Avoid a malfunction that could occur if the same correlated column reference appears...

FossilOrigin-Name: 1e35cc6d5c2f563c6bb163bb150d7bc6ede4c993efa828af1face3261bf65a2c

diff --git a/manifest b/manifest
index fed613db3ad959ebdfcf47c19ac434faffa97eba..d324909d0d5aa85ee842db35df3997cea4b31769 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C It\sdoes\snot\swork\sto\sdeserialized\sinto\sTEMP,\sso\sdo\snot\sallow\sit.\s\sThe\nsqlite3_deserialize()\sroutine\snow\sreturns\sSQLITE_ERROR\sif\syou\stry.
-D 2021-07-20T02:02:24.771
+C Avoid\sa\smalfunction\sthat\scould\soccur\sif\sthe\ssame\scorrelated\scolumn\sreference\sappears\sin\sboth\sthe\sGROUP\sBY\sand\sthe\sHAVING\sclause\sof\sa\ssub-select.\sdbsqlfuzz\sa779227f721a834df95f4f42d0c31550a1f8b8a2.
+D 2021-07-20T14:57:49.212
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -544,7 +544,7 @@ F src/printf.c 78fabb49b9ac9a12dd1c89d744abdc9b67fd3205e62967e158f78b965a29ec4b
 F src/random.c 097dc8b31b8fba5a9aca1697aeb9fd82078ec91be734c16bffda620ced7ab83c
 F src/resolve.c ea205123fba6bb254666f50b6c220270913eae54eb03d263abaa432c703f5857
 F src/rowset.c ba9515a922af32abe1f7d39406b9d35730ed65efab9443dc5702693b60854c92
-F src/select.c 0c783511b5f35b37d971dcd653c554d21f74d7cb63a4979991a61d068480c40f
+F src/select.c bc9767ab4972c63ca6def53d7b5c8cc8e4df78b63bf51981ae14a82084089a5b
 F src/shell.c.in 856de2945bb7fdfdeebe7136cf1b59d24618845aa5e5f3937fda7ff37c623b51
 F src/sqlite.h.in 43fcf0fe2af04081f420a906fc020bde1243851ba44b0aa567a27f94bf8c3145
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
@@ -640,7 +640,7 @@ F test/8_3_names.test ebbb5cd36741350040fd28b432ceadf495be25b2
 F test/affinity2.test ce1aafc86e110685b324e9a763eab4f2a73f737842ec3b687bd965867de90627
 F test/affinity3.test eecb0dabee4b7765a8465439d5e99429279ffba23ca74a7eae270a452799f9e7
 F test/aggerror.test a867e273ef9e3d7919f03ef4f0e8c0d2767944f2
-F test/aggnested.test 2f65ec8132e0ca896de550b9908094d49ad65a99116a9d79deeb6017604ad4f6
+F test/aggnested.test cc47afa5e11e0d6771a85a4993fa6ff721480ddb53ea538ec3fdbafb720bd505
 F test/alias.test 4529fbc152f190268a15f9384a5651bbbabc9d87
 F test/all.test 2ecb8bbd52416642e41c9081182a8df05d42c75637afd4488aace78cc4b69e13
 F test/alter.test f53d8a4ecd35f051c07e54a36beec5d0a30d30a9d98bc723f6cde6afbfb3c5ca
@@ -1920,7 +1920,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P b5ede6a68891820bd5b6d051b1b641bc1cd49104cad2466db184134d14f58f5b
-R e22cd931ae144bced3e3587611f0e114
-U drh
-Z b4c2ab277c13106aeed921dd3a580a07
+P 18068cc60698d4944a9d682cdf34b14b4d4b32f043f8d584dbf41c2bb5ac6220
+R facd06e35d967824eff05936c4ae18f7
+U dan
+Z 1eb6cf39f57a9c2d1d0141c8c9e6030e

diff --git a/manifest.uuid b/manifest.uuid
index dd0503215ce944d864815cdc1a2077aca23bef98..8d6dce630e241b78bfd2fafc8fabb05ad16d2bf9 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-18068cc60698d4944a9d682cdf34b14b4d4b32f043f8d584dbf41c2bb5ac6220
\ No newline at end of file
+1e35cc6d5c2f563c6bb163bb150d7bc6ede4c993efa828af1face3261bf65a2c
\ No newline at end of file

diff --git a/src/select.c b/src/select.c
index e0ac9db97b03cc306e2082966f95d94edb5dc0f8..b74999a8f234de1f6d21eadba082384249b17524 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -6019,8 +6019,16 @@ static void explainSimpleCount(
 static int havingToWhereExprCb(Walker *pWalker, Expr *pExpr){
   if( pExpr->op!=TK_AND ){
     Select *pS = pWalker->u.pSelect;
+    /* This routine is called before the HAVING clause of the current
+    ** SELECT is analyzed for aggregates. So if pExpr->pAggInfo is set
+    ** here, it indicates that the expression is a correlated reference to a
+    ** column from an outer aggregate query, or an aggregate function that
+    ** belongs to an outer query. Do not move the expression to the WHERE
+    ** clause in this obscure case, as doing so may corrupt the outer Select
+    ** statements AggInfo structure.  */
     if( sqlite3ExprIsConstantOrGroupBy(pWalker->pParse, pExpr, pS->pGroupBy) 
      && ExprAlwaysFalse(pExpr)==0
+     && pExpr->pAggInfo==0
     ){
       sqlite3 *db = pWalker->pParse->db;
       Expr *pNew = sqlite3Expr(db, TK_INTEGER, "1");

diff --git a/test/aggnested.test b/test/aggnested.test
index dcb1f95c997ded33b7f8e096729cc9cfb630b1d2..35d5f1e3a68b2de74d4dbb6e1c365bbbe8509d88 100644 (file)
--- a/test/aggnested.test
+++ b/test/aggnested.test
@@ -306,6 +306,48 @@ do_execsql_test 5.5 {
     b, b;
 }
 
+#-------------------------------------------------------------------------
+# dbsqlfuzz a779227f721a834df95f4f42d0c31550a1f8b8a2 
+#
+reset_db
+do_execsql_test 6.0 {
+  CREATE TABLE t1(a);
+  CREATE TABLE t2(b);
+
+  INSERT INTO t1 VALUES('x');
+  INSERT INTO t2 VALUES(1);
+}
+
+do_execsql_test 6.1.1 {
+  SELECT ( 
+    SELECT t2.b FROM (SELECT t2.b AS c FROM t1) GROUP BY 1 HAVING t2.b
+  )
+  FROM t2 GROUP BY 'constant_string';
+} {1}
+do_execsql_test 6.1.2 {
+  SELECT ( 
+    SELECT c FROM (SELECT t2.b AS c FROM t1) GROUP BY c HAVING t2.b
+  )
+  FROM t2 GROUP BY 'constant_string';
+} {1}
+
+do_execsql_test 6.2.0 {
+  UPDATE t2 SET b=0
+}
+do_execsql_test 6.2.1 {
+  SELECT ( 
+    SELECT t2.b FROM (SELECT t2.b AS c FROM t1) GROUP BY 1 HAVING t2.b
+  )
+  FROM t2 GROUP BY 'constant_string';
+} {{}}
+do_execsql_test 6.2.2 {
+  SELECT ( 
+    SELECT c FROM (SELECT t2.b AS c FROM t1) GROUP BY c HAVING t2.b
+  )
+  FROM t2 GROUP BY 'constant_string';
+} {{}}
+
+