From c72c77ca3bcb9d29903f95bf37c9930224984d29 Mon Sep 17 00:00:00 2001
From: Sergei Petrunia <psergey@askmonty.org>
Date: Fri, 23 Apr 2021 19:28:48 +0300
Subject: [PATCH 1/3] MDEV-24925: Server crashes in
 Item_subselect::init_expr_cache_tracker

(trivial backport to 10.2)
The optimizer removes redundant GROUP BY operations. If GROUP BY element
is a subselect, it is "eliminated".

However one must not eliminate the item if it is used both in the select
list and in the GROUP BY, like so:

  select (select ... ) as SUBQ from ... group by SUBQ

Do not eliminate such items.
---
 mysql-test/r/subselect4.result | 50 ++++++++++++++++++++++++++++++++++
 mysql-test/t/subselect4.test   | 32 ++++++++++++++++++++++
 sql/sql_select.cc              | 11 +++++++-
 3 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/subselect4.result b/mysql-test/r/subselect4.result
index 2e24cbcb40c..ef75bd97fcc 100644
--- a/mysql-test/r/subselect4.result
+++ b/mysql-test/r/subselect4.result
@@ -2722,3 +2722,53 @@ SELECT a FROM t1 WHERE (a, a) IN (SELECT 1, 2) AND a = (SELECT MIN(b) FROM t2);
 a
 DROP TABLE t1,t2;
 # End of 10.2 tests
+#
+# MDEV-24925: Server crashes in Item_subselect::init_expr_cache_tracker
+#
+CREATE TABLE t1 (id INT PRIMARY KEY);
+INSERT INTO t1 VALUES (1),(2);
+SELECT
+1 IN (
+SELECT
+(SELECT COUNT(id)
+FROM t1
+WHERE t1_outer.id <> id
+) AS f
+FROM
+t1 AS t1_outer
+GROUP BY f
+);
+1 IN (
+SELECT
+(SELECT COUNT(id)
+FROM t1
+WHERE t1_outer.id <> id
+) AS f
+FROM
+t1 AS t1_outer
+GROUP BY f
+)
+1
+SELECT
+1 IN (
+SELECT
+(SELECT COUNT(id)
+FROM t1
+WHERE t1_outer.id <> id
+) AS f
+FROM
+t1 AS t1_outer
+GROUP BY 1
+);
+1 IN (
+SELECT
+(SELECT COUNT(id)
+FROM t1
+WHERE t1_outer.id <> id
+) AS f
+FROM
+t1 AS t1_outer
+GROUP BY 1
+)
+1
+DROP TABLE t1;
diff --git a/mysql-test/t/subselect4.test b/mysql-test/t/subselect4.test
index f19a654de64..dae9e71fd92 100644
--- a/mysql-test/t/subselect4.test
+++ b/mysql-test/t/subselect4.test
@@ -2237,3 +2237,35 @@ SELECT a FROM t1 WHERE (a, a) IN (SELECT 1, 2) AND a = (SELECT MIN(b) FROM t2);
 DROP TABLE t1,t2;
 
 --echo # End of 10.2 tests
+
+--echo #
+--echo # MDEV-24925: Server crashes in Item_subselect::init_expr_cache_tracker
+--echo #
+CREATE TABLE t1 (id INT PRIMARY KEY);
+INSERT INTO t1 VALUES (1),(2);
+
+SELECT
+  1 IN (
+    SELECT
+      (SELECT COUNT(id)
+       FROM t1
+       WHERE t1_outer.id <> id
+       ) AS f
+    FROM
+      t1 AS t1_outer
+    GROUP BY f
+  );
+
+SELECT
+  1 IN (
+    SELECT
+      (SELECT COUNT(id)
+       FROM t1
+       WHERE t1_outer.id <> id
+       ) AS f
+    FROM
+      t1 AS t1_outer
+    GROUP BY 1
+  );
+
+DROP TABLE t1;
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 90c071803a1..b85bd31e23c 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -585,7 +585,16 @@ void remove_redundant_subquery_clauses(st_select_lex *subq_select_lex)
   {
     for (ORDER *ord= subq_select_lex->group_list.first; ord; ord= ord->next)
     {
-      (*ord->item)->walk(&Item::eliminate_subselect_processor, FALSE, NULL);
+      /*
+        Do not remove the item if it is used in select list and then referred
+        from GROUP BY clause by its name or number. Example:
+
+          select (select ... ) as SUBQ ...  group by SUBQ
+
+        Here SUBQ cannot be removed.
+      */
+      if (!ord->in_field_list)
+        (*ord->item)->walk(&Item::eliminate_subselect_processor, FALSE, NULL);
     }
     subq_select_lex->join->group_list= NULL;
     subq_select_lex->group_list.empty();

From 2f6912dabcb85382eea004f590ad51815c20e5c5 Mon Sep 17 00:00:00 2001
From: Sergei Petrunia <psergey@askmonty.org>
Date: Fri, 23 Apr 2021 19:45:09 +0300
Subject: [PATCH 2/3] MDEV-24898: Server crashes in st_select_lex::next_select

(trivial backport to 10.2)
Add a testcase
---
 mysql-test/r/subselect4.result | 11 +++++++++++
 mysql-test/t/subselect4.test   | 13 +++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/mysql-test/r/subselect4.result b/mysql-test/r/subselect4.result
index ef75bd97fcc..4021f717964 100644
--- a/mysql-test/r/subselect4.result
+++ b/mysql-test/r/subselect4.result
@@ -2772,3 +2772,14 @@ GROUP BY 1
 )
 1
 DROP TABLE t1;
+#
+#  MDEV-24898: Server crashes in st_select_lex::next_select / Item_subselect::is_expensive
+#  (Testcase)
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2);
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (3),(4);
+SELECT 1 IN (SELECT (SELECT a FROM t1) AS x FROM t2 GROUP BY x);
+ERROR 21000: Subquery returns more than 1 row
+drop table t1,t2;
diff --git a/mysql-test/t/subselect4.test b/mysql-test/t/subselect4.test
index dae9e71fd92..e218e3aab18 100644
--- a/mysql-test/t/subselect4.test
+++ b/mysql-test/t/subselect4.test
@@ -2269,3 +2269,16 @@ SELECT
   );
 
 DROP TABLE t1;
+
+--echo #
+--echo #  MDEV-24898: Server crashes in st_select_lex::next_select / Item_subselect::is_expensive
+--echo #  (Testcase)
+--echo #
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2); # Optional, fails either way
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (3),(4); # Optional, fails either way
+
+--error ER_SUBQUERY_NO_1_ROW
+SELECT 1 IN (SELECT (SELECT a FROM t1) AS x FROM t2 GROUP BY x);
+drop table t1,t2;

From a35cde8cd8364edc0a23752fc5fde442c8b78a0a Mon Sep 17 00:00:00 2001
From: Daniel Black <daniel@mariadb.org>
Date: Tue, 27 Apr 2021 08:17:37 +1000
Subject: [PATCH 3/3] MDEV-25513: raise systemd LimitNOFILE limits to match
 server defaults

Quoting MDEV reporter Daniel Lewart:

Starting MariaDB with default configuration causes the following problems:

    "[Warning] Could not increase number of max_open_files to more than 16384 (request: 32186)"
    silently reduces table_open_cache_instances from 8 (default) to 4

Default Server System Variables:

    extra_max_connections = 1
    max_connections = 151
    table_open_cache = 2000
    table_open_cache_instances = 8
    thread_pool_size = 4

LimitNOFILE=16834 is in the following files:

    support-files/mariadb.service.in
    support-files/mariadb@.service.in

Looking at sql/mysqld.cc lines 3837-3917:
wanted_files= (extra_files + max_connections + extra_max_connections +
tc_size * 2 * tc_instances);
wanted_files+= threadpool_size;

Plugging in the default values:
wanted_files = (30 + 151 + 1 + 2000 * 2 * 8 + 4) = 32186

However, systemd configuration has LimitNOFILE = 16384, which is far smaller.

I suggest increasing LimitNOFILE to 32768.
---
 support-files/mariadb.service.in  | 2 +-
 support-files/mariadb@.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 245c506c117..7c885b1f6e9 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -142,7 +142,7 @@ TimeoutStopSec=900
 ##
 
 # Number of files limit. previously [mysqld_safe] open-files-limit
-LimitNOFILE=16384
+LimitNOFILE=32768
 
 # Maximium core size. previously [mysqld_safe] core-file-size
 # LimitCore=
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index a487e22521b..d625ce67396 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -168,7 +168,7 @@ TimeoutStopSec=900
 ##
 
 # Number of files limit. previously [mysqld_safe] open-files-limit
-LimitNOFILE=16384
+LimitNOFILE=32768
 
 # Maximium core size. previously [mysqld_safe] core-file-size
 # LimitCore=