A fix for Bug#26750 "valgrind leak in sp_head" (and post-review

fixes).

The legend: on a replication slave, in case a trigger creation
was filtered out because of application of replicate-do-table/
replicate-ignore-table rule, the parsed definition of a trigger was not 
cleaned up properly. LEX::sphead member was left around and leaked 
memory. Until the actual implementation of support of 
replicate-ignore-table rules for triggers by the patch for Bug 24478 it 
was never the case that "case SQLCOM_CREATE_TRIGGER"
was not executed once a trigger was parsed,
so the deletion of lex->sphead there worked and the memory did not leak.

The fix: 

The real cause of the bug is that there is no 1 or 2 places where
we can clean up the main LEX after parse. And the reason we 
can not have just one or two places where we clean up the LEX is
asymmetric behaviour of MYSQLparse in case of success or error. 

One of the root causes of this behaviour is the code in Item::Item()
constructor. There, a newly created item adds itself to THD::free_list
- a single-linked list of Items used in a statement. Yuck. This code
is unaware that we may have more than one statement active at a time,
and always assumes that the free_list of the current statement is
located in THD::free_list. One day we need to be able to explicitly
allocate an item in a given Query_arena.
Thus, when parsing a definition of a stored procedure, like
CREATE PROCEDURE p1() BEGIN SELECT a FROM t1; SELECT b FROM t1; END;
we actually need to reset THD::mem_root, THD::free_list and THD::lex
to parse the nested procedure statement (SELECT *).
The actual reset and restore is implemented in semantic actions
attached to sp_proc_stmt grammar rule.
The problem is that in case of a parsing error inside a nested statement
Bison generated parser would abort immediately, without executing the
restore part of the semantic action. This would leave THD in an 
in-the-middle-of-parsing state.
This is why we couldn't have had a single place where we clean up the LEX
after MYSQLparse - in case of an error we needed to do a clean up
immediately, in case of success a clean up could have been delayed.
This left the door open for a memory leak.

One of the following possibilities were considered when working on a fix:
- patch the replication logic to do the clean up. Rejected
as breaks module borders, replication code should not need to know the
gory details of clean up procedure after CREATE TRIGGER.
- wrap MYSQLparse with a function that would do a clean up.
Rejected as ideally we should fix the problem when it happens, not
adjust for it outside of the problematic code.
- make sure MYSQLparse cleans up after itself by invoking the clean up
functionality in the appropriate places before return. Implemented in 
this patch.
- use %destructor rule for sp_proc_stmt to restore THD - cleaner
than the prevoius approach, but rejected
because needs a careful analysis of the side effects, and this patch is 
for 5.0, and long term we need to use the next alternative anyway
- make sure that sp_proc_stmt doesn't juggle with THD - this is a 
large work that will affect many modules.

Cleanup: move main_lex and main_mem_root from Statement to its
only two descendants Prepared_statement and THD. This ensures that
when a Statement instance was created for purposes of statement backup,
we do not involve LEX constructor/destructor, which is fairly expensive.
In order to track that the transformation produces equivalent 
functionality please check the respective constructors and destructors
of Statement, Prepared_statement and THD - these members were
used only there.
This cleanup is unrelated to the patch.


sql/log_event.cc:
  THD::main_lex is private and should not be used.
sql/mysqld.cc:
  Move MYSQLerror to sql_yacc.yy as it depends on LEX headers now.
sql/sql_class.cc:
  Cleanup: move main_lex and main_mem_root to THD and Prepared_statement
sql/sql_class.h:
  Cleanup: move main_lex and main_mem_root to THD and Prepared_statement
sql/sql_lex.cc:
  Implement st_lex::restore_lex()
sql/sql_lex.h:
  Declare st_lex::restore_lex().
sql/sql_parse.cc:
  Consolidate the calls to unit.cleanup() and deletion of lex->sphead
  in mysql_parse (COM_QUERY handler)
sql/sql_prepare.cc:
  No need to delete lex->sphead to restore memory roots now in case of a 
  parse error - this is done automatically inside MYSQLparse
sql/sql_trigger.cc:
  This code could lead to double deletion apparently, as in case
  of an error lex.sphead was never reset.
sql/sql_yacc.yy:
  Trap all returns from the parser to ensure that MySQL-specific cleanup
  is invoked: we need to restore the global state of THD and LEX in 
  case of a parsing error. In case of a parsing success this happens as 
  part of normal grammar reduction process.

1 files changed, 39 insertions, 16 deletions

diff --git a/sql/sql_class.h b/sql/sql_class.h
index 556b5f6e863..26e119d0a5a 100644
--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@@ -753,8 +753,10 @@ public:
 
 class Server_side_cursor;
 
-/*
-  State of a single command executed against this connection.
+/**
+  @class Statement
+  @brief State of a single command executed against this connection.
+
   One connection can contain a lot of simultaneously running statements,
   some of which could be:
    - prepared, that is, contain placeholders,
@@ -772,10 +774,6 @@ class Statement: public ilink, public Query_arena
   Statement(const Statement &rhs);              /* not implemented: */
   Statement &operator=(const Statement &rhs);   /* non-copyable */
 public:
-  /* FIXME: these must be protected */
-  MEM_ROOT main_mem_root;
-  LEX     main_lex;
-
   /*
     Uniquely identifies each statement object in thread scope; change during
     statement lifetime. FIXME: must be const
@@ -819,10 +817,10 @@ public:
 public:
 
   /* This constructor is called for backup statements */
-  Statement() { clear_alloc_root(&main_mem_root); }
+  Statement() {}
 
-  Statement(enum enum_state state_arg, ulong id_arg,
-            ulong alloc_block_size, ulong prealloc_size);
+  Statement(LEX *lex_arg, MEM_ROOT *mem_root_arg,
+            enum enum_state state_arg, ulong id_arg);
   virtual ~Statement();
 
   /* Assign execution context (note: not all members) of given stmt to self */
@@ -834,7 +832,7 @@ public:
 };
 
 
-/*
+/**
   Container for all statements created/used in a connection.
   Statements in Statement_map have unique Statement::id (guaranteed by id
   assignment in Statement::Statement)
@@ -914,6 +912,10 @@ bool xid_cache_insert(XID *xid, enum xa_states xa_state);
 bool xid_cache_insert(XID_STATE *xid_state);
 void xid_cache_delete(XID_STATE *xid_state);
 
+/**
+  @class Security_context
+  @brief A set of THD members describing the current authenticated user.
+*/
 
 class Security_context {
 public:
@@ -943,7 +945,7 @@ public:
 };
 
 
-/*
+/**
   A registry for item tree transformations performed during
   query optimization. We register only those changes which require
   a rollback to re-execute a prepared statement or stored procedure
@@ -954,7 +956,7 @@ struct Item_change_record;
 typedef I_List<Item_change_record> Item_change_list;
 
 
-/*
+/**
   Type of prelocked mode.
   See comment for THD::prelocked_mode for complete description.
 */
@@ -963,7 +965,7 @@ enum prelocked_mode_type {NON_PRELOCKED= 0, PRELOCKED= 1,
                           PRELOCKED_UNDER_LOCK_TABLES= 2};
 
 
-/*
+/**
   Class that holds information about tables which were opened and locked
   by the thread. It is also used to save/restore this information in
   push_open_tables_state()/pop_open_tables_state().
@@ -1048,14 +1050,17 @@ public:
   }
 };
 
-
-/* class to save context when executing a function or trigger */
+/**
+  @class Sub_statement_state
+  @brief Used to save context when executing a function or trigger
+*/
 
 /* Defines used for Sub_statement_state::in_sub_stmt */
 
 #define SUB_STMT_TRIGGER 1
 #define SUB_STMT_FUNCTION 2
 
+
 class Sub_statement_state
 {
 public:
@@ -1072,7 +1077,8 @@ public:
 };
 
 
-/*
+/**
+  @class THD
   For each client connection we create a separate thread with THD serving as
   a thread/connection descriptor
 */
@@ -1659,6 +1665,23 @@ public:
       *p_db_length= db_length;
     return FALSE;
   }
+private:
+  /**
+    The lex to hold the parsed tree of conventional (non-prepared) queries.
+    Whereas for prepared and stored procedure statements we use an own lex
+    instance for each new query, for conventional statements we reuse
+    the same lex. (@see mysql_parse for details).
+  */
+  LEX main_lex;
+  /**
+    This memory root is used for two purposes:
+    - for conventional queries, to allocate structures stored in main_lex
+    during parsing, and allocate runtime data (execution plan, etc.)
+    during execution.
+    - for prepared queries, only to allocate runtime data. The parsed
+    tree itself is reused between executions and thus is stored elsewhere.
+  */
+  MEM_ROOT main_mem_root;
 };