revno: 4591.1.70
committer: Guilhem Bichot <guilhem.bichot@oracle.com>
branch nick: 5.6-3
timestamp: Sat 2012-11-24 15:45:56 +0100
message:
  fix for Bug#13996639 CRASH IN ITEM_REF::FIX_FIELDS ON EXEC OF STORED
  FUNCTION WITH ONLY_FULL_GROUP_BY. See per-file comments.

  mysql-test/r/ps_ddl1.result:
    side affect of the bugfix; this is a good change, as the removed comment says.
  sql/sql_lex.cc:
    LEX starts clean
  sql/sql_optimizer.cc:
    If optimize () fails, tag the Lex as "broken"
  sql/sql_parse.cc:
    At first execution of:
     SELECT stored_func()
    this happens:
    1) body of stored_func is read from mysql.proc
    2) body is parsed (sp_compile()) (for each substatement a LEX and some
    Items are created)
    3) parsing went ok so parse trees are cached (sp_cache_insert())
    4) substatement starts executing (SELECT with a NOT IN (subq))
    4.1) Item_in_subselect::fix_fields():
      if (!(res= engine->prepare()))
      {
          (*ref)= substitution;
    engine->prepare() calls JOIN::prepare() on subq, which calls
    resolve_subquery() which starts IN2EXISTS transformation: adds
    conditions (using some new Item_ref) to the subquery's WHERE, creates
    Item_in_optimizer and puts it in 'substitution'. After
    resolve_subquery(), JOIN::prepare() of subq fails in:

        my_message(ER_MIX_OF_GROUP_FUNC_AND_FIELDS,
                   ER(ER_MIX_OF_GROUP_FUNC_AND_FIELDS), MYF(0));
        DBUG_RETURN(-1);

    So far, so good.
    Thus engine->prepare() fails. Thus we don't do:
      (*ref)= substitution;
    i.e. the parent of the subquery continues to have its WHERE point to
    Item_in_subselect. At this stage we have a broken parse tree, because
    subq has been transformed but parent query points to pre-transform
    subq. This mess is not rolled back (IN2EXISTS is a complex transform
    which does not use change_item_tree()).
    ER_MIX_OF_GROUP_FUNC_AND_FIELDS is sent to client.
    So far, so good.

    At 2nd execution of:
     SELECT stored_func()
    this happens:
    1) cached parse trees of stored_func is read from cache
    2) but this is the broken parse tree!
    3) as the Item_ref depends on Item_in_optimizer::fix_fields() to set
    its '*ref', and as Item_in_optimizer was not stored in parent query,
    Item_in_optimizer::fix_fields() is not called, so
    Item_ref::fix_fields() crashes.

    Summary: first execution broke Item_in_subselect/LEX, 2nd execution reused it.

    Solution: first execution marks the fact that it
    broke LEX; 2nd execution sees the mark and asks for a
    reprepare, which creates new parse trees, and thus works as the first
    execution.
    A new member m_broken is added to class LEX. It is set to "true" when
    JOIN:: prepare () or JOIN:: optimize () fail, because it is possible
    that those functions were doing transformations. It is set to "false"
    when the Lex is initialized.
  sql/sql_resolver.cc:
    If prepare () fails, tag the Lex as "broken"