From ce64a16b75746848c8d5a89cfb726a38691c9d6f Mon Sep 17 00:00:00 2001
From: Alexey Botchkov <holyfoot@mysql.com>
Date: Mon, 29 Sep 2008 19:11:34 +0500
Subject: [PATCH] Bug#37949 Crash if argument to SP is a subquery that returns
 more than one row      JOIN for the subselect wasn't cleaned if we came upon
 an error      during sub_select() execution. That leads to the assertion
 failure      in close_thread_tables()

     part of the 6.0 code backported

per-file comments:
  mysql-test/r/sp-error.result
Bug#37949 Crash if argument to SP is a subquery that returns more than one row
    test result

  mysql-test/t/sp-error.test
Bug#37949 Crash if argument to SP is a subquery that returns more than one row
    test case

  sql/sp_head.cc
Bug#37949 Crash if argument to SP is a subquery that returns more than one row
    lex->unit.cleanup() call added if not substatement
---
 mysql-test/r/sp-error.result | 7 +++++++
 mysql-test/t/sp-error.test   | 8 ++++++++
 sql/sp_head.cc               | 6 +++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/sp-error.result b/mysql-test/r/sp-error.result
index 0fc0adc89ad..e83e8c2c71d 100644
--- a/mysql-test/r/sp-error.result
+++ b/mysql-test/r/sp-error.result
@@ -1513,3 +1513,10 @@ end loop label1;
 end loop;
 end|
 ERROR 42000: End-label label1 without match
+CREATE TABLE t1 (a INT)|
+INSERT INTO t1 VALUES (1),(2)|
+CREATE PROCEDURE p1(a INT) BEGIN END|
+CALL p1((SELECT * FROM t1))|
+ERROR 21000: Subquery returns more than 1 row
+DROP PROCEDURE IF EXISTS p1|
+DROP TABLE t1|
diff --git a/mysql-test/t/sp-error.test b/mysql-test/t/sp-error.test
index c9b2b1dbd0e..c839b1e4374 100644
--- a/mysql-test/t/sp-error.test
+++ b/mysql-test/t/sp-error.test
@@ -2173,6 +2173,14 @@ begin
     end loop;
 end|
 
+CREATE TABLE t1 (a INT)|
+INSERT INTO t1 VALUES (1),(2)|
+CREATE PROCEDURE p1(a INT) BEGIN END|
+--error ER_SUBQUERY_NO_1_ROW
+CALL p1((SELECT * FROM t1))|
+DROP PROCEDURE IF EXISTS p1|
+DROP TABLE t1|
+
 delimiter ;|
 
 #
diff --git a/sql/sp_head.cc b/sql/sp_head.cc
index b1bfab40acd..5ce24aecebd 100644
--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@@ -1762,7 +1762,11 @@ sp_head::execute_procedure(THD *thd, List<Item> *args)
       we'll leave it here.
     */
     if (!thd->in_sub_stmt)
-      close_thread_tables(thd, 0, 0);
+    {
+      thd->lex->unit.cleanup();
+      close_thread_tables(thd);            
+      thd->rollback_item_tree_changes();
+    }
 
     DBUG_PRINT("info",(" %.*s: eval args done", m_name.length, m_name.str));
   }