Bug#35621842: Rollup subquery segv

This is a simplified patch for 8.0.

The problem here is that a nameless field is presented to the function
find_item_in_list(). Since the search is name-based, it will fail.

The culprit is in Item::split_sum_func2(), which when presented with
an expression that contains a GROUPING field is supposed to split
the function's arguments, however it adds a reference to the expression.

The function is enhanced so that it also checks for this case.

Change-Id: Ib272698e2718c4a65eb8a71a8022d6ac527723e8

Author: roylyseng

sql/item.cc

@@ -2212,6 +2212,8 @@ void Item::split_sum_func2(THD *thd, Ref_item_array ref_item_array,
   const bool is_sum_func = type() == SUM_FUNC_ITEM && !m_is_window_function;
   if ((!is_sum_func && has_aggregation() && !m_is_window_function) ||
       (!m_is_window_function && has_wf()) ||
+      (has_grouping_func() &&
+       !is_function_of_type(this, Item_func::GROUPING_FUNC)) ||
       (type() == FUNC_ITEM && ((down_cast<Item_func *>(this))->functype() ==
                                    Item_func::ISNOTNULLTEST_FUNC ||
                                (down_cast<Item_func *>(this))->functype() ==

sql/sql_base.cc

@@ -8114,6 +8114,11 @@ bool find_item_in_list(THD *thd, Item *find, mem_root_deque<Item *> *items,
       find->type() == Item::FIELD_ITEM || find->type() == Item::REF_ITEM
           ? down_cast<Item_ident *>(find)
           : nullptr;
+  /*
+    Some items, such as Item_aggregate_ref, do not have a name and hence
+    can never be found.
+  */
+  assert(find_ident == nullptr || find_ident->field_name != nullptr);
 
   int i = 0;
   for (auto it = VisibleFields(*items).begin();