Index corruption when using innodb_change_buffering; incorrect results in reverse index scans

Stress tests of MDEV-35049 revealed cases where the InnoDB change buffer tree would become corrupted when using innodb_page_size=4k, so that the height of the change buffer B-tree root would grow to 2 pages above the leaf page level.

This revealed a pre-existing bug that turns out to have been introduced in MDEV-30400. Sometimes, InnoDB has to perform a new search for the key in a non-leaf page. When it does that, it fails to reset the up_match and low_match fields. As a result of this, when page_cur_search_with_match() starts the binary search in the page directory, it will ignore the first previously matched fields and only compare subsequent index fields. This may lead btr_cur_t::search_leaf() to an incorrect page.

This bug only affects two rarely used search modes:

• BTR_MODIFY_PREV is only used by the InnoDB change buffer. This may cause persistent data corruption of secondary indexes. The change buffer was disabled by default in MDEV-27734 and removed by MDEV-29694 in MariaDB Server 11.0.
• BTR_SEARCH_PREV is used in reverse key range scans. As far as I can tell, this bug could cause incorrect results to be returned, but no persistent damage, except when the incorrect results are being used for updating the database.