From ab90eaad792996d10c5c67cde09cffa3d5baebbd Mon Sep 17 00:00:00 2001
From: Aleksey Midenkov
Date: Mon, 13 Jan 2025 15:40:59 +0300
Subject: [PATCH] MDEV-22695 Server crashes in heap_rnext upon DELETE from a HEAP table

Quick read record uses different handler (H1) for finding records. It cannot use ha_delete_row() handler (H2) as it is different search mode: inited == INDEX for H1, inited == RND for H2. So, read handler H1 uses index while write handler H2 uses random access. For going next record in H1 there is info->last_pos optimization for stepping index via tree_search_next(). This optimization can work with deleted rows only if delete is conducted in the same handler, there is:
67 int hp_rb_delete_key(HP_INFO *info, register HP_KEYDEF *keyinfo,
68 const uchar *record, uchar *recpos, int flag)
69 {
...
74 if (flag)
75 info->last_pos= NULL; /* For heap_rnext/heap_rprev */
But this cannot work for different handler. So, last_pos in H1 after delete in H2 contains stale info->parents array and last_pos points into that parents. In the specific test case last_pos' parent is already freed node and tree_search_next() steps into it. The fix invalidates local savings of info->parents and info->last_pos based on key_version. Record deletion increments share->key_version in H2, so in H1 we know the tree might be changed. Another good measure would be to use H1 for delete. But this is bigger refactoring than just bug fixing.
---
 mysql-test/suite/heap/heap.result | 7 +++++++
 mysql-test/suite/heap/heap.test | 9 +++++++++
 storage/heap/hp_rnext.c | 4 +++-
 storage/heap/hp_rprev.c | 3 ++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/mysql-test/suite/heap/heap.result b/mysql-test/suite/heap/heap.result
index 67641d51b02..11c50d97475 100644
--- a/mysql-test/suite/heap/heap.result
+++ b/mysql-test/suite/heap/heap.result
@@ -877,3 +877,10 @@ DELETE FROM t1 WHERE ts = 1 AND color = 'GREEN';
 SELECT * from t1 WHERE ts = 1 AND color = 'GREEN';
 id color ts
 DROP TABLE t1;
+#
+# MDEV-22695 Server crashes in heap_rnext upon DELETE from a HEAP table
+#
+CREATE TABLE t1 (a VARCHAR(128), b VARCHAR(32), KEY(a) USING BTREE, KEY(b) USING BTREE) ENGINE=HEAP;
+INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL);
+DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL;
+DROP TABLE t1;
diff --git a/mysql-test/suite/heap/heap.test b/mysql-test/suite/heap/heap.test
index ef950da5484..02a2586f605 100644
--- a/mysql-test/suite/heap/heap.test
+++ b/mysql-test/suite/heap/heap.test
@@ -659,3 +659,12 @@ INSERT INTO t1 VALUES("7","GREEN", 2);
 DELETE FROM t1 WHERE ts = 1 AND color = 'GREEN';
 SELECT * from t1 WHERE ts = 1 AND color = 'GREEN';
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-22695 Server crashes in heap_rnext upon DELETE from a HEAP table
+--echo #
+CREATE TABLE t1 (a VARCHAR(128), b VARCHAR(32), KEY(a) USING BTREE, KEY(b) USING BTREE) ENGINE=HEAP;
+INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL);
+DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL;
+# Cleanup
+DROP TABLE t1;
diff --git a/storage/heap/hp_rnext.c b/storage/heap/hp_rnext.c
index f227ce4d274..ac21ed83da2 100644
--- a/storage/heap/hp_rnext.c
+++ b/storage/heap/hp_rnext.c
@@ -46,7 +46,7 @@ int heap_rnext(HP_INFO *info, uchar *record)
 &info->last_pos, offsetof(TREE_ELEMENT, left));
 }
 }
- else if (info->last_pos)
+ else if (info->last_pos && info->key_version == info->s->key_version)
 {
 /*
 We enter this branch for non-DELETE queries after heap_rkey()
@@ -72,6 +72,7 @@ int heap_rnext(HP_INFO *info, uchar *record)
 */
 pos= tree_search_edge(&keyinfo->rb_tree, info->parents,
 &info->last_pos, offsetof(TREE_ELEMENT, left));
+ info->key_version= info->s->key_version;
 }
 else
 {
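Review bot: The new guard `info->key_version == info->s->key_version` in heap_rnext() (and the identical guard in heap_rprev(), hunk @@ -46 of hp_rprev.c) encodes the invariant the commit message explains but the code does not: info->parents and info->last_pos are only trustworthy while no write through any handler on the same share has bumped the version, so a comment at the condition such as `/* last_pos/parents are stale if the tree changed through another handler */` would save the next reader a trip to the bug tracker. The assignment `info->key_version= info->s->key_version;` added in the following hunk (@@ -72) sits inside that same guarded branch, so unless the lines between the two hunks (not shown) change either field it is a no-op; heap_rprev's fast path omits it, which suggests dropping it here for symmetry and keeping the assignment only on the re-search paths. Whether heap_rkey() or heap_rfirst() store info->key_version is outside this patch; if they do not, the first heap_rnext() after heap_rkey() would take the re-search fallback rather than this fast path, which is worth confirming with a test that walks a duplicate-key range with no DELETE in between. heap_rnext's body begins above the first hunk and continues past the second.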
@@ -87,6 +88,7 @@ int heap_rnext(HP_INFO *info, uchar *record)
 info->last_find_flag= HA_READ_KEY_OR_NEXT;
 pos = tree_search_key(&keyinfo->rb_tree, info->lastkey, info->parents,
 &info->last_pos, info->last_find_flag, &custom_arg);
+ info->key_version= info->s->key_version;
 }
 if (pos)
 {
diff --git a/storage/heap/hp_rprev.c b/storage/heap/hp_rprev.c
index 1d9420ba8b6..cc81d179570 100644
--- a/storage/heap/hp_rprev.c
+++ b/storage/heap/hp_rprev.c
@@ -46,7 +46,7 @@ int heap_rprev(HP_INFO *info, uchar *record)
 &info->last_pos, offsetof(TREE_ELEMENT, right));
 }
 }
- else if (info->last_pos)
+ else if (info->last_pos && info->key_version == info->s->key_version)
 pos = tree_search_next(&keyinfo->rb_tree, &info->last_pos,
 offsetof(TREE_ELEMENT, right),
 offsetof(TREE_ELEMENT, left));
@@ -58,6 +58,7 @@ int heap_rprev(HP_INFO *info, uchar *record)
 info->last_find_flag= HA_READ_KEY_OR_PREV;
 pos = tree_search_key(&keyinfo->rb_tree, info->lastkey, info->parents,
 &info->last_pos, info->last_find_flag, &custom_arg);
+ info->key_version= info->s->key_version;
 }
 if (pos)
 {