Bug #2674 Crash if return system variable in stored procedures
Submitted: 8 Feb 2004 10:44 Modified: 17 Mar 2004 3:49
Reporter: Peter Gulutzan
Status: Closed
Category: MySQL Server Severity: S3 (Non-critical)
Version: 5.0.0-alpha-debug OS: Linux (SuSE 8.2 / Win XP)
Assigned to: Bugs System CPU Architecture: Any

[8 Feb 2004 10:44] Peter Gulutzan
Description:
I can say 'return <system variable>' in CREATE FUNCTION. But when I call the function,
there's a crash.

How to repeat:
mysql> create function fu9 () returns int return sort_buffer_size;
Query OK, 0 rows affected (0.29 sec)

mysql> select fu9();
ERROR 2013 (HY000): Lost connection to MySQL server during query
[8 Feb 2004 13:38] Miguel Solorzano
Thank you for the bug report. I was also able to repeat it on Windows.
Back trace:

>	mysqld.exe!Field::is_null(unsigned int row_offset=0)  Line 136 + 0xc	C++
 	mysqld.exe!Item_field::val()  Line 381 + 0xd	C++
 	mysqld.exe!Item_func_sp::val()  Line 1118	C++
 	mysqld.exe!Item_func_sp::val_int()  Line 1108 + 0x8	C++
 	mysqld.exe!Item::send(Protocol * protocol=0x02cf00e8, String * buffer=0x047dec78)  Line 1396 + 0x11	C++
 	mysqld.exe!select_send::send_data(List<Item> & items={...})  Line 643 + 0x19	C++
 	mysqld.exe!JOIN::exec()  Line 1096 + 0x96	C++
 	mysqld.exe!mysql_select(THD * thd=0x02cef898, Item * * * rref_pointer_array=0x02cefaa0, st_table_list * tables=0x00000000, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x00000000, unsigned int og_num=0, st_order * order=0x00000000, st_order * group=0x00000000, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned long select_options=8669696, select_result * result=0x02cf20d0, st_select_lex_unit * unit=0x02cef8bc, st_select_lex * select_lex=0x02cef9a8)  Line 1618	C++
 	mysqld.exe!handle_select(THD * thd=0x02cef898, st_lex * lex=0x02cef8b0, select_result * result=0x02cf20d0)  Line 194 + 0x89	C++
 	mysqld.exe!mysql_execute_command(THD * thd=0x02cef898)  Line 1917 + 0x11	C++
 	mysqld.exe!mysql_parse(THD * thd=0x02cef898, char * inBuf=0x02cf1f20, unsigned int length=12)  Line 4149 + 0x9	C++
 	mysqld.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x02cef898, char * packet=0x02cf3f69, unsigned int packet_length=13)  Line 1396 + 0x1d	C++
 	mysqld.exe!do_command(THD * thd=0x02cef898)  Line 1226 + 0x31	C++
 	mysqld.exe!handle_one_connection(void * arg=0x02cef898)  Line 991 + 0x9	C++
 	mysqld.exe!pthread_start(void * param=0x00e6ffe8)  Line 63 + 0x7	C
 	mysqld.exe!_threadstart(void * ptd=0x02cec748)  Line 173 + 0xd	C
 	kernel32.dll!77e6d33b()
[16 Mar 2004 8:35] Per-Erik Martin
It seems referring to a system variable in an expression requires the '@@' prefix
(in the 4.1 parser already), so the given example crashes due to another bug:
BUG#2653: Undeclared variables not detected in stored procedures.

However, changing the example to use @@sort_buffer_size instead still
crashes the server (but in a completely different part of the code)...
[17 Mar 2004 3:49] Per-Erik Martin
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

The testcase is:

create function bug2674 () returns int
  return @@sort_buffer_size;
select bug2674();