MDEV-23229 Read of Uninitialized memory during buffer pool resizing

Thirunarayanan · Thirunarayanan · commit 744919552cc6 · 2020-07-24T20:30:06.000+05:30
commit b1ab211 (MDEV-15053) introduced the code to unfix the block earlier in buf_block_t::unfix(). After unfixing the block, InnoDB can withdraw the block from the buffer pool and deallocate it while doing buffer pool resizing. So subsequent assert could leads to uninitialized memory access of block. buf_block_t::unfix(): Unfix the block after checking the assert.
diff --git a/storage/innobase/include/buf0buf.h b/storage/innobase/include/buf0buf.h
@@ -1198,12 +1198,11 @@ struct buf_block_t{
   void fix() { page.fix(); }
   uint32_t unfix()
   {
-    uint32_t fix_count= page.unfix();
-    ut_ad(fix_count || page.io_fix() != BUF_IO_NONE ||
+    ut_ad(page.buf_fix_count() || page.io_fix() != BUF_IO_NONE ||
           page.state() == BUF_BLOCK_ZIP_PAGE ||
           !rw_lock_own_flagged(&lock, RW_LOCK_FLAG_X | RW_LOCK_FLAG_S |
                                RW_LOCK_FLAG_SX));
-    return fix_count;
+    return page.unfix();
   }
 
   /** @return the physical size, in bytes */

Original file line number	Diff line number	Diff line change
`@@ -1198,12 +1198,11 @@ struct buf_block_t{`
`1198`	`1198`	`void fix() { page.fix(); }`
`1199`	`1199`	`uint32_t unfix()`
`1200`	`1200`	`{`
`1201`		`- uint32_t fix_count= page.unfix();`
`1202`		`- ut_ad(fix_count \|\| page.io_fix() != BUF_IO_NONE \|\|`
	`1201`	`+ ut_ad(page.buf_fix_count() \|\| page.io_fix() != BUF_IO_NONE \|\|`
`1203`	`1202`	`page.state() == BUF_BLOCK_ZIP_PAGE \|\|`
`1204`	`1203`	`!rw_lock_own_flagged(&lock, RW_LOCK_FLAG_X \| RW_LOCK_FLAG_S \|`
`1205`	`1204`	`RW_LOCK_FLAG_SX));`
`1206`		`- return fix_count;`
	`1205`	`+ return page.unfix();`
`1207`	`1206`	`}`
`1208`	`1207`
`1209`	`1208`	`/** @return the physical size, in bytes */`