MDEV-27332 SIGSEGV in fetch_data_into_cache()

Since commit fb335b48b5 we may have
a null pointer in purge_sys.query when fetch_data_into_cache() is
invoked and innodb_force_recovery>4. This is because the call to
purge_sys.create() would be skipped.

fetch_data_into_cache(): Load the purge_sys pseudo transaction pointer
to a local variable (null pointer if purge_sys is not initialized).

mysql-test/suite/innodb/r/read_only_recover_committed.result

@@ -63,6 +63,13 @@ SELECT * FROM t;
 a
 3
 20
+#
+# MDEV-27332 SIGSEGV in fetch_data_into_cache
+#
+BEGIN;
+SELECT trx_state FROM information_schema.innodb_trx;
+trx_state
+COMMIT;
 SELECT * FROM t;
 a
 3

mysql-test/suite/innodb/t/read_only_recover_committed.test

@@ -78,6 +78,13 @@ SET TRANSACTION ISOLATION LEVEL SERIALIZABLE;
 SELECT * FROM t;
 SET TRANSACTION ISOLATION LEVEL READ COMMITTED;
 SELECT * FROM t;
+
+--echo #
+--echo # MDEV-27332 SIGSEGV in fetch_data_into_cache
+--echo #
+BEGIN;
+SELECT trx_state FROM information_schema.innodb_trx;
+COMMIT;
 --let $restart_parameters=
 --source include/restart_mysqld.inc
 SELECT * FROM t;

storage/innobase/trx/trx0i_s.cc

@@ -1275,6 +1275,8 @@ static void fetch_data_into_cache_low(trx_i_s_cache_t *cache, const trx_t *trx)
 
 static void fetch_data_into_cache(trx_i_s_cache_t *cache)
 {
+  const trx_t *const purge_trx= purge_sys.query ? purge_sys.query->trx : NULL;
+
   ut_ad(lock_mutex_own());
   trx_i_s_cache_clear(cache);
 
@@ -1284,7 +1286,7 @@ static void fetch_data_into_cache(trx_i_s_cache_t *cache)
        trx != NULL;
        trx= UT_LIST_GET_NEXT(trx_list, trx))
   {
-    if (trx->state != TRX_STATE_NOT_STARTED && trx != purge_sys.query->trx)
+    if (trx != purge_trx && trx->state != TRX_STATE_NOT_STARTED)
     {
       mutex_enter(&trx->mutex);
       if (trx->state != TRX_STATE_NOT_STARTED)