Bug#23550835 ITERATING ON A FULL PERFORMANCE SCHEMA BUFFER CAN CRASH

Before this fix, a SELECT on performance schema tables could crash
the server, when an internal buffer is full.

This could happen for example with:
- more than 2^20 tables
- more than 2^20 indexes
- more than 2^20 files

The immediate root cause is that using PFS_buffer_scalable_iterator
on a full buffer causes an overflow in
PFS_buffer_scalable_container::scan_next(),
by accessing a page outside of m_pages[]

This has been fixed by changing the do {} while loop
into a while {} loop.

For robustness, other do while loops have been
changed to use the same while {} pattern,
which is more tolerant to edge cases,
and therefore less risky for maintenance.

While investigating this issue, another case of overflow was found
in the code: every page in the scalable buffer is of size PFS_PAGE_SIZE,
** except ** the last page, which can be smaller, due to m_last_page_size.

The problem is that every code that iterate on pages,
for example PFS_buffer_scalable_container::apply(),
expects page to have a size of PFS_PAGE_SIZE,
and cause corruption when using a partial last page.

The fix is to:
- make each page aware of its own size, with
  PFS_buffer_default_array::m_max,
- iterate from PFS_buffer_default_array::get_first()
  to PFS_buffer_default_array::get_last(),
  instead of using [0, PFS_PAGE_SIZE[

Also, logic for iterators need to be aware of partial pages,
with tests such as "if (index_2 >= page->m_max)",
in PFS_buffer_scalable_container::get().

Lastly, the hard coded theoretical size limit on some buffers
has been raised, since it was reached in practice for some workloads.

New limits are:
- 16 million instrumented tables (2^24), increased from 1M (2^20)
- 64 million instrumented indexes (2^26), increased from 1M (2^20)
- 16 million instrumented files (2^24), increased from 1M (2^20)

Author: marcalff

storage/perfschema/pfs_buffer_container.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -64,8 +64,9 @@ PFS_program_container global_program_container(& default_program_allocator);
 PFS_buffer_default_allocator<PFS_prepared_stmt> default_prepared_stmt_allocator(& builtin_memory_prepared_stmt);
 PFS_prepared_stmt_container global_prepared_stmt_container(& default_prepared_stmt_allocator);
 
-int PFS_account_allocator::alloc_array(PFS_account_array *array, size_t size)
+int PFS_account_allocator::alloc_array(PFS_account_array *array)
 {
+  size_t size= array->m_max;
   size_t index;
   size_t waits_sizing= size * wait_class_max;
   size_t stages_sizing= size * stage_class_max;
@@ -168,8 +169,9 @@ int PFS_account_allocator::alloc_array(PFS_account_array *array, size_t size)
   return 0;
 }
 
-void PFS_account_allocator::free_array(PFS_account_array *array, size_t size)
+void PFS_account_allocator::free_array(PFS_account_array *array)
 {
+  size_t size= array->m_max;
   size_t waits_sizing= size * wait_class_max;
   size_t stages_sizing= size * stage_class_max;
   size_t statements_sizing= size * statement_class_max;
@@ -209,8 +211,9 @@ void PFS_account_allocator::free_array(PFS_account_array *array, size_t size)
 PFS_account_allocator account_allocator;
 PFS_account_container global_account_container(& account_allocator);
 
-int PFS_host_allocator::alloc_array(PFS_host_array *array, size_t size)
+int PFS_host_allocator::alloc_array(PFS_host_array *array)
 {
+  size_t size= array->m_max;
   PFS_host *pfs;
   size_t index;
   size_t waits_sizing= size * wait_class_max;
@@ -316,8 +319,9 @@ int PFS_host_allocator::alloc_array(PFS_host_array *array, size_t size)
   return 0;
 }
 
-void PFS_host_allocator::free_array(PFS_host_array *array, size_t size)
+void PFS_host_allocator::free_array(PFS_host_array *array)
 {
+  size_t size= array->m_max;
   size_t waits_sizing= size * wait_class_max;
   size_t stages_sizing= size * stage_class_max;
   size_t statements_sizing= size * statement_class_max;
@@ -357,8 +361,9 @@ void PFS_host_allocator::free_array(PFS_host_array *array, size_t size)
 PFS_host_allocator host_allocator;
 PFS_host_container global_host_container(& host_allocator);
 
-int PFS_thread_allocator::alloc_array(PFS_thread_array *array, size_t size)
+int PFS_thread_allocator::alloc_array(PFS_thread_array *array)
 {
+  size_t size= array->m_max;
   PFS_thread *pfs;
   PFS_events_statements *pfs_stmt;
   unsigned char *pfs_tokens;
@@ -614,8 +619,9 @@ int PFS_thread_allocator::alloc_array(PFS_thread_array *array, size_t size)
   return 0;
 }
 
-void PFS_thread_allocator::free_array(PFS_thread_array *array, size_t size)
+void PFS_thread_allocator::free_array(PFS_thread_array *array)
 {
+  size_t size= array->m_max;
   size_t waits_sizing= size * wait_class_max;
   size_t stages_sizing= size * stage_class_max;
   size_t statements_sizing= size * statement_class_max;
@@ -718,8 +724,9 @@ void PFS_thread_allocator::free_array(PFS_thread_array *array, size_t size)
 PFS_thread_allocator thread_allocator;
 PFS_thread_container global_thread_container(& thread_allocator);
 
-int PFS_user_allocator::alloc_array(PFS_user_array *array, size_t size)
+int PFS_user_allocator::alloc_array(PFS_user_array *array)
 {
+  size_t size= array->m_max;
   PFS_user *pfs;
   size_t index;
   size_t waits_sizing= size * wait_class_max;
@@ -825,8 +832,9 @@ int PFS_user_allocator::alloc_array(PFS_user_array *array, size_t size)
   return 0;
 }
 
-void PFS_user_allocator::free_array(PFS_user_array *array, size_t size)
+void PFS_user_allocator::free_array(PFS_user_array *array)
 {
+  size_t size= array->m_max;
   size_t waits_sizing= size * wait_class_max;
   size_t stages_sizing= size * stage_class_max;
   size_t statements_sizing= size * statement_class_max;