Details
Minor
Description
All invocations of post_kill_notification are protected by LOCK_thd_data except one in close_connections. This may lead to race condition. post_kill_notification will shutdown the socket, event handler thread will receive notification and will destroy the THD at the same time.
Gliffy Diagrams
Attachments
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
Is there any evidence that MariaDB (not Percona Server) has this bug?
In MariaDB, freeing memory (vio_delete) happens when THD destructor is running.. At this moment, THD is not anymore in the global threads list (see unlink_thd() calling thd->unlink() before THD destructor). The "unlink" operation is protected by LOCK_thread_count. Therefore, code in server shutdown, that traverses the threads lists under protection of the same LOCK_thread_count mutex , and issues post_kill_notification, this code cannot possibly access freed memory.
In Percona Server 5.6, on the other hand, accessing freed memory is quite possible . Freeing vio memory happens under in threadpool_remove_connection in thd->release_resources(), which is newly introduced in 5.6. MariaDB does not have THD::release_resources, and the threadpool_remove_connection is the same as in 5.5, with proper LOCK_thread_count mutex protection as described above.
As for Percona Server, I think that that newly introduced thd->release_resources(); is the culprit, and that it is not required at all (because it will be called anyway in THD destructor, after the THD is removed from the global list)
Closing for now, since the bug is non-existent in MariaDB. Please feel free to reopen if I missed something in the analysis above.
https://bugs.launchpad.net/bugs/1206065