Spider: SIGSEGV in spider_db_direct_delete, SIGSEGV in spider_db_connect, ASAN: heap-use-after-free in spider_db_direct_delete

INSTALL PLUGIN spider SONAME 'ha_spider.so';

CREATE TABLE t (c INT) ENGINE=Spider;

SELECT * FROM t;

INSERT INTO t (SELECT 1 FROM t);

LOCK TABLES t WRITE CONCURRENT;

DELETE FROM t;

Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-opt/bin/mysqld --no-defaults --core'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x0000150c80078923 in spider_db_connect (share=0x150c34058828, 

    conn=conn@entry=0x150c340817c8, link_idx=0)

    at /test/10.4_opt/storage/spider/spd_db_conn.cc:178

[Current thread is 1 (Thread 0x150c8c11f700 (LWP 3880049))]

(gdb) bt

#0  0x0000150c80078923 in spider_db_connect (share=0x150c34058828, conn=conn@entry=0x150c340817c8, link_idx=0) at /test/10.4_opt/storage/spider/spd_db_conn.cc:178

#1  0x0000150c80079508 in spider_db_conn_queue_action (conn=0x150c340817c8) at /test/10.4_opt/storage/spider/spd_db_conn.cc:293

#2  0x0000150c8007f830 in spider_db_before_query (conn=0x150c340817c8, need_mon=<optimized out>) at /test/10.4_opt/storage/spider/spd_db_conn.cc:608

#3  0x0000150c8007fa42 in spider_db_set_names_internal (trx=0x150c3403c3e8, share=0x150c34058828, conn=conn@entry=0x150c340817c8, all_link_idx=0, need_mon=0x150c3405f328) at /test/10.4_opt/storage/spider/spd_db_conn.cc:909

#4  0x0000150c8007fc05 in spider_db_set_names (spider=spider@entry=0x150c34057c50, conn=conn@entry=0x150c340817c8, link_idx=link_idx@entry=0) at /test/10.4_opt/storage/spider/spd_db_conn.cc:955

#5  0x0000150c80085eda in spider_db_direct_delete (spider=spider@entry=0x150c34057c50, table=<optimized out>, delete_rows=delete_rows@entry=0x150c8c11c2d8) at /test/10.4_opt/storage/spider/spd_db_conn.cc:8315

#6  0x0000150c800d3317 in ha_spider::direct_delete_rows (this=0x150c34057c50, delete_rows=0x150c8c11c2d8) at /test/10.4_opt/storage/spider/ha_spider.cc:11331

#7  0x0000564402989df3 in mysql_delete (thd=thd@entry=0x150c34000c48, table_list=0x150c340100b0, conds=<optimized out>, order_list=order_list@entry=0x150c34005458, limit=18446744073709551615, options=0, result=0x0) at /test/10.4_opt/sql/sql_delete.cc:654

#8  0x000056440261b0ea in mysql_execute_command (thd=0x150c34000c48) at /test/10.4_opt/sql/sql_parse.cc:4792

#9  0x0000564402621257 in mysql_parse (thd=0x150c34000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_parse.cc:7995

#10 0x00005644026238cd in dispatch_command (command=COM_QUERY, thd=0x150c34000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_class.h:1201

#11 0x0000564402625f3e in do_command (thd=0x150c34000c48) at /test/10.4_opt/sql/sql_parse.cc:1373

#12 0x000056440271bd3e in do_handle_one_connection (connect=connect@entry=0x564406013208) at /test/10.4_opt/sql/sql_connect.cc:1420

#13 0x000056440271be6f in handle_one_connection (arg=0x564406013208) at /test/10.4_opt/sql/sql_connect.cc:1316

#14 0x0000150c98a1d609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#15 0x0000150c98609133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x0000151ba166f1d6 in spider_db_direct_delete (

    spider=spider@entry=0x151b68083168, table=<optimized out>, 

    delete_rows=delete_rows@entry=0x151ba17e4288)

    at /test/10.4_dbg/storage/spider/spd_db_conn.cc:8282

[Current thread is 1 (Thread 0x151ba17e7700 (LWP 3885425))]

(gdb) bt

#0  0x0000151ba166f1d6 in spider_db_direct_delete (spider=spider@entry=0x151b68083168, table=<optimized out>, delete_rows=delete_rows@entry=0x151ba17e4288) at /test/10.4_dbg/storage/spider/spd_db_conn.cc:8282

#1  0x0000151ba16e20e4 in ha_spider::direct_delete_rows (this=0x151b68083168, delete_rows=0x151ba17e4288) at /test/10.4_dbg/storage/spider/ha_spider.cc:11304

#2  0x00005592f9b1f099 in handler::ha_direct_delete_rows (this=0x151b68083168, delete_rows=delete_rows@entry=0x151ba17e4288) at /test/10.4_dbg/sql/handler.cc:6978

#3  0x00005592f9cf8405 in mysql_delete (thd=thd@entry=0x151b68000d90, table_list=0x151b680132f8, conds=<optimized out>, order_list=order_list@entry=0x151b68005760, limit=18446744073709551615, options=<optimized out>, result=0x0) at /test/10.4_dbg/sql/sql_delete.cc:654

#4  0x00005592f98588af in mysql_execute_command (thd=thd@entry=0x151b68000d90) at /test/10.4_dbg/sql/sql_parse.cc:4797

#5  0x00005592f985fd01 in mysql_parse (thd=thd@entry=0x151b68000d90, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x151ba17e6490, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7995

#6  0x00005592f986275d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x151b68000d90, packet=packet@entry=0x151b6801a361 "DELETE FROM t", packet_length=packet_length@entry=13, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_class.h:1201

#7  0x00005592f9866050 in do_command (thd=0x151b68000d90) at /test/10.4_dbg/sql/sql_parse.cc:1373

#8  0x00005592f99a5457 in do_handle_one_connection (connect=connect@entry=0x5592fde73120) at /test/10.4_dbg/sql/sql_connect.cc:1420

#9  0x00005592f99a5576 in handle_one_connection (arg=0x5592fde73120) at /test/10.4_dbg/sql/sql_connect.cc:1316

#10 0x0000151bc7fde609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#11 0x0000151bc7bca133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95