| Bug #75373 | incorrect expression | ||
|---|---|---|---|
| Submitted: | 1 Jan 2015 11:11 | Modified: | 9 Jan 2015 15:31 |
| Reporter: | Joshua Rogers | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: InnoDB storage engine | Severity: | S3 (Non-critical) |
| Version: | 5.7.6 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[1 Jan 2015 12:27]
MySQL Verification Team
Thank you for the report, it looks like a cut 'n paste error to me.
On 5.7.6 trunk we get this in TrxFactory::destroy:
```cpp
if (!trx->lock.rec_pool.empty()) {
	/* See lock_trx_alloc_locks() why we only free
	the first element. */
	ut_free(trx->lock.rec_pool[0]);
}
if (!trx->lock.rec_pool.empty()) {
	/* See lock_trx_alloc_locks() why we only free
	the first element. */
	ut_free(trx->lock.table_pool[0]);
}
```
[5 Jan 2015 7:10]
Sunny Bains
Thanks for the bug report. The fix has been pushed.
[5 Jan 2015 9:40]
Joshua Rogers
Could this have led to a double free, by the way? Thanks,
[5 Jan 2015 10:13]
Sunny Bains
No, it was not a double free. The code with and without the fix frees two different data structures. The worst case was the equivalent of ut_free(NULL).
[9 Jan 2015 15:31]
Daniel Price
Posted by developer: Fixed as of the upcoming 5.7.6 release, and here's the changelog entry: An incorrect expression was used in "/storage/innobase/trx/trx0trx.cc". "trx->lock.rec_pool.empty()" was used instead of "trx->lock.table_pool.empty()". Thank you for the bug report.

Description:
in /storage/innobase/trx/trx0trx.cc:

256 if (!trx->lock.rec_pool.empty()) {

it should be

256 if (!trx->lock.table_pool.empty()) {

How to repeat:
.

Suggested fix:
.
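A check for the copy-and-paste pattern in this report (a guard that tests one container while its body indexes a different one), as an added example that is not part of the bug thread or of MySQL's code. The function `mismatched_guards` and both regexes are hypothetical helpers, and the sample input is the snippet quoted in the thread, re-typed here.

```python
import re

# Matches: if (!<container>.empty()) { <body> }  (body without nested braces)
GUARD = re.compile(r"if\s*\(\s*!\s*([\w.\->]+?)\.empty\(\)\s*\)\s*\{([^{}]*)\}", re.S)
# Matches a first-element access such as trx->lock.table_pool[0]
INDEXED = re.compile(r"([\w.\->]+)\[\s*0\s*\]")


def mismatched_guards(source):
    """Return (line, guarded, indexed) for each empty() guard whose body
    indexes element 0 of a container other than the one that was tested."""
    findings = []
    for m in GUARD.finditer(source):
        guarded, body = m.group(1), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        for used in INDEXED.findall(body):
            if used != guarded:
                findings.append((line, guarded, used))
    return findings


# Constructed sample: the TrxFactory::destroy snippet quoted in the thread.
BUGGY = """\
if (!trx->lock.rec_pool.empty()) {
    /* See lock_trx_alloc_locks() why we only free
    the first element. */
    ut_free(trx->lock.rec_pool[0]);
}
if (!trx->lock.rec_pool.empty()) {
    /* See lock_trx_alloc_locks() why we only free
    the first element. */
    ut_free(trx->lock.table_pool[0]);
}
"""

# Same snippet with the second guard corrected as the changelog entry describes.
head, tail = BUGGY.split("}\n", 1)
FIXED = head + "}\n" + tail.replace("rec_pool.empty()", "table_pool.empty()")

if __name__ == "__main__":
    for line, guarded, used in mismatched_guards(BUGGY):
        print(f"line {line}: guard tests {guarded} but body indexes {used}")
    print("findings after fix:", mismatched_guards(FIXED))
```

The regexes only handle flat guard bodies like the one in this report; nested braces or iterator-based access would need a real parser.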