Description:
File: storage\innobase\lob\zlob0update.cc
Function: z_replace()
Detail:
The `trx == nullptr ?` check on line 181 takes into account the possibility of `trx` being nullptr, but on line 201 there is a dereference of `trx` without checking whether it is nullptr.
For your convenience, I have copied and pasted the relevant code as follows:
176 static dberr_t z_replace(InsertContext &ctx, trx_t *trx, dict_index_t *index,
177 ref_t ref, z_first_page_t &first_page, ulint offset,
178 ulint len, byte *buf) {
...
// Assuming `trx` is `nullptr`
181 trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
182 const undo_no_t undo_no = (trx == nullptr ? 0 : trx->undo_no - 1);
...
201 first_page.set_last_trx_id(trx->id); // `nullptr` dereference happened here
202 first_page.set_last_trx_undo_no(undo_no);
...
}
How to repeat:
This is a static analyzer warning; we have not found an actual path that triggers the null pointer dereference, but we believe this is a clear logical error in the code.
Suggested fix:
Replace `trx->id` with `trxid` as follows:
201 first_page.set_last_trx_id(trxid);
What's more, similar situations have been found in the `update()`, `replace()` and `replace_inline()` functions in `storage/innobase/lob/lob0update.cc`. Perhaps they also need to be fixed.
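The pattern in the report, reduced to a self-contained illustration. This is added example code, not code from the MySQL source tree: `trx_t` and `z_first_page_t` are hypothetical stand-ins that only keep the two fields and two setters the reported lines touch, and `stamp_buggy()`/`stamp_fixed()` are made-up names for the defective shape and the suggested fix. The buggy variant has undefined behaviour when handed a null pointer, so it is only exercised with a real transaction; the fixed variant reuses the already-guarded `trxid` and records 0 for a null `trx`, which is the only behaviour change.

```cpp
#include <cstdint>
#include <iostream>

// Hypothetical stand-ins for InnoDB's types; only what the reported lines need.
using trx_id_t = uint64_t;
using undo_no_t = uint64_t;

struct trx_t {
  trx_id_t id;
  undo_no_t undo_no;
};

struct z_first_page_t {
  trx_id_t last_trx_id = 0;
  undo_no_t last_undo_no = 0;
  void set_last_trx_id(trx_id_t id) { last_trx_id = id; }
  void set_last_trx_undo_no(undo_no_t n) { last_undo_no = n; }
};

// Shape of the defect: trxid and undo_no are computed behind a nullptr guard,
// but the page is stamped from trx->id directly. Undefined behaviour if trx
// is nullptr, so never call this with a null pointer.
void stamp_buggy(z_first_page_t &first_page, trx_t *trx) {
  trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
  const undo_no_t undo_no = (trx == nullptr ? 0 : trx->undo_no - 1);
  (void)trxid;  // computed, then ignored: the guarded value is never used
  first_page.set_last_trx_id(trx->id);  // unguarded dereference
  first_page.set_last_trx_undo_no(undo_no);
}

// Suggested fix: stamp the page from the guarded value so both fields agree
// on how a null trx is handled (id 0, undo_no 0).
void stamp_fixed(z_first_page_t &first_page, trx_t *trx) {
  const trx_id_t trxid = (trx == nullptr) ? 0 : trx->id;
  const undo_no_t undo_no = (trx == nullptr ? 0 : trx->undo_no - 1);
  first_page.set_last_trx_id(trxid);
  first_page.set_last_trx_undo_no(undo_no);
}

// Small helpers returning what each variant records, so the behaviour can be
// compared without reading the page object by hand.
trx_id_t buggy_id_for(trx_t *trx) {
  z_first_page_t page;
  stamp_buggy(page, trx);
  return page.last_trx_id;
}

trx_id_t fixed_id_for(trx_t *trx) {
  z_first_page_t page;
  stamp_fixed(page, trx);
  return page.last_trx_id;
}

undo_no_t fixed_undo_for(trx_t *trx) {
  z_first_page_t page;
  stamp_fixed(page, trx);
  return page.last_undo_no;
}

int main() {
  trx_t trx{42, 7};  // constructed sample transaction
  std::cout << "buggy, live trx:  id=" << buggy_id_for(&trx) << "\n";
  std::cout << "fixed, live trx:  id=" << fixed_id_for(&trx)
            << " undo_no=" << fixed_undo_for(&trx) << "\n";
  std::cout << "fixed, null trx:  id=" << fixed_id_for(nullptr)
            << " undo_no=" << fixed_undo_for(nullptr) << "\n";
  // buggy_id_for(nullptr) is deliberately not called: it would dereference null.
  return 0;
}
```

For a live transaction both variants record the same id, so the fix changes nothing on the path that is known to be exercised; the difference is only that the null case no longer crashes and the recorded id (0) now matches the undo number (0) the same function already writes for that case.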