Post review fixes for BUG#16474: SP crashed MySQL.

mysql-test/r/ps.result:
  Added test coverage for "order by" in prepared statements (related to BUG#16474).
mysql-test/r/sp.result:
  Added reference to test case for BUG#16474.
mysql-test/t/ps.test:
  Added test coverage for "order by" in prepared statements (related to BUG#16474).
mysql-test/t/sp.test:
  Added reference to test case for BUG#16474.
sql/sql_select.cc:
  Fixed comment and test for basic_const_item() instead of is_splocal().

5 files changed, 94 insertions, 2 deletions

diff --git a/mysql-test/r/ps.result b/mysql-test/r/ps.result
index 4d108e06356..9afbca9dcb1 100644
--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -880,3 +880,49 @@ select row_count();
 row_count()
 1
 drop table t1;
+create table t1 (a int, b int);
+insert into t1 (a,b) values (2,8),(1,9),(3,7);
+prepare stmt from "select * from t1 order by ?";
+execute stmt using @a;
+a	b
+2	8
+1	9
+3	7
+set @a=1;
+execute stmt using @a;
+a	b
+1	9
+2	8
+3	7
+set @a=2;
+execute stmt using @a;
+a	b
+3	7
+2	8
+1	9
+deallocate prepare stmt;
+select * from t1 order by 1;
+a	b
+1	9
+2	8
+3	7
+prepare stmt from "select * from t1 order by ?+1";
+set @a=0;
+execute stmt using @a;
+a	b
+2	8
+1	9
+3	7
+set @a=1;
+execute stmt using @a;
+a	b
+2	8
+1	9
+3	7
+deallocate prepare stmt;
+select * from t1 order by 1+1;
+a	b
+2	8
+1	9
+3	7
+drop table t1;
diff --git a/mysql-test/r/sp.result b/mysql-test/r/sp.result
index f19dbbd2689..0c9b64f37fa 100644
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -4885,5 +4885,11 @@ b
 a
 drop procedure bug16474_1|
 drop procedure bug16474_2|
+set @x = 2|
+select * from t1 order by @x|
+id	data
+c	2
+b	3
+a	1
 delete from t1|
 drop table t1,t2;
diff --git a/mysql-test/t/ps.test b/mysql-test/t/ps.test
index d6b239c31bf..285b5fb0aa3 100644
--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -933,4 +933,38 @@ execute ins_call;
 select row_count();
 drop table t1;
 
+#
+# BUG#16474: SP crashed MySQL
+# (when using "order by localvar", where 'localvar' is just that.
+# The actual bug test is in sp.test, this is just testing that we get the
+# expected result for prepared statements too, i.e. place holders work as
+# textual substitution. If it's a single integer, it works as the (deprecated)
+# "order by column#", otherwise it's an expression.
+#
+create table t1 (a int, b int);
+insert into t1 (a,b) values (2,8),(1,9),(3,7);
+
+# Will order by index
+prepare stmt from "select * from t1 order by ?";
+execute stmt using @a;
+set @a=1;
+execute stmt using @a;
+set @a=2;
+execute stmt using @a;
+deallocate prepare stmt;
+# For reference:
+select * from t1 order by 1;
+
+# Will not order by index.
+prepare stmt from "select * from t1 order by ?+1";
+set @a=0;
+execute stmt using @a;
+set @a=1;
+execute stmt using @a;
+deallocate prepare stmt;
+# For reference:
+select * from t1 order by 1+1;
+
+drop table t1;
+
 # End of 5.0 tests
diff --git a/mysql-test/t/sp.test b/mysql-test/t/sp.test
index af7ce57b252..1d1272b0b2a 100644
--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@@ -5745,6 +5745,11 @@ call bug16474_2(1)|
 call bug16474_2(2)|
 drop procedure bug16474_1|
 drop procedure bug16474_2|
+
+# For reference: user variables are expressions too and do not affect ordering.
+set @x = 2|
+select * from t1 order by @x|
+
 delete from t1|
 
 
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index eb92bd1177b..e31a2068dee 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -12327,9 +12327,10 @@ find_order_in_list(THD *thd, Item **ref_pointer_array, TABLE_LIST *tables,
 
   /*
     Local SP variables may be int but are expressions, not positions.
-    (And they must be fixed.)
+    (And they can't be used before fix_fields is called for them).
   */
-  if (order_item->type() == Item::INT_ITEM && !order_item->is_splocal())
+  //  if (order_item->type() == Item::INT_ITEM && !order_item->is_splocal())
+  if (order_item->type() == Item::INT_ITEM && order_item->basic_const_item())
   {						/* Order by position */
     uint count= (uint) order_item->val_int();
     if (!count || count > fields.elements)