MDEV-29731 Assertion failure when HAVING in a correlated subquery references...

MDEV-29731 Assertion failure when HAVING in a correlated subquery references columns in the outer query

When resolving a column from the HAVING clause, a new Item_field
object may be created inside Item_ref::fix_fields().
But the object is created with an empty name resolution context,
which then leads to debug assertion failure during
Item_field::fix_fields().

The solution is to pass the correct name resolution context
when creating the Item_field object.

Reviewer: Oleksandr Byelkin (sanja@mariadb.com)

mysql-test/main/having.result

@@ -904,5 +904,54 @@ SELECT * FROM t HAVING f = 'foo';
 f
 DROP TABLE t;
 #
+# MDEV-29731 Crash when HAVING in a correlated subquery references
+#            columns in the outer query
+#
+CREATE TABLE t (a INT, b INT);
+SELECT 1 FROM t
+WHERE b = (SELECT 1 FROM t GROUP BY a HAVING b = a+1);
+1
+DROP TABLE t;
+CREATE TABLE t (a INT, b INT, c INT);
+SELECT 1 FROM t
+WHERE (b,c) = (SELECT 1,1 FROM t GROUP BY a HAVING b = a+1 and c = a-1);
+1
+DROP TABLE t;
+CREATE TABLE t (a TEXT, b INT UNIQUE);
+SELECT 1 FROM t
+WHERE b IN (SELECT 1 FROM t
+GROUP BY '', a
+HAVING (CASE b WHEN 1 +'' THEN 3 ELSE a END)
+ORDER BY b)
+GROUP BY b HAVING b = 1;
+1
+Warnings:
+Warning	1292	Truncated incorrect DOUBLE value: ''
+DROP TABLE t;
+CREATE TABLE t (a INT, b CHAR KEY UNIQUE);
+CREATE VIEW v AS SELECT * FROM t WHERE a LIKE '' GROUP BY b HAVING a > a;
+SELECT * FROM v AS v1 NATURAL JOIN v AS v5 NATURAL JOIN v
+WHERE a LIKE '' AND b IN (SELECT a FROM t
+WHERE a LIKE ''
+                            GROUP BY a
+HAVING b LIKE (b < +1 OR a > 1) >= b);
+a	b
+DROP VIEW v;
+DROP TABLE t;
+EXECUTE IMMEDIATE 'SELECT LEAD(c) OVER (ORDER BY c)
+                   FROM (SELECT 0 AS c) AS a NATURAL JOIN (SELECT 0 AS c) AS b;';
+LEAD(c) OVER (ORDER BY c)
+NULL
+CREATE TABLE t (a INT);
+UPDATE t SET a = ''
+  WHERE 1 IN (SELECT * FROM
+(SELECT * FROM
+(SELECT * FROM t AS v5 NATURAL JOIN t AS v4 NATURAL JOIN t) AS v3
+NATURAL JOIN t
+GROUP BY a) AS v2
+WHERE (0, a) IN ((0,-1),(+1,0))
+ORDER BY 1+AVG(a) OVER (ORDER BY a)) ORDER BY a;
+DROP TABLE t;
+#
 # End of 10.4 tests
 #

mysql-test/main/having.test

@@ -950,8 +950,53 @@ DROP TABLE t1,t2;
 CREATE TABLE t (f VARCHAR(512));
 INSERT INTO t VALUES ('a'),('b');
 SELECT * FROM t HAVING f = 'foo';
+DROP TABLE t;
+
+--echo #
+--echo # MDEV-29731 Crash when HAVING in a correlated subquery references
+--echo #            columns in the outer query
+--echo #
+CREATE TABLE t (a INT, b INT);
+SELECT 1 FROM t
+  WHERE b = (SELECT 1 FROM t GROUP BY a HAVING b = a+1);
+DROP TABLE t;
+
+CREATE TABLE t (a INT, b INT, c INT);
+SELECT 1 FROM t
+  WHERE (b,c) = (SELECT 1,1 FROM t GROUP BY a HAVING b = a+1 and c = a-1);
+DROP TABLE t;
+
+CREATE TABLE t (a TEXT, b INT UNIQUE);
+SELECT 1 FROM t
+  WHERE b IN (SELECT 1 FROM t
+              GROUP BY '', a
+              HAVING (CASE b WHEN 1 +'' THEN 3 ELSE a END)
+              ORDER BY b)
+  GROUP BY b HAVING b = 1;
+DROP TABLE t;
+
+CREATE TABLE t (a INT, b CHAR KEY UNIQUE);
+CREATE VIEW v AS SELECT * FROM t WHERE a LIKE '' GROUP BY b HAVING a > a;
+SELECT * FROM v AS v1 NATURAL JOIN v AS v5 NATURAL JOIN v
+  WHERE a LIKE '' AND b IN (SELECT a FROM t
+                            WHERE a LIKE ''
+                            GROUP BY a
+                            HAVING b LIKE (b < +1 OR a > 1) >= b);
+DROP VIEW v;
+DROP TABLE t;
 
-# Cleanup
+EXECUTE IMMEDIATE 'SELECT LEAD(c) OVER (ORDER BY c)
+                   FROM (SELECT 0 AS c) AS a NATURAL JOIN (SELECT 0 AS c) AS b;';
+
+CREATE TABLE t (a INT);
+UPDATE t SET a = ''
+  WHERE 1 IN (SELECT * FROM
+               (SELECT * FROM
+                 (SELECT * FROM t AS v5 NATURAL JOIN t AS v4 NATURAL JOIN t) AS v3
+                NATURAL JOIN t
+              GROUP BY a) AS v2
+              WHERE (0, a) IN ((0,-1),(+1,0))
+              ORDER BY 1+AVG(a) OVER (ORDER BY a)) ORDER BY a;
 DROP TABLE t;
 
 --echo #

sql/item.cc

@@ -8041,7 +8041,7 @@ bool Item_ref::fix_fields(THD *thd, Item **reference)
       if (from_field != not_found_field)
       {
         Item_field* fld;
-        if (!(fld= new (thd->mem_root) Item_field(thd, from_field)))
+        if (!(fld= new (thd->mem_root) Item_field(thd, context, from_field)))
           goto error;
         thd->change_item_tree(reference, fld);
         mark_as_dependent(thd, last_checked_context->select_lex,