
MDEV-35011: SIGSEGV in spider_db_mbase::append_lock_tables (or spider_string::length) on SELECT; ASAN reports heap-use-after-free in spider_link_get_key



    Description

      Running the following sporadic testcase in a loop until the server crashes (the statements below are fuzzer-derived; several intentionally fail with errors, and the sequence should be kept verbatim):

      -- Reproducer for the Spider crash described above. It is sporadic: run it in a
      -- loop until the server dies (per the report, roughly 200-700 iterations).
      -- Statement order matters, so keep the sequence as-is. Several statements
      -- reference columns the tables do not have and are expected to be rejected.
      -- TEST-ONLY SETUP: this drops the whole `test` database and registers a
      -- remote server with an empty password -- never run on a shared or
      -- production instance.
      DROP DATABASE test;
      CREATE DATABASE test;
      USE test;
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      -- Remote data node reached over a local socket (presumably the server under
      -- test itself) as user 'Spider' with an empty password: test credentials only.
      CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (SOCKET '../socket.sock', DATABASE 'test', USER 'Spider', PASSWORD '');
      -- Spider tables mapped to remote tables `t` and `tm` on srv (neither is created here).
      CREATE TABLE t1 (c INT PRIMARY KEY,c1 BLOB, c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql", SRV "srv", TABLE "t"';
      CREATE TABLE t2 (c INT KEY,c1 BLOB, c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql", SRV "srv", TABLE "tm"';
      -- Spider table with no connection information in its COMMENT.
      CREATE TABLE t3 (e INT, f BLOB) ENGINE=Spider;
      -- From here on, tables created without an explicit ENGINE are Spider tables (t5).
      SET GLOBAL default_storage_engine=Spider;
      CREATE TABLE t5 (c1 TINYINT NOT NULL);
      -- Opens an XA transaction that is never ended in this script; every following
      -- statement runs inside it.
      XA START 'xa1';
      SHOW CREATE TABLE t1;
      -- Turns on Spider's semi table lock mode. Both crashing stacks are in the
      -- handler's lock path (append_lock_tables / append_lock_tables_list).
      SET spider_semi_table_lock=1;
      SELECT AVG(c1) AS VALUE FROM t1;
      -- Very small table cache, presumably to force table shares to be closed and
      -- reopened between statements -- TODO confirm this is needed to reproduce.
      SET GLOBAL table_open_cache=10;
      -- Columns a and b do not exist on t3 / t2: this statement is expected to fail.
      EXPLAIN EXTENDED SELECT * FROM t3 WHERE a >=any (SELECT b FROM t2);
      -- Seven values for a three-column table: expected to fail (column count mismatch).
      INSERT INTO t2 VALUES (0,0,0,'a','b','c','d');
      UPDATE IGNORE t5 SET c1=NULL WHERE c1>1;
      SELECT * FROM t1 WHERE c2 IS NOT NULL ORDER BY c1,c2 LIMIT 2;
      INSERT INTO t1 SELECT A.a+10* B.a+100* C.a, A.a+10* B.a+100* C.a, 'filler' FROM t1 A, t1 B, t1 C;
      INSERT INTO t3 VALUES (1,0);
      -- t5 has no c2 column: expected to fail.
      SELECT HEX(c1),HEX (c2) FROM t5;
      -- The statement the server is executing when it crashes (see the packet= text
      -- in both backtraces). c6 does not exist on t2; the crash happens while the
      -- table is being locked, before that error could be raised.
      SELECT * FROM t2 WHERE c1 <=-255 ORDER BY c1,c6 DESC LIMIT 2;
      

      We see after 200-700 repeats:

      CS 11.2.6 e91a79945822def1452787f825e6047c6a64dbd9 (Debug)

      Core was generated by `/test/MD090924-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  spider_db_mbase::append_lock_tables (this=0x149cb0067890, str=0x149cb00f3670) at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:3572
       
      [Current thread is 1 (LWP 3655217)]
      (gdb) bt
      #0  spider_db_mbase::append_lock_tables (this=0x149cb0067890, str=0x149cb00f3670) at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:3572
      #1  0x0000149d1ffa8120 in spider_mbase_handler::lock_tables (this=0x149cb00f3610, link_idx=0)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:13877
      #2  0x0000149d1ff2e2ae in spider_db_lock_tables (spider=spider@entry=0x149cb003b030, link_idx=link_idx@entry=0)at /test/11.2_dbg/storage/spider/spd_db_conn.cc:1271
      #3  0x0000149d1ff96ac7 in ha_spider::lock_tables (this=this@entry=0x149cb003b030)at /test/11.2_dbg/storage/spider/ha_spider.cc:11990
      #4  0x0000149d1ff96f61 in ha_spider::external_lock (this=0x149cb003b030, thd=0x149cb0000d58, lock_type=0)at /test/11.2_dbg/storage/spider/ha_spider.cc:941
      #5  0x0000563cf5f27f71 in handler::ha_external_lock (this=0x149cb003b030, thd=thd@entry=0x149cb0000d58, lock_type=lock_type@entry=0)at /test/11.2_dbg/sql/handler.cc:7445
      #6  0x0000563cf6083118 in lock_external (count=1, tables=0x149cb00154e0, thd=0x149cb0000d58) at /test/11.2_dbg/sql/lock.cc:396
      #7  mysql_lock_tables (thd=thd@entry=0x149cb0000d58, sql_lock=sql_lock@entry=0x149cb00154b0, flags=flags@entry=0)at /test/11.2_dbg/sql/lock.cc:341
      #8  0x0000563cf6083f4b in mysql_lock_tables (thd=thd@entry=0x149cb0000d58, tables=tables@entry=0x149cb00154a8, count=count@entry=1, flags=flags@entry=0) at /test/11.2_dbg/sql/lock.cc:304
      #9  0x0000563cf5b89138 in lock_tables (thd=thd@entry=0x149cb0000d58, tables=0x149cb0013d50, count=<optimized out>, flags=flags@entry=0)at /test/11.2_dbg/sql/sql_base.cc:5917
      #10 0x0000563cf5b8af1c in open_and_lock_tables (thd=thd@entry=0x149cb0000d58, options=<optimized out>, tables=<optimized out>, tables@entry=0x149cb0013d50, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x149d24078880)at /test/11.2_dbg/sql/sql_base.cc:5649
      #11 0x0000563cf5bfde10 in open_and_lock_tables (flags=0, derived=true, tables=0x149cb0013d50, thd=0x149cb0000d58)at /test/11.2_dbg/sql/sql_base.h:531
      #12 execute_sqlcom_select (thd=thd@entry=0x149cb0000d58, all_tables=0x149cb0013d50) at /test/11.2_dbg/sql/sql_parse.cc:6089
      #13 0x0000563cf5c0a07a in mysql_execute_command (thd=thd@entry=0x149cb0000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:3984
      #14 0x0000563cf5c10d26 in mysql_parse (thd=thd@entry=0x149cb0000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x149d240792a0)at /test/11.2_dbg/sql/sql_parse.cc:7929
      #15 0x0000563cf5c131bd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149cb0000d58, packet=packet@entry=0x149cb000b309 "SELECT * FROM t2 WHERE c1 <=-255 ORDER BY c1,c6 DESC LIMIT 2", packet_length=packet_length@entry=60, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_class.h:248
      #16 0x0000563cf5c153e3 in do_command (thd=0x149cb0000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
      #17 0x0000563cf5d8135c in do_handle_one_connection (connect=<optimized out>, connect@entry=0x563cf888b448, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
      #18 0x0000563cf5d8165c in handle_one_connection (arg=arg@entry=0x563cf888b448)at /test/11.2_dbg/sql/sql_connect.cc:1341
      #19 0x0000563cf61c862c in pfs_spawn_thread (arg=0x563cf88a8a38)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
      #20 0x0000149d2689ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #21 0x0000149d26929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      This is the same stack that was previously fixed in MDEV-29963, so that fix evidently does not cover this path.

      Additionally, about 60-70% of the time the crash is not in spider_db_mbase::append_lock_tables but in spider_string::length — the same stack previously seen in MDEV-29854 on LOCK TABLES, whereas here it occurs on a plain SELECT. Note that spider_string::length is entered with this=0x1, i.e. spider_link_get_key hands the hash lookup a bogus object pointer; together with the ASAN heap-use-after-free in spider_link_get_key from the title, this looks like a dangling link_for_hash entry rather than a simple NULL dereference, so it should be treated as memory corruption and not merely a crash:

      CS 11.2.6 e91a79945822def1452787f825e6047c6a64dbd9 (Debug)

      Core was generated by `/test/MD090924-mariadb-11.2.6-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  spider_string::length (this=0x1) at /test/11.2_dbg/sql/sql_string.h:355
       
      [Current thread is 1 (LWP 3889885)]
      (gdb) bt
      #0  spider_string::length (this=0x1) at /test/11.2_dbg/sql/sql_string.h:355
      #1  0x000014df50152689 in spider_link_get_key (link_for_hash=0x14def41f1008, length=0x14df50567518, not_used=<optimized out>)at /test/11.2_dbg/storage/spider/spd_table.cc:408
      #2  0x000055c416461656 in my_hash_key (first=1 '\001', length=0x14df50567518, record=<optimized out>, hash=0x14def4284b88)at /test/11.2_dbg/mysys/hash.c:197
      #3  hashcmp (hash=hash@entry=0x14def4284b88, pos=pos@entry=0x14def408cad8, key=key@entry=0x14def40fb408 "`test`.`tm`", length=length@entry=11)at /test/11.2_dbg/mysys/hash.c:380
      #4  0x000055c41646188f in my_hash_first_from_hash_value (hash=0x14def4284b88, hash_value=<optimized out>, key=0x14def40fb408 "`test`.`tm`", length=11, current_record=current_record@entry=0x14df505675bc)at /test/11.2_dbg/mysys/hash.c:291
      #5  0x000055c4164618e0 in my_hash_search_using_hash_value (hash=<optimized out>, hash_value=<optimized out>, key=<optimized out>, length=<optimized out>) at /test/11.2_dbg/mysys/hash.c:245
      #6  0x000014df501a2202 in spider_mbase_handler::append_lock_tables_list (this=0x14def4037070, conn=0x14def4317038, link_idx=0, appended=0x14df5056763c)at /test/11.2_dbg/storage/spider/spd_db_mysql.cc:12760
      #7  0x000014df50196484 in ha_spider::append_lock_tables_list (this=this@entry=0x14def4080040)at /test/11.2_dbg/storage/spider/ha_spider.cc:11915
      #8  0x000014df501968b0 in ha_spider::store_lock (this=0x14def4080040, thd=0x14def4000d58, to=0x14def40154d0, lock_type=TL_READ)at /test/11.2_dbg/storage/spider/ha_spider.cc:820
      #9  0x000055c415e0ebb7 in get_lock_data (thd=thd@entry=0x14def4000d58, table_ptr=table_ptr@entry=0x14def40154a8, count=count@entry=1, flags=flags@entry=3) at /test/11.2_dbg/sql/lock.cc:825
      #10 0x000055c415e0ef31 in mysql_lock_tables (thd=thd@entry=0x14def4000d58, tables=tables@entry=0x14def40154a8, count=count@entry=1, flags=flags@entry=0) at /test/11.2_dbg/sql/lock.cc:301
      #11 0x000055c415914138 in lock_tables (thd=thd@entry=0x14def4000d58, tables=0x14def4013d50, count=<optimized out>, flags=flags@entry=0)at /test/11.2_dbg/sql/sql_base.cc:5917
      #12 0x000055c415915f1c in open_and_lock_tables (thd=thd@entry=0x14def4000d58, options=<optimized out>, tables=<optimized out>, tables@entry=0x14def4013d50, derived=derived@entry=true, flags=flags@entry=0, prelocking_strategy=prelocking_strategy@entry=0x14df50567880)at /test/11.2_dbg/sql/sql_base.cc:5649
      #13 0x000055c415988e10 in open_and_lock_tables (flags=0, derived=true, tables=0x14def4013d50, thd=0x14def4000d58)at /test/11.2_dbg/sql/sql_base.h:531
      #14 execute_sqlcom_select (thd=thd@entry=0x14def4000d58, all_tables=0x14def4013d50) at /test/11.2_dbg/sql/sql_parse.cc:6089
      #15 0x000055c41599507a in mysql_execute_command (thd=thd@entry=0x14def4000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_dbg/sql/sql_parse.cc:3984
      #16 0x000055c41599bd26 in mysql_parse (thd=thd@entry=0x14def4000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14df505682a0)at /test/11.2_dbg/sql/sql_parse.cc:7929
      #17 0x000055c41599e1bd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14def4000d58, packet=packet@entry=0x14def401f8f9 "SELECT * FROM t2 WHERE c1 <=-255 ORDER BY c1,c6 DESC LIMIT 2", packet_length=packet_length@entry=60, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_class.h:248
      #18 0x000055c4159a03e3 in do_command (thd=0x14def4000d58, blocking=blocking@entry=true) at /test/11.2_dbg/sql/sql_parse.cc:1407
      #19 0x000055c415b0c35c in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c418e37ce8, put_in_cache=put_in_cache@entry=true)at /test/11.2_dbg/sql/sql_connect.cc:1439
      #20 0x000055c415b0c65c in handle_one_connection (arg=arg@entry=0x55c418e37ce8)at /test/11.2_dbg/sql/sql_connect.cc:1341
      #21 0x000055c415f5362c in pfs_spawn_thread (arg=0x55c418e70f68)at /test/11.2_dbg/storage/perfschema/pfs.cc:2201
      #22 0x000014df52c9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #23 0x000014df52d29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug confirmed present in:
      MariaDB: 10.5.27 (dbg), 10.5.27 (opt), 10.6.20 (dbg), 10.6.20 (opt), 10.11.10 (dbg), 10.11.10 (opt), 11.2.6 (dbg), 11.2.6 (opt), 11.4.4 (dbg), 11.4.4 (opt), 11.6.2 (dbg), 11.6.2 (opt), 11.7.0 (dbg), 11.7.0 (opt)

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar
