Bug #28039477 SERVER CRASHES AT CHECKPOINT TIME

Problem:

The function btr_cur_pessimistic_update() takes two mem_heap_t objects.  One
heap contains the dtuple_t object and this heap should not be emptied, while
the other heap contains temporary stuff and can be emptied.  This function was
wrongly used in the DDTableBuffer::replace() routine by passing the same heap.
Since it was getting emptied, there was subsequently a "memory use after free"
problem.

Solution:

Pass two separate memory heap objects to btr_cur_pessimistic_update().

rb#19781 approved by Bin Su.

Author: gurusami

storage/innobase/btr/btr0btr.cc

@@ -2350,6 +2350,7 @@ rec_t *btr_page_split_and_insert(
   }
   n_uniq = dict_index_get_n_unique_in_tree(cursor->index);
 func_start:
+  ut_ad(tuple->m_heap != *heap);
   mem_heap_empty(*heap);
   *offsets = NULL;
 

storage/innobase/dict/dict0dict.cc

@@ -6380,6 +6380,7 @@ void DDTableBuffer::init() {
 
   m_heap = mem_heap_create(500);
   m_dynamic_heap = mem_heap_create(1000);
+  m_replace_heap = mem_heap_create(1000);
 
   create_tuples();
 }
@@ -6478,6 +6479,7 @@ void DDTableBuffer::init_tuple_with_id(dtuple_t *tuple, table_id_t id) {
 void DDTableBuffer::close() {
   mem_heap_free(m_heap);
   mem_heap_free(m_dynamic_heap);
+  mem_heap_free(m_replace_heap);
 
   m_search_tuple = NULL;
   m_replace_tuple = NULL;
@@ -6516,7 +6518,7 @@ upd_t *DDTableBuffer::update_set_metadata(const dtuple_t *entry,
     return (nullptr);
   }
 
-  update = upd_create(2, m_dynamic_heap);
+  update = upd_create(2, m_replace_heap);
 
   upd_field = upd_get_nth_field(update, 0);
   dfield_copy(&upd_field->new_val, version_field);
@@ -6558,7 +6560,7 @@ dberr_t DDTableBuffer::replace(table_id_t id, uint64_t version,
   dfield_set_data(dfield, metadata, len);
   /* Other system fields have been initialized */
 
-  entry = row_build_index_entry(m_replace_tuple, NULL, m_index, m_dynamic_heap);
+  entry = row_build_index_entry(m_replace_tuple, NULL, m_index, m_replace_heap);
 
   /* Start to search for the to-be-replaced tuple */
   mtr.start();
@@ -6581,6 +6583,7 @@ dberr_t DDTableBuffer::replace(table_id_t id, uint64_t version,
     ut_a(error == DB_SUCCESS);
 
     mem_heap_empty(m_dynamic_heap);
+    mem_heap_empty(m_replace_heap);
 
     return (DB_SUCCESS);
   }
@@ -6599,14 +6602,15 @@ dberr_t DDTableBuffer::replace(table_id_t id, uint64_t version,
 
     error = btr_cur_pessimistic_update(
         flags, btr_pcur_get_btr_cur(&pcur), &cur_offsets, &m_dynamic_heap,
-        m_dynamic_heap, &big_rec, update, 0, NULL, 0, 0, &mtr);
+        m_replace_heap, &big_rec, update, 0, NULL, 0, 0, &mtr);
     ut_a(error == DB_SUCCESS);
     /* We don't have big rec in this table */
     ut_ad(!big_rec);
   }
 
   mtr.commit();
   mem_heap_empty(m_dynamic_heap);
+  mem_heap_empty(m_replace_heap);
 
   return (DB_SUCCESS);
 }

storage/innobase/include/data0data.h

@@ -476,6 +476,10 @@ struct dtuple_t {
   /*!< data tuples can be linked into a
   list using this field */
 #ifdef UNIV_DEBUG
+
+  /** memory heap where this tuple is allocated. */
+  mem_heap_t *m_heap;
+
   ulint magic_n; /*!< magic number, used in
                  debug assertions */
 /** Value of dtuple_t::magic_n */

storage/innobase/include/data0data.ic

@@ -466,6 +466,10 @@ dtuple_t *dtuple_create_with_vcol(mem_heap_t *heap, ulint n_fields,
 
   tuple = dtuple_create_from_mem(buf, buf_size, n_fields, n_v_fields);
 
+#ifdef UNIV_DEBUG
+  tuple->m_heap = heap;
+#endif /* UNIV_DEBUG */
+
   return (tuple);
 }
 

storage/innobase/include/dict0dict.h

@@ -1365,6 +1365,10 @@ class DDTableBuffer {
   be freed before return */
   mem_heap_t *m_dynamic_heap;
 
+  /** The heap used during replace() operation, which should always
+  be freed before return */
+  mem_heap_t *m_replace_heap;
+
   /** The heap used to create the search tuple and replace tuple */
   mem_heap_t *m_heap;