Bug #48888 mysqltest crashes on --replace_result if 'from' is longer than ~1024 symbols
Submitted: 19 Nov 2009 1:48    Modified: 17 Jun 2010 19:27
Reporter: Elena Stepanova
Status: Closed
Category: Tools: MTR / mysql-test-run    Severity: S7 (Test Cases)
Version: 5.1, 5.5    OS: Any
Assigned to: Bjørn Munch    CPU Architecture: Any

[19 Nov 2009 1:48] Elena Stepanova
Description:
#0  0x00002b8bb78a7ea3 in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000437dec in signal_handler (sig=6) at mysqltest.cc:7473
#2  <signal handler called>
#3  0x00002b8bb7d8abb5 in raise () from /lib64/libc.so.6
#4  0x00002b8bb7d8bfb0 in abort () from /lib64/libc.so.6
#5  0x00002b8bb7dc132b in __libc_message () from /lib64/libc.so.6
#6  0x00002b8bb7dc631e in malloc_printerr () from /lib64/libc.so.6
#7  0x00002b8bb7dc83b4 in _int_malloc () from /lib64/libc.so.6
#8  0x00002b8bb7dc9766 in malloc () from /lib64/libc.so.6
#9  0x000000000044de72 in my_malloc (size=243, my_flags=21431) at my_malloc.c:35
#10 0x0000000000437acf in insert_pointer_name (pa=0x7ffff3325ab0, name=0x7dc19a "<NEW_PARTITION_DEFINITION>") at mysqltest.cc:9345
#11 0x0000000000440d06 in do_get_replace (command=0x7dcd60) at mysqltest.cc:8271
#12 0x0000000000445b65 in main (argc=1, argv=<value optimized out>) at mysqltest.cc:7892

How to repeat:
USE test;
--disable_warnings
DROP TABLE IF EXISTS t_parts;
--enable_warnings

let $current_sec = 63425820894;
let $new_partition_definition = PARTITION p0 VALUES LESS THAN ($current_sec);

let $num = 1;
let $count = 21;

while ($count)
{
        let $current_sec = `SELECT $current_sec + 30`;
        let $new_partition_definition = $new_partition_definition,
                PARTITION p$num VALUES LESS THAN ($current_sec);
        inc $num;
        dec $count;
}

let $new_partition_definition = $new_partition_definition,
        PARTITION pmax VALUES LESS THAN (MAXVALUE);

--replace_result $new_partition_definition <NEW_PARTITION_DEFINITION>

eval CREATE TABLE t_parts ( dt BIGINT )
        PARTITION BY RANGE (dt) ($new_partition_definition);
[14 Jan 2010 9:59] Bjørn Munch
replace_result segfaults in malloc() if from is longer than 1024 chars (and another place if exactly 1024). There's clearly a buffer overflow somewhere, currently investigating.

I'm inclined to fail with a proper error message rather than allow arbitrarily long arguments. The example given could be done either by splitting up the from pattern in pieces, and then you might say

--replace_result $new_part_def1 <NEW_PARTITION $new_part_def2 DEFINITION>

(The command can take a number of pairs of strings)

Or you could use replace_regex, in this example e.g.

--replace_regex /PARTITION p0 VALUES LESS THAN .* pmax VALUES LESS THAN .MAXVALUE./<NEW_PARTITION_DEFINITION>/

I have tested both of the above alternatives. The latter has the possible disadvantage that you won't discover if the result isn't exactly as expected; any deviations within the part covered by .* will be ignored.
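The trade-off described in the comment above, as an added illustration that is not part of the bug report or of mysqltest: the partition list is rebuilt the way the test case's loop builds it (constructed data, joined with ", "), then the exact --replace_result style substitution is compared with the --replace_regex form. With an exact string, a deviation in the server output leaves the replacement unapplied and therefore visible; with ".*" in the regex, the same deviation is silently absorbed.

```python
# Added example, not code from the bug report or from mysqltest.
import re

START_SEC = 63425820894  # starting value taken from the test case


def partition_definition(num_parts=21, step=30, start=START_SEC):
    """Rebuild the partition list the test case's while loop produces:
    p0, then p1..p<num_parts> stepping by `step`, then pmax."""
    parts = [f"PARTITION p0 VALUES LESS THAN ({start})"]
    sec = start
    for n in range(1, num_parts + 1):
        sec += step
        parts.append(f"PARTITION p{n} VALUES LESS THAN ({sec})")
    parts.append("PARTITION pmax VALUES LESS THAN (MAXVALUE)")
    return ", ".join(parts)


def replace_result(line, pairs):
    """Plain substring replacement for each (from, to) pair, which is what
    --replace_result does; several pairs may be given, as the comment notes."""
    for frm, to in pairs:
        line = line.replace(frm, to)
    return line


# The --replace_regex pattern from the comment in Python syntax; the '.' before
# and after MAXVALUE stands in for the parentheses, exactly as in the original.
REGEX = re.compile(
    r"PARTITION p0 VALUES LESS THAN .* pmax VALUES LESS THAN .MAXVALUE.")


def replace_regex(line):
    return REGEX.sub("<NEW_PARTITION_DEFINITION>", line)


def masked_by_each(expected_definition, actual_definition):
    """Return (exact_hides_it, regex_hides_it): True when the method turns
    the actual server output into the placeholder even though it differs
    from the expected definition, i.e. the deviation would go unnoticed."""
    placeholder = "<NEW_PARTITION_DEFINITION>"
    exact = replace_result(actual_definition, [(expected_definition, placeholder)])
    regex = replace_regex(actual_definition)
    return exact == placeholder, regex == placeholder
```

Calling `masked_by_each(d, d.replace("p5 ", "p55 "))` for the 23-partition definition `d` returns `(False, True)`: the exact form exposes the altered partition name, the regex form hides it.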
[14 Jan 2010 13:23] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/96897

2876 Bjorn Munch	2010-01-14
      Bug #48888 mysqltest crashes on --replace_result if 'from' is longer than ~1024 symbols
      valgrind pointed to a buffer allocated by my_realloc which looked fishy
      Replaced size with what was probably intended.
[14 Jan 2010 16:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/96934

2876 Bjorn Munch	2010-01-14
      Bug #48888 mysqltest crashes on --replace_result if 'from' is longer than ~1024
      symbols
      valgrind pointed to a buffer allocated by my_realloc which looked fishy
      Replaced size with what was probably intended, added test case.
[14 Jan 2010 17:34] Magnus Blåudd
Very good :)
[20 Jan 2010 11:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/97540

2878 Bjorn Munch	2010-01-20
      Bug #48888 mysqltest crashes on --replace_result if 'from' is longer than ~1024 symbols
      valgrind pointed to a buffer allocated by my_realloc which looked fishy
      Replaced size with what was probably intended, added test case.
      Now also fixed line after review comment
[20 Jan 2010 15:52] Bjørn Munch
Pushed to 5.1-mtr, trunk-mtr, next-mr-mtr, 6.0-codebase-mtr
[20 Feb 2010 9:32] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100220092844-jh07ayojyxn8uh9p) (version source revid:bjorn.munch@sun.com-20100120153513-b70e3bs7e06jfvf3) (merge vers: 6.0.14-alpha) (pib:16)
[20 Feb 2010 9:34] Bugs System
Pushed into 5.5.3-m2 (revid:alik@sun.com-20100220092622-wvhh1vfy5tjq4mhu) (version source revid:bjorn.munch@sun.com-20100120133748-0aiuazzbcqje8my0) (merge vers: 5.5.1-m2) (pib:16)
[20 Feb 2010 9:37] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100220092730-paoo5t9gcajs5dq8) (version source revid:bjorn.munch@sun.com-20100120154314-icr9oiinm588c3sk) (pib:16)
[23 Feb 2010 2:11] Paul DuBois
Changes to test suite. No changelog entry needed.

Setting report to Need Merge pending push to 5.1.x, Celosia.
[1 Mar 2010 8:47] Bugs System
Pushed into 5.1.45 (revid:joro@sun.com-20100301083827-xnimmrjg6bh33o1o) (version source revid:azundris@mysql.com-20100222175719-viuh0f3gdsrkgv0r) (merge vers: 5.1.45) (pib:16)
[1 Mar 2010 16:28] Paul DuBois
No changelog entry needed.
[17 Jun 2010 12:09] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:56] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100609140708-52rvuyq4q500sxkq) (merge vers: 5.1.45-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:36] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)