Bug#29300049: HANDLE_FATAL_SIGNAL (SIG=11) IN DESTROY

kahatlen · kahatlen · commit d62b354b8d9d · 2019-04-25T08:24:44.000+02:00
HANDLER statements that access tables with generated columns, could
leave pointers to dead data in the generated column data structures,
which could cause problems for statements that accessed the same
tables later.

The bug is fixed by cleaning up the generated column expressions
before HANDLER ... OPEN finishes, and adding code that re-resolves the
expressions and cleans them up again on each HANDLER ... READ
statement.

Change-Id: I6a1cea647b5b293c373e84cf37051424a9b9074d
diff --git a/sql/sql_handler.cc b/sql/sql_handler.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -380,6 +380,15 @@ static bool mysql_ha_open_table(THD *thd, TABLE_LIST *hash_tables)
   */
   hash_tables->table->open_by_handler= 1;
 
+  /*
+    Generated column expressions have been resolved using the MEM_ROOT of the
+    current HANDLER statement, which is cleared when the statement has finished.
+    Clean up the expressions so that subsequent HANDLER ... READ calls don't
+    access data allocated on a cleared MEM_ROOT. The generated column
+    expressions have to be re-resolved on each HANDLER ... READ call.
+  */
+  hash_tables->table->cleanup_gc_items();
+
   DBUG_PRINT("exit",("OK"));
   DBUG_RETURN(FALSE);
 }
@@ -679,6 +688,14 @@ bool Sql_cmd_handler_read::execute(THD *thd)
 
   table->file->init_table_handle_for_HANDLER();
 
+  /*
+    Resolve the generated column expressions. They have to be cleaned up before
+    returning, since the resolved expressions may point to memory allocated on
+    the MEM_ROOT of the current HANDLER ... READ statement, which will be
+    cleared when the statement has completed.
+  */
+  if (table->refix_gc_items(thd)) goto err;
+
   for (num_rows=0; num_rows < select_limit_cnt; )
   {
     switch (mode) {
@@ -843,13 +860,15 @@ bool Sql_cmd_handler_read::execute(THD *thd)
   trans_commit_stmt(thd);
   mysql_unlock_tables(thd,lock);
   thd->mdl_context.rollback_to_savepoint(mdl_savepoint);
+  table->cleanup_gc_items();
   my_eof(thd);
   DBUG_PRINT("exit",("OK"));
   DBUG_RETURN(FALSE);
 
 err:
   trans_rollback_stmt(thd);
   mysql_unlock_tables(thd,lock);
+  table->cleanup_gc_items();
 err1:
   thd->mdl_context.rollback_to_savepoint(mdl_savepoint);
 err0:
