aelkin@mysql.com authored
The bug was found in rpl_stm_000001 testing. In essence the following happens:

    SLAVE thread receives: what happens
    start: init THD and its temp_table (tt0)
    stop: storing tt0 pointer to rli->save...
    start: restoring temp_tables - new pointer tt1
    executing regular binlog event DROP temp_table, at the end of which the tt1-referred list must be empty (slave_open_temp_tables == 0) but the pointer refers to tt0 location!
    shutdown: end_slave calls cleaning of temp_tables and crashes.

The reason for the crash is that the tt1 value is not zero upon DROPping the single temp table. This is due to the alg of removing links from the temp_tables list, which "adapted" 5.0 code but w/o accounting that thd->temporary_tables in the slave thread is prone to freeing. Upon freeing there is no more original '0' value available to denote an empty list. temporary_tables must not refer to any "external" location, one of which thd->temporary_tables represents (since it belongs to the THD instance).

The fix is done in sql_base.cc for two functions; look there for details.
d30425a1
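The failure mode the commit message describes, as an added C example that is not MySQL's code and not part of this commit: a list node that remembers the address of its owner's head slot keeps writing to the old owner after the list is handed to a new one. All names here (`struct owner`, `struct node`, `replay`) are hypothetical stand-ins, and the first owner is kept alive instead of freed so the demo stays well defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins: node ~ one temporary table, owner ~ one THD. */
struct node  { struct node *next; struct node **pprev; /* slot that points at us */ };
struct owner { struct node *temporary_tables; };

/* Push that stores the address of the owner's head slot inside the node. */
static void push_linked(struct owner *o, struct node *n) {
    n->next  = o->temporary_tables;
    n->pprev = &o->temporary_tables;        /* "external" location */
    if (n->next) n->next->pprev = &n->next;
    o->temporary_tables = n;
}

/* Flawed removal: writes through the remembered slot, wherever it points now. */
static void unlink_via_saved_slot(struct node *n) {
    *n->pprev = n->next;
    if (n->next) n->next->pprev = n->pprev;
}

/* Safer removal: the caller passes the head slot that is current right now. */
static void unlink_from_head(struct node **head, struct node *n) {
    for (struct node **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; n->next = NULL; return; }
}

/* Replays start / stop / start / DROP; returns 1 if the new list ends up empty. */
static int replay(int use_safe_unlink) {
    struct owner tt0_owner = {0}, tt1_owner = {0};
    struct node table = {0};
    struct node *saved;

    push_linked(&tt0_owner, &table);        /* start: first owner, head slot tt0 */
    saved = tt0_owner.temporary_tables;     /* stop: list pointer saved aside    */
    /* In the described scenario the first owner is freed here (slot dangles). */
    tt1_owner.temporary_tables = saved;     /* start: restored, head slot tt1    */

    if (use_safe_unlink) unlink_from_head(&tt1_owner.temporary_tables, &table);
    else                 unlink_via_saved_slot(&table);   /* DROP temp table */
    return tt1_owner.temporary_tables == NULL;
}

int main(void) {
    printf("saved-slot unlink leaves new list empty: %d\n", replay(0));
    printf("head-passed unlink leaves new list empty: %d\n", replay(1));
    return 0;
}
```

With the old owner actually freed, the flawed unlink becomes a write into freed memory, and the non-empty head is what the shutdown cleanup then walks.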