[#MDEV-31996] Segfault when setting spider_delete_all_rows to 0 and delete all rows of a spider table, ASAN heap-use-after-free in spider_db_delete_all

ASAN sees a heap-use-after-free in spider_db_delete_all_rows in spd_db_conn.cc in both optimized and debug builds (same issue):

11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Optimized, UBASAN)
==3200369==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0001d1b30 at pc 0x14abeeeffb14 bp 0x14abefb4cf20 sp 0x14abefb4cf10
WRITE of size 8 at 0x61d0001d1b30 thread T36
#0 0x14abeeeffb13 in spider_db_delete_all_rows(ha_spider*) /data/11.2_opt_san/storage/spider/spd_db_conn.cc:6701
#1 0x14abef09195a in ha_spider::delete_all_rows() /data/11.2_opt_san/storage/spider/ha_spider.cc:8422
#2 0x55bac50d6be3 in Sql_cmd_delete::delete_from_single_table(THD*) /data/11.2_opt_san/sql/sql_delete.cc:438
#3 0x55bac50e3c68 in Sql_cmd_delete::execute_inner(THD*) /data/11.2_opt_san/sql/sql_delete.cc:1794
#4 0x55bac5522f50 in Sql_cmd_dml::execute(THD*) /data/11.2_opt_san/sql/sql_select.cc:33356
#5 0x55bac5395da4 in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:4393
#6 0x55bac53b4fc2 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
#7 0x55bac53c05e5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
#8 0x55bac53cc1f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
#9 0x55bac5ced4ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
#10 0x55bac5cefaac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
#11 0x14ac14c94b42 in start_thread nptl/pthread_create.c:442
#12 0x14ac14d269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x61d0001d1b30 is located 176 bytes inside of 2432-byte region [0x61d0001d1a80,0x61d0001d2400)
freed by thread T36 here:
#0 0x55bac4b13507 in free (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40507)
#1 0x14abef041837 in spider_free_mem(st_spider_transaction, void, unsigned long) /data/11.2_opt_san/storage/spider/spd_malloc.cc:183
#2 0x14abeef426f5 in spider_free_conn(st_spider_conn*) /data/11.2_opt_san/storage/spider/spd_conn.cc:860
#3 0x14abeee56362 in spider_free_trx_conn(st_spider_transaction*, bool) /data/11.2_opt_san/storage/spider/spd_trx.cc:114
#4 0x14abeee70087 in spider_rollback(handlerton, THD, bool) /data/11.2_opt_san/storage/spider/spd_trx.cc:3304
#5 0x55bac6965240 in ha_rollback_trans(THD*, bool) /data/11.2_opt_san/sql/handler.cc:2253
#6 0x55bac5d71f20 in trans_rollback_stmt(THD*) /data/11.2_opt_san/sql/transaction.cc:535
#7 0x55bac5393464 in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:5845
#8 0x55bac53b4fc2 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
#9 0x55bac53c05e5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
#10 0x55bac53cc1f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
#11 0x55bac5ced4ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
#12 0x55bac5cefaac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
#13 0x14ac14c94b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T36 here:
#0 0x55bac4b13857 in __interceptor_malloc (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7c40857)
#1 0x55bac8fb7454 in my_malloc /data/11.2_opt_san/mysys/my_malloc.c:89
#2 0x14abef041ccb in spider_bulk_alloc_mem(st_spider_transaction, unsigned int, char const, char const*, unsigned long, unsigned long, ...) /data/11.2_opt_san/storage/spider/spd_malloc.cc:231
#3 0x14abeef5638c in spider_create_conn(st_spider_share, ha_spider, int, int, int*) /data/11.2_opt_san/storage/spider/spd_conn.cc:412
#4 0x14abeef600d2 in spider_get_conn(st_spider_share, int, char, st_spider_transaction, ha_spider, bool, bool, int*) /data/11.2_opt_san/storage/spider/spd_conn.cc:767
#5 0x14abeee862f9 in spider_check_trx_and_get_conn(THD, ha_spider) /data/11.2_opt_san/storage/spider/spd_trx.cc:3580
#6 0x14abef13b69d in ha_spider::info(unsigned int) /data/11.2_opt_san/storage/spider/ha_spider.cc:6656
#7 0x55bac5785339 in make_join_statistics /data/11.2_opt_san/sql/sql_select.cc:5493
#8 0x55bac57bdfcb in JOIN::optimize_inner() /data/11.2_opt_san/sql/sql_select.cc:2618
#9 0x55bac57c4225 in JOIN::optimize() /data/11.2_opt_san/sql/sql_select.cc:1944
#10 0x55bac57c49c6 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/11.2_opt_san/sql/sql_select.cc:5229
#11 0x55bac57c8890 in handle_select(THD, LEX, select_result*, unsigned long long) /data/11.2_opt_san/sql/sql_select.cc:628
#12 0x55bac53440a0 in execute_sqlcom_select /data/11.2_opt_san/sql/sql_parse.cc:6056
#13 0x55bac53a64aa in mysql_execute_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:3944
#14 0x55bac53b4fc2 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/11.2_opt_san/sql/sql_parse.cc:7800
#15 0x55bac53c05e5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/11.2_opt_san/sql/sql_parse.cc:1892
#16 0x55bac53cc1f8 in do_command(THD*, bool) /data/11.2_opt_san/sql/sql_parse.cc:1405
#17 0x55bac5ced4ac in do_handle_one_connection(CONNECT*, bool) /data/11.2_opt_san/sql/sql_connect.cc:1445
#18 0x55bac5cefaac in handle_one_connection /data/11.2_opt_san/sql/sql_connect.cc:1347
#19 0x14ac14c94b42 in start_thread nptl/pthread_create.c:442

Thread T36 created by T0 here:
#0 0x55bac4ab7675 in pthread_create (/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7be4675)
#1 0x55bac4b6c34e in create_thread_to_handle_connection(CONNECT*) /data/11.2_opt_san/sql/mysqld.cc:6169
#2 0x55bac4b7f2af in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/11.2_opt_san/sql/mysqld.cc:6293
#3 0x55bac4b80207 in handle_connections_sockets() /data/11.2_opt_san/sql/mysqld.cc:6417
#4 0x55bac4b831ed in mysqld_main(int, char**) /data/11.2_opt_san/sql/mysqld.cc:6064
#5 0x14ac14c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /data/11.2_opt_san/storage/spider/spd_db_conn.cc:6701 in spider_db_delete_all_rows(ha_spider*)
Shadow bytes around the buggy address:
0x0c3a80032310: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80032320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80032330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80032340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80032350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a80032360: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c3a80032370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a80032380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a80032390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800323a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800323b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3200369==ABORTING
230825 8:13:40 [ERROR] mysqld got signal 6 ;
qa-roel-2:/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-opt$ m

[MDEV-31996] Segfault when setting spider_delete_all_rows to 0 and delete all rows of a spider table, ASAN heap-use-after-free in spider_db_delete_all_rows Created: 2023-08-24 Updated: 2023-12-07 Resolved: 2023-10-11
Status:	Closed
Project:	MariaDB Server
Component/s:	Storage Engine - Spider
Affects Version/s:	10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s:	10.4.32, 10.5.23, 10.6.16, 10.10.7, 10.11.6, 11.0.4, 11.1.3

[MDEV-31996] Segfault when setting spider_delete_all_rows to 0 and delete all rows of a spider table, ASAN heap-use-after-free in spider_db_delete_all_rows Created: 2023-08-24 Updated: 2023-12-07 Resolved: 2023-10-11