MDEV-16153 Server crashes in Apc_target::disable, ASAN heap-use-after-free in Explain_query::~Explain_query upon/after EXECUTE IMMEDIATE

Explain_query must be created in the execution arena. But JOIN::optimize_inner temporarily switches to the statement arena under `if (sel->first_cond_optimization)`. This might cause Explain_query to be allocated in the statement arena. Usually it is harmless (although technically incorrect and a waste of memory), but in case of EXECUTE IMMEDIATE, Prepared_statement object and its statement arena are destroyed before log_slow_statement() call, which uses Explain_query. Fix: 1. Create Explain_query before switching arenas. 2. Before filling earlier-created Explain_query with data, set thd->mem_root from the Explain_query::mem_root
2025-07-30 16:24:05 +03:00 · 2018-05-18 19:12:35 +02:00
parent 207e5ba316
commit 1cc67e090e
3 changed files with 26 additions and 1 deletions
--- a/mysql-test/t/explain_slowquerylog.test
+++ b/mysql-test/t/explain_slowquerylog.test
@ -61,3 +61,9 @@ SELECT 1;
 SET log_slow_rate_limit=@save1;
 SET long_query_time=@save2;

+#
+# MDEV-16153 Server crashes in Apc_target::disable, ASAN heap-use-after-free in Explain_query::~Explain_query upon/after EXECUTE IMMEDIATE
+#
+create table t1 (a int);
+execute immediate "select * from t1 join t1 t2 on (t1.a>5) where exists (select 1)";
+drop table t1;