Bug #12841 Server crash on DO IFNULL(NULL,NULL);
Submitted: 26 Aug 2005 19:16 Modified: 30 Aug 2005 20:28
Reporter: Kolbe Kegel
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: 5.0.11/BK source 5.0.13 OS: Linux (Linux)
Assigned to: Andrey Hristov CPU Architecture: Any

[26 Aug 2005 19:16] Kolbe Kegel
Description:
mysqld crashes when the following statement is executed:

DO IFNULL(NULL,NULL);

The following statements do NOT make the server crash:

DO NULL;
DO IF(1,NULL,NULL);
DO IFNULL(NULL,1);
DO IFNULL(1,NULL);
DO IF(ISNULL(NULL),NULL,NULL);

How to repeat:
DO IFNULL(NULL,NULL);
[26 Aug 2005 21:04] Andrey Hristov
Program received signal SIGSEGV, Segmentation fault.
0x0805e5a8 in String::ptr (this=0x0) at sql_string.h:88
88        inline const char *ptr() const { return Ptr; }
(gdb) bt
#0  0x0805e5a8 in String::ptr (this=0x0) at sql_string.h:88
#1  0x080728d6 in Item_func_numhybrid::val_int (this=0x8cb79e8) at item_func.cc:738
#2  0x0816e6a0 in mysql_do (thd=0x8ca1f90, values=@0x8cb78f0) at sql_do.cc:30
#3  0x080f98f4 in mysql_execute_command (thd=0x8ca1f90) at sql_parse.cc:2557
#4  0x08101e11 in mysql_parse (thd=0x8ca1f90, inBuf=0x8cb78a0 "do ifnull(null, null)", length=21)
    at sql_parse.cc:5445
#5  0x080f7401 in dispatch_command (command=COM_QUERY, thd=0x8ca1f90,
    packet=0x8ca4461 "do ifnull(null, null)", packet_length=22) at sql_parse.cc:1665
#6  0x080f6bce in do_command (thd=0x8ca1f90) at sql_parse.cc:1464
#7  0x080f5cae in handle_one_connection (arg=0x8ca1f90) at sql_parse.cc:1116
#8  0x080e3d45 in create_new_thread (thd=0x8ca1f90) at mysqld.cc:3655
#9  0x080e4525 in handle_connections_sockets (arg=0x0) at mysqld.cc:3927
#10 0x080e3785 in main (argc=2, argv=0xbffff0c4) at mysqld.cc:3326
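The null-object call in frame #0 of this backtrace, modeled in C as an added example (constructed for this page, not MySQL's code): a stand-in for `String::ptr()`, an IFNULL string operation that yields a null pointer for SQL NULL, and the integer conversion in its crashing and fixed shapes. All names (`Str`, `str_ptr`, `ifnull_str_op`, `val_int_unpatched`, `val_int_patched`, `parse_int`) are assumptions for this example.

```c
#include <stddef.h>

/* Constructed model of the crash path in the backtrace above: a string result
   object, an IFNULL string operation that yields a null pointer for SQL NULL,
   and an integer conversion that dereferences that result. The names are
   assumptions for this example; they are not the MySQL classes or functions. */
typedef struct { const char *Ptr; size_t len; } Str;

/* Mirrors String::ptr(): the crash site when reached through a null object. */
static const char *str_ptr(const Str *s) { return s->Ptr; }

/* Digits-only integer parse bounded by end, standing in for strtoll10(). */
static long long parse_int(const char *p, const char *end)
{
    long long v = 0;
    for (; p < end && *p >= '0' && *p <= '9'; p++)
        v = v * 10 + (*p - '0');
    return v;
}

/* Mirrors a str_op() for IFNULL(a, b): first non-NULL argument, or a null
   pointer with *null_value set when both arguments are SQL NULL. */
static const Str *ifnull_str_op(const Str *a, const Str *b, int *null_value)
{
    *null_value = (a == NULL && b == NULL);
    return a ? a : b;
}

/* Unpatched shape: res is dereferenced to compute end before the
   res ? ... : 0 test, so IFNULL(NULL, NULL) faults inside str_ptr(). */
static long long val_int_unpatched(const Str *a, const Str *b, int *null_value)
{
    const Str *res = ifnull_str_op(a, b, null_value);
    const char *end = str_ptr(res) + res->len;   /* null dereference when res == NULL */
    return res ? parse_int(str_ptr(res), end) : 0;
}

/* Patched shape: the null check runs before the first dereference, and the
   caller learns the result is SQL NULL from *null_value rather than from 0. */
static long long val_int_patched(const Str *a, const Str *b, int *null_value)
{
    const Str *res = ifnull_str_op(a, b, null_value);
    if (!res)
        return 0;
    const char *end = str_ptr(res) + res->len;
    return parse_int(str_ptr(res), end);
}
```

Calling `val_int_unpatched(NULL, NULL, &nv)` reproduces the fault; the patched form returns 0 with `nv == 1`, which is how the caller distinguishes SQL NULL from a genuine zero.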
[27 Aug 2005 7:38] Andrey Hristov
Because of a problem with my SMTP being blacklisted, the email to dev-public did not go through. Here is the commit message.

ChangeSet
  1.1915 05/08/27 08:58:53 andrey@lmy004. +3 -0
  fix for bug #12841 (Server crash on DO IFNULL(NULL,NULL) )

  sql/item_func.cc
    1.243 05/08/27 08:58:47 andrey@lmy004. +3 -2
    check whether res is a zero pointer earlier, thus preventing core dump

  mysql-test/t/select.test
    1.73 05/08/27 08:58:47 andrey@lmy004. +5 -0
    add test for bug 12841

  mysql-test/r/select.result
    1.88 05/08/27 08:58:47 andrey@lmy004. +1 -0
    result of the test

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:        andrey
# Host:        lmy004.
# Root:        /work/mysql-5.0-ready3

--- 1.242/sql/item_func.cc        2005-08-18 04:56:28 +02:00
+++ 1.243/sql/item_func.cc        2005-08-27 08:58:47 +02:00
@@ -735,10 +735,11 @@
   {
     int err_not_used;
     String *res= str_op(&str_value);
+    if (!res)
+      return 0;
     char *end= (char*) res->ptr() + res->length();
     CHARSET_INFO *cs= str_value.charset();
-    return (res ? (*(cs->cset->strtoll10))(cs, res->ptr(), &end,
-                                           &err_not_used) : 0);
+    return (*(cs->cset->strtoll10))(cs, res->ptr(), &end, &err_not_used);
   }
   default:
     DBUG_ASSERT(0);
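Review bot: the new early return at `if (!res) return 0;` hands the caller 0 without touching `null_value`, so it relies on `str_op()` having already flagged the result as SQL NULL; confirm that every `str_op()` implementation reaching this path does so, otherwise `IFNULL(NULL,NULL)` in an integer context would silently evaluate to 0 instead of NULL. With the check in place the removed `res ? ... : 0` ternary was indeed dead, and the same reorder (test `res` before computing `end` from `res->ptr()`) should be checked in the other value-conversion methods of `Item_func_numhybrid`, since the backtrace shows only the `val_int` instance.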

--- 1.87/mysql-test/r/select.result        2005-08-23 21:29:02 +02:00
+++ 1.88/mysql-test/r/select.result        2005-08-27 08:58:47 +02:00
@@ -2875,6 +2875,7 @@
 1        1        1        1
 1        2        2        1
 drop table t1, t2, t3;
+DO IFNULL(NULL, NULL);
 create table t1 (a char(1));
 create table t2 (a char(1));
 insert into t1 values ('a'),('b'),('c');
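Review bot: the recorded result is just the echoed `DO IFNULL(NULL, NULL);` with no rows, which is correct for `DO`, but it means the expected output cannot tell a server that returns SQL NULL from one that returns 0 for this case; if a `SELECT IFNULL(NULL, NULL)` check is added to the test, the corresponding `NULL` row belongs here.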

--- 1.72/mysql-test/t/select.test        2005-08-23 21:29:02 +02:00
+++ 1.73/mysql-test/t/select.test        2005-08-27 08:58:47 +02:00
@@ -2446,6 +2446,11 @@
 
 
 #
+# Bug #12841: Server crash on DO IFNULL(NULL,NULL)
+#
+DO IFNULL(NULL, NULL);
+
+#
 # Bug #6495 Illogical requirement for column qualification in NATURAL join
 #
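Review bot: the new test only proves the statement no longer crashes the server; consider adding `SELECT IFNULL(NULL, NULL);` beside the `DO` so the integer conversion is also checked for the correct SQL NULL result rather than merely for survival. The comment block layout matches the surrounding `# Bug #6495 ...` entries, so no style change is needed.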
[27 Aug 2005 19:20] Andrey Hristov
Igor has found a similar problem in another place (moving this one to "in progress").
[29 Aug 2005 13:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/28975
[30 Aug 2005 20:28] Paul DuBois
Noted in 5.0.13 changelog.