Bug#22551677 SIGNAL 11 IN LF_PINBOX_PUT_PINS

  Before this fix, the following query:
    SET GLOBAL offline_mode = ON
  could cause the server to crash.

  The root cause is actually complex, as described below.

  1)

  A session A is connected, and performing network io,
  typically waiting for the next command to execute.
  The performance schema socket instrumentation is enabled,
  so that pfs_start_socket_wait() / pfs_end_socket_wait()
  are executed.

  2)

  A session B executes SET GLOBAL offline_mode = ON,
  which terminates session A.
  In particular, session B forcefully closes the socket used by session A.

  3)

  Session A and session B are different threads, but they both
  execute performance schema instrumented code against the same socket.

  4)

  Because a socket is "owned" by a thread,
  the instrumentation in pfs_start/end_socket_wait()
  uses the same PFS_thread (of thread A) in both thread A and B.
  This leads to race conditions when using member m_events_waits_current.

  5)

  Because PFS_thread::m_events_waits_current can be damaged with race conditions,
  the m_events_waits_current pointer can point outside of the waits array.
  Using this pointer to populate current waits can damage other members
  of the PFS_thread structure, most notably LF_HASH pins.

  6)

  Upon thread disconnect, using a corrupted LF_HASH pin when calling
  lf_hash_put_pins leads to a crash.

---

  The fix for this issue is to use the current thread, not the socket owner,
  in the performance schema socket instrumenttion.

  Also, asserts have been added to detect similar failures.
  With the asserts, the original issue,
  which was spurious and only occured rarely,
  is not detected systematically.

Author: marcalff

storage/perfschema/pfs.cc

@@ -3093,9 +3093,9 @@ pfs_start_table_io_wait_v1(PSI_table_locker_state *state,
   if (! pfs_table->m_io_enabled)
     return NULL;
 
-  PFS_thread *pfs_thread= pfs_table->m_thread_owner;
+  PFS_thread *pfs_thread= my_thread_get_THR_PFS();
 
-  DBUG_ASSERT(pfs_thread == my_thread_get_THR_PFS());
+  DBUG_ASSERT(pfs_thread == pfs_table->m_thread_owner);
 
   uint flags;
   ulonglong timer_start= 0;
@@ -3198,7 +3198,9 @@ pfs_start_table_lock_wait_v1(PSI_table_locker_state *state,
   if (! pfs_table->m_lock_enabled)
     return NULL;
 
-  PFS_thread *pfs_thread= pfs_table->m_thread_owner;
+  PFS_thread *pfs_thread= my_thread_get_THR_PFS();
+
+  DBUG_ASSERT(pfs_thread == pfs_table->m_thread_owner);
 
   PFS_TL_LOCK_TYPE lock_type;
 
@@ -3611,7 +3613,12 @@ pfs_start_socket_wait_v1(PSI_socket_locker_state *state,
 
   if (flag_thread_instrumentation)
   {
-    PFS_thread *pfs_thread= pfs_socket->m_thread_owner;
+    /*
+       Do not use pfs_socket->m_thread_owner here,
+       as different threads may use concurrently the same socket,
+       for example during a KILL.
+    */
+    PFS_thread *pfs_thread= my_thread_get_THR_PFS();
 
     if (unlikely(pfs_thread == NULL))
       return NULL;
@@ -3983,6 +3990,8 @@ void pfs_end_idle_wait_v1(PSI_idle_locker* locker)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 
@@ -4067,6 +4076,8 @@ void pfs_end_mutex_wait_v1(PSI_mutex_locker* locker, int rc)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 }
@@ -4146,6 +4157,8 @@ void pfs_end_rwlock_rdwait_v1(PSI_rwlock_locker* locker, int rc)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 }
@@ -4223,6 +4236,8 @@ void pfs_end_rwlock_wrwait_v1(PSI_rwlock_locker* locker, int rc)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 }
@@ -4287,6 +4302,8 @@ void pfs_end_cond_wait_v1(PSI_cond_locker* locker, int rc)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 }
@@ -4382,6 +4399,8 @@ void pfs_end_table_io_wait_v1(PSI_table_locker* locker, ulonglong numrows)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 
@@ -4451,6 +4470,8 @@ void pfs_end_table_lock_wait_v1(PSI_table_locker* locker)
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 
@@ -4723,6 +4744,8 @@ void pfs_end_file_wait_v1(PSI_file_locker *locker,
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
 }
@@ -6307,6 +6330,8 @@ void pfs_end_socket_wait_v1(PSI_socket_locker *locker, size_t byte_count)
     if (thread->m_flag_events_waits_history_long)
       insert_events_waits_history_long(wait);
     thread->m_events_waits_current--;
+
+    DBUG_ASSERT(wait == thread->m_events_waits_current);
   }
 }
 
@@ -7039,6 +7064,8 @@ pfs_end_metadata_wait_v1(PSI_metadata_locker *locker,
       if (thread->m_flag_events_waits_history_long)
         insert_events_waits_history_long(wait);
       thread->m_events_waits_current--;
+
+      DBUG_ASSERT(wait == thread->m_events_waits_current);
     }
   }
   else