 +1331,7 @@ fil_aio_wait(
 	ut_ad(fil_validate());
 	if (os_aio_use_native_aio) {
+		ut_a(segment < SRV_MAX_N_IO_THREADS);
 		srv_io_thread_op_info[segment] = (char *) "native aio handle";
 #ifdef WIN_ASYNC_IO
 		ret = os_aio_windows_handle(segment, 0, &fil_node, &message,
@@ -1342,6 +1343,7 @@ fil_aio_wait(
 		ut_error;
 #endif
 	} else {
+		ut_a(segment < SRV_MAX_N_IO_THREADS);
 		srv_io_thread_op_info[segment] =(char *)"simulated aio handle";
 		ret = os_aio_simulated_handle(segment, (void**) &fil_node,
@@ -1350,6 +1352,7 @@ fil_aio_wait(
 	ut_a(ret);
+	ut_a(segment < SRV_MAX_N_IO_THREADS);
 	srv_io_thread_op_info[segment] = (char *) "complete io for fil node";
 	mutex_enter(&(system->mutex));
@@ -1363,10 +1366,12 @@ fil_aio_wait(
 	/* Do the i/o handling */
 	if (buf_pool_is_block(message)) {
+		ut_a(segment < SRV_MAX_N_IO_THREADS);
 		srv_io_thread_op_info[segment] =
 		  (char *) "complete io for buf page";
 		buf_page_io_complete(message);
 	} else {
+		ut_a(segment < SRV_MAX_N_IO_THREADS);
 		srv_io_thread_op_info[segment] =(char *) "complete io for log";
 		log_io_complete(message);
 	}

--- a/innobase/os/os0file.c
+++ b/innobase/os/os0file.c
@@ -1586,6 +1586,7 @@ os_aio_init(
 	os_io_init_simple();
 	for (i = 0; i < n_segments; i++) {
+		ut_a(i < SRV_MAX_N_IO_THREADS);
 	        srv_io_thread_op_info[i] = (char*)"not started yet";
 	}
@@ -1606,12 +1607,14 @@ os_aio_init(
 	os_aio_read_array = os_aio_array_create(n_read_segs * n_per_seg,
 							n_read_segs);
 	for (i = 2; i < 2 + n_read_segs; i++) {
+		ut_a(i < SRV_MAX_N_IO_THREADS);
 	        srv_io_thread_function[i] = (char*)"read thread";
 	}
 	os_aio_write_array = os_aio_array_create(n_write_segs * n_per_seg,
 							n_write_segs);
 	for (i = 2 + n_read_segs; i < n_segments; i++) {
+		ut_a(i < SRV_MAX_N_IO_THREADS);
 	        srv_io_thread_function[i] = (char*)"write thread";
 	}
@@ -2324,11 +2327,10 @@ os_aio_windows_handle(
 	n = array->n_slots / array->n_segments;
 	if (array == os_aio_sync_array) {
-		srv_io_thread_op_info[orig_seg] =
-						"wait Windows aio for 1 page";
 		os_event_wait(os_aio_array_get_nth_slot(array, pos)->event);
 		i = pos;
 	} else {
+		ut_a(orig_seg < SRV_MAX_N_IO_THREADS);
 		srv_io_thread_op_info[orig_seg] =
 						"wait Windows aio";
 		i = os_event_wait_multiple(n,
@@ -2341,7 +2343,12 @@ os_aio_windows_handle(
 	ut_a(slot->reserved);
-	srv_io_thread_op_info[orig_seg] = "get windows aio return value";
+	if (orig_seg != ULINT_UNDEFINED) {
+		ut_a(orig_seg < SRV_MAX_N_IO_THREADS);
+		srv_io_thread_op_info[orig_seg] =
+					"get windows aio return value";
+	}
 	ret = GetOverlappedResult(slot->file, &(slot->control), &len, TRUE);
 	*message1 = slot->message1;
@@ -2664,6 +2671,7 @@ consecutive_loop:
 		}
 	}
+	ut_a(global_segment < SRV_MAX_N_IO_THREADS);
 	srv_io_thread_op_info[global_segment] = (char*) "doing file i/o";
 	if (os_aio_print_debug) {
@@ -2714,6 +2722,7 @@ consecutive_loop:
 	}
 	ut_a(ret);
+	ut_a(global_segment < SRV_MAX_N_IO_THREADS);
 	srv_io_thread_op_info[global_segment] = (char*) "file i/o done";
 /* printf("aio: %lu consecutive %lu:th segment, first offs %lu blocks\n",
@@ -2772,6 +2781,7 @@ wait_for_io:
 	os_mutex_exit(array->mutex);
 recommended_sleep:
+	ut_a(global_segment < SRV_MAX_N_IO_THREADS);
 	srv_io_thread_op_info[global_segment] =
 				(char*)"waiting for i/o request";