From 1408e26d0b15ea95d3d017bb059cd65b53b00a86 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.com>
Date: Fri, 15 May 2020 06:15:10 +0400
Subject: MDEV-22560 Crash on a table value constructor with an SP variable

fix_fields_for_tvc() could call fix_fields() for Items that have
already been fixed before. Changing fix_fields() to fix_fields_if_needed().
---
 mysql-test/main/table_value_constr.result | 11 +++++++++++
 mysql-test/main/table_value_constr.test   | 13 +++++++++++++
 sql/sql_tvc.cc                            |  9 ++++++++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/table_value_constr.result b/mysql-test/main/table_value_constr.result
index 03e378e68f2..b00cfd28dcc 100644
--- a/mysql-test/main/table_value_constr.result
+++ b/mysql-test/main/table_value_constr.result
@@ -2599,3 +2599,14 @@ a
 2
 1
 drop view v1;
+#
+# MDEV-22560 Crash on a table value constructor with an SP variable
+#
+BEGIN NOT ATOMIC
+DECLARE a INT DEFAULT 0;
+VALUES (a) UNION SELECT 1;
+END;
+$$
+a
+0
+1
diff --git a/mysql-test/main/table_value_constr.test b/mysql-test/main/table_value_constr.test
index 4464eb7b77b..e7843c604dd 100644
--- a/mysql-test/main/table_value_constr.test
+++ b/mysql-test/main/table_value_constr.test
@@ -1326,3 +1326,16 @@ create view v1 as with t(a) as (values (2), (1)) select a from t;
 show create view v1;
 select * from v1;
 drop view v1;
+
+
+--echo #
+--echo # MDEV-22560 Crash on a table value constructor with an SP variable
+--echo #
+
+DELIMITER $$;
+BEGIN NOT ATOMIC
+  DECLARE a INT DEFAULT 0;
+  VALUES (a) UNION SELECT 1;
+END;
+$$
+DELIMITER ;$$
diff --git a/sql/sql_tvc.cc b/sql/sql_tvc.cc
index b4538248e07..92cd229eebb 100644
--- a/sql/sql_tvc.cc
+++ b/sql/sql_tvc.cc
@@ -52,7 +52,14 @@ bool fix_fields_for_tvc(THD *thd, List_iterator_fast<List_item> &li)
 
     while ((item= it++))
     {
-      if (item->fix_fields(thd, 0))
+      /*
+        Some items have already been fixed.
+        For example Item_splocal items get fixed in
+        Item_splocal::append_for_log(), which is called from subst_spvars()
+        while replacing their values to NAME_CONST()s.
+        So fix only those that have not been.
+      */
+      if (item->fix_fields_if_needed(thd, 0))
 	DBUG_RETURN(true);
     }
   }
-- 
cgit v1.2.1