The cause is thd->variables becoming a dangling pointer:
/*
 * Abridged excerpt of mysql_execute_command(); each "..." marks code the
 * report leaves out. It shows one error path on which the SET STATEMENT
 * restore code at the "error:" label runs although the matching backup of
 * thd->variables was never taken.
 */
int mysql_execute_command(THD *thd)
{
  ...
  /*
   * Declared without an initializer. In this excerpt the only assignment is
   * inside the SET STATEMENT block further down.
   */
  struct system_variables *per_query_variables_backup;
  ...
  if (thd->tx_read_only &&
      (sql_command_flags[lex->sql_command] & CF_DISALLOW_IN_RO_TRANS))
  {
    my_error(ER_CANT_EXECUTE_IN_READ_ONLY_TRANSACTION, MYF(0));
    /*
     * Jumps to the cleanup label before per_query_variables_backup has been
     * assigned, so the pointer is still indeterminate on this path.
     */
    goto error;
  }
  ...
  if (lex->set_statement && !lex->var_list.is_empty())
  {
    /* Snapshot of the session variables, restored at the "error:" label. */
    per_query_variables_backup= copy_system_variables(&thd->variables,
                                                      thd->m_enable_plugins);
  ...
error:
  ...
  /*
   * Same condition as the backup block above, but nothing here checks that
   * the backup was actually made. After the read-only "goto error" the lines
   * below release the live thd->variables, overwrite it with whatever the
   * unassigned pointer refers to, and pass that pointer to my_free().
   * NOTE(review): a guard such as initializing the pointer to NULL and
   * testing it before the restore, or taking the backup before any
   * "goto error", would close this path - confirm against the full function.
   */
  if (lex->set_statement && !lex->var_list.is_empty())
  {
    ...
    free_system_variables(&thd->variables, thd->m_enable_plugins);
    thd->variables= *per_query_variables_backup;
    my_free(per_query_variables_backup);
    ...
  }
This bug is a sibling of bug 1387951 and bug 1418049. These three bugs represent three different error paths in mysql_execute_command that result in a dangling thd->variables pointer.
The cause is thd->variables becoming a dangling pointer:
int mysql_execute_command(THD *thd)
{
  ...
  struct system_variables *per_query_variables_backup;
  ...
  if (thd->tx_read_only &&
      (sql_command_flags[lex->sql_command] & CF_DISALLOW_IN_RO_TRANS))
  {
    my_error(ER_CANT_EXECUTE_IN_READ_ONLY_TRANSACTION, MYF(0));
    goto error;
  }
  ...
  if (lex->set_statement && !lex->var_list.is_empty()) {
    per_query_variables_backup= copy_system_variables(&thd->variables,
                                                      thd->m_enable_plugins);
  ...
error:
  ...
  if (lex->set_statement && !lex->var_list.is_empty()) {
    ...
    free_system_variables(&thd->variables, thd->m_enable_plugins);
    thd->variables= *per_query_variables_backup;
    my_free(per_query_variables_backup);
    ...
  }
This bug is a sibling of bug 1387951 and bug 1418049. These three bugs represent three different error paths in mysql_execute_command that result in a dangling thd->variables pointer.