Commit 776b5697 authored by Alexander Nozdrin

Bug#16056537: MYSQLD CRASHES IN ITEM_FUNC_GET_USER_VAR::FIX_LENGTH_AND_DEC()

The technical problem was that THD::user_var_events_alloc was reset to NULL
from a valid value when a stored program is executed during the PREPARE statement.

The user-visible problem was that the server crashed if a user issued a PREPARE
statement using some combination of stored functions and user variables.

The fix is to restore THD::user_var_events_alloc to the original value.
This is a minimal fix for 5.5.

A more proper patch has already been implemented for 5.6+. It avoids
evaluation of stored functions for the PREPARE phase.

From the user's point of view, this bug is a regression, introduced by the patch for WL2649
(Number-to-string conversions), revid: bar@mysql.com-20100211041725-ijbox021olab82nv
However, the code resetting THD::user_var_events_alloc exists even in 5.1.
The WL just changed the way arguments are converted to strings and the bug became visible.
parent f824defb
......@@ -1427,6 +1427,7 @@ sp_head::execute(THD *thd, bool merge_da_on_success)
Will write this SP statement into binlog separately.
TODO: consider changing the condition to "not inside event union".
*/
MEM_ROOT *user_var_events_alloc_saved= thd->user_var_events_alloc;
if (thd->locked_tables_mode <= LTM_LOCK_TABLES)
thd->user_var_events_alloc= thd->mem_root;
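Review bot: The new local `user_var_events_alloc_saved` sits directly under a comment that is about writing the SP statement to the binlog, so nothing at the save site explains why the previous value has to be kept. Add a short comment above the declaration saying that sp_head::execute() can run while an outer statement (the PREPARE case from the commit message) already has a valid thd->user_var_events_alloc, and that the value must be put back on exit. Note also that the save is unconditional while both the overwrite here and the restore further down are guarded by separate evaluations of `thd->locked_tables_mode <= LTM_LOCK_TABLES`; if that mode can change during execution the two branches will not pair up, so either state that it cannot or restore outside the condition.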
......@@ -1442,7 +1443,7 @@ sp_head::execute(THD *thd, bool merge_da_on_success)
if (thd->locked_tables_mode <= LTM_LOCK_TABLES)
{
reset_dynamic(&thd->user_var_events);
thd->user_var_events_alloc= NULL;//DEBUG
thd->user_var_events_alloc= user_var_events_alloc_saved;
}
/* we should cleanup free_list and memroot, used by instruction */
......
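Review bot: In the cleanup branch, `reset_dynamic(&thd->user_var_events);` still runs right before the restored assignment, so the pointer goes back to the caller's value while the event array itself is emptied; any events an outer statement had already recorded there would be dropped. Please confirm that this is intended for the nested case, or save and restore the array state together with the pointer. The line being replaced carried a `//DEBUG` marker, which suggests the NULL reset was never meant as permanent behaviour, so a regression test with a PREPARE statement combining a stored function and a user variable, as described in the commit message, should accompany the change; none is visible in these hunks.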