MDEV-30924 Server crashes in MYSQL_LOG::is_open upon ALTER vs FUNCTION

FooBarrior · vuvova · commit 3ad0e7edd15b · 2023-08-15T10:16:13.000+02:00
ASAN showed use-after-free in binlog_online_alter_end_trans, during
running through thd-&gt;online_alter_cache_list.

In online_alter_binlog_get_cache_data, new_cache_data was allocated on
thd-&gt;mem_root, in case of autocommit=1, but this mem_root could be freed
in sp_head::execute, upon using stored functions.

It appears that thd-&gt;transaction-&gt;mem_root exists even in single-stmt
transaction mode (i.e autocommit=1), so it can be used in all cases.
This mem_root will remain valid till the end of transaction, including
commit phase.
diff --git a/mysql-test/main/alter_table_online_debug.result b/mysql-test/main/alter_table_online_debug.result
@@ -1190,5 +1190,27 @@ set debug_sync= 'now signal goon';
 connection default;
 drop table t;
 #
+# MDEV-30924 Server crashes in MYSQL_LOG::is_open upon ALTER vs FUNCTION
+#
+create table t (a int);
+insert into t values (1),(2);
+create function f () returns int
+begin
+update t set a = 10;
+return 0;
+end $
+set debug_sync= 'alter_table_online_downgraded signal downgraded wait_for goon';
+alter table t force, algorithm=copy;
+connection con1;
+set debug_sync= 'now wait_for downgraded';
+select f();
+f()
+0
+set debug_sync= 'now signal goon';
+connection default;
+drop table t;
+drop function f;
+disconnect con1;
+#
 # End of 11.2 tests
 #
diff --git a/mysql-test/main/alter_table_online_debug.test b/mysql-test/main/alter_table_online_debug.test
@@ -1370,6 +1370,34 @@ set debug_sync= 'now signal goon';
 --reap
 drop table t;
 
+--echo #
+--echo # MDEV-30924 Server crashes in MYSQL_LOG::is_open upon ALTER vs FUNCTION
+--echo #
+create table t (a int);
+insert into t values (1),(2);
+
+--delimiter $
+create function f () returns int
+begin
+  update t set a = 10;
+  return 0;
+end $
+--delimiter ;
+
+set debug_sync= 'alter_table_online_downgraded signal downgraded wait_for goon';
+send alter table t force, algorithm=copy;
+
+--connection con1
+set debug_sync= 'now wait_for downgraded';
+select f();
+set debug_sync= 'now signal goon';
+
+--connection default
+--reap
+drop table t;
+drop function f;
+--disconnect con1
+
 --echo #
 --echo # End of 11.2 tests
 --echo #
diff --git a/sql/log.cc b/sql/log.cc
@@ -6449,8 +6449,7 @@ online_alter_cache_data *online_alter_binlog_get_cache_data(THD *thd, TABLE *tab
       return &cache;
   }
 
-  MEM_ROOT *root= thd->in_multi_stmt_transaction_mode()
-                  ? &thd->transaction->mem_root : thd->mem_root;
+  MEM_ROOT *root= &thd->transaction->mem_root;
   auto *new_cache_data= binlog_setup_cache_data(root, table->s);
   list.push_back(*new_cache_data);
 

Original file line number	Diff line number	Diff line change
`@@ -6449,8 +6449,7 @@ online_alter_cache_data online_alter_binlog_get_cache_data(THD thd, TABLE *tab`
`6449`	`6449`	`return &cache;`
`6450`	`6450`	`}`
`6451`	`6451`
`6452`		`- MEM_ROOT *root= thd->in_multi_stmt_transaction_mode()`
`6453`		`- ? &thd->transaction->mem_root : thd->mem_root;`
	`6452`	`+ MEM_ROOT *root= &thd->transaction->mem_root;`
`6454`	`6453`	`auto *new_cache_data= binlog_setup_cache_data(root, table->s);`
`6455`	`6454`	`list.push_back(*new_cache_data);`
`6456`	`6455`