fix: [3.3.6] memory leak and use-after-free crash (#35142)

Author: DuanKuanJun

source/client/src/clientImpl.c

@@ -482,6 +482,9 @@ int32_t asyncExecDdlQuery(SRequestObj* pRequest, SQuery* pQuery) {
   }
 
   SCmdMsgInfo* pMsgInfo = pQuery->pCmdMsg;
+  // Clear pQuery->pCmdMsg before the async call so that nodesDestroyNode (which may be
+  // triggered by the async response callback on another thread) will not double-free pCmdMsg.
+  pQuery->pCmdMsg = NULL;
   pRequest->type = pMsgInfo->msgType;
   pRequest->body.requestMsg = (SDataBuf){.pData = pMsgInfo->pMsg, .len = pMsgInfo->msgLen, .handle = NULL};
   pMsgInfo->pMsg = NULL;  // pMsg transferred to SMsgSendInfo management
@@ -490,6 +493,11 @@ int32_t asyncExecDdlQuery(SRequestObj* pRequest, SQuery* pQuery) {
   SMsgSendInfo* pSendMsg = buildMsgInfoImpl(pRequest);
 
   int32_t code = asyncSendMsgToServer(pAppInfo->pTransporter, &pMsgInfo->epSet, NULL, pSendMsg);
+  // pMsgInfo->pMsg has been transferred to pRequest->body.requestMsg and pMsgInfo->epSet has
+  // been consumed by asyncSendMsgToServer; the SCmdMsgInfo struct itself is no longer needed.
+  // Use the local pMsgInfo variable (not pQuery->pCmdMsg) to avoid a use-after-free: the async
+  // response callback may have run on another thread and destroyed pQuery by this point.
+  taosMemoryFree(pMsgInfo);
   if (code) {
     doRequestCallback(pRequest, code);
   }

source/libs/executor/src/sysscanoperator.c

@@ -3128,7 +3128,7 @@ static SSDataBlock* sysTableScanFromMNode(SOperatorInfo* pOperator, SSysTableSca
              pRsp->numOfRows, pInfo->loadInfo.totalRows);
 
       if (pRsp->numOfRows == 0) {
-        taosMemoryFree(pRsp);
+        taosMemoryFreeClear(pInfo->pRsp);
         return NULL;
       }
     }
@@ -3138,7 +3138,7 @@ static SSDataBlock* sysTableScanFromMNode(SOperatorInfo* pOperator, SSysTableSca
     if (code != TSDB_CODE_SUCCESS) {
       qError("%s failed at line %d since %s", __func__, __LINE__, tstrerror(code));
       pTaskInfo->code = code;
-      taosMemoryFreeClear(pRsp);
+      taosMemoryFreeClear(pInfo->pRsp);
       T_LONG_JMP(pTaskInfo->env, code);
     }
     updateLoadRemoteInfo(&pInfo->loadInfo, pRsp->numOfRows, pRsp->compLen, startTs, pOperator);
@@ -3148,10 +3148,10 @@ static SSDataBlock* sysTableScanFromMNode(SOperatorInfo* pOperator, SSysTableSca
     if (code != TSDB_CODE_SUCCESS) {
       qError("%s failed at line %d since %s", __func__, __LINE__, tstrerror(code));
       pTaskInfo->code = code;
-      taosMemoryFreeClear(pRsp);
+      taosMemoryFreeClear(pInfo->pRsp);
       T_LONG_JMP(pTaskInfo->env, code);
     }
-    taosMemoryFree(pRsp);
+    taosMemoryFreeClear(pInfo->pRsp);
     if (pInfo->pRes->info.rows > 0) {
       return pInfo->pRes;
     } else if (pOperator->status == OP_EXEC_DONE) {

test/ci/run_upgrade_compat.sh

@@ -96,10 +96,10 @@ function download_version() {
     local start_time
     start_time=$(date +%s)
 
-    # Quick check: skip if cache exists and all files are >= 30M
+    # Quick check: skip if cache exists and all files are >= 10M
     local file_count valid_count
     file_count=$(find "$target_dir" -maxdepth 1 -type f 2>/dev/null | wc -l)
-    valid_count=$(find "$target_dir" -maxdepth 1 -type f -size +30M 2>/dev/null | wc -l)
+    valid_count=$(find "$target_dir" -maxdepth 1 -type f -size +10M 2>/dev/null | wc -l)
     if [ "$file_count" -ge 2 ] && [ "$valid_count" -eq "$file_count" ]; then
         return 0
     fi
@@ -110,7 +110,7 @@ function download_version() {
 
         # Re-check inside lock in case another process already finished
         file_count=$(find "$target_dir" -maxdepth 1 -type f 2>/dev/null | wc -l)
-        valid_count=$(find "$target_dir" -maxdepth 1 -type f -size +30M 2>/dev/null | wc -l)
+        valid_count=$(find "$target_dir" -maxdepth 1 -type f -size +10M 2>/dev/null | wc -l)
         if [ "$file_count" -ge 2 ] && [ "$valid_count" -eq "$file_count" ]; then
             return 0
         fi