Bug#36593235: MySQL server 8.3.0 crashes at

              Item_rollup_sum_switcher::current_arg

Problem is seen when a subquery containing a aggregate
function with rollup is part of a row value comparator
and if there were no rows returned from the subquery.

cmp_item_row::store_value() evaluates the subquery and
goes ahead to store the values of the expressions in
the comparator without checking if the result was assigned
for the subquery. This leads to evaluation of a rollup
expression when it is marked as not to be evaluated as
aggregation was completed earlier. For the failing
query, AggregateIterator() does evaluate the expressions.
However HAVING clause does not qualify the rows. So the
result of the aggregation is never cached.

If a subquery returns empty result, bring_value()
would set the "null_value" to true.
cmp_item_row::store_value() now stores the value of
the underlying comparator objects only when the
result is not null. Else the result is set
to null.

Change-Id: Ia04ee852f4c8daa50741f7a217c3fc6f9b250ac8

Author: Chaithra Gopalareddy

sql/item_cmpfunc.cc

@@ -4684,11 +4684,16 @@ bool cmp_item_row::allocate_template_comparators(THD *thd, Item *item) {
 void cmp_item_row::store_value(Item *item) {
   DBUG_TRACE;
   assert(comparators != nullptr);
-  item->bring_value();
   item->null_value = false;
-  for (uint i = 0; i < n; i++) {
-    comparators[i]->store_value(item->element_index(i));
-    item->null_value |= item->element_index(i)->null_value;
+  item->bring_value();
+  if (item->null_value) {
+    set_null_value(/*nv=*/true);
+  } else {
+    item->null_value = false;
+    for (uint i = 0; i < n; i++) {
+      comparators[i]->store_value(item->element_index(i));
+      item->null_value |= item->element_index(i)->null_value;
+    }
   }
 }
 
@@ -4714,12 +4719,17 @@ bool cmp_item_row::allocate_value_comparators(MEM_ROOT *mem_root,
 
 void cmp_item_row::store_value_by_template(cmp_item *t, Item *item) {
   cmp_item_row *tmpl = (cmp_item_row *)t;
-  item->bring_value();
   item->null_value = false;
-  for (uint i = 0; i < n; i++) {
-    comparators[i]->store_value_by_template(tmpl->comparators[i],
-                                            item->element_index(i));
-    item->null_value |= item->element_index(i)->null_value;
+  item->bring_value();
+  if (item->null_value) {
+    set_null_value(/*nv=*/true);
+  } else {
+    item->null_value = false;
+    for (uint i = 0; i < n; i++) {
+      comparators[i]->store_value_by_template(tmpl->comparators[i],
+                                              item->element_index(i));
+      item->null_value |= item->element_index(i)->null_value;
+    }
   }
 }
 

sql/item_cmpfunc.h

@@ -1828,13 +1828,14 @@ class cmp_item {
   virtual void store_value_by_template(cmp_item *, Item *item) {
     store_value(item);
   }
+  virtual void set_null_value(bool nv) = 0;
 };
 
 /// cmp_item which stores a scalar (i.e. non-ROW).
 class cmp_item_scalar : public cmp_item {
  protected:
   bool m_null_value;  ///< If stored value is NULL
-  void set_null_value(bool nv) { m_null_value = nv; }
+  void set_null_value(bool nv) override { m_null_value = nv; }
 };
 
 class cmp_item_string final : public cmp_item_scalar {
@@ -2199,6 +2200,11 @@ class cmp_item_row : public cmp_item {
   int compare(const cmp_item *arg) const override;
   cmp_item *make_same() override;
   void store_value_by_template(cmp_item *tmpl, Item *) override;
+  void set_null_value(bool nv) override {
+    for (uint i = 0; i < n; i++) {
+      comparators[i]->set_null_value(nv);
+    }
+  }
 
  private:
   /**