MDEV-22563 Segfault on duplicate free of Item_func_in::array

Same array instance in two Item_func_in instances. First Item_func_in
instance is freed on table close. Second one is freed on
cleanup_after_query().

get_copy() depends on copy ctor for copying an item and hence does
shallow copy for default copy ctor. Use build_clone() for deep copy of
Item_func_in.

1 files changed, 5 insertions, 0 deletions

diff --git a/sql/item.h b/sql/item.h
index 54eaaaf8743..b83b997323d 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -1586,6 +1586,7 @@ public:
   virtual bool is_order_clause_position() const { return false; }
   /* cloning of constant items (0 if it is not const) */
   virtual Item *clone_item(THD *thd) { return 0; }
+  /* deep copy item */
   virtual Item* build_clone(THD *thd) { return get_copy(thd); }
   virtual cond_result eq_cmp_result() const { return COND_OK; }
   inline uint float_length(uint decimals_par) const
@@ -2031,6 +2032,10 @@ public:
   virtual bool check_index_dependence(void *arg) { return 0; }
   /*============== End of Item processor list ======================*/
 
+  /*
+    Does not guarantee deep copy (depends on copy ctor).
+    See build_clone() for deep copy.
+  */
   virtual Item *get_copy(THD *thd)=0;
 
   bool cache_const_expr_analyzer(uchar **arg);