A fix for Bug#26750 "valgrind leak in sp_head" (and post-review

fixes).

The legend: on a replication slave, in case a trigger creation
was filtered out because of application of replicate-do-table/
replicate-ignore-table rule, the parsed definition of a trigger was not 
cleaned up properly. LEX::sphead member was left around and leaked 
memory. Until the actual implementation of support of 
replicate-ignore-table rules for triggers by the patch for Bug 24478 it 
was never the case that "case SQLCOM_CREATE_TRIGGER"
was not executed once a trigger was parsed,
so the deletion of lex->sphead there worked and the memory did not leak.

The fix: 

The real cause of the bug is that there is no 1 or 2 places where
we can clean up the main LEX after parse. And the reason we 
can not have just one or two places where we clean up the LEX is
asymmetric behaviour of MYSQLparse in case of success or error. 

One of the root causes of this behaviour is the code in Item::Item()
constructor. There, a newly created item adds itself to THD::free_list
- a single-linked list of Items used in a statement. Yuck. This code
is unaware that we may have more than one statement active at a time,
and always assumes that the free_list of the current statement is
located in THD::free_list. One day we need to be able to explicitly
allocate an item in a given Query_arena.
Thus, when parsing a definition of a stored procedure, like
CREATE PROCEDURE p1() BEGIN SELECT a FROM t1; SELECT b FROM t1; END;
we actually need to reset THD::mem_root, THD::free_list and THD::lex
to parse the nested procedure statement (SELECT *).
The actual reset and restore is implemented in semantic actions
attached to sp_proc_stmt grammar rule.
The problem is that in case of a parsing error inside a nested statement
Bison generated parser would abort immediately, without executing the
restore part of the semantic action. This would leave THD in an 
in-the-middle-of-parsing state.
This is why we couldn't have had a single place where we clean up the LEX
after MYSQLparse - in case of an error we needed to do a clean up
immediately, in case of success a clean up could have been delayed.
This left the door open for a memory leak.

One of the following possibilities were considered when working on a fix:
- patch the replication logic to do the clean up. Rejected
as breaks module borders, replication code should not need to know the
gory details of clean up procedure after CREATE TRIGGER.
- wrap MYSQLparse with a function that would do a clean up.
Rejected as ideally we should fix the problem when it happens, not
adjust for it outside of the problematic code.
- make sure MYSQLparse cleans up after itself by invoking the clean up
functionality in the appropriate places before return. Implemented in 
this patch.
- use %destructor rule for sp_proc_stmt to restore THD - cleaner
than the prevoius approach, but rejected
because needs a careful analysis of the side effects, and this patch is 
for 5.0, and long term we need to use the next alternative anyway
- make sure that sp_proc_stmt doesn't juggle with THD - this is a 
large work that will affect many modules.

Cleanup: move main_lex and main_mem_root from Statement to its
only two descendants Prepared_statement and THD. This ensures that
when a Statement instance was created for purposes of statement backup,
we do not involve LEX constructor/destructor, which is fairly expensive.
In order to track that the transformation produces equivalent 
functionality please check the respective constructors and destructors
of Statement, Prepared_statement and THD - these members were
used only there.
This cleanup is unrelated to the patch.


sql/log_event.cc:
  THD::main_lex is private and should not be used.
sql/mysqld.cc:
  Move MYSQLerror to sql_yacc.yy as it depends on LEX headers now.
sql/sql_class.cc:
  Cleanup: move main_lex and main_mem_root to THD and Prepared_statement
sql/sql_class.h:
  Cleanup: move main_lex and main_mem_root to THD and Prepared_statement
sql/sql_lex.cc:
  Implement st_lex::restore_lex()
sql/sql_lex.h:
  Declare st_lex::restore_lex().
sql/sql_parse.cc:
  Consolidate the calls to unit.cleanup() and deletion of lex->sphead
  in mysql_parse (COM_QUERY handler)
sql/sql_prepare.cc:
  No need to delete lex->sphead to restore memory roots now in case of a 
  parse error - this is done automatically inside MYSQLparse
sql/sql_trigger.cc:
  This code could lead to double deletion apparently, as in case
  of an error lex.sphead was never reset.
sql/sql_yacc.yy:
  Trap all returns from the parser to ensure that MySQL-specific cleanup
  is invoked: we need to restore the global state of THD and LEX in 
  case of a parsing error. In case of a parsing success this happens as 
  part of normal grammar reduction process.

1 files changed, 14 insertions, 18 deletions

diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index cef9257c235..e7ea86ac850 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -166,14 +166,10 @@ Open_tables_state::Open_tables_state(ulong version_arg)
 }
 
 
-/*
-  Pass nominal parameters to Statement constructor only to ensure that
-  the destructor works OK in case of error. The main_mem_root will be
-  re-initialized in init().
-*/
 
 THD::THD()
-  :Statement(CONVENTIONAL_EXECUTION, 0, ALLOC_ROOT_MIN_BLOCK_SIZE, 0),
+   :Statement(&main_lex, &main_mem_root, CONVENTIONAL_EXECUTION,
+              /* statement id */ 0),
    Open_tables_state(refresh_version),
    lock_id(&main_lock_id),
    user_time(0), in_sub_stmt(0), global_read_lock(0), is_fatal_error(0),
@@ -184,6 +180,12 @@ THD::THD()
 {
   ulong tmp;
 
+  /*
+    Pass nominal parameters to init_alloc_root only to ensure that
+    the destructor works OK in case of an error. The main_mem_root
+    will be re-initialized in init_for_queries().
+  */
+  init_sql_alloc(&main_mem_root, ALLOC_ROOT_MIN_BLOCK_SIZE, 0);
   stmt_arena= this;
   thread_stack= 0;
   db= 0;
@@ -443,6 +445,7 @@ THD::~THD()
 #ifndef DBUG_OFF
   dbug_sentry= THD_SENTRY_GONE;
 #endif  
+  free_root(&main_mem_root, MYF(0));
   DBUG_VOID_RETURN;
 }
 
@@ -1581,18 +1584,17 @@ void Query_arena::cleanup_stmt()
   Statement functions 
 */
 
-Statement::Statement(enum enum_state state_arg, ulong id_arg,
-                     ulong alloc_block_size, ulong prealloc_size)
-  :Query_arena(&main_mem_root, state_arg),
+Statement::Statement(LEX *lex_arg, MEM_ROOT *mem_root_arg,
+                     enum enum_state state_arg, ulong id_arg)
+  :Query_arena(mem_root_arg, state_arg),
   id(id_arg),
   set_query_id(1),
-  lex(&main_lex),
+  lex(lex_arg),
   query(0),
   query_length(0),
   cursor(0)
 {
   name.str= NULL;
-  init_sql_alloc(&main_mem_root, alloc_block_size, prealloc_size);
 }
 
 
@@ -1634,7 +1636,7 @@ void Statement::restore_backup_statement(Statement *stmt, Statement *backup)
 
 void THD::end_statement()
 {
-  /* Cleanup SQL processing state to resuse this statement in next query. */
+  /* Cleanup SQL processing state to reuse this statement in next query. */
   lex_end(lex);
   delete lex->result;
   lex->result= 0;
@@ -1675,12 +1677,6 @@ void THD::restore_active_arena(Query_arena *set, Query_arena *backup)
 
 Statement::~Statement()
 {
-  /*
-    We must free `main_mem_root', not `mem_root' (pointer), to work
-    correctly if this statement is used as a backup statement,
-    for which `mem_root' may point to some other statement.
-  */
-  free_root(&main_mem_root, MYF(0));
 }
 
 C_MODE_START