author | Sergei Golubchik <serg@mariadb.org> | 2017-04-03 23:58:36 +0200 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2017-04-07 09:55:54 +0200 |
commit | 06ee58a7ddb9d2c2b758042c89727e6cc1605383 (patch) | |
tree | d80e99a03d07d1466ed5d8e16d2207f1c327ff5b | |
parent | 30ed99cb8259b0bd3eb4c7c98d88d565eb8712bb (diff) | |
download | mariadb-git-06ee58a7ddb9d2c2b758042c89727e6cc1605383.tar.gz |
ASAN error in rpl.mysql-wsrep#110-2
Annotate_rows_log_event again. When a new annotate event comes,
the server applies it first (which backs up thd->query_string),
then frees the old annotate event, if any. Normally there isn't.
But with sub-statements (e.g. triggers) new annotate event comes
before the first one is freed, so the second event backs up
thd->query_string that was set by the first annotate event. Then
the first event is freed, together with its query string. And then
the second event restores thd->query_string to this freed memory.
Fix: free old annotate event before applying the new one.
-rw-r--r-- | sql/log_event.cc | 1 |
-rw-r--r-- | sql/rpl_rli.h | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc index 156f5bac7b7..0ba44c5d35b 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -11429,6 +11429,7 @@ void Annotate_rows_log_event::print(FILE *file, PRINT_EVENT_INFO *pinfo) #if !defined(MYSQL_CLIENT) && defined(HAVE_REPLICATION) int Annotate_rows_log_event::do_apply_event(rpl_group_info *rgi) { + rgi->free_annotate_event(); m_save_thd_query_txt= thd->query(); m_save_thd_query_len= thd->query_length(); m_saved_thd_query= true; diff --git a/sql/rpl_rli.h b/sql/rpl_rli.h index 93e7b869be0..448fc231b2b 100644 --- a/sql/rpl_rli.h +++ b/sql/rpl_rli.h @@ -835,7 +835,7 @@ struct rpl_group_info */ inline void set_annotate_event(Annotate_rows_log_event *event) { - free_annotate_event(); + DBUG_ASSERT(m_annotate_event == NULL); m_annotate_event= event; this->thd->variables.binlog_annotate_row_events= 1; } |
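Review bot: In sql/log_event.cc, the new `rgi->free_annotate_event();` at the top of `Annotate_rows_log_event::do_apply_event()` carries no comment, yet its position is the whole fix: it has to run before `m_save_thd_query_txt= thd->query();` so that the values saved are not ones set by the previous annotate event. Without a note, a later cleanup could move the call below the save or drop it as redundant with `set_annotate_event()`. Please add a short comment on that line saying the old event must be freed before `thd->query()` is backed up, and mention the sub-statement (trigger) case from the commit message.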
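Review bot: In sql/rpl_rli.h, `set_annotate_event()` now relies on `DBUG_ASSERT(m_annotate_event == NULL);` in place of the `free_annotate_event();` call, and `DBUG_ASSERT` is compiled out of non-debug builds. There, any caller that reaches `m_annotate_event= event;` with an old event still set will overwrite the pointer without freeing it, with nothing to flag it. The patch makes the precondition hold only for the path through `do_apply_event()`; please confirm that every other caller of `set_annotate_event()` also frees the old event first, and state the precondition (no annotate event may be pending) in the comment block above the function.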