MDEV-29027 ASAN errors in spider_db_free_result after partition DDL

Spider calls ha_spider::close() at least twice on ALTER TABLE ... ADD PARTITION. The first call frees wide_handler and the second call accesses wide_handler->trx->thd (heap-use-after-free). In general, there seems to be no problem with using THD obtained by the macro current_thd() except in background threads. Thus, we simply replace wide_handler->trx->thd with current_thd(). Original author: Nayuta Yanagasawa

MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
Spider calls ha_spider::close() at least twice on ALTER TABLE ... ADD PARTITION. The first call frees wide_handler and the second call accesses wide_handler->trx->thd (heap-use-after-free). In general, there seems to be no problem with using THD obtained by the macro current_thd() except in background threads. Thus, we simply replace wide_handler->trx->thd with current_thd(). Original author: Nayuta Yanagasawa
25476ba1 · Yuchen Pei · 6d0c9872 · 25476ba1 · 25476ba1 · 25476ba1
Commit 25476ba1 authored May 09, 2024 by Yuchen Pei
6 changed files
--- a/storage/spider/mysql-test/spider/bugfix/r/mdev_29027.result
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_29027.result
+#
+# MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 PARTITION BY HASH(c) (
+PARTITION pt1
+);
+ALTER TABLE tbl_a ADD PARTITION (PARTITION pt2);
+DROP DATABASE auto_test_local;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
--- a/storage/spider/mysql-test/spider/bugfix/r/mdev_29027_original.result
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_29027_original.result
+for master_1
+for child2
+for child3
+set spider_same_server_link= 1;
+CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root');
+CREATE TABLE t1 (a INT);
+CREATE TABLE t_spider (a INT) ENGINE=SPIDER PARTITION BY HASH(a) (PARTITION p1 COMMENT = "wrapper 'mysql', srv 'srv', table 't1'");
+CREATE TABLE t2 (a INT);
+ALTER TABLE t_spider ADD PARTITION (PARTITION p2 COMMENT = "wrapper 'mysql', srv 'srv', table 't2'");
+DROP TABLE t_spider, t1, t2;
+drop server srv;
+for master_1
+for child2
+for child3
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.cnf
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.cnf
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.test
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027.test
+--echo #
+--echo # MDEV-29027 ASAN errors in spider_db_free_result after partition DDL
+--echo #
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+eval CREATE TABLE tbl_a (
+    c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET PARTITION BY HASH(c) (
+    PARTITION pt1
+);
+ALTER TABLE tbl_a ADD PARTITION (PARTITION pt2);
+DROP DATABASE auto_test_local;
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_29027_original.test
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29027_original.test
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+--source include/have_partition.inc
+set spider_same_server_link= 1;
+evalp CREATE SERVER srv FOREIGN DATA WRAPPER mysql
+OPTIONS (SOCKET "$MASTER_1_MYSOCK", DATABASE 'test',user 'root');
+CREATE TABLE t1 (a INT);
+CREATE TABLE t_spider (a INT) ENGINE=SPIDER PARTITION BY HASH(a) (PARTITION p1 COMMENT = "wrapper 'mysql', srv 'srv', table 't1'");
+CREATE TABLE t2 (a INT);
+ALTER TABLE t_spider ADD PARTITION (PARTITION p2 COMMENT = "wrapper 'mysql', srv 'srv', table 't2'");
+DROP TABLE t_spider, t1, t2;
+drop server srv;
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
--- a/storage/spider/spd_db_conn.cc
+++ b/storage/spider/spd_db_conn.cc
@@ -3406,7 +3406,7 @@ int spider_db_free_result(
  SPIDER_RESULT *result;
  SPIDER_RESULT *prev;
  SPIDER_SHARE *share = spider->share;
-  SPIDER_TRX *trx = spider->wide_handler->trx;
+  THD *thd= current_thd;
  SPIDER_POSITION *position;
  int roop_count, error_num;
  DBUG_ENTER("spider_db_free_result");
@@ -3423,10 +3423,10 @@ int spider_db_free_result(
  if (
    final ||
-    spider_param_reset_sql_alloc(trx->thd, share->reset_sql_alloc) == 1
+    spider_param_reset_sql_alloc(thd, share->reset_sql_alloc) == 1
  ) {
    int alloc_size = final ? 0 :
-      (spider_param_init_sql_alloc_size(trx->thd, share->init_sql_alloc_size));
+      (spider_param_init_sql_alloc_size(thd, share->init_sql_alloc_size));
    while (result)
    {
      position = result->first_position;
@@ -3469,7 +3469,7 @@ int spider_db_free_result(
    {
      ulong realloced = 0;
      int init_sql_alloc_size =
-        spider_param_init_sql_alloc_size(trx->thd, share->init_sql_alloc_size);
+        spider_param_init_sql_alloc_size(thd, share->init_sql_alloc_size);
      for (roop_count = 0; roop_count < (int) share->use_dbton_count;
        roop_count++)
      {