MDEV-23198 Crash in REPLACE

row_vers_impl_x_locked_low(): clust_offsets may point to memory that is allocated by mem_heap_alloc() and may have been freed. For initializing clust_offsets, try to use the stack-allocated buffer instead of a pointer that may point to freed memory. This fixes a regression that was introduced in commit f0aa073f2b (MDEV-20950).
2025-07-29 05:21:33 +03:00 · 2020-07-31 11:38:23 +03:00
parent fd0abc890f
commit f35d172103
3 changed files with 38 additions and 4 deletions
--- a/mysql-test/suite/innodb/r/mvcc.result
+++ b/mysql-test/suite/innodb/r/mvcc.result
@ -28,4 +28,18 @@ SELECT * FROM t1;
 a
 0
 DROP TABLE t1;
+#
+# MDEV-23198 Crash in REPLACE
+#
+BEGIN NOT ATOMIC
+DECLARE c TEXT DEFAULT(SELECT CONCAT('CREATE TABLE t1(id INT PRIMARY KEY, c',
+GROUP_CONCAT(seq SEPARATOR ' INT, c'),
+' INT NOT NULL UNIQUE) ENGINE=InnoDB')
+FROM seq_1_to_294);
+EXECUTE IMMEDIATE c;
+END;
+$$
+INSERT INTO t1 SET id=1,c294=1;
+REPLACE t1 SET id=1,c294=1;
+DROP TABLE t1;
 SET GLOBAL innodb_file_per_table= @save_per_table;
--- a/mysql-test/suite/innodb/t/mvcc.test
+++ b/mysql-test/suite/innodb/t/mvcc.test
@ -1,4 +1,5 @@
 --source include/have_innodb.inc
+--source include/have_sequence.inc

 SET @save_per_table= @@GLOBAL.innodb_file_per_table;
 SET GLOBAL innodb_file_per_table= 1;
@ -49,4 +50,23 @@ SELECT * FROM t1;

 DROP TABLE t1;

+--echo #
+--echo # MDEV-23198 Crash in REPLACE
+--echo #
+
+DELIMITER $$;
+BEGIN NOT ATOMIC
+  DECLARE c TEXT DEFAULT(SELECT CONCAT('CREATE TABLE t1(id INT PRIMARY KEY, c',
+                                       GROUP_CONCAT(seq SEPARATOR ' INT, c'),
+                                       ' INT NOT NULL UNIQUE) ENGINE=InnoDB')
+                                       FROM seq_1_to_294);
+  EXECUTE IMMEDIATE c;
+END;
+$$
+DELIMITER ;$$
+
+INSERT INTO t1 SET id=1,c294=1;
+REPLACE t1 SET id=1,c294=1;
+DROP TABLE t1;
+
 SET GLOBAL innodb_file_per_table= @save_per_table;