Bug #38816 kill + flush tables with read lock + stored procedures causes crashes!
Submitted: 15 Aug 2008 7:42 Modified: 7 Aug 2009 0:35
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Stored Routines    Severity: S1 (Critical)
Version: 5.0.66a, 5.1.22, 5.1.28, 6.0.7    OS: Any
Assigned to: Gleb Shchepa    CPU Architecture: Any
Tags: flush tables with read lock, KILL

[15 Aug 2008 7:42] Shane Bester
Description:
Running stored procedures at the same time as FLUSH TABLES WITH READ LOCK and killing connections leads to invalid reads of memory and crashes.

Sample crash:

mysqld-nt.exe!find_field_in_tables      Line 3889
mysqld-nt.exe!Item_field::fix_fields   Line 3873
mysqld-nt.exe!setup_fields
mysqld-nt.exe!JOIN::prepare
mysqld-nt.exe!mysql_select
mysqld-nt.exe!handle_select
mysqld-nt.exe!mysql_execute_command
mysqld-nt.exe!sp_instr_stmt::exec_core
mysqld-nt.exe!sp_lex_keeper::reset_lex_and_exec_core
mysqld-nt.exe!sp_instr_stmt::execute
mysqld-nt.exe!sp_head::execute
mysqld-nt.exe!sp_head::execute_procedure
mysqld-nt.exe!mysql_execute_command
mysqld-nt.exe!mysql_parse
mysqld-nt.exe!dispatch_command
mysqld-nt.exe!do_command
mysqld-nt.exe!handle_one_connection

See attachment for a variety of valgrind errors found during this test.

How to repeat:
Compile and run the attached .c test case.
[15 Aug 2008 7:43] MySQL Verification Team
Full stack trace and valgrind output.

Attachment: bug38816_more_info.txt (text/plain), 68.31 KiB.

[15 Aug 2008 7:47] MySQL Verification Team
Test case. Run it against the server and wait for a crash, or check the valgrind errors!

Attachment: bug38816.c (text/plain), 7.77 KiB.

[12 Nov 2008 10:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58531

2714 Gleb Shchepa	2008-11-12
      Bug #38816: kill + flush tables with read lock + stored
                  procedures causes crashes!
      
      The problem of that bug report was mostly fixed by the
      patch for bug 38691.
      However, the attached test case focused on another crash or
      valgrind warning problem: a SHOW PROCESSLIST query accesses
      freed memory of an SP instruction that runs in a parallel
      connection.
      
      Changes of thd->query/thd->query_length inside
      sp_instr_stmt::execute have been guarded with the
      LOCK_thread_count mutex.
[10 Jun 2009 22:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/76072

2768 Gleb Shchepa	2009-06-11
      Bug #38816: kill + flush tables with read lock + stored
                  procedures causes crashes!
      
      The problem of that bug report was mostly fixed by the
      patch for bug 38691.
      However, the attached test case focused on another crash or
      valgrind warning problem: a SHOW PROCESSLIST query accesses
      freed memory of an SP instruction that runs in a parallel
      connection.
      
      Changes of thd->query/thd->query_length in dangerous
      places have been guarded with the new per-thread
      LOCK_query_string mutex.
     @ sql/ha_myisam.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with a THD::set_query() method call/LOCK_query_string
        mutex.
        Unnecessary locking with the global LOCK_thread_count
        mutex has been removed.
     @ sql/log_event.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with THD::set_query()/reset_query() method calls/
        LOCK_query_string mutex.
     @ sql/slave.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with THD::set_query()/reset_query() method calls/
        LOCK_query_string mutex.
     @ sql/sp_head.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with THD::set_query() method calls/LOCK_query_string
        mutex.
     @ sql/sql_class.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The new THD::LOCK_query_string mutex and THD::set_query(),
        THD::memdup_query_w_gap() and THD::reset_query() methods
        have been added to guard modifications of THD::query/
        THD::query_length fields, also the Statement::set_statement()
        method has been overloaded in the THD class.
     @ sql/sql_class.h
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The new THD::LOCK_query_string mutex and THD::set_query(),
        THD::memdup_query_w_gap() and THD::reset_query() methods
        have been added to guard modifications of THD::query/
        THD::query_length fields, also the Statement::set_statement()
        method has been overloaded in the THD class.
     @ sql/sql_insert.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with THD::set_query() method calls/LOCK_query_string
        mutex.
     @ sql/sql_parse.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with THD::set_query()/memdup_query_w_gap()/reset_query()
        method calls/LOCK_query_string mutex.
     @ sql/sql_show.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The inter-thread read of the THD::query/query_length fields
        has been protected with the new per-thread LOCK_query_string
        mutex in the mysqld_list_processes function.
[23 Jul 2009 14:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/79202

2789 Gleb Shchepa	2009-07-23
      Bug #38816: kill + flush tables with read lock + stored
                  procedures causes crashes!
      
      The problem of that bug report was mostly fixed by the
      patch for bug 38691.
      However, the attached test case focused on another crash or
      valgrind warning problem: a SHOW PROCESSLIST query accesses
      freed memory of an SP instruction that runs in a parallel
      connection.
      
      Changes of thd->query/thd->query_length in dangerous
      places have been guarded with the per-thread
      LOCK_thd_data mutex (the THD::LOCK_delete mutex has been
      renamed to THD::LOCK_thd_data).
     @ sql/ha_myisam.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with a THD::set_query() method call/LOCK_thd_data
        mutex.
        Unnecessary locking with the global LOCK_thread_count
        mutex has been removed.
     @ sql/log_event.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with the THD::set_query() method call/LOCK_thd_data
        mutex.
     @ sql/slave.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with the THD::set_query() method call/LOCK_thd_data mutex.
        
        The THD::LOCK_delete mutex has been renamed to
        THD::LOCK_thd_data.
     @ sql/sp_head.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with a THD::set_query() method call/LOCK_thd_data
        mutex.
     @ sql/sql_class.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The new THD::LOCK_thd_data mutex and THD::set_query()
        method have been added to guard modifications of the THD::query/
        THD::query_length fields; also, the Statement::set_statement()
        method has been overloaded in the THD class.
        
        The THD::LOCK_delete mutex has been renamed to
        THD::LOCK_thd_data.
     @ sql/sql_class.h
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The new THD::LOCK_thd_data mutex and THD::set_query()
        method have been added to guard modifications of the THD::query/
        THD::query_length fields; also, the Statement::set_statement()
        method has been overloaded in the THD class.
        
        The THD::LOCK_delete mutex has been renamed to
        THD::LOCK_thd_data.
     @ sql/sql_insert.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with a THD::set_query() method call/LOCK_thd_data
        mutex.
     @ sql/sql_parse.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        Modification of THD::query/query_length has been guarded
        with a THD::set_query() method call/LOCK_thd_data mutex.
     @ sql/sql_repl.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The THD::LOCK_delete mutex has been renamed to
        THD::LOCK_thd_data.
     @ sql/sql_show.cc
        Bug #38816: kill + flush tables with read lock + stored
                    procedures causes crashes!
        
        The inter-thread read of the THD::query/query_length fields
        has been protected with the new per-thread LOCK_thd_data
        mutex in the mysqld_list_processes function.
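The race the final patch closes, written out as an added C example that is not MySQL's code: a constructed thd_t stands in for THD with only query, query_length and the per-thread LOCK_thd_data mutex; the owning thread replaces its statement text only under that mutex, and the processlist reader copies the (query, query_length) pair under the same mutex, which is what keeps SHOW PROCESSLIST from reading a buffer the SP thread has already freed. All function and field names are assumptions modelled on the patch, and the stress driver is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the server's THD (assumed names modelled on THD::query,
 * THD::query_length and the per-thread LOCK_thd_data of the final patch). */
typedef struct { char *query; size_t query_length; pthread_mutex_t LOCK_thd_data; } thd_t;

/* Owner swaps in new statement text under its mutex (the post-fix set_query()); the
 * unguarded pre-fix swap let a reader in another thread copy from freed memory. */
static void thd_set_query(thd_t *thd, const char *sql) {
    pthread_mutex_lock(&thd->LOCK_thd_data);
    char *old = thd->query;
    thd->query = strdup(sql);
    thd->query_length = strlen(sql);
    pthread_mutex_unlock(&thd->LOCK_thd_data);
    free(old);   /* safe here: no guarded reader can still hold this pointer */
}

/* The SHOW PROCESSLIST side: copy under the owner's mutex so the
 * (query, query_length) pair can neither change nor be freed mid-copy. */
static size_t processlist_read(thd_t *thd, char *out, size_t cap) {
    pthread_mutex_lock(&thd->LOCK_thd_data);
    size_t n = thd->query_length < cap - 1 ? thd->query_length : cap - 1;
    memcpy(out, thd->query, n);
    out[n] = '\0';
    pthread_mutex_unlock(&thd->LOCK_thd_data);
    return n;
}

static void *sp_writer(void *arg) {   /* the SP thread, swapping its statement text */
    for (int i = 0; i < 20000; i++) thd_set_query(arg, i & 1 ? "CALL p1()" : "SELECT 1");
    return NULL;
}

/* Runs the guarded reader against the writer; returns 1 if every snapshot was
 * one of the two statements with a matching length (no torn or freed copy). */
static int race_check(void) {
    thd_t thd = { strdup("SELECT 1"), 8 };
    pthread_t t; char buf[64]; int ok = 1;
    pthread_mutex_init(&thd.LOCK_thd_data, NULL);
    pthread_create(&t, NULL, sp_writer, &thd);
    for (int i = 0; i < 20000; i++) {
        size_t n = processlist_read(&thd, buf, sizeof buf);
        if (n != strlen(buf) || (strcmp(buf, "SELECT 1") && strcmp(buf, "CALL p1()"))) ok = 0;
    }
    pthread_join(t, NULL);
    free(thd.query);
    return ok;
}
```

Removing the two lock/unlock pairs from processlist_read reproduces the pre-fix shape, where valgrind reports the copy as an invalid read once the writer frees the old buffer underneath it.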
[4 Aug 2009 13:56] Bugs System
Pushed into 5.0.85 (revid:davi.arnaut@sun.com-20090804135315-6lfdnk4zjwk7kn7r) (version source revid:davi.arnaut@sun.com-20090804135315-6lfdnk4zjwk7kn7r) (merge vers: 5.0.85) (pib:11)
[4 Aug 2009 19:50] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090804194615-h40sa098mx4z49qg) (version source revid:satya.bn@sun.com-20090727062228-uf93hg5izc1lpe3z) (merge vers: 5.4.4-alpha) (pib:11)
[4 Aug 2009 20:45] Bugs System
Pushed into 5.1.38 (revid:davi.arnaut@sun.com-20090804204317-ggodqkik7de6nfpz) (version source revid:davi.arnaut@sun.com-20090804204317-ggodqkik7de6nfpz) (merge vers: 5.1.38) (pib:11)
[7 Aug 2009 0:35] Paul DuBois
Noted in 5.0.85, 5.1.38, 5.4.4 changelogs.

SHOW PROCESSLIST could access freed memory of a stored procedure run
in a concurrent session.
[12 Aug 2009 22:52] Paul DuBois
Noted in 5.4.2 changelog because next 5.4 version will be 5.4.2 and not 5.4.4.
[15 Aug 2009 2:08] Paul DuBois
Ignore previous comment about 5.4.2.
[1 Oct 2009 5:58] Bugs System
Pushed into 5.1.39-ndb-6.3.28 (revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (version source revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (merge vers: 5.1.39-ndb-6.3.28) (pib:11)
[1 Oct 2009 7:25] Bugs System
Pushed into 5.1.39-ndb-7.0.9 (revid:jonas@mysql.com-20091001072547-kv17uu06hfjhgjay) (version source revid:jonas@mysql.com-20091001071652-irejtnumzbpsbgk2) (merge vers: 5.1.39-ndb-7.0.9) (pib:11)
[1 Oct 2009 13:25] Bugs System
Pushed into 5.1.39-ndb-7.1.0 (revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (version source revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (merge vers: 5.1.39-ndb-7.1.0) (pib:11)
[5 Oct 2009 10:49] Bugs System
Pushed into 5.1.39-ndb-6.2.19 (revid:jonas@mysql.com-20091005103850-dwij2dojwpvf5hi6) (version source revid:jonas@mysql.com-20090930185117-bhud4ek1y0hsj1nv) (merge vers: 5.1.39-ndb-6.2.19) (pib:11)
[8 Oct 2009 20:12] Paul DuBois
The 5.4 fix has been pushed to 5.4.2.
[15 Oct 2009 8:23] Gleb Shchepa
Also see bug #48024.
[8 Jan 2010 21:30] James Day
The fix for this bug reintroduced bug #38883. That reintroduced bug was fixed in versions 5.0.89, 5.1.42 and 5.5.1-m2 (probably).