From 49b29688bb2c8b87ec38963eba679349d28ea48c Mon Sep 17 00:00:00 2001 From: Alexander Nozdrin Date: Fri, 15 Feb 2013 16:01:37 +0400 Subject: [PATCH] Bug#16056537: MYSQLD CRASHES IN ITEM_FUNC_GET_USER_VAR::FIX_LENGTH_AND_DEC() The technical problem was that THD::user_var_events_alloc was reset to NULL from a valid value when a stored program is executed during the PREPARE statement. The user visible problem was that the server crashed if user issued a PREPARE statement using some combination of stored functions and user variables. The fix is to restore THD::user_var_events_alloc to the original value. This is a minimal fix for 5.5. More proper patch has been already implemented for 5.6+. It avoids evaluation of stored functions for the PREPARE phase. From the user point of view, this bug is a regression, introduced by the patch for WL2649 (Number-to-string conversions), revid: bar@mysql.com-20100211041725-ijbox021olab82nv However, the code resetting THD::user_var_events_alloc exists even in 5.1. The WL just changed the way arguments are converted to strings and the bug became visible. --- sql/sp_head.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sql/sp_head.cc b/sql/sp_head.cc index f20c205886d..552a44c7a96 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -1427,6 +1427,7 @@ sp_head::execute(THD *thd, bool merge_da_on_success) Will write this SP statement into binlog separately. TODO: consider changing the condition to "not inside event union". */ + MEM_ROOT *user_var_events_alloc_saved= thd->user_var_events_alloc; if (thd->locked_tables_mode <= LTM_LOCK_TABLES) thd->user_var_events_alloc= thd->mem_root; @@ -1442,7 +1443,7 @@ sp_head::execute(THD *thd, bool merge_da_on_success) if (thd->locked_tables_mode <= LTM_LOCK_TABLES) { reset_dynamic(&thd->user_var_events); - thd->user_var_events_alloc= NULL;//DEBUG + thd->user_var_events_alloc= user_var_events_alloc_saved; } /* we should cleanup free_list and memroot, used by instruction */