MDEV-29027 ASAN errors in spider_db_free_result after partition DDL

mariadb-YuchenPei · mariadb-YuchenPei · commit 25476ba1ae18 · 2024-05-31T09:06:55.000+10:00
Spider calls ha_spider::close() at least twice on ALTER TABLE ... ADD
PARTITION. The first call frees wide_handler and the second call
accesses wide_handler-&gt;trx-&gt;thd (heap-use-after-free).

In general, there seems to be no problem with using THD obtained by
the macro current_thd() except in background threads. Thus, we simply
replace wide_handler-&gt;trx-&gt;thd with current_thd().

Original author: Nayuta Yanagasawa
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_29027.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_29027.result
@@ -0,0 +1,24 @@
+#
+# MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 PARTITION BY HASH(c) (
+PARTITION pt1
+);
+ALTER TABLE tbl_a ADD PARTITION (PARTITION pt2);
+DROP DATABASE auto_test_local;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_29027_original.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_29027_original.result
@@ -0,0 +1,15 @@
+for master_1
+for child2
+for child3
+set spider_same_server_link= 1;
+CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root');
+CREATE TABLE t1 (a INT);
+CREATE TABLE t_spider (a INT) ENGINE=SPIDER PARTITION BY HASH(a) (PARTITION p1 COMMENT = "wrapper 'mysql', srv 'srv', table 't1'");
+CREATE TABLE t2 (a INT);
+ALTER TABLE t_spider ADD PARTITION (PARTITION p2 COMMENT = "wrapper 'mysql', srv 'srv', table 't2'");
+DROP TABLE t_spider, t1, t2;
+drop server srv;
+for master_1
+for child2
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.test
@@ -0,0 +1,28 @@
+--echo #
+--echo # MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+    c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET PARTITION BY HASH(c) (
+    PARTITION pt1
+);
+
+ALTER TABLE tbl_a ADD PARTITION (PARTITION pt2);
+
+DROP DATABASE auto_test_local;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027_original.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027_original.test
@@ -0,0 +1,22 @@
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+--source include/have_partition.inc
+set spider_same_server_link= 1;
+evalp CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root');
+
+CREATE TABLE t1 (a INT);
+CREATE TABLE t_spider (a INT) ENGINE=SPIDER PARTITION BY HASH(a) (PARTITION p1 COMMENT = "wrapper 'mysql', srv 'srv', table 't1'");
+CREATE TABLE t2 (a INT);
+ALTER TABLE t_spider ADD PARTITION (PARTITION p2 COMMENT = "wrapper 'mysql', srv 'srv', table 't2'");
+
+DROP TABLE t_spider, t1, t2;
+drop server srv;
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
diff --git a/storage/spider/spd_db_conn.cc b/storage/spider/spd_db_conn.cc
@@ -3406,7 +3406,7 @@ int spider_db_free_result(
   SPIDER_RESULT *result;
   SPIDER_RESULT *prev;
   SPIDER_SHARE *share = spider->share;
-  SPIDER_TRX *trx = spider->wide_handler->trx;
+  THD *thd= current_thd;
   SPIDER_POSITION *position;
   int roop_count, error_num;
   DBUG_ENTER("spider_db_free_result");
@@ -3423,10 +3423,10 @@ int spider_db_free_result(
 
   if (
     final ||
-    spider_param_reset_sql_alloc(trx->thd, share->reset_sql_alloc) == 1
+    spider_param_reset_sql_alloc(thd, share->reset_sql_alloc) == 1
   ) {
     int alloc_size = final ? 0 :
-      (spider_param_init_sql_alloc_size(trx->thd, share->init_sql_alloc_size));
+      (spider_param_init_sql_alloc_size(thd, share->init_sql_alloc_size));
     while (result)
     {
       position = result->first_position;
@@ -3469,7 +3469,7 @@ int spider_db_free_result(
     {
       ulong realloced = 0;
       int init_sql_alloc_size =
-        spider_param_init_sql_alloc_size(trx->thd, share->init_sql_alloc_size);
+        spider_param_init_sql_alloc_size(thd, share->init_sql_alloc_size);
       for (roop_count = 0; roop_count < (int) share->use_dbton_count;
         roop_count++)
       {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+!include include/default_mysqld.cnf`
	`2`	`+!include ../my_1_1.cnf`
	`3`	`+!include ../my_2_1.cnf`