authorMarko Mäkelä <marko.makela@mariadb.com>2021-07-23 17:20:57 +0300
committerMarko Mäkelä <marko.makela@mariadb.com>2021-07-23 17:20:57 +0300
commit173e562dc2bd339de32d17de73b720e7ca863ff2 (patch)
treee295abdd444203d6a4c93c4449df0ce315441a31
parent4c4237e63fb9d766a99fb1d45049d6955fd7f8f2 (diff)
downloadmariadb-git-173e562dc2bd339de32d17de73b720e7ca863ff2.tar.gz
MDEV-26228 ASAN heap-use-after-free with ON UPDATE CASCADE
In commit 83d2e0841ee30727c609f23957cc592399a3aca4 (MDEV-24041) we failed to notice that in addition to the bug with DELETE and ON DELETE CASCADE, there is another bug with UPDATE and ON UPDATE CASCADE. row_ins_foreign_fill_virtual(): Use the correct memory heap for everything that will be reachable from the cascade->update that we return to the caller. Note: It is correct to use the shorter-lived cascade->heap for rec_get_offsets(), because that memory will be abandoned when row_ins_foreign_fill_virtual() returns.
-rw-r--r--mysql-test/suite/gcol/r/innodb_virtual_fk.result3
-rw-r--r--mysql-test/suite/gcol/t/innodb_virtual_fk.test3
-rw-r--r--storage/innobase/row/row0ins.cc6
3 files changed, 9 insertions, 3 deletions
diff --git a/mysql-test/suite/gcol/r/innodb_virtual_fk.result b/mysql-test/suite/gcol/r/innodb_virtual_fk.result
index 252274f3e0a..367ed1223f7 100644
--- a/mysql-test/suite/gcol/r/innodb_virtual_fk.result
+++ b/mysql-test/suite/gcol/r/innodb_virtual_fk.result
@@ -809,15 +809,18 @@ generated_email_id int as (email_id),
PRIMARY KEY (id),
KEY mautic_generated_sent_date_email_id (generated_email_id),
FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE SET NULL
+ON UPDATE CASCADE
) ENGINE=InnoDB;
CREATE TABLE emails_metadata (
email_id int,
PRIMARY KEY (email_id),
CONSTRAINT FK FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE CASCADE
+ON UPDATE CASCADE
) ENGINE=InnoDB;
INSERT INTO emails VALUES (1);
INSERT INTO email_stats (id, email_id, date_sent) VALUES (1,1,'Jan');
INSERT INTO emails_metadata VALUES (1);
+UPDATE emails SET id=2;
DELETE FROM emails;
DROP TABLE email_stats;
DROP TABLE emails_metadata;
diff --git a/mysql-test/suite/gcol/t/innodb_virtual_fk.test b/mysql-test/suite/gcol/t/innodb_virtual_fk.test
index 24b6a4631e6..c99259531b3 100644
--- a/mysql-test/suite/gcol/t/innodb_virtual_fk.test
+++ b/mysql-test/suite/gcol/t/innodb_virtual_fk.test
@@ -670,6 +670,7 @@ CREATE TABLE email_stats (
PRIMARY KEY (id),
KEY mautic_generated_sent_date_email_id (generated_email_id),
FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE SET NULL
+ ON UPDATE CASCADE
) ENGINE=InnoDB;
@@ -677,6 +678,7 @@ CREATE TABLE emails_metadata (
email_id int,
PRIMARY KEY (email_id),
CONSTRAINT FK FOREIGN KEY (email_id) REFERENCES emails (id) ON DELETE CASCADE
+ ON UPDATE CASCADE
) ENGINE=InnoDB;
@@ -684,6 +686,7 @@ INSERT INTO emails VALUES (1);
INSERT INTO email_stats (id, email_id, date_sent) VALUES (1,1,'Jan');
INSERT INTO emails_metadata VALUES (1);
+UPDATE emails SET id=2;
DELETE FROM emails;
DROP TABLE email_stats;
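Review bot: The added `UPDATE emails SET id=2;` is followed directly by `DELETE FROM emails;` with nothing checking what the cascade wrote, so on a build without ASAN this test would likely still pass if the use-after-free came back. Consider selecting the child rows after the update, e.g. `SELECT id, email_id, generated_email_id FROM email_stats;` and `SELECT * FROM emails_metadata;`, so the cascaded key and the virtual column value are recorded in the .result file. A short comment such as `# MDEV-26228: ON UPDATE CASCADE with an indexed virtual column` above the UPDATE would also tie the statement to the bug it guards.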
diff --git a/storage/innobase/row/row0ins.cc b/storage/innobase/row/row0ins.cc
index 4dc9c66a536..929d3683ce6 100644
--- a/storage/innobase/row/row0ins.cc
+++ b/storage/innobase/row/row0ins.cc
@@ -1,7 +1,7 @@
/*****************************************************************************
Copyright (c) 1996, 2016, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2016, 2020, MariaDB Corporation.
+Copyright (c) 2016, 2021, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -969,8 +969,8 @@ row_ins_foreign_fill_virtual(
upd_field = update->fields + n_diff;
upd_field->old_v_val = static_cast<dfield_t*>(
- mem_heap_alloc(cascade->heap,
- sizeof *upd_field->old_v_val));
+ mem_heap_alloc(update->heap,
+ sizeof *upd_field->old_v_val));
dfield_copy(upd_field->old_v_val, vfield);
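Review bot: The lifetime rule behind switching `mem_heap_alloc` to `update->heap` is stated only in the commit message; nothing at the allocation site tells the next editor that `cascade->heap` is wrong here. A comment above the assignment such as `/* old_v_val stays reachable from cascade->update after we return, so it must come from update->heap; cascade->heap is shorter-lived */` would keep the invariant next to the code. It is also worth confirming that the buffer `vfield` points at has the same lifetime: if `dfield_copy()` copies only the `dfield_t` and not the data it references (its definition is not in this hunk), `old_v_val` could still point into shorter-lived memory. The body of `row_ins_foreign_fill_virtual()` starts and ends outside the hunk, so other allocations in it are not visible here.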