MDEV-27240 SIGSEGV in ha_spider::store_lock on LOCK TABLE

The commit e954d9de gave different lifetime to wide_share and partition_handler_share. This introduced the possibility that partition_handler_share could be accessed even after it was freed. We stop sharing partitoiin_handler_share and make it belong to a single wide_handler to fix the problem.

MDEV-27240 SIGSEGV in ha_spider::store_lock on LOCK TABLE
The commit e954d9de gave different lifetime to wide_share and partition_handler_share. This introduced the possibility that partition_handler_share could be accessed even after it was freed. We stop sharing partitoiin_handler_share and make it belong to a single wide_handler to fix the problem.
2ecd39c9 · Nayuta Yanagisawa · 8535c260 · 2ecd39c9 · 2ecd39c9 · 2ecd39c9
Commit 2ecd39c9 authored Jan 11, 2022 by Nayuta Yanagisawa
8 changed files
--- a/storage/spider/ha_spider.cc
+++ b/storage/spider/ha_spider.cc
--- a/storage/spider/ha_spider.h
+++ b/storage/spider/ha_spider.h
 /* Copyright (C) 2008-2019 Kentoku Shiba
-   Copyright (C) 2019 MariaDB corp
+   Copyright (C) 2019-2022 MariaDB corp
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -92,8 +92,7 @@ class ha_spider final : public handler
  SPIDER_POSITION    *pushed_pos;
  SPIDER_POSITION    pushed_pos_buf;
 #ifdef WITH_PARTITION_STORAGE_ENGINE
-  bool               pt_handler_share_owner = FALSE;
+  SPIDER_PARTITION_HANDLER *partition_handler;
-  SPIDER_PARTITION_HANDLER_SHARE *partition_handler_share;
 #endif
  bool                wide_handler_owner = FALSE;
  SPIDER_WIDE_HANDLER *wide_handler = NULL;

--- a/storage/spider/mysql-test/spider/bugfix/r/mdev_27240.result
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_27240.result
+for master_1
+for child2
+for child3
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (a INT KEY) ENGINE=SPIDER;
+SELECT a.z FROM tbl_a AS a,tbl_a b WHERE a.z=b.z;
+ERROR 42S22: Unknown column 'a.z' in 'field list'
+ALTER TABLE tbl_a CHANGE c c INT;
+ERROR 42S22: Unknown column 'c' in 'tbl_a'
+LOCK TABLE tbl_a READ;
+ERROR HY000: Unable to connect to foreign data source: localhost
+DROP DATABASE auto_test_local;
+for master_1
+for child2
+for child3
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_27240.cnf
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_27240.cnf
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_27240.test
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_27240.test
+--disable_warnings
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+--enable_warnings
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (a INT KEY) ENGINE=SPIDER;
+--error ER_BAD_FIELD_ERROR
+SELECT a.z FROM tbl_a AS a,tbl_a b WHERE a.z=b.z;
+--error ER_BAD_FIELD_ERROR
+ALTER TABLE tbl_a CHANGE c c INT;
+--error ER_CONNECT_TO_FOREIGN_DATA_SOURCE
+LOCK TABLE tbl_a READ;
+DROP DATABASE auto_test_local;
+--disable_warnings
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
+--enable_warnings
--- a/storage/spider/spd_include.h
+++ b/storage/spider/spd_include.h
 /* Copyright (C) 2008-2020 Kentoku Shiba
-   Copyright (C) 2019-2020 MariaDB corp
+   Copyright (C) 2019-2022 MariaDB corp
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -676,18 +676,15 @@ typedef struct st_spider_lgtm_tblhnd_share
 } SPIDER_LGTM_TBLHND_SHARE;
 #ifdef WITH_PARTITION_STORAGE_ENGINE
-typedef struct st_spider_patition_handler_share
+typedef struct st_spider_patition_handler
 {
  bool               clone_bitmap_init;
-#ifdef SPIDER_HAS_HASH_VALUE_TYPE
-  my_hash_value_type table_hash_value;
-#endif
  query_id_t         parallel_search_query_id;
  uint               no_parts;
  TABLE              *table;
  ha_spider          *owner;
  ha_spider          **handlers;
-} SPIDER_PARTITION_HANDLER_SHARE;
+} SPIDER_PARTITION_HANDLER;
 #endif
 typedef struct st_spider_wide_share
@@ -701,12 +698,6 @@ typedef struct st_spider_wide_share
  THR_LOCK           lock;
  pthread_mutex_t    sts_mutex;
  pthread_mutex_t    crd_mutex;
-  pthread_mutex_t    pt_handler_mutex;
-  HASH               pt_handler_hash;
-  uint               pt_handler_hash_id;
-  const char         *pt_handler_hash_func_name;
-  const char         *pt_handler_hash_file_name;
-  ulong              pt_handler_hash_line_no;
  volatile bool      sts_init;
  volatile bool      crd_init;
@@ -751,7 +742,7 @@ typedef struct st_spider_wide_handler
 #endif
 #endif
 #ifdef WITH_PARTITION_STORAGE_ENGINE
-  SPIDER_PARTITION_HANDLER_SHARE *partition_handler_share;
+  SPIDER_PARTITION_HANDLER *partition_handler;
 #endif
 #ifdef HANDLER_HAS_DIRECT_UPDATE_ROWS
  List<Item>         *direct_update_fields;

--- a/storage/spider/spd_table.cc
+++ b/storage/spider/spd_table.cc
 /* Copyright (C) 2008-2020 Kentoku Shiba
-   Copyright (C) 2019-2020 MariaDB corp
+   Copyright (C) 2019-2022 MariaDB corp
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -432,7 +432,7 @@ uchar *spider_wide_share_get_key(
 #ifdef WITH_PARTITION_STORAGE_ENGINE
 uchar *spider_pt_handler_share_get_key(
-  SPIDER_PARTITION_HANDLER_SHARE *share,
+  SPIDER_PARTITION_HANDLER *share,
  size_t *length,
  my_bool not_used __attribute__ ((unused))
 ) {
@@ -6436,34 +6436,8 @@ SPIDER_WIDE_SHARE *spider_get_wide_share(
      goto error_init_crd_mutex;
    }
-#if MYSQL_VERSION_ID < 50500
-    if (pthread_mutex_init(&wide_share->pt_handler_mutex,
-      MY_MUTEX_INIT_FAST))
-#else
-    if (mysql_mutex_init(spd_key_mutex_pt_handler,
-      &wide_share->pt_handler_mutex, MY_MUTEX_INIT_FAST))
-#endif
-    {
-      *error_num = HA_ERR_OUT_OF_MEM;
-      goto error_init_pt_handler_mutex;
-    }
-    if(
-      my_hash_init(PSI_INSTRUMENT_ME, &wide_share->pt_handler_hash, spd_charset_utf8mb3_bin,
-        32, 0, 0, (my_hash_get_key) spider_pt_handler_share_get_key, 0, 0)
-    ) {
-      *error_num = HA_ERR_OUT_OF_MEM;
-      goto error_init_pt_handler_hash;
-    }
    thr_lock_init(&wide_share->lock);
-    spider_alloc_calc_mem_init(wide_share->pt_handler_hash, 142);
-    spider_alloc_calc_mem(spider_current_trx,
-      wide_share->pt_handler_hash,
-      wide_share->pt_handler_hash.array.max_element *
-      wide_share->pt_handler_hash.array.size_of_element);
    uint old_elements = spider_open_wide_share.array.max_element;
 #ifdef HASH_UPDATE_WITH_HASH_VALUE
    if (my_hash_insert_with_hash_value(&spider_open_wide_share,
@@ -6491,14 +6465,6 @@ SPIDER_WIDE_SHARE *spider_get_wide_share(
  DBUG_RETURN(wide_share);
 error_hash_insert:
-  spider_free_mem_calc(spider_current_trx,
-    wide_share->pt_handler_hash_id,
-    wide_share->pt_handler_hash.array.max_element *
-    wide_share->pt_handler_hash.array.size_of_element);
-  my_hash_free(&wide_share->pt_handler_hash);
-error_init_pt_handler_hash:
-  pthread_mutex_destroy(&wide_share->pt_handler_mutex);
-error_init_pt_handler_mutex:
  pthread_mutex_destroy(&wide_share->crd_mutex);
 error_init_crd_mutex:
  pthread_mutex_destroy(&wide_share->sts_mutex);
@@ -6523,12 +6489,6 @@ int spider_free_wide_share(
 #else
    my_hash_delete(&spider_open_wide_share, (uchar*) wide_share);
 #endif
-    spider_free_mem_calc(spider_current_trx,
-      wide_share->pt_handler_hash_id,
-      wide_share->pt_handler_hash.array.max_element *
-      wide_share->pt_handler_hash.array.size_of_element);
-    my_hash_free(&wide_share->pt_handler_hash);
-    pthread_mutex_destroy(&wide_share->pt_handler_mutex);
    pthread_mutex_destroy(&wide_share->crd_mutex);
    pthread_mutex_destroy(&wide_share->sts_mutex);
    spider_free(spider_current_trx, wide_share, MYF(0));
@@ -8036,15 +7996,15 @@ int spider_get_sts(
  if (error_num)
  {
 #ifdef WITH_PARTITION_STORAGE_ENGINE
-    SPIDER_PARTITION_HANDLER_SHARE *partition_handler_share =
+    SPIDER_PARTITION_HANDLER *partition_handler =
-      spider->partition_handler_share;
+      spider->partition_handler;
    if (
      !share->wide_share->sts_init &&
      sts_sync >= sts_sync_level &&
      get_type > 1 &&
-      partition_handler_share &&
+      partition_handler &&
-      partition_handler_share->handlers &&
+      partition_handler->handlers &&
-      partition_handler_share->handlers[0] == spider
+      partition_handler->handlers[0] == spider
    ) {
      int roop_count;
      ha_spider *tmp_spider;
@@ -8054,11 +8014,11 @@ int spider_get_sts(
      int tmp_sts_sync;
      THD *thd = spider->wide_handler->trx->thd;
      for (roop_count = 1;
-        roop_count < (int) partition_handler_share->no_parts;
+        roop_count < (int) partition_handler->no_parts;
        roop_count++)
      {
        tmp_spider =
-          (ha_spider *) partition_handler_share->handlers[roop_count];
+          (ha_spider *) partition_handler->handlers[roop_count];
        tmp_share = tmp_spider->share;
        tmp_sts_interval = spider_param_sts_interval(thd, share->sts_interval);
        tmp_sts_mode = spider_param_sts_mode(thd, share->sts_mode);
@@ -8187,15 +8147,15 @@ int spider_get_crd(
  if (error_num)
  {
 #ifdef WITH_PARTITION_STORAGE_ENGINE
-    SPIDER_PARTITION_HANDLER_SHARE *partition_handler_share =
+    SPIDER_PARTITION_HANDLER *partition_handler =
-      spider->partition_handler_share;
+      spider->partition_handler;
    if (
      !share->wide_share->crd_init &&
      crd_sync >= crd_sync_level &&
      get_type > 1 &&
-      partition_handler_share &&
+      partition_handler &&
-      partition_handler_share->handlers &&
+      partition_handler->handlers &&
-      partition_handler_share->handlers[0] == spider
+      partition_handler->handlers[0] == spider
    ) {
      int roop_count;
      ha_spider *tmp_spider;
@@ -8205,11 +8165,11 @@ int spider_get_crd(
      int tmp_crd_sync;
      THD *thd = spider->wide_handler->trx->thd;
      for (roop_count = 1;
-        roop_count < (int) partition_handler_share->no_parts;
+        roop_count < (int) partition_handler->no_parts;
        roop_count++)
      {
        tmp_spider =
-          (ha_spider *) partition_handler_share->handlers[roop_count];
+          (ha_spider *) partition_handler->handlers[roop_count];
        tmp_share = tmp_spider->share;
        tmp_crd_interval = spider_param_crd_interval(thd, share->crd_interval);
        tmp_crd_mode = spider_param_crd_mode(thd, share->crd_mode);
@@ -9348,10 +9308,10 @@ int spider_set_direct_limit_offset(
    DBUG_RETURN(TRUE);
  if (
-    spider->partition_handler_share &&
+    spider->partition_handler &&
-    !spider->pt_handler_share_owner
+    !spider->wide_handler_owner
  ) {
-    if (spider->partition_handler_share->owner->
+    if (spider->partition_handler->owner->
      result_list.direct_limit_offset == TRUE)
    {
      spider->result_list.direct_limit_offset = TRUE;

--- a/storage/spider/spd_table.h
+++ b/storage/spider/spd_table.h
 /* Copyright (C) 2008-2019 Kentoku Shiba
-   Copyright (C) 2019 MariaDB corp
+   Copyright (C) 2019-2022 MariaDB corp
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -321,7 +321,7 @@ uchar *spider_wide_share_get_key(
 #ifdef WITH_PARTITION_STORAGE_ENGINE
 uchar *spider_pt_handler_share_get_key(
-  SPIDER_PARTITION_HANDLER_SHARE *share,
+  SPIDER_PARTITION_HANDLER *share,
  size_t *length,
  my_bool not_used __attribute__ ((unused))
 );