Coverity static analysis tool results (mysql-5.5.28): Error: USE_AFTER_FREE (CWE-416): [#def1152] mysql-5.5.28/client/mysqltest.cc:7621: cond_true: Condition "!(stmt = cur_con->stmt)", taking true branch mysql-5.5.28/client/mysqltest.cc:7623: cond_false: Condition "!(stmt = mysql_stmt_init(mysql))", taking false branch mysql-5.5.28/client/mysqltest.cc:7629: cond_false: Condition "!disable_warnings", taking false branch mysql-5.5.28/client/mysqltest.cc:7633: if_end: End of if statement mysql-5.5.28/client/mysqltest.cc:7638: cond_true: Condition "mysql_stmt_prepare(stmt, query, query_len)", taking true branch mysql-5.5.28/client/mysqltest.cc:7642: goto: Jumping to label "end" mysql-5.5.28/client/mysqltest.cc:7783: label: Reached label "end" mysql-5.5.28/client/mysqltest.cc:7784: cond_false: Condition "!disable_warnings", taking false branch mysql-5.5.28/client/mysqltest.cc:7788: if_end: End of if statement mysql-5.5.28/client/mysqltest.cc:7792: cond_true: Condition "mysql->reconnect", taking true branch mysql-5.5.28/client/mysqltest.cc:7794: freed_arg: "mysql_stmt_close(MYSQL_STMT *)" frees "stmt". 
mysql-5.5.28/libmysql/libmysql.c:4644:3: cond_true: Condition "mysql", taking true branch mysql-5.5.28/libmysql/libmysql.c:4652:5: cond_true: Condition "(int)stmt->state > 1 /* (int)MYSQL_STMT_INIT_DONE */", taking true branch mysql-5.5.28/libmysql/libmysql.c:4656:7: cond_true: Condition "mysql->unbuffered_fetch_owner == &stmt->unbuffered_fetch_cancelled", taking true branch mysql-5.5.28/libmysql/libmysql.c:4658:7: cond_true: Condition "mysql->status != MYSQL_STATUS_READY", taking true branch mysql-5.5.28/libmysql/libmysql.c:4665:9: cond_false: Condition "mysql->unbuffered_fetch_owner", taking false branch mysql-5.5.28/libmysql/libmysql.c:4666:11: if_end: End of if statement mysql-5.5.28/libmysql/libmysql.c:4670:7: cond_true: Condition "rc = (*mysql->methods->advanced_command)(mysql, COM_STMT_CLOSE, NULL, 0, buff, 4, 1, stmt)", taking true branch mysql-5.5.28/libmysql/libmysql.c:4678:3: freed_arg: "my_free(void *)" frees parameter "stmt". mysql-5.5.28/mysys/my_malloc.c:128:3: freed_arg: "free(void *)" frees parameter "ptr". mysql-5.5.28/client/mysqltest.cc:7804: deref_arg: Calling "mysql_stmt_errno(MYSQL_STMT *)" dereferences freed pointer "stmt". mysql-5.5.28/libmysql/libmysql.c:4710:3: deref_parm: Directly dereferencing parameter "stmt". Error: USE_AFTER_FREE (CWE-416): [#def1154] mysql-5.5.28/mysys/my_malloc.c:82: cond_true: Condition "!oldpoint", taking true branch mysql-5.5.28/mysys/my_malloc.c:82: cond_false: Condition "my_flags & 0x40", taking false branch mysql-5.5.28/mysys/my_malloc.c:83: if_end: End of if statement mysql-5.5.28/mysys/my_malloc.c:101: cond_true: Condition "(point = realloc(oldpoint, size)) == NULL", taking true branch mysql-5.5.28/mysys/my_malloc.c:103: cond_true: Condition "my_flags & 0x80", taking true branch mysql-5.5.28/mysys/my_malloc.c:104: freed_arg: "my_free(void *)" frees "oldpoint". mysql-5.5.28/mysys/my_malloc.c:128:3: freed_arg: "free(void *)" frees parameter "ptr". 
mysql-5.5.28/mysys/my_malloc.c:105: cond_true: Condition "my_flags & 0x100", taking true branch mysql-5.5.28/mysys/my_malloc.c:106: use_after_free: Using freed pointer "oldpoint". Error: USE_AFTER_FREE (CWE-416): [#def1155] mysql-5.5.28/mysys/my_copy.c:65: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:66: cond_true: Condition "my_stat((char *)to, &new_stat_buff, 0 /* (myf)0 */)", taking true branch mysql-5.5.28/mysys/my_copy.c:68: cond_true: Condition "(from_file = my_open(from, 0 /* 0 | 0 */, MyFlags)) >= 0", taking true branch mysql-5.5.28/mysys/my_copy.c:70: cond_false: Condition "!my_stat(from, &stat_buff, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:74: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:75: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:75: cond_true: Condition "new_file_stat", taking true branch mysql-5.5.28/mysys/my_copy.c:77: cond_true: Condition "MyFlags & 0x400", taking true branch mysql-5.5.28/mysys/my_copy.c:79: cond_false: Condition "(to_file = my_create(to, (int)stat_buff.st_mode, 1 | create_flag | 0 | 0, MyFlags)) < 0", taking false branch mysql-5.5.28/mysys/my_copy.c:82: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:84: cond_false: Condition "(Count = my_read(from_file, buff, 4096UL /* sizeof (buff) */, MyFlags)) != 0", taking false branch mysql-5.5.28/mysys/my_copy.c:89: loop_end: Reached end of loop mysql-5.5.28/mysys/my_copy.c:92: cond_true: Condition "MyFlags & 0x1000", taking true branch mysql-5.5.28/mysys/my_copy.c:94: cond_false: Condition "my_sync(to_file, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:95: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:98: closed_arg: "my_close(File, myf)" closes "from_file". mysql-5.5.28/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd". 
mysql-5.5.28/mysys/my_copy.c:98: cond_false: Condition "my_close(from_file, MyFlags) | my_close(to_file, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:99: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:103: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:103: cond_false: Condition "!new_file_stat", taking false branch mysql-5.5.28/mysys/my_copy.c:104: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:106: cond_false: Condition "chmod(to, stat_buff.st_mode & 4095)", taking false branch mysql-5.5.28/mysys/my_copy.c:112: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:115: cond_true: Condition "chown(to, stat_buff.st_uid, stat_buff.st_gid)", taking true branch mysql-5.5.28/mysys/my_copy.c:118: cond_true: Condition "MyFlags & 24 /* 8 + 16 */", taking true branch mysql-5.5.28/mysys/my_copy.c:120: goto: Jumping to label "err" mysql-5.5.28/mysys/my_copy.c:135: label: Reached label "err" mysql-5.5.28/mysys/my_copy.c:136: cond_true: Condition "from_file >= 0", taking true branch mysql-5.5.28/mysys/my_copy.c:136: double_close: Calling "my_close(File, myf)" closes handle "from_file" which has already been closed. mysql-5.5.28/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd". 
Error: USE_AFTER_FREE (CWE-416): [#def1156] mysql-5.5.28/mysys/my_copy.c:65: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:66: cond_true: Condition "my_stat((char *)to, &new_stat_buff, 0 /* (myf)0 */)", taking true branch mysql-5.5.28/mysys/my_copy.c:68: cond_true: Condition "(from_file = my_open(from, 0 /* 0 | 0 */, MyFlags)) >= 0", taking true branch mysql-5.5.28/mysys/my_copy.c:70: cond_false: Condition "!my_stat(from, &stat_buff, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:74: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:75: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:75: cond_true: Condition "new_file_stat", taking true branch mysql-5.5.28/mysys/my_copy.c:77: cond_true: Condition "MyFlags & 0x400", taking true branch mysql-5.5.28/mysys/my_copy.c:79: cond_false: Condition "(to_file = my_create(to, (int)stat_buff.st_mode, 1 | create_flag | 0 | 0, MyFlags)) < 0", taking false branch mysql-5.5.28/mysys/my_copy.c:82: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:84: cond_false: Condition "(Count = my_read(from_file, buff, 4096UL /* sizeof (buff) */, MyFlags)) != 0", taking false branch mysql-5.5.28/mysys/my_copy.c:89: loop_end: Reached end of loop mysql-5.5.28/mysys/my_copy.c:92: cond_true: Condition "MyFlags & 0x1000", taking true branch mysql-5.5.28/mysys/my_copy.c:94: cond_false: Condition "my_sync(to_file, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:95: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:98: closed_arg: "my_close(File, myf)" closes "to_file". mysql-5.5.28/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd". 
mysql-5.5.28/mysys/my_copy.c:98: cond_false: Condition "my_close(from_file, MyFlags) | my_close(to_file, MyFlags)", taking false branch mysql-5.5.28/mysys/my_copy.c:99: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:103: cond_true: Condition "MyFlags & 0x80", taking true branch mysql-5.5.28/mysys/my_copy.c:103: cond_false: Condition "!new_file_stat", taking false branch mysql-5.5.28/mysys/my_copy.c:104: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:106: cond_false: Condition "chmod(to, stat_buff.st_mode & 4095)", taking false branch mysql-5.5.28/mysys/my_copy.c:112: if_end: End of if statement mysql-5.5.28/mysys/my_copy.c:115: cond_true: Condition "chown(to, stat_buff.st_uid, stat_buff.st_gid)", taking true branch mysql-5.5.28/mysys/my_copy.c:118: cond_true: Condition "MyFlags & 24 /* 8 + 16 */", taking true branch mysql-5.5.28/mysys/my_copy.c:120: goto: Jumping to label "err" mysql-5.5.28/mysys/my_copy.c:135: label: Reached label "err" mysql-5.5.28/mysys/my_copy.c:136: cond_true: Condition "from_file >= 0", taking true branch mysql-5.5.28/mysys/my_copy.c:137: cond_true: Condition "to_file >= 0", taking true branch mysql-5.5.28/mysys/my_copy.c:139: double_close: Calling "my_close(File, myf)" closes handle "to_file" which has already been closed. mysql-5.5.28/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd".
diff -up mysql-5.5.30/client/mysqltest.cc.broken mysql-5.5.30/client/mysqltest.cc
--- mysql-5.5.30/client/mysqltest.cc.broken 2013-04-10 14:37:57.135806903 +0200
+++ mysql-5.5.30/client/mysqltest.cc 2013-04-10 14:38:06.160836622 +0200
@@ -7788,13 +7788,6 @@ end:
 }
 revert_properties();
- /* Close the statement if - no reconnect, need new prepare */
- if (mysql->reconnect)
- {
- mysql_stmt_close(stmt);
- cur_con->stmt= NULL;
- }
-
 /* We save the return code (mysql_stmt_errno(stmt)) from the last call sent to the server into the mysqltest builtin variable $mysql_errno. This
@@ -7803,6 +7796,13 @@ end:
 var_set_errno(mysql_stmt_errno(stmt));
+ /* Close the statement if - no reconnect, need new prepare */
+ if (mysql->reconnect)
+ {
+ mysql_stmt_close(stmt);
+ cur_con->stmt= NULL;
+ }
+
 DBUG_VOID_RETURN;
 }
diff -up mysql-5.5.30/mysys/my_copy.c.broken mysql-5.5.30/mysys/my_copy.c
--- mysql-5.5.30/mysys/my_copy.c.broken 2013-04-10 14:42:25.707600738 +0200
+++ mysql-5.5.30/mysys/my_copy.c 2013-04-10 14:44:23.987862849 +0200
@@ -98,6 +98,9 @@ int my_copy(const char *from, const char
 if (my_close(from_file,MyFlags) | my_close(to_file,MyFlags))
 DBUG_RETURN(-1); /* Error on close */
+ /* Reinitialize closed fd, so they won't be closed again */
+ from_file = to_file = -1;
+
 /* Copy modes if possible */
 if (MyFlags & MY_HOLD_ORIGINAL_MODES && !new_file_stat)
diff -up mysql-5.5.30/mysys/my_malloc.c.broken mysql-5.5.30/mysys/my_malloc.c
--- mysql-5.5.30/mysys/my_malloc.c.broken 2013-04-10 14:40:54.772147773 +0200
+++ mysql-5.5.30/mysys/my_malloc.c 2013-04-10 14:41:01.668161808 +0200
@@ -84,13 +84,13 @@ void *my_realloc(void *oldpoint, size_t
 #ifdef USE_HALLOC
 if (!(point = malloc(size)))
 {
- if (my_flags & MY_FREE_ON_ERROR)
- my_free(oldpoint);
 if (my_flags & MY_HOLD_ON_ERROR)
 DBUG_RETURN(oldpoint);
 my_errno=errno;
 if (my_flags & MY_FAE+MY_WME)
 my_error(EE_OUTOFMEMORY, MYF(ME_BELL+ME_WAITTANG),size);
+ if (my_flags & MY_FREE_ON_ERROR)
+ my_free(oldpoint);
 }
 else
 {
@@ -100,13 +100,13 @@ void *my_realloc(void *oldpoint, size_t
 #else
 if ((point= realloc(oldpoint, size)) == NULL)
 {
- if (my_flags & MY_FREE_ON_ERROR)
- my_free(oldpoint);
 if (my_flags & MY_HOLD_ON_ERROR)
 DBUG_RETURN(oldpoint);
 my_errno=errno;
 if (my_flags & (MY_FAE+MY_WME))
 my_error(EE_OUTOFMEMORY, MYF(ME_BELL+ME_WAITTANG), size);
+ if (my_flags & MY_FREE_ON_ERROR)
+ my_free(oldpoint);
 }
 #endif
 DBUG_PRINT("exit",("ptr: %p", point));
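Review bot: Nothing in the added block records that its position after `var_set_errno(mysql_stmt_errno(stmt))` is what fixes the defect: `mysql_stmt_close()` frees `stmt` (the Coverity trace above ends in `my_free` on it), so a later reader who moves the error capture back below the close silently reintroduces the use-after-free. The carried-over comment `/* Close the statement if - no reconnect, need new prepare */` also reads backwards against the `if (mysql->reconnect)` condition it sits on. I'd replace it with `/* Auto-reconnect needs a fresh prepare, so drop the statement here. Keep this after mysql_stmt_errno() above: mysql_stmt_close() frees stmt. */`. The enclosing function begins outside the hunk, and the leading context lines of this hunk appear to have been lost when the diff was pasted.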
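Review bot: The added reset only makes sense together with the `err:` cleanup that the hunk does not show, and the new comment does not say so; the Coverity trace above shows that cleanup testing `from_file >= 0` / `to_file >= 0` before closing, which is what the chmod/chown failure path jumps to. The context line `if (my_close(from_file,MyFlags) | my_close(to_file,MyFlags))` is also fragile: the bitwise `|` is what guarantees both descriptors are closed even when the first close fails, and a well-meaning change to `||` would leak `to_file` on that path. I'd spell both out: `/* Bitwise | on purpose: both descriptors must be closed even if the first close fails. */` above the `if`, and `/* Both descriptors are closed now; the err: cleanup only closes handles that are still >= 0. */` in place of the added comment. my_copy's body begins and ends outside the hunk.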
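Review bot: Moving `my_free(oldpoint)` below the `MY_HOLD_ON_ERROR` return changes which flag wins when a caller sets both `MY_FREE_ON_ERROR` and `MY_HOLD_ON_ERROR`: before, the old block was freed and then returned (the reported use-after-free); now it is returned intact and never freed. That is the right outcome, but it deserves a line so the order is not "tidied" back later: `/* Free only after reporting: with MY_HOLD_ON_ERROR the caller keeps oldpoint, so it must stay valid. */` above the moved `if`. Separately, the context line `if (my_flags & MY_FAE+MY_WME)` relies on `+` binding tighter than `&`; the `#else` branch writes `(MY_FAE+MY_WME)` with parentheses, and this branch should match it. my_realloc's definition begins before the hunk.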
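Review bot: After this reorder the failure path with `MY_FREE_ON_ERROR` frees `oldpoint` and then falls through to `DBUG_PRINT` with `point` still NULL, so the caller's old pointer is dangling by contract once the function presumably returns that NULL; a comment on the moved `if` should say so, since a reader of the `realloc` call alone would expect the old block to survive a failed `realloc`: `/* Caller asked us to discard the old block on failure; oldpoint must not be touched after a NULL return. */`. The `MY_HOLD_ON_ERROR` return above it now takes precedence over the free, which I would pin down explicitly if the project's DBUG_ASSERT is available here, e.g. `DBUG_ASSERT(!((my_flags & MY_FREE_ON_ERROR) && (my_flags & MY_HOLD_ON_ERROR)));` at the top of the failure branch — hedged, since I cannot see what callers pass. my_realloc's return statement lies past the end of the hunk.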