Description:
This problem is found through code review instead of testing.
The source file "https://github.com/mysql/mysql-server/blob/8.0/sql/rpl_msr.cc" has iterator erase problem in looping. This
may cause undefined behavior or stability problem.
The iterator becomes invalid after its element is removed. "it++" would cause undefined behavior due to such invalidation.
How to repeat:
In the code snippet below, the line of "channel_to_filter.erase(it);" has problem.
void Rpl_channel_filters::delete_filter(Rpl_filter *rpl_filter) {
DBUG_ENTER("Rpl_channel_filters::delete_filter");
/* Traverse the filter map. */
m_channel_to_filter_lock->wrlock();
for (filter_map::iterator it = channel_to_filter.begin();
it != channel_to_filter.end(); it++) {
if (it->second == rpl_filter) {
/* Find the replication filter and delete it. */
delete it->second;
channel_to_filter.erase(it);
#ifdef WITH_PERFSCHEMA_STORAGE_ENGINE
reset_pfs_view();
#endif /* WITH_PERFSCHEMA_STORAGE_ENGINE */
m_channel_to_filter_lock->unlock();
DBUG_VOID_RETURN;
}
}
m_channel_to_filter_lock->unlock();
DBUG_VOID_RETURN;
}
Suggested fix:
The fix of one line change is very subtle as below.
void Rpl_channel_filters::delete_filter(Rpl_filter *rpl_filter) {
DBUG_ENTER("Rpl_channel_filters::delete_filter");
/* Traverse the filter map. */
m_channel_to_filter_lock->wrlock();
for (filter_map::iterator it = channel_to_filter.begin();
it != channel_to_filter.end(); it++) {
if (it->second == rpl_filter) {
/* Find the replication filter and delete it. */
delete it->second;
it = channel_to_filter.erase(it);
#ifdef WITH_PERFSCHEMA_STORAGE_ENGINE
reset_pfs_view();
#endif /* WITH_PERFSCHEMA_STORAGE_ENGINE */
m_channel_to_filter_lock->unlock();
DBUG_VOID_RETURN;
}
}
m_channel_to_filter_lock->unlock();
DBUG_VOID_RETURN;
}
