From f8c3d5927445dcd75f31ed8e9fb3cfcc07c3ed8f Mon Sep 17 00:00:00 2001 From: Nayuta Yanagisawa Date: Tue, 4 Jan 2022 13:21:14 +0900 Subject: [PATCH] MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used Spider dereferences a freed select_lex and then results in SIGSEGV. --- sql/sql_insert.cc | 5 +++ .../spider/bugfix/r/mdev_26583.result | 34 ++++++++++++++ .../mysql-test/spider/bugfix/t/mdev_26583.cnf | 3 ++ .../spider/bugfix/t/mdev_26583.test | 44 +++++++++++++++++++ 4 files changed, 86 insertions(+) create mode 100644 storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc index 0f454e74a48..460fbba4ac5 100644 --- a/sql/sql_insert.cc +++ b/sql/sql_insert.cc @@ -2423,6 +2423,11 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protection_request, di->table_list.alias.str= di->table_list.table_name.str= di->thd.query(); di->table_list.alias.length= di->table_list.table_name.length= di->thd.query_length(); di->table_list.db= di->thd.db; + /* + Nulify select_lex because, if the thread that spawned the current one + disconnects, the select_lex will point to freed memory. + */ + di->table_list.select_lex= NULL; /* We need the tickets so that they can be cloned in handle_delayed_insert diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result new file mode 100644 index 00000000000..0ce268af7e3 --- /dev/null +++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_26583.result 
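Review bot: The added `di->table_list.select_lex= NULL;` in delayed_get_table replaces a dangling pointer with a null one, so every reader of `table_list.select_lex` on the delayed-insert path now has to tolerate NULL. The patch does not touch Spider, so it is worth confirming that `spider_get_select_limit_from_select_lex` (named in the subject) and any other consumer check for NULL before dereferencing; otherwise the use-after-free only becomes a null dereference. The new comment has a typo and should begin `Nullify select_lex because, ...`. delayed_get_table starts and ends outside the hunk, so whether other fields of `di->table_list` still reference memory owned by the spawning thread cannot be judged from here.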
@@ -0,0 +1,34 @@
+#
+# MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+a INT AUTO_INCREMENT KEY,
+b INT,INDEX i (b)
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='srv "s_2_1", table "tbl_a"';
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+connection master_1;
+DROP DATABASE auto_test_local;
+connection child2_1;
+DROP DATABASE auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf
new file mode 100644
index 00000000000..05dfd8a0bce
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test
new file mode 100644
index 00000000000..e4a2d64ba6d
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26583.test
@@ -0,0 +1,44 @@
+--echo #
+--echo # MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+
+eval CREATE TABLE tbl_a (
+ a INT AUTO_INCREMENT KEY,
+ b INT,INDEX i (b)
+) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+ a INT AUTO_INCREMENT KEY,
+ b INT,INDEX i (b)
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='srv "s_2_1", table "tbl_a"';
+
+INSERT DELAYED INTO tbl_a VALUES (0,0),(0,0),(0,0);
+
+let $wait_condition=select count(*)=3 from tbl_a
+source include/wait_condition.inc;
+
+--connection master_1
+DROP DATABASE auto_test_local;
+
+--connection child2_1
+DROP DATABASE auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log
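Review bot: The `let $wait_condition=select count(*)=3 from tbl_a` line has no terminating `;`, and a mysqltest command written without the `--` prefix runs to the next delimiter. The following `source include/wait_condition.inc;` is therefore most likely swallowed into the variable's value, and the wait never executes. The test would then go straight to `DROP DATABASE`, possibly before the delayed-insert handler has touched the Spider table, and could pass without exercising the freed `select_lex` path this commit fixes. Terminate the assignment as `let $wait_condition=select count(*)=3 from tbl_a;`, or use the line-oriented forms `--let $wait_condition=...` and `--source include/wait_condition.inc`.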