Crashes in ibm: bdb_temp_table_cursor access null tbl pointer -- failure to create tmp table

[adizaimi]

This is observed in our testing on ibm machines with some frequency:

bdb_temp_table_cursor(bdb_state = 0x0000000110f51700, tbl = (nil), usermem = (nil), bdberr = 0x00000001195a2fc8), line 835 in "temptable.c"
bdb_cursor_move_int(cur = 0x00000001195ac698, how = 9, bdberr = 0x00000001195a2fc8), line 6084 in "cursor.c"
bdb_cursor_move(cur = 0x00000001195ac698, how = 9, bdberr = 0x00000001195a2fc8), line 6239 in "cursor.c"
bdb_cursor_first(pcur_ifn = 0x00000001195ac580, bdberr = 0x00000001195a2fc8), line 3899 in "cursor.c"
ddguard_bdb_cursor_move(thd = 0x00000001195ac290, pCur = 0x00000001195bf398, flags = 0, bdberr = 0x00000001195a2fc8, how = 0, iq_do_prefault = (nil), freshcursor = 0), line 10151 in "sqlglue.c"
cursor_move_table(pCur = 0x00000001195bf398, pRes = 0x00000001195a3680, how = 0), line 2437 in "sqlglue.c"
sqlite3BtreeFirst(pCur = 0x00000001195bf398, pRes = 0x00000001195a3680), line 3876 in "sqlglue.c"
unnamed block in sqlite3VdbeExec(p = 0x00000001195bfc90), line 5969 in "vdbe.c"
sqlite3VdbeExec(p = 0x00000001195bfc90), line 5969 in "vdbe.c"
sqlite3Step(p = 0x00000001195bfc90), line 897 in "vdbeapi.c"
sqlite3_step(pStmt = 0x00000001195bfc90), line 967 in "vdbeapi.c"
unnamed block in sqlite3_exec(db = 0x00000001195ad250, zSql = "SELECT tbl,idx,stat FROM 'main'.sqlite_stat1 WHERE tbl not like 'cdb2.%.sav'", xCallback = 0x000000011011ad90, pArg = 0x00000001195a4560, pzErrMsg = (nil)), line 67 in "legacy.c"
unnamed block in sqlite3_exec(db = 0x00000001195ad250, zSql = "SELECT tbl,idx,stat FROM 'main'.sqlite_stat1 WHERE tbl not like 'cdb2.%.sav'", xCallback = 0x000000011011ad90, pArg = 0x00000001195a4560, pzErrMsg = (nil)), line 67 in "legacy.c"
sqlite3_exec(db = 0x00000001195ad250, zSql = "SELECT tbl,idx,stat FROM 'main'.sqlite_stat1 WHERE tbl not like 'cdb2.%.sav'", xCallback = 0x000000011011ad90, pArg = 0x00000001195a4560, pzErrMsg = (nil)), line 67 in "legacy.c"
sqlite3AnalysisLoad(db = 0x00000001195ad250, iDb = 0), line 2496 in "analyze.c"
unnamed block in sqlite3InitOne(db = 0x00000001195ad250, iDb = 0, pzErrMsg = 0x00000001195a5398, mFlags = 0), line 389 in "prepare.c"
sqlite3InitOne(db = 0x00000001195ad250, iDb = 0, pzErrMsg = 0x00000001195a5398, mFlags = 0), line 389 in "prepare.c"
sqlite3InitTable(db = 0x00000001195ad250, pzErrMsg = 0x00000001195a5398, zName = (nil)), line 486 in "prepare.c"
sqlite3Init(db = 0x00000001195ad250, pzErrMsg = 0x00000001195a5398), line 544 in "prepare.c"
sqlite3ReadSchema(pParse = 0x00000001195a5390), line 557 in "prepare.c"
sqlite3LocateTable(pParse = 0x00000001195a5390, flags = 0, zName = "t", zDbase = (nil)), line 657 in "build.c"
sqlite3LocateTableItem(pParse = 0x00000001195a5390, flags = 0, p = 0x00000001195bdbd0), line 745 in "build.c"
sqlite3SrcListLookup(pParse = 0x00000001195a5390, pSrc = 0x00000001195bdbc0), line 40 in "delete.c"
sqlite3Insert(pParse = 0x00000001195a5390, pTabList = 0x00000001195bdbc0, pSelect = (nil), pColumn = (nil), onError = 11, pUpsert = (nil)), line 589 in "insert.c"
unnamed block in yy_reduce(yypParser = 0x00000001195bd230, yyruleno = 151, yyLookahead = 1, yyLookaheadToken = (...), pParse = 0x00000001195a5390), line 1146 in "parse.y"
yy_reduce(yypParser = 0x00000001195bd230, yyruleno = 151, yyLookahead = 1, yyLookaheadToken = (...), pParse = 0x00000001195a5390), line 1146 in "parse.y"
sqlite3Parser(yyp = 0x00000001195bd230, yymajor = 1, yyminor = (...)), line 7241 in "parse.c"
sqlite3RunParser(pParse = 0x00000001195a5390, zSql = "", pzErrMsg = 0x00000001195a5380), line 691 in "tokenize.c"
sqlite3Prepare(db = 0x00000001195ad250, zSql = "insert into t values(1)", nBytes = -1, prepFlags = 130, pReprepare = (nil), ppStmt = 0x00000001195a81f0, pzTail = 0x00000001195a7e90), line 789 in "prepare.c"
sqlite3LockAndPrepare(db = 0x00000001195ad250, zSql = "insert into t values(1)", nBytes = -1, prepFlags = 130, pOld = (nil), ppStmt = 0x00000001195a81f0, pzTail = 0x00000001195a7e90), line 885 in "prepare.c"
sqlite3_prepare_v3(db = 0x00000001195ad250, zSql = "insert into t values(1)", nBytes = -1, prepFlags = 2, ppStmt = 0x00000001195a81f0, pzTail = 0x00000001195a7e90), line 997 in "prepare.c"
get_prepared_stmt_int(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8, rec = 0x00000001195a81e8, err = 0x00000001195a80e8, flags = 7), line 3590 in "sqlinterfaces.c"
get_prepared_stmt(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8, rec = 0x00000001195a81e8, err = 0x00000001195a80e8, flags = 0), line 3730 in "sqlinterfaces.c"
get_prepared_bound_stmt(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8, rec = 0x00000001195a81e8, err = 0x00000001195a80e8, flags = 0), line 3908 in "sqlinterfaces.c"
unnamed block in handle_sqlite_requests(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8), line 4444 in "sqlinterfaces.c"
handle_sqlite_requests(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8), line 4444 in "sqlinterfaces.c"
execute_sql_query(thd = 0x00000001195a84f0, clnt = 0x00000001191502a8), line 4801 in "sqlinterfaces.c"
sqlengine_work_appsock(thddata = 0x00000001195a84f0, work = 0x00000001191502a8), line 5300 in "sqlinterfaces.c"
sqlengine_work_appsock_pp(pool = 0x000000011048a318, work = 0x00000001191502a8, thddata = 0x00000001195a84f0, op = 0), line 5334 in "sqlinterfaces.c"

[adizaimi]

i found that the test that triggers ibm crash is tmptable_starve.
The error log from in db log is "bdb_temp_table_create returns NULL, bdberr=0".
Ihe fact that bdberr is 0 and that we don't see error in allocation, suggests that the
issue is not with bdb_temp_table_create, but rather with the other codepaths:
bdb_temp_table_create() or bdb_temp_table_create().
Why it fails only on ibm is also a mystery.