BUG#19894987: HANDLE_FATAL_SIGNAL (SIG=11) IN HA_INDEX_OR_RND_END | SQL/HANDLER.H:1999

Execution of certain BINLOG statements while having temporary tables
open by HANDLER statements caused server crash.

Execution of BINLOG statements for Start/Format_description events
may close the connection's temporary tables. If a handler had been associated
with a temporary table, the BINLOG statement's call to close_temporary_tables()
would result in dangling pointers to the now freed TABLE in
thd->handler_table_hash. Similarly, a dangling pointer would also be left if
there was a lock on the temporary table. Running with valgrind showed that
freed memory was being accessed.

Solution: Properly close handlers and remove locks associated with temporary
tables being closed by the BINLOG statement.

Author: Dyre Tjeldvoll

sql/sql_base.cc

@@ -1728,13 +1728,18 @@ bool close_temporary_tables(THD *thd)
   DBUG_ASSERT(!thd->slave_thread ||
               thd->system_thread != SYSTEM_THREAD_SLAVE_WORKER);
 
+  /*
+    Ensure we don't have open HANDLERs for tables we are about to close.
+    This is necessary when close_temporary_tables() is called as part
+    of execution of BINLOG statement (e.g. for format description event).
+  */
+  mysql_ha_rm_temporary_tables(thd);
   if (!mysql_bin_log.is_open())
   {
-    TABLE *tmp_next;
-    for (table= thd->temporary_tables; table; table= tmp_next)
+    for (TABLE *t= thd->temporary_tables; t; t= t->next)
     {
-      tmp_next= table->next;
-      close_temporary(table, 1, 1);
+        mysql_lock_remove(thd, thd->lock, t);
+        close_temporary(t, 1, 1);
     }
 
     thd->temporary_tables= 0;
@@ -1743,6 +1748,7 @@ bool close_temporary_tables(THD *thd)
 
     DBUG_RETURN(FALSE);
   }
+
   /*
     We are about to generate DROP TEMPORARY TABLE statements for all
     the left out temporary tables. If GTID_NEXT is set (e.g. if user
@@ -1866,6 +1872,7 @@ bool close_temporary_tables(THD *thd)
         }
 
         next= table->next;
+        mysql_lock_remove(thd, thd->lock, table);
         close_temporary(table, 1, 1);
       }
       thd->clear_error();

sql/sql_handler.cc

@@ -986,6 +986,53 @@ void mysql_ha_flush(THD *thd)
 }
 
 
+/**
+  Remove temporary tables from the HANDLER's hash table. The reason
+  for having a separate function, rather than calling
+  mysql_ha_rm_tables() is that it is not always feasible (e.g. in
+  close_temporary_tables) to obtain a TABLE_LIST containing the
+  temporary tables.
+
+  @See close_temporary_tables
+  @param thd Thread identifier.
+*/
+void mysql_ha_rm_temporary_tables(THD *thd)
+{
+  DBUG_ENTER("mysql_ha_rm_temporary_tables");
+
+  TABLE_LIST *tmp_handler_tables= NULL;
+  for (uint i= 0; i < thd->handler_tables_hash.records; i++)
+  {
+    TABLE_LIST *handler_table= reinterpret_cast<TABLE_LIST*>
+      (my_hash_element(&thd->handler_tables_hash, i));
+
+    if (handler_table->table && handler_table->table->s->tmp_table)
+    {
+      handler_table->next_local= tmp_handler_tables;
+      tmp_handler_tables= handler_table;
+    }
+  }
+
+  while (tmp_handler_tables)
+  {
+    TABLE_LIST *nl= tmp_handler_tables->next_local;
+    mysql_ha_close_table(thd, tmp_handler_tables);
+    my_hash_delete(&thd->handler_tables_hash, (uchar*) tmp_handler_tables);
+    tmp_handler_tables= nl;
+  }
+
+  /*
+    Mark MDL_context as no longer breaking protocol if we have
+    closed last HANDLER.
+  */
+  if (thd->handler_tables_hash.records == 0)
+  {
+    thd->mdl_context.set_needs_thr_lock_abort(FALSE);
+  }
+  DBUG_VOID_RETURN;
+}
+
+
 /**
   Close all HANDLER's tables.
 

sql/sql_handler.h

@@ -124,6 +124,7 @@ class Sql_cmd_handler_close : public Sql_cmd
 void mysql_ha_flush(THD *thd);
 void mysql_ha_flush_tables(THD *thd, TABLE_LIST *all_tables);
 void mysql_ha_rm_tables(THD *thd, TABLE_LIST *tables);
+void mysql_ha_rm_temporary_tables(THD *thd);
 void mysql_ha_cleanup(THD *thd);
 void mysql_ha_set_explicit_lock_duration(THD *thd);