MDEV-27212 Crash in Item_equal::sort on second execution of stored procedure

This bug could cause a crash of the server at the second call of a stored
procedure when it executed a query containing a mergeable derived table /
view whose specification used another mergeable derived_table or view and a
subquery with outer reference in the select list of the specification.
Such queries could cause the same problem when they were executed for the
second time in a prepared mode.
The problem appeared due to a typo mistake in the legacy code of the function
create_view_field() that prevented building Item_direct_view_ref wrapper
for the mentioned outer reference at the second execution of the query and
setting the depended_from field for the outer reference.

Approved by Oleksandr Byelkin <sanja@mariadb.com>

Author: igorbabaev

mysql-test/r/derived_view.result

@@ -3586,4 +3586,64 @@ f2	f3
 DROP PROCEDURE p1;
 DROP VIEW v1,v2,v3;
 DROP TABLE t1;
+#
+# MDEV-27212: 2-nd execution of PS for select with embedded derived tables
+#             and correlated subquery in select list of outer derived
+#
+create table t1 ( id int, id2 int ) engine=myisam;
+create table t2 ( x3 int , x1 int , x2 int, a1 int) engine=myisam;
+insert into t1 values (3, 2), (4, 2), (3, 4);
+insert into t2 values (1, 2, 2, 1), (1, 3, 3, 2), (2, 3, 3, 1);
+prepare stmt from "select id from t1
+join
+( select dt2.x1,
+( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+from ( select x1 from t2 u where  x3 = 1 ) dt2
+) dt
+on t1.id = dt.x1
+where t1.id2 < dt.m";
+execute stmt;
+id
+3
+execute stmt;
+id
+3
+deallocate prepare stmt;
+create procedure sp1() select id from t1
+join
+( select dt2.x1,
+( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+from ( select x1 from t2 u where  x3 = 1 ) dt2
+) dt
+on t1.id = dt.x1
+where t1.id2 < dt.m;
+call sp1();
+id
+3
+call sp1();
+id
+3
+create view v2 as select x1 from t2 u where  x3 = 1;
+create view v as
+select v2.x1,
+( select sum(a1) from t2 where t2.x1 = v2.x1 ) m from v2;
+prepare stmt from "select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m";
+execute stmt;
+id
+3
+execute stmt;
+id
+3
+deallocate prepare stmt;
+create procedure sp2() select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m;
+call sp2();
+id
+3
+call sp2();
+id
+3
+drop procedure sp1;
+drop procedure sp2;
+drop view v, v2;
+drop table t1,t2;
 # End of 10.2 tests

mysql-test/t/derived_view.test

@@ -2376,4 +2376,56 @@ DROP PROCEDURE p1;
 DROP VIEW v1,v2,v3;
 DROP TABLE t1;
 
+--echo #
+--echo # MDEV-27212: 2-nd execution of PS for select with embedded derived tables
+--echo #             and correlated subquery in select list of outer derived
+--echo #
+create table t1 ( id int, id2 int ) engine=myisam;
+create table t2 ( x3 int , x1 int , x2 int, a1 int) engine=myisam;
+insert into t1 values (3, 2), (4, 2), (3, 4);
+insert into t2 values (1, 2, 2, 1), (1, 3, 3, 2), (2, 3, 3, 1);
+
+let $q=
+select id from t1
+               join
+               ( select dt2.x1,
+                        ( select sum(a1) from t2 where t2.x1 = dt2.x1 ) m
+                 from ( select x1 from t2 u where  x3 = 1 ) dt2
+               ) dt
+               on t1.id = dt.x1
+where t1.id2 < dt.m;
+
+eval prepare stmt from "$q";
+execute stmt;
+execute stmt;
+deallocate prepare stmt;
+
+eval create procedure sp1() $q;
+call sp1();
+call sp1();
+
+create view v2 as select x1 from t2 u where  x3 = 1;
+create view v as
+select v2.x1,
+       ( select sum(a1) from t2 where t2.x1 = v2.x1 ) m from v2;
+
+let $q=
+select id from t1 join v on t1.id = v.x1 where t1.id2 < v.m;
+
+eval prepare stmt from "$q";
+execute stmt;
+execute stmt;
+deallocate prepare stmt;
+
+eval create procedure sp2() $q;
+call sp2();
+call sp2();
+
+drop procedure sp1;
+drop procedure sp2;
+
+drop view v, v2;
+
+drop table t1,t2;
+
 --echo # End of 10.2 tests

sql/table.cc

@@ -5984,7 +5984,7 @@ Item *Field_iterator_view::create_item(THD *thd)
 Item *create_view_field(THD *thd, TABLE_LIST *view, Item **field_ref,
                         const char *name)
 {
-  bool save_wrapper= thd->lex->select_lex.no_wrap_view_item;
+  bool save_wrapper= thd->lex->current_select->no_wrap_view_item;
   Item *field= *field_ref;
   DBUG_ENTER("create_view_field");