[MDEV-32470] MDEV-31949: use-after-poison in xid_t::key_length() Created: 2023-10-13  Updated: 2023-10-17  Resolved: 2023-10-13

Status: Closed
Project: MariaDB Server
Component/s: XA
Affects Version/s: N/A
Fix Version/s: N/A

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Andrei Elkin
Resolution: Duplicate Votes: 0
Labels: ASAN, memory_corruption

Issue Links:
Blocks
blocks MDEV-31949 slow parallel replication of user xa In Review
Duplicate
duplicates MDEV-32347 Stack smashing/looping, ASAN use-afte... Closed
Problem/Incident
is caused by MDEV-31949 slow parallel replication of user xa In Review
Relates
relates to MDEV-32463 SIGSEGV in __memmove_avx_unaligned_er... Closed

Description

ASAN testing of bb-10.6-MDEV-31949 has found the following use-after-poison in xid_t::key_length(). All testcase reduction attempts have failed. The issue was observed a number of times in various bb-10.6-MDEV-31949 tests, but was never seen in BASE. Hopefully the detailed ASAN description is sufficient to find the issue in the code.

10.6.16 3455be1b4a925f43a1e7170029abf3304122409f

==3970054==ERROR: AddressSanitizer: use-after-poison on address 0x619000432790 at pc 0x55d06bc89ba3 bp 0x151937da76d0 sp 0x151937da76c0
READ of size 8 at 0x619000432790 thread T14
    #0 0x55d06bc89ba2 in xid_t::key_length() const /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:954
    #1 0x55d06bc89ba2 in xid_t::length() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:945
    #2 0x55d06bc89ba2 in xid_t::set(xid_t*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:896
    #3 0x55d06bc89ba2 in Gtid_log_event::Gtid_log_event(THD*, unsigned long long, unsigned int, bool, unsigned short, bool, unsigned long long, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log_event_server.cc:3333
    #4 0x55d06bb2849d in MYSQL_BIN_LOG::write_gtid_event(THD*, bool, bool, unsigned long long, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:6453
    #5 0x55d06bb47e1b in MYSQL_BIN_LOG::write_transaction_or_stmt(MYSQL_BIN_LOG::group_commit_entry*, unsigned long long) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8718
    #6 0x55d06bb8415a in MYSQL_BIN_LOG::trx_group_commit_leader(MYSQL_BIN_LOG::group_commit_entry*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8464
    #7 0x55d06bb86d70 in MYSQL_BIN_LOG::write_transaction_to_binlog_events(MYSQL_BIN_LOG::group_commit_entry*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:8254
    #8 0x55d06bb89264 in MYSQL_BIN_LOG::write_transaction_to_binlog(THD*, binlog_cache_mngr*, Log_event*, bool, bool, bool, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:7851
    #9 0x55d06bb89f5b in binlog_flush_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1775
    #10 0x55d06bb8c2c6 in binlog_rollback_flush_trx_cache /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:1916
    #11 0x55d06bb8e080 in binlog_rollback /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/log.cc:2402
    #12 0x55d06afa6ed2 in ha_rollback_trans(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.cc:2224
    #13 0x55d06aa84c54 in xa_trans_force_rollback(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/xa.cc:614
    #14 0x55d06989fe1f in THD::cleanup() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_class.cc:1558
    #15 0x55d0694e01bf in unlink_thd(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:2734
    #16 0x55d06a445da2 in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1427
    #17 0x55d06a4491dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
    #18 0x15196a094b42 in start_thread nptl/pthread_create.c:442
    #19 0x15196a1269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x619000432790 is located 272 bytes inside of 1072-byte region [0x619000432680,0x619000432ab0)
allocated by thread T14 here:
    #0 0x55d06948c3f7 in __interceptor_malloc (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x77113f7)
    #1 0x55d06d74c644 in my_malloc /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_malloc.c:91
    #2 0x55d06d727d9f in reset_root_defaults /test/bb-10.6-MDEV-31949_PATCH3_opt_san/mysys/my_alloc.c:156
    #3 0x55d06a4dd3a0 in fix_thd_mem_root /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sys_vars.cc:2995
    #4 0x55d06a4dd3a0 in fix_thd_mem_root /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sys_vars.cc:2992
    #5 0x55d06956d778 in sys_var::update(THD*, set_var*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:213
    #6 0x55d069570e46 in set_var::update(THD*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:863
    #7 0x55d06957977d in sql_set_variables(THD*, List<set_var_base>*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/set_var.cc:745
    #8 0x55d069bb6286 in mysql_execute_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:5065
    #9 0x55d069bcb1e2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:8050
    #10 0x55d069bd7255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1896
    #11 0x55d069be2630 in do_command(THD*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_parse.cc:1409
    #12 0x55d06a446bdc in do_handle_one_connection(CONNECT*, bool) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1416
    #13 0x55d06a4491dc in handle_one_connection /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/sql_connect.cc:1318
    #14 0x15196a094b42 in start_thread nptl/pthread_create.c:442
 
Thread T14 created by T0 here:
    #0 0x55d069430215 in __interceptor_pthread_create (/test/PATCH3_UBASAN_MD031023-mariadb-10.6.16-linux-x86_64-opt/bin/mariadbd+0x76b5215)
    #1 0x55d0694e211e in create_thread_to_handle_connection(CONNECT*) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5996
    #2 0x55d0694f3c4f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6117
    #3 0x55d0694f4a97 in handle_connections_sockets() /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:6241
    #4 0x55d0694f7a6d in mysqld_main(int, char**) /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/mysqld.cc:5891
    #5 0x15196a029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: use-after-poison /test/bb-10.6-MDEV-31949_PATCH3_opt_san/sql/handler.h:954 in xid_t::key_length() const
Shadow bytes around the buggy address:
  0x0c328007e4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328007e4b0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328007e4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328007e4d0: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e4e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c328007e4f0: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c328007e540: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3970054==ABORTING
231004 22:12:20 [ERROR] mysqld got signal 6 ;

Comments
Comment by Andrei Elkin [ 2023-10-13 ]

MDEV-32347 is the parent.
