Bug#48157: crash in Item_field::used_tables

MySQL handles the join syntax "JOIN ... USING( field1,
... )" and natural joins by building the same parse tree as
a corresponding join with an "ON t1.field1 = t2.field1 ..."
expression would produce. This parse tree was not cleaned up
properly in the following scenario. If a thread tries to
lock some tables and finds that the tables were dropped and
re-created while waiting for the lock, it cleans up column
references in the statement by means a per-statement free
list. But if the statement was part of a stored procedure,
column references on the stored procedure's free list weren't
cleaned up and thus contained pointers to freed objects.

Fixed by adding a call to clean up the current prepared
statement's free list.


mysql-test/r/sp_sync.result:
  Bug#48157: Test case
mysql-test/t/sp_sync.test:
  Bug#48157: Test result
sql/item.h:
  Bug#48157: Commented field.
sql/sql_parse.cc:
  Bug#48157: Commented function.
sql/sql_update.cc:
  Bug#48157: fix

1 files changed, 7 insertions, 0 deletions

diff --git a/sql/item.h b/sql/item.h
index 8f0e5874f3f..88e90924fcc 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -506,6 +506,13 @@ public:
   char * name;			/* Name from select */
   /* Original item name (if it was renamed)*/
   char * orig_name;
+  /**
+     Intrusive list pointer for free list. If not null, points to the next
+     Item on some Query_arena's free list. For instance, stored procedures
+     have their own Query_arena's.
+
+     @see Query_arena::free_list
+   */
   Item *next;
   uint32 max_length;
   uint name_length;                     /* Length of name */