Bug #115157 Potential Nullptr Dereference in file `storage\innobase\lob\zlob0update.cc`
Submitted: 29 May 7:34 Modified: 29 May 7:52
Reporter: Hershey None
Status: Verified
Category: MySQL Server: InnoDB storage engine Severity: S3 (Non-critical)
Version: mysql-trunk, 8.0 OS: Any
Assigned to: CPU Architecture: Any

[29 May 7:34] Hershey None
File: storage\innobase\lob\zlob0update.cc
Function: z_replace()
The `trx == nullptr ?` on line 181 takes into account the possibility of `trx` being nullptr, but on line 201, there is a dereference of `trx` without checking if it is nullptr.

For your convenience, I have copied and pasted the relevant code as follows:

176 static dberr_t z_replace(InsertContext &ctx, trx_t *trx, dict_index_t *index,
177                          ref_t ref, z_first_page_t &first_page, ulint offset,
178                          ulint len, byte *buf) {
        ...
        // Assuming `trx` is `nullptr`
181     trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
182     const undo_no_t undo_no = (trx == nullptr ? 0 : trx->undo_no - 1);
        ...
201     first_page.set_last_trx_id(trx->id); // `nullptr` dereference happened here
202     first_page.set_last_trx_undo_no(undo_no);
        ...

How to repeat:
This is a static analyzer warning; we have not found an actual path that triggers the null pointer dereference, but we believe this is a clear logical error in the code.

Suggested fix:
Replace `trx->id` with `trxid` as follows:

201 first_page.set_last_trx_id(trxid);

What's more, similar situations have been found in the `update()`, `replace()` and `replace_inline()` functions in `storage/innobase/lob/lob0update.cc`. Perhaps they also need to be fixed.
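The inconsistent-guard pattern from the report, reduced to a stand-alone C++ illustration (added here; this is not code from the bug report or from MySQL). The `trx_t`, `z_first_page_t`, `trx_id_t` and `undo_no_t` definitions below are constructed stand-ins that only mimic the names used in the snippet, and the two `stamp_page_*` functions are hypothetical reductions of the guarded reads at lines 181/182 and the unguarded write at line 201. The as-reported form is exercised only with a non-null transaction, since calling it with `nullptr` is undefined behaviour; the fixed form, which routes every later use through the already-guarded `trxid`, is exercised with both.

```cpp
#include <cstdint>
#include <iostream>

// Constructed stand-ins for the InnoDB types named in the report; these are
// not the real MySQL definitions, only enough to exercise the pattern.
using trx_id_t = uint64_t;
using undo_no_t = uint64_t;

struct trx_t {
  trx_id_t id;
  undo_no_t undo_no;
};

struct z_first_page_t {
  trx_id_t last_trx_id = 0;
  undo_no_t last_undo_no = 0;
  void set_last_trx_id(trx_id_t id) { last_trx_id = id; }
  void set_last_trx_undo_no(undo_no_t n) { last_undo_no = n; }
};

// Shape of the code as reported: trx is guarded when trxid and undo_no are
// computed, but the later stamp reads trx->id directly. With trx == nullptr
// that read is undefined behaviour, so this version is never called with null
// below; it is kept only to show the inconsistency beside the fixed form.
static void stamp_page_as_reported(trx_t *trx, z_first_page_t &first_page) {
  trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
  const undo_no_t undo_no = (trx == nullptr ? 0 : trx->undo_no - 1);
  (void)trxid;  // computed but never used, which is the defect
  first_page.set_last_trx_id(trx->id);  // unguarded dereference
  first_page.set_last_trx_undo_no(undo_no);
}

// Shape after the suggested fix: the guarded value is the only thing used,
// so a null trx stamps 0/0 instead of dereferencing.
static void stamp_page_fixed(trx_t *trx, z_first_page_t &first_page) {
  const trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
  const undo_no_t undo_no = (trx == nullptr) ? 0 : trx->undo_no - 1;
  first_page.set_last_trx_id(trxid);
  first_page.set_last_trx_undo_no(undo_no);
}

// Accessors that return the stamped page so the behaviour can be checked.
z_first_page_t stamp_fixed(trx_t *trx) {
  z_first_page_t page;
  stamp_page_fixed(trx, page);
  return page;
}

z_first_page_t stamp_as_reported(trx_t *trx) {
  z_first_page_t page;
  stamp_page_as_reported(trx, page);
  return page;
}

int main() {
  trx_t trx{42, 7};  // constructed sample transaction
  z_first_page_t a = stamp_as_reported(&trx);
  z_first_page_t b = stamp_fixed(&trx);
  z_first_page_t c = stamp_fixed(nullptr);  // safe only in the fixed form
  std::cout << "as reported: " << a.last_trx_id << '/' << a.last_undo_no << '\n';
  std::cout << "fixed:       " << b.last_trx_id << '/' << b.last_undo_no << '\n';
  std::cout << "fixed, null: " << c.last_trx_id << '/' << c.last_undo_no << '\n';
  return 0;
}
```

The point the reduction makes is that the guard at line 181 already establishes the contract "null trx means id 0"; the fix is to honour that contract at every later use rather than to add a second check at line 201. Compiling with `-Wunused-variable` flags the dead `trxid` in the as-reported form, which is a cheap way to catch this class of inconsistency before a static analyzer does.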
[29 May 7:52] MySQL Verification Team

Thank you for the report and feedback.