MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used

nayuta-yanagisawa · nayuta-yanagisawa · commit f8c3d5927445 · 2022-01-19T18:58:47.000+09:00
Spider dereferences a freed select_lex and then results in SIGSEGV.
diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc
@@ -2423,6 +2423,11 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protection_request,
       di->table_list.alias.str=    di->table_list.table_name.str=    di->thd.query();
       di->table_list.alias.length= di->table_list.table_name.length= di->thd.query_length();
       di->table_list.db= di->thd.db;
+      /*
+        Nulify select_lex because, if the thread that spawned the current one
+        disconnects, the select_lex will point to freed memory.
+      */
+      di->table_list.select_lex= NULL;
       /*
         We need the tickets so that they can be cloned in
         handle_delayed_insert
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result
@@ -0,0 +1,34 @@
+#
+# MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='srv "s_2_1", table "tbl_a"';
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+connection master_1;
+DROP DATABASE auto_test_local;
+connection child2_1;
+DROP DATABASE auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test
@@ -0,0 +1,44 @@
+--echo #
+--echo # MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+
+eval CREATE TABLE tbl_a (
+    a INT AUTO_INCREMENT KEY,
+    b INT,INDEX i (b)
+) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+    a INT AUTO_INCREMENT KEY,
+    b INT,INDEX i (b)
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='srv "s_2_1", table "tbl_a"';
+
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+
+let $wait_condition=select count(*)=3 from tbl_a
+source include/wait_condition.inc;
+
+--connection master_1
+DROP DATABASE auto_test_local;
+
+--connection child2_1
+DROP DATABASE auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+!include include/default_mysqld.cnf`
	`2`	`+!include ../my_1_1.cnf`
	`3`	`+!include ../my_2_1.cnf`