MDEV-32829 Crash when executing PS for query with eliminated subquery using view

Statements affected by this bug have all the following
1) select statements with a sub-query
2) that sub-query includes a group-by clause
3) that group-by clause contains an expression
4) that expression has a reference to view

When a view is used in a group by expression, and that group by can be
eliminated in a sub-query simplification as part of and outer condition
that could be in, exists, > or <, then the table structure left behind
will have a unit that contains a null select_lex pointer.

If this happens as part of a prepared statement, or execute in a stored
procedure for the second time, then, when the statement is executed, the table
list entry for that, now eliminated, view is "opened" and "reinit"ialized.
This table entry's unit no longer has a select_lex pointer.
Prior to MDEV-31995 this was of little consequence, but now following this
null pointer will cause a crash.

Reviewed by Igor Babaev (igor@mariadb.com)

mysql-test/main/derived_view.result

@@ -4172,4 +4172,49 @@ a
 deallocate prepare stmt;
 drop view v;
 drop table t1,t2,t3;
+#
+# MDEV-32829 Crash when executing PS for query with eliminated subquery
+#   using view
+#
+create view v1 as select 1 as a;
+prepare stmt from
+'SELECT EXISTS (SELECT 1 FROM v1 GROUP BY a IN (SELECT a FROM v1))';
+execute stmt;
+EXISTS (SELECT 1 FROM v1 GROUP BY a IN (SELECT a FROM v1))
+1
+drop view v1;
+create table t1 (a int, b int);
+insert into t1 values (1,2),(3,4),(5,6);
+create view v1 as select * from t1;
+create table t2 select * from t1;
+prepare stmt from "select t2.a from t2 where exists
+(
+select * from t1 where t2.b = t1.b and t1.b != 6
+group by a in (select a from v1 where v1.a = t2.a)
+)";
+execute stmt;
+a
+1
+3
+execute stmt;
+a
+1
+3
+deallocate prepare stmt;
+create procedure aproc() select t2.a from t2 where exists
+(
+select * from t1 where t2.b = t1.b and t1.b != 6
+group by a in (select a from v1 where v1.a = t2.a)
+);
+call aproc();
+a
+1
+3
+call aproc();
+a
+1
+3
+drop table t1, t2;
+drop view v1;
+drop procedure aproc;
 # End of 10.4 tests

mysql-test/main/derived_view.test

@@ -2759,4 +2759,40 @@ deallocate prepare stmt;
 drop view v;
 drop table t1,t2,t3;
 
+--echo #
+--echo # MDEV-32829 Crash when executing PS for query with eliminated subquery
+--echo #   using view
+--echo #
+
+create view v1 as select 1 as a;
+prepare stmt from
+  'SELECT EXISTS (SELECT 1 FROM v1 GROUP BY a IN (SELECT a FROM v1))';
+execute stmt;
+drop view v1;
+
+create table t1 (a int, b int);
+insert into t1 values (1,2),(3,4),(5,6);
+create view v1 as select * from t1;
+create table t2 select * from t1;
+
+let $q=
+select t2.a from t2 where exists
+(
+  select * from t1 where t2.b = t1.b and t1.b != 6
+  group by a in (select a from v1 where v1.a = t2.a)
+);
+
+eval prepare stmt from "$q";
+execute stmt;
+execute stmt;
+deallocate prepare stmt;
+
+eval create procedure aproc() $q;
+call aproc();
+call aproc();
+
+drop table t1, t2;
+drop view v1;
+drop procedure aproc;
+
 --echo # End of 10.4 tests

sql/sql_derived.cc

@@ -1335,13 +1335,10 @@ bool mysql_derived_reinit(THD *thd, LEX *lex, TABLE_LIST *derived)
                        (derived->alias.str ? derived->alias.str : "<NULL>"),
                        derived->get_unit()));
   st_select_lex_unit *unit= derived->get_unit();
-  st_select_lex *sl= unit->first_select();
 
   // reset item names to that saved after wildcard expansion in JOIN::prepare
-  do
-  {
+  for(st_select_lex *sl= unit->first_select(); sl; sl= sl->next_select())
     sl->restore_item_list_names();
-  } while ((sl=  sl->next_select()));
 
   derived->merged_for_insert= FALSE;
   unit->unclean();