Merge 11.4 into 11.8

Author: dr-m

mysql-test/main/func_json.result

@@ -5290,3 +5290,14 @@ SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
 JSON_OBJECT_FILTER_KEYS (@obj1,@arr1)
 NULL
 # End of 11.2 Test
+# Beginning of 11.4 Test
+#
+# MDEV-33149: JSON_ARRAY_INTERSECT function crashes the server when
+# called with empty json arrays, UBSAN runtime error: member access
+# within null pointer of type 'struct String' in
+# Item_func_json_array_intersect::prepare_json_and_create_hash
+#
+SELECT json_array_intersect(@a,@b);
+json_array_intersect(@a,@b)
+NULL
+# End of 11.4 Test

mysql-test/main/func_json.test

@@ -4178,3 +4178,16 @@ SET @obj1='{ "a": 1,"b": 2,"c": 3}';
 SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
 
 --echo # End of 11.2 Test
+
+--echo # Beginning of 11.4 Test
+
+--echo #
+--echo # MDEV-33149: JSON_ARRAY_INTERSECT function crashes the server when
+--echo # called with empty json arrays, UBSAN runtime error: member access
+--echo # within null pointer of type 'struct String' in
+--echo # Item_func_json_array_intersect::prepare_json_and_create_hash
+--echo #
+
+SELECT json_array_intersect(@a,@b);
+
+--echo # End of 11.4 Test

sql/item_jsonfunc.cc

@@ -5409,6 +5409,9 @@ String* Item_func_json_array_intersect::val_str(String *str)
   json_engine_t je2, res_je, je1;
   String *js2= args[1]->val_json(&tmp_js2), *js1= args[0]->val_json(&tmp_js1);
 
+  if (!js1 || !js2)
+    goto null_return;
+
   if (parse_for_each_row)
   {
     if (args[0]->null_value)
@@ -5504,7 +5507,9 @@ bool Item_func_json_array_intersect::fix_length_and_dec(THD *thd)
   }
 
   js1= args[0]->val_json(&tmp_js1);
-  prepare_json_and_create_hash(&je1, js1);
+
+  if (js1)
+    prepare_json_and_create_hash(&je1, js1);
 
 end:
   set_maybe_null();

storage/innobase/handler/ha_innodb.cc

@@ -1780,6 +1780,20 @@ trx_t *thd_to_trx(const THD *thd) noexcept
   return static_cast<trx_t*>(thd_get_ha_data(thd, innodb_hton_ptr));
 }
 
+/** Detach and free a transaction.
+@param trx transaction
+@return the trx->mysql_thd */
+THD *free_thd_trx(trx_t *trx) noexcept
+{
+  THD *const thd= trx->mysql_thd;
+  DBUG_ASSERT(current_thd == thd);
+  DBUG_ASSERT(thd_to_trx(thd) == trx);
+  thd->ha_data[innodb_hton_ptr->slot].ha_ptr= nullptr;
+  DBUG_ASSERT(thd_to_trx(thd) == nullptr);
+  trx->free();
+  return thd;
+}
+
 #ifdef WITH_WSREP
 /********************************************************************//**
 Obtain the InnoDB transaction id of a MySQL thread.

storage/innobase/include/ha_prototypes.h

@@ -178,6 +178,11 @@ extern "C" unsigned long long thd_start_utime(const MYSQL_THD thd);
 @return InnoDB transaction */
 trx_t *thd_to_trx(const THD *thd) noexcept;
 
+/** Detach and free a transaction.
+@param trx transaction
+@return the trx->mysql_thd */
+THD *free_thd_trx(trx_t *trx) noexcept;
+
 /** Determines the current SQL statement.
 Thread unsafe, can only be called from the thread owning the THD.
 @param[in]	thd	MySQL thread handle

storage/innobase/srv/srv0srv.cc

@@ -1474,9 +1474,7 @@ extern struct handlerton *innodb_hton_ptr;
 
 static void release_thd(trx_t *trx, void *ctx)
 {
-  THD *const thd= trx->mysql_thd;
-  trx->free();
-  thd_set_ha_data(thd, innodb_hton_ptr, nullptr);
+  THD *const thd= free_thd_trx(trx);
   thd_detach_thd(ctx);
   std::unique_lock<std::mutex> lk(purge_thd_mutex);
   purge_thds.push_back(thd);