MDEV-21341: Fix UBSAN failures: Issue Six

(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 requires extra work due to sp_package, will commit a separate
patch for it)

sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.

Fixed by providing static sp_head::create() and sp_head::destroy() methods.

1 files changed, 9 insertions, 8 deletions

diff --git a/sql/sp_head.h b/sql/sp_head.h
index 2b3e568fb9a..47cb0985b05 100644
--- a/sql/sp_head.h
+++ b/sql/sp_head.h
@@ -142,7 +142,7 @@ public:
 bool
 check_routine_name(LEX_STRING *ident);
 
-class sp_head :private Query_arena
+class sp_head :private Query_arena, public Sql_alloc
 {
   sp_head(const sp_head &);	/**< Prevent use of these */
   void operator=(sp_head &);
@@ -301,14 +301,16 @@ public:
     being opened is probably enough).
   */
   SQL_I_List<Item_trigger_field> m_trg_table_fields;
+private:
+  // users must use sp= sp_head::create()
+  sp_head(MEM_ROOT *mem_root_arg);
 
-  static void *
-  operator new(size_t size) throw ();
-
-  static void
-  operator delete(void *ptr, size_t size) throw ();
+  // users must use sp_head::destroy(sp)
+  virtual ~sp_head();
 
-  sp_head();
+public:
+  static sp_head* create();
+  static void destroy(sp_head *sp);
 
   /// Initialize after we have reset mem_root
   void
@@ -326,7 +328,6 @@ public:
   void
   set_stmt_end(THD *thd);
 
-  virtual ~sp_head();
 
   bool
   execute_trigger(THD *thd,