MDEV-19445 heap-use-after-free related to innodb_ft_aux_table

Try to fix the race conditions between
SET GLOBAL innodb_ft_aux_table = ...;
and access to the INFORMATION_SCHEMA tables that depend on
this variable.

innodb_ft_aux_table: Replaces
fts_internal_tbl_name,fts_internal_tbl_name2. Just store the
user-specified parameter as is.

innodb_ft_aux_table_id: The table_id corresponding to
SET GLOBAL innodb_ft_aux_table, or 0 if the table does not exist
or does not contain FULLTEXT INDEX. If the table is renamed later,
the INFORMATION_SCHEMA tables will continue to refer to the table.
If the table is dropped or rebuilt, the INFORMATION_SCHEMA tables
will not find the table.

mysql-test/suite/innodb/r/innodb_skip_innodb_is_tables.result

@@ -319,14 +319,24 @@ the
 www
 select * from information_schema.innodb_ft_deleted;
 DOC_ID
+Warnings:
+Warning	1012	InnoDB: SELECTing from INFORMATION_SCHEMA.innodb_ft_deleted but the InnoDB storage engine is not installed
 select * from information_schema.innodb_ft_being_deleted;
 DOC_ID
+Warnings:
+Warning	1012	InnoDB: SELECTing from INFORMATION_SCHEMA.innodb_ft_being_deleted but the InnoDB storage engine is not installed
 select * from information_schema.innodb_ft_index_cache;
 WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+Warnings:
+Warning	1012	InnoDB: SELECTing from INFORMATION_SCHEMA.innodb_ft_index_cache but the InnoDB storage engine is not installed
 select * from information_schema.innodb_ft_index_table;
 WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+Warnings:
+Warning	1012	InnoDB: SELECTing from INFORMATION_SCHEMA.innodb_ft_index_table but the InnoDB storage engine is not installed
 select * from information_schema.innodb_ft_config;
 KEY	VALUE
+Warnings:
+Warning	1012	InnoDB: SELECTing from INFORMATION_SCHEMA.innodb_ft_config but the InnoDB storage engine is not installed
 select * from information_schema.innodb_buffer_page;
 POOL_ID	BLOCK_ID	SPACE	PAGE_NUMBER	PAGE_TYPE	FLUSH_TYPE	FIX_COUNT	IS_HASHED	NEWEST_MODIFICATION	OLDEST_MODIFICATION	ACCESS_TIME	TABLE_NAME	INDEX_NAME	NUMBER_RECORDS	DATA_SIZE	COMPRESSED_SIZE	PAGE_STATE	IO_FIX	IS_OLD	FREE_PAGE_CLOCK
 Warnings:

mysql-test/suite/innodb_fts/r/innodb_ft_aux_table.result

@@ -0,0 +1,116 @@
+CREATE TABLE t1 (v VARCHAR(100), FULLTEXT INDEX (v)) ENGINE=InnoDB;
+insert into t1 VALUES('First record'),('Second record'),('Third record');
+SET @save_ft_aux_table = @@GLOBAL.innodb_ft_aux_table;
+SET GLOBAL innodb_ft_aux_table = 'test/t0';
+ERROR 42000: Variable 'innodb_ft_aux_table' can't be set to the value of 'test/t0'
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DEFAULT_STOPWORD;
+value
+a
+about
+an
+are
+as
+at
+be
+by
+com
+de
+en
+for
+from
+how
+i
+in
+is
+it
+la
+of
+on
+or
+that
+the
+this
+to
+was
+what
+when
+where
+who
+will
+with
+und
+the
+www
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+KEY	VALUE
+SET GLOBAL innodb_ft_aux_table = 'test/t1';
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+first	1	1	1	1	0
+record	1	3	3	1	6
+record	1	3	3	2	7
+record	1	3	3	3	6
+second	2	2	1	2	0
+third	3	3	1	3	0
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+KEY	VALUE
+optimize_checkpoint_limit	180
+synced_doc_id	0
+stopword_table_name	
+use_stopword	1
+SELECT @@GLOBAL.innodb_ft_aux_table;
+@@GLOBAL.innodb_ft_aux_table
+test/t1
+RENAME TABLE t1 TO t2;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+first	1	1	1	1	0
+record	1	3	3	1	6
+record	1	3	3	2	7
+record	1	3	3	3	6
+second	2	2	1	2	0
+third	3	3	1	3	0
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+KEY	VALUE
+optimize_checkpoint_limit	180
+synced_doc_id	0
+stopword_table_name	
+use_stopword	1
+SELECT @@GLOBAL.innodb_ft_aux_table;
+@@GLOBAL.innodb_ft_aux_table
+test/t1
+DROP TABLE t2;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+DOC_ID
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+WORD	FIRST_DOC_ID	LAST_DOC_ID	DOC_COUNT	DOC_ID	POSITION
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+KEY	VALUE
+SELECT @@GLOBAL.innodb_ft_aux_table;
+@@GLOBAL.innodb_ft_aux_table
+test/t1
+SET GLOBAL innodb_ft_aux_table = @save_ft_aux_table;

mysql-test/suite/innodb_fts/t/innodb_ft_aux_table.opt

@@ -0,0 +1,6 @@
+--innodb_ft_default_stopword
+--innodb_ft_deleted
+--innodb_ft_being_deleted
+--innodb_ft_index_cache
+--innodb_ft_index_table
+--innodb_ft_config

mysql-test/suite/innodb_fts/t/innodb_ft_aux_table.test

@@ -0,0 +1,43 @@
+--source include/have_innodb.inc
+
+CREATE TABLE t1 (v VARCHAR(100), FULLTEXT INDEX (v)) ENGINE=InnoDB;
+
+insert into t1 VALUES('First record'),('Second record'),('Third record');
+
+SET @save_ft_aux_table = @@GLOBAL.innodb_ft_aux_table;
+
+connect (con1,localhost,root,,);
+--error ER_WRONG_VALUE_FOR_VAR
+SET GLOBAL innodb_ft_aux_table = 'test/t0';
+connection default;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DEFAULT_STOPWORD;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+connection con1;
+SET GLOBAL innodb_ft_aux_table = 'test/t1';
+disconnect con1;
+connection default;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+SELECT @@GLOBAL.innodb_ft_aux_table;
+RENAME TABLE t1 TO t2;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+SELECT @@GLOBAL.innodb_ft_aux_table;
+DROP TABLE t2;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_BEING_DELETED;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_CACHE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_INDEX_TABLE;
+SELECT * FROM INFORMATION_SCHEMA.INNODB_FT_CONFIG;
+SELECT @@GLOBAL.innodb_ft_aux_table;
+SET GLOBAL innodb_ft_aux_table = @save_ft_aux_table;

storage/innobase/fts/fts0fts.cc

@@ -107,11 +107,6 @@ UNIV_INTERN mysql_pfs_key_t	fts_doc_id_mutex_key;
 UNIV_INTERN mysql_pfs_key_t	fts_pll_tokenize_mutex_key;
 #endif /* UNIV_PFS_MUTEX */
 
-/** variable to record innodb_fts_internal_tbl_name for information
-schema table INNODB_FTS_INSERTED etc. */
-UNIV_INTERN char* fts_internal_tbl_name		= NULL;
-UNIV_INTERN char* fts_internal_tbl_name2	= NULL;
-
 /** InnoDB default stopword list:
 There are different versions of stopwords, the stop words listed
 below comes from "Google Stopword" list. Reference:

storage/innobase/handler/ha_innodb.cc

@@ -17118,98 +17118,36 @@ innodb_stopword_table_validate(
 	return(ret);
 }
 
-/*************************************************************//**
-Check whether valid argument given to "innodb_fts_internal_tbl_name"
-This function is registered as a callback with MySQL.
-@return 0 for valid stopword table */
-static
-int
-innodb_internal_table_validate(
-/*===========================*/
-	THD*				thd,	/*!< in: thread handle */
-	struct st_mysql_sys_var*	var,	/*!< in: pointer to system
-						variable */
-	void*				save,	/*!< out: immediate result
-						for update function */
-	struct st_mysql_value*		value)	/*!< in: incoming string */
-{
-	const char*	table_name;
-	char		buff[STRING_BUFFER_USUAL_SIZE];
-	int		len = sizeof(buff);
-	int		ret = 1;
-	dict_table_t*	user_table;
-
-	ut_a(save != NULL);
-	ut_a(value != NULL);
-
-	table_name = value->val_str(value, buff, &len);
-
-	if (!table_name) {
-		*static_cast<const char**>(save) = NULL;
-		return(0);
-	}
-
-	user_table = dict_table_open_on_name(
-		table_name, FALSE, TRUE, DICT_ERR_IGNORE_NONE);
-
-	if (user_table) {
-		if (dict_table_has_fts_index(user_table)) {
-			*static_cast<const char**>(save) = table_name;
-			ret = 0;
+/** The latest assigned innodb_ft_aux_table name */
+static char* innodb_ft_aux_table;
+
+/** Update innodb_ft_aux_table_id on SET GLOBAL innodb_ft_aux_table.
+@param[out]	save	new value of innodb_ft_aux_table
+@param[in]	value	user-specified value */
+static int innodb_ft_aux_table_validate(THD*, st_mysql_sys_var*,
+					void* save, st_mysql_value* value)
+{
+	char buf[STRING_BUFFER_USUAL_SIZE];
+	int len = sizeof buf;
+
+	if (const char* table_name = value->val_str(value, buf, &len)) {
+		if (dict_table_t* table = dict_table_open_on_name(
+			    table_name, FALSE, TRUE, DICT_ERR_IGNORE_NONE)) {
+			const table_id_t id = dict_table_has_fts_index(table)
+				? table->id : 0;
+			dict_table_close(table, FALSE, FALSE);
+			if (id) {
+				innodb_ft_aux_table_id = id;
+				*static_cast<const char**>(save) = table_name;
+				return 0;
+			}
 		}
 
-		dict_table_close(user_table, FALSE, TRUE);
-
-		DBUG_EXECUTE_IF("innodb_evict_autoinc_table",
-			mutex_enter(&dict_sys->mutex);
-			dict_table_remove_from_cache_low(user_table, TRUE);
-			mutex_exit(&dict_sys->mutex);
-		);
-	}
-
-	return(ret);
-}
-
-/****************************************************************//**
-Update global variable "fts_internal_tbl_name" with the "saved"
-stopword table name value. This function is registered as a callback
-with MySQL. */
-static
-void
-innodb_internal_table_update(
-/*=========================*/
-	THD*				thd,	/*!< in: thread handle */
-	struct st_mysql_sys_var*	var,	/*!< in: pointer to
-						system variable */
-	void*				var_ptr,/*!< out: where the
-						formal string goes */
-	const void*			save)	/*!< in: immediate result
-						from check function */
-{
-	const char*	table_name;
-	char*		old;
-
-	ut_a(save != NULL);
-	ut_a(var_ptr != NULL);
-
-	table_name = *static_cast<const char*const*>(save);
-	old = *(char**) var_ptr;
-
-	if (table_name) {
-		*(char**) var_ptr =  my_strdup(table_name,  MYF(0));
-	} else {
-		*(char**) var_ptr = NULL;
-	}
-
-	if (old) {
-		my_free(old);
-	}
-
-	fts_internal_tbl_name2 = *(char**) var_ptr;
-	if (fts_internal_tbl_name2 == NULL) {
-		fts_internal_tbl_name = const_cast<char*>("default");
+		return 1;
 	} else {
-		fts_internal_tbl_name = fts_internal_tbl_name2;
+		*static_cast<char**>(save) = NULL;
+		innodb_ft_aux_table_id = 0;
+		return 0;
 	}
 }
 
@@ -19476,11 +19414,10 @@ static MYSQL_SYSVAR_BOOL(disable_sort_file_cache, srv_disable_sort_file_cache,
   "Whether to disable OS system file cache for sort I/O",
   NULL, NULL, FALSE);
 
-static MYSQL_SYSVAR_STR(ft_aux_table, fts_internal_tbl_name2,
-  PLUGIN_VAR_NOCMDARG,
+static MYSQL_SYSVAR_STR(ft_aux_table, innodb_ft_aux_table,
+  PLUGIN_VAR_NOCMDARG | PLUGIN_VAR_MEMALLOC,
   "FTS internal auxiliary table to be checked",
-  innodb_internal_table_validate,
-  innodb_internal_table_update, NULL);
+  innodb_ft_aux_table_validate, NULL, NULL);
 
 static MYSQL_SYSVAR_ULONG(ft_cache_size, fts_max_cache_size,
   PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,