MDEV-16090: Server crash in in Item_func_in::val_int or assertion `in_item'

            failure upon SELECT with impossible condition

The problem appears because of a wrong implementation of the
Item_func_in::build_clone() method. It didn't clone 'array' and 'cmp_fields'
fields for the cloned IN predicate and this could cause crashes.
The Item_func_in::fix_length_and_dec() method was refactored and a new method
named Item_func_in::create_array() was created. It allowed to create 'array'
for cloned IN predicates in a proper way.

1 files changed, 3 insertions, 10 deletions

diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
index de1b27cff1a..78a9e384b55 100644
--- a/sql/item_cmpfunc.h
+++ b/sql/item_cmpfunc.h
@@ -1648,6 +1648,7 @@ public:
   }
   longlong val_int();
   bool fix_fields(THD *, Item **);
+  bool create_array(THD *thd);
   void fix_length_and_dec();
   void cleanup()
   {
@@ -1693,16 +1694,7 @@ public:
   bool count_sargable_conds(void *arg);
   Item *get_copy(THD *thd, MEM_ROOT *mem_root)
   { return get_item_copy<Item_func_in>(thd, mem_root, this); }
-  Item *build_clone(THD *thd, MEM_ROOT *mem_root)
-  {
-    Item_func_in *clone= (Item_func_in *) Item_func::build_clone(thd, mem_root);
-    if (clone)
-    {
-      clone->array= 0;
-      bzero(&clone->cmp_items, sizeof(cmp_items));
-    }
-    return clone;
-  }      
+  Item *build_clone(THD *thd, MEM_ROOT *mem_root);
 };
 
 class cmp_item_row :public cmp_item
@@ -1731,6 +1723,7 @@ public:
   ~in_row();
   void set(uint pos,Item *item);
   uchar *get_value(Item *item);
+  friend bool Item_func_in::create_array(THD *thd);
   friend void Item_func_in::fix_length_and_dec();
   Item_result result_type() { return ROW_RESULT; }
   cmp_item *get_cmp_item() { return &tmp; }