MDEV-37720 use-after-free on CREATE OR REPLACE GTT under pseudo_slave_mode

... and LOCK TABLES.

Global temporary tables data is not replicated, and pseudo_slave_mode is
used internally for partial replication testing.

Hence forbid opening GTT (i.e. create child GTT handles) under
pseudo_slave_mode, and forbid setting pseudo_slave_mode=1 whenever child
GTT handles are open.

Author: FooBarrior

mysql-test/main/global_temporary_table.result

@@ -1109,4 +1109,18 @@ Warning	1196	Some non-transactional changed tables couldn't be rolled back
 select * from gtt;
 c
 drop table gtt;
+# MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode
+create global temporary table t (c int) engine=innodb on commit preserve rows;
+set pseudo_slave_mode=1;
+select * from t;
+ERROR HY000: Failed to open t.test
+set pseudo_slave_mode=0;
+Warnings:
+Warning	1231	Slave applier execution mode not active, statement ineffective.
+select * from t;
+c
+set pseudo_slave_mode=1;
+ERROR 42000: Variable 'pseudo_slave_mode' can't be set to the value of '1'
+truncate t;
+drop table t;
 disconnect con1;

mysql-test/main/global_temporary_table.test

@@ -973,5 +973,16 @@ rollback to sp1;
 select * from gtt;
 drop table gtt;
 
+--echo # MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode
+create global temporary table t (c int) engine=innodb on commit preserve rows;
+set pseudo_slave_mode=1;
+--error ER_GTID_OPEN_TABLE_FAILED
+select * from t;
+set pseudo_slave_mode=0;
+select * from t;
+--error ER_WRONG_VALUE_FOR_VAR
+set pseudo_slave_mode=1;
+truncate t;
+drop table t;
 
 --disconnect con1

mysql-test/suite/binlog/r/global_temporary_table.result

@@ -1112,6 +1112,20 @@ Warning	1196	Some non-transactional changed tables couldn't be rolled back
 select * from gtt;
 c
 drop table gtt;
+# MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode
+create global temporary table t (c int) engine=innodb on commit preserve rows;
+set pseudo_slave_mode=1;
+select * from t;
+ERROR HY000: Failed to open t.test
+set pseudo_slave_mode=0;
+Warnings:
+Warning	1231	Slave applier execution mode not active, statement ineffective.
+select * from t;
+c
+set pseudo_slave_mode=1;
+ERROR 42000: Variable 'pseudo_slave_mode' can't be set to the value of '1'
+truncate t;
+drop table t;
 disconnect con1;
 include/show_binlog_events.inc
 Log_name	Pos	Event_type	Server_id	End_log_pos	Info
@@ -1688,4 +1702,8 @@ master-bin.000001	#	Gtid	#	#	GTID #-#-#
 master-bin.000001	#	Query	#	#	use `test`; create global temporary table gtt (c int)
 master-bin.000001	#	Gtid	#	#	GTID #-#-#
 master-bin.000001	#	Query	#	#	use `test`; DROP TABLE `gtt` /* generated by server */
+master-bin.000001	#	Gtid	#	#	GTID #-#-#
+master-bin.000001	#	Query	#	#	use `test`; create global temporary table t (c int) engine=innodb on commit preserve rows
+master-bin.000001	#	Gtid	#	#	GTID #-#-#
+master-bin.000001	#	Query	#	#	use `test`; DROP TABLE `t` /* generated by server */
 set global binlog_annotate_row_events= @old_binlog_annotate_row_events;

mysql-test/suite/rpl/r/global_temporary_table.result

@@ -1112,6 +1112,20 @@ Warning	1196	Some non-transactional changed tables couldn't be rolled back
 select * from gtt;
 c
 drop table gtt;
+# MDEV-37720 use-after-free on CREATE OR REPLACE GTT under LOCK TABLES and pseudo_slave_mode
+create global temporary table t (c int) engine=innodb on commit preserve rows;
+set pseudo_slave_mode=1;
+select * from t;
+ERROR HY000: Failed to open t.test
+set pseudo_slave_mode=0;
+Warnings:
+Warning	1231	Slave applier execution mode not active, statement ineffective.
+select * from t;
+c
+set pseudo_slave_mode=1;
+ERROR 42000: Variable 'pseudo_slave_mode' can't be set to the value of '1'
+truncate t;
+drop table t;
 disconnect con1;
 connection slave;
 connection master;

sql/sql_table.cc

@@ -6222,6 +6222,16 @@ my_bool open_global_temporary_table(THD *thd, TABLE_SHARE *source,
                                     MDL_ticket *mdl_ticket)
 {
   DBUG_ASSERT(!thd->rgi_slave); // slave won't use global temporary tables
+  if (thd->variables.pseudo_slave_mode)
+  {
+    push_warning(thd, Sql_condition::WARN_LEVEL_WARN,
+                 ER_GTID_OPEN_TABLE_FAILED,
+                 "Can't open global temporary table upder "
+                 "slave applier execution mode");
+    my_error(ER_GTID_OPEN_TABLE_FAILED, MYF(0),
+             source->table_name.str, source->db.str);
+    return TRUE;
+  }
 
   /*
     First, lookup in tmp tables list for cases like "t join t"

sql/sys_vars.cc

@@ -7233,6 +7233,16 @@ static bool check_pseudo_slave_mode(sys_var *self, THD *thd, set_var *var)
   }
   else
   {
+    if (!thd->rgi_slave && thd->temporary_tables &&
+        thd->temporary_tables->global_temporary_tables_count)
+    {
+      push_warning(thd, Sql_condition::WARN_LEVEL_WARN,
+                   ER_WRONG_VALUE_FOR_VAR,
+                   "Slave applier execution mode can't be enabled "
+                   "when some global temporary tables are open.");
+      return TRUE;
+    }
+
     if (!previous_val && !val)
       goto ineffective;
     else if (previous_val && !val)