Bug#21753180: handle_fatal_signal (sig=11) in my_strtod_int

This problem occurs on a query on a table with this definition:

CREATE TABLE t1(a int, b blob, c blob);
INSERT INTO t1 VALUES(1,2,1),(2,4,1);

The query is:

SELECT a, (SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1) FROM t1;

We see there is an implicit grouping because of the SUM expression.
When analyzing the SUM expression, the aggregation query block should be
calculated as the inner-most query block that the individual columns are
resolved from. "a" refers to t1, so it may be aggregated in the outer
query block. "c" refers to v1, so it must be aggregated in the inner
query block. Thus, the SUM expression should be aggregated in the inner
query block, and the outer query block should be non-aggregated.

However, Item_field::fix_fields() does not calculate this correctly.
The "c" field will be wrapped in an Item_direct_view_ref object and the
condition in this statement will be true (line 5943).

    if (from_field == view_ref_found)
      return false;

It is correct that we shall not call set_field() for such items, but
missing the calculation of in_sum_func->max_arg_level further down
means that the aggregation level for the SUM expression is calculated
to be the outer query block. Somehow, this causes the failure reported
in the bug. This problem goes away when calculating max_arg_level
also for fields that are resolved from views and derived tables.

Author: roylyseng

mysql-test/r/group_by.result

@@ -3199,3 +3199,24 @@ a	MAX(b)
 9	10
 10	10
 DROP TABLE t0, t1;
+# Bug#21753180: handle_fatal_signal (sig=11) in my_strtod_int
+CREATE TABLE t1(
+a INTEGER,
+b BLOB(1),
+c BLOB(1),
+PRIMARY KEY(a,b(1)),
+UNIQUE KEY (a,c(1))
+);
+INSERT INTO t1 VALUES(1,2,1),(2,4,1);
+explain SELECT a, (SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1) FROM t1;
+id	select_type	table	partitions	type	possible_keys	key	key_len	ref	rows	filtered	Extra
+1	PRIMARY	t1	NULL	index	NULL	PRIMARY	7	NULL	2	100.00	Using index
+2	DEPENDENT SUBQUERY	t1	NULL	ALL	NULL	NULL	NULL	NULL	2	100.00	NULL
+Warnings:
+Note	1276	Field or reference 'test.t1.a' of SELECT #2 was resolved in SELECT #1
+Note	1003	/* select#1 */ select `test`.`t1`.`a` AS `a`,(/* select#2 */ select sum((`test`.`t1`.`a` + `test`.`t1`.`b`)) from `test`.`t1`) AS `(SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1)` from `test`.`t1`
+SELECT a, (SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1) FROM t1;
+a	(SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1)
+1	8
+2	10
+DROP TABLE t1;

mysql-test/t/group_by.test

@@ -2385,3 +2385,24 @@ eval EXPLAIN $query;
 eval $query;
 
 DROP TABLE t0, t1;
+
+--echo # Bug#21753180: handle_fatal_signal (sig=11) in my_strtod_int
+
+CREATE TABLE t1(
+ a INTEGER,
+ b BLOB(1),
+ c BLOB(1),
+ PRIMARY KEY(a,b(1)),
+ UNIQUE KEY (a,c(1))
+);
+
+INSERT INTO t1 VALUES(1,2,1),(2,4,1);
+
+let $query=
+SELECT a, (SELECT SUM(a + c) FROM (SELECT b as c FROM t1) AS v1) FROM t1;
+
+eval explain $query;
+
+eval $query;
+
+DROP TABLE t1;

sql/item.cc

@@ -5921,25 +5921,24 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
     }
 
     /*
-      if it is not expression from merged VIEW we will set this field.
-
-      We can leave expression substituted from view for next PS/SP rexecution
-      (i.e. do not register this substitution for reverting on cleanup()
-      (register_item_tree_changing())), because this subtree will be
-      fix_field'ed during setup_tables()->setup_underlying() (i.e. before
-      all other expressions of query, and references on tables which do
-      not present in query will not make problems.
-
-      Also we suppose that view can't be changed during PS/SP life.
+      If inside an aggregation function, set the correct aggregation level.
+      Even if a view reference is found, the level is still the query block
+      associated with the context of the current item:
     */
-    if (from_field == view_ref_found)
-      return false;
-
-    set_field(from_field);
+    DBUG_ASSERT(from_field != view_ref_found ||
+                context->select_lex ==
+                dynamic_cast<Item_ident *>(*reference)->context->select_lex);
     if (thd->lex->in_sum_func &&
         thd->lex->in_sum_func->nest_level == context->select_lex->nest_level)
       set_if_bigger(thd->lex->in_sum_func->max_arg_level,
                     context->select_lex->nest_level);
+
+    // If view column reference, Item in *reference is completely resolved:
+    if (from_field == view_ref_found)
+      return false;
+
+    // Not view reference, not outer reference; need to set properties:
+    set_field(from_field);
   }
   else if (thd->mark_used_columns != MARK_COLUMNS_NONE)
   {