Fixed BUG#13941: replace() string fuction behaves badly inside stored

procedure
  For some functions returning strings (like "replace" and "ifnull" - where
  val_str() is returning a pointer into one of the parameters) - we ended
  up with a dangling pointer after the new operator destroyed the reuse item
  in the eval function.
  A working, if not very elegant, solution is to simply copy the string in
  such cases.

mysql-test/r/sp.result

@@ -3504,4 +3504,32 @@ drop procedure bug7049_5|
 drop procedure bug7049_6|
 drop function bug7049_1|
 drop function bug7049_2|
+drop function if exists bug13941|
+drop procedure if exists bug13941|
+create function bug13941(p_input_str text)
+returns text
+begin
+declare p_output_str text;
+set p_output_str = p_input_str;
+set p_output_str = replace(p_output_str, 'xyzzy', 'plugh');
+set p_output_str = replace(p_output_str, 'test', 'prova');
+set p_output_str = replace(p_output_str, 'this', 'questo');
+set p_output_str = replace(p_output_str, ' a ', 'una ');
+set p_output_str = replace(p_output_str, 'is', '');
+return p_output_str;
+end|
+create procedure bug13941(out sout varchar(128))
+begin
+set sout = 'Local';
+set sout = ifnull(sout, 'DEF');
+end|
+select bug13941('this is a test')|
+bug13941('this is a test')
+questo una prova
+call bug13941(@a)|
+select @a|
+@a
+Local
+drop function bug13941|
+drop procedure bug13941|
 drop table t1,t2;

mysql-test/t/sp.test

@@ -4390,6 +4390,49 @@ drop function bug7049_1|
 drop function bug7049_2|
 
 
+#
+# BUG#13941: replace() string fuction behaves badly inside stored procedure
+# (BUG#13914: IFNULL is returning garbage in stored procedure)
+#
+--disable_warnings
+drop function if exists bug13941|
+drop procedure if exists bug13941|
+--enable_warnings
+
+create function bug13941(p_input_str text)
+  returns text
+begin
+  declare p_output_str text;
+
+  set p_output_str = p_input_str;
+
+  set p_output_str = replace(p_output_str, 'xyzzy', 'plugh');
+  set p_output_str = replace(p_output_str, 'test', 'prova');
+  set p_output_str = replace(p_output_str, 'this', 'questo');
+  set p_output_str = replace(p_output_str, ' a ', 'una ');
+  set p_output_str = replace(p_output_str, 'is', '');
+
+  return p_output_str;
+end|
+
+create procedure bug13941(out sout varchar(128))
+begin
+  set sout = 'Local';
+  set sout = ifnull(sout, 'DEF');
+end|
+
+# Note: The bug showed different behaviour in different types of builds,
+#  giving garbage results in some, and seemingly working in others.
+#  Running with valgrind (or purify) is the safe way to check that it's
+#  really working correctly.
+select bug13941('this is a test')|
+call bug13941(@a)|
+select @a|
+
+drop function bug13941|
+drop procedure bug13941|
+
+
 #
 # BUG#NNNN: New bug synopsis
 #

sql/sp_head.cc

@@ -293,6 +293,21 @@ sp_eval_func_item(THD *thd, Item **it_addr, enum enum_field_types type,
     if (it == reuse)
       DBUG_RETURN(it);
 
+    /*
+      For some functions, 's' is now pointing to an argument of the
+      function, which might be a local variable that it to be reused.
+      In this case, new(reuse, &rsize) below will call the destructor
+      and 's' ends up pointing to freed memory.
+      A somewhat ugly fix is to simply copy the string to our local one
+      (which is unused by most functions anyway), but only if 's' is
+      pointing somewhere else than to 'tmp' or 'it->str_value'.
+     */
+    if (reuse && s != &tmp && s != &it->str_value)
+    {
+      tmp.copy(s->c_ptr(), s->length(), it->collation.collation);
+      s= &tmp;
+    }
+
     CREATE_ON_CALLERS_ARENA(it= new(reuse, &rsize)
                             Item_string(it->collation.collation),
                             use_callers_arena, &backup_arena);