MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob

the bug was that in_vector array in Item_func_in was allocated in the statement arena, not in the table->expr_arena. revert part of the 5acd391e8b. Instead, change the arena correctly in fix_all_session_vcol_exprs(). Remove TABLE_ARENA, that was introduced in 5acd391e8b to force item tree changes to be rolled back (because they were allocated in the wrong arena and didn't persist. now they do)
2025-01-16 12:02:42 +01:00 · 2022-04-14 21:45:20 +02:00 · 2022-04-14 21:45:20 +02:00 · 4681b6f2d8
commit 4681b6f2d8
parent cc08c43ed6
5 changed files with 43 additions and 28 deletions
--- a/mysql-test/suite/vcol/r/wrong_arena.result
+++ b/mysql-test/suite/vcol/r/wrong_arena.result
@ -1,3 +1,6 @@
 #
 # MDEV-9690 concurrent queries with virtual columns crash in temporal code
 #
 create table t1 (a datetime,
 # get_datetime_value
 b int as (a > 1),                             # Arg_comparator
@ -59,6 +62,9 @@ a	b
 Warnings:
 Warning	1292	Incorrect datetime value: '1'
 drop table t1;
 #
 # MDEV-13435 Crash when selecting virtual columns generated using JSON functions
 #
 create table t1 (
 id int  not null ,
 js varchar(1000) not null,
@ -68,3 +74,16 @@ select * from t1;
 id	js	t
 0	{"default" : {"start": "00:00:00", "end":"23:59:50"}}	NULL
 drop table t1;
 #
 # MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob
 #
 create table t1 (v2 blob as ('a' is null), a1 int, a char(1) as (cast(a1 in (0,current_user() is null) as char(16777216) )));
 insert ignore into t1 values ('x','x',v2) ;
 Warnings:
 Warning	1906	The value specified for generated column 'v2' in table 't1' has been ignored
 Warning	1366	Incorrect integer value: 'x' for column `test`.`t1`.`a1` at row 1
 Warning	1906	The value specified for generated column 'a' in table 't1' has been ignored
 drop table t1;
 #
 # End of 10.2 tests
 #
--- a/mysql-test/suite/vcol/t/wrong_arena.test
+++ b/mysql-test/suite/vcol/t/wrong_arena.test
@ -3,9 +3,9 @@
 # not in the TABLE::expr_arena.
 #
-#
+--echo #
-# MDEV-9690 concurrent queries with virtual columns crash in temporal code
+--echo # MDEV-9690 concurrent queries with virtual columns crash in temporal code
-#
+--echo #
 create table t1 (a datetime,
  # get_datetime_value
  b int as (a > 1),                             # Arg_comparator
@ -40,9 +40,9 @@ connection default;
 select * from t1;
 drop table t1;
-#
+--echo #
-# MDEV-13435 Crash when selecting virtual columns generated using JSON functions
+--echo # MDEV-13435 Crash when selecting virtual columns generated using JSON functions
-#
+--echo #
 create table t1 (
  id int  not null ,
  js varchar(1000) not null,
@ -50,3 +50,14 @@ create table t1 (
 insert  into t1(id,js) values (0, '{"default" : {"start": "00:00:00", "end":"23:59:50"}}');
 select * from t1;
 drop table t1;
 --echo #
 --echo # MDEV-26281 ASAN use-after-poison when complex conversion is involved in blob
 --echo #
 create table t1 (v2 blob as ('a' is null), a1 int, a char(1) as (cast(a1 in (0,current_user() is null) as char(16777216) )));
 insert ignore into t1 values ('x','x',v2) ;
 drop table t1;
 --echo #
 --echo # End of 10.2 tests
 --echo #
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@ -5010,16 +5010,13 @@ static bool fix_all_session_vcol_exprs(THD *thd, TABLE_LIST *tables)
    if (!table->placeholder() && t->s->vcols_need_refixing &&
         table->lock_type >= TL_WRITE_ALLOW_WRITE)
    {
-      Query_arena *stmt_backup= thd->stmt_arena;
+      Query_arena backup_arena;
-      if (thd->stmt_arena->is_conventional())
+      thd->set_n_backup_active_arena(t->expr_arena, &backup_arena);
        thd->stmt_arena= t->expr_arena;
      if (table->security_ctx)
        thd->security_ctx= table->security_ctx;
      error= t->fix_vcol_exprs(thd);
      thd->security_ctx= save_security_ctx;
-      thd->stmt_arena= stmt_backup;
+      thd->restore_active_arena(t->expr_arena, &backup_arena);
    }
  }
  DBUG_RETURN(error);
--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@ -967,7 +967,7 @@ public:
  /* We build without RTTI, so dynamic_cast can't be used. */
  enum Type
  {
-    STATEMENT, PREPARED_STATEMENT, STORED_PROCEDURE, TABLE_ARENA
+    STATEMENT, PREPARED_STATEMENT, STORED_PROCEDURE
  };
  Query_arena(MEM_ROOT *mem_root_arg, enum enum_state state_arg) :
@ -3728,8 +3728,7 @@ public:
  bool is_item_tree_change_register_required()
  {
-    return !stmt_arena->is_conventional()
+    return !stmt_arena->is_conventional();
           || stmt_arena->type() == Query_arena::TABLE_ARENA;
  }
  void change_item_tree(Item **place, Item *new_value)
--- a/sql/table.cc
+++ b/sql/table.cc
@ -47,17 +47,6 @@
 #define MYSQL57_GENERATED_FIELD 128
 #define MYSQL57_GCOL_HEADER_SIZE 4
 class Table_arena: public Query_arena
 {
 public:
  Table_arena(MEM_ROOT *mem_root, enum enum_state state_arg) :
          Query_arena(mem_root, state_arg){}
  virtual Type type() const
  {
    return TABLE_ARENA;
  }
 };
 static Virtual_column_info * unpack_vcol_info_from_frm(THD *, MEM_ROOT *,
              TABLE *, String *, Virtual_column_info **, bool *);
 static bool check_vcol_forward_refs(Field *, Virtual_column_info *);
@ -1031,8 +1020,8 @@ bool parse_vcol_defs(THD *thd, MEM_ROOT *mem_root, TABLE *table,
    We need to use CONVENTIONAL_EXECUTION here to ensure that
    any new items created by fix_fields() are not reverted.
  */
-  table->expr_arena= new (alloc_root(mem_root, sizeof(Table_arena)))
+  table->expr_arena= new (alloc_root(mem_root, sizeof(Query_arena)))
-                        Table_arena(mem_root, 
+                        Query_arena(mem_root,
                                    Query_arena::STMT_CONVENTIONAL_EXECUTION);
  if (!table->expr_arena)
    DBUG_RETURN(1);