From e546077ee8f79131979f2b04925e76a4abe30aaf Mon Sep 17 00:00:00 2001
From: Georgi Kodinov
Date: Wed, 11 Mar 2009 14:10:44 +0200
Subject: [PATCH] Bug #43354: Use key hint can crash server in explain extended query
The copy of the original arguments of a aggregate function was not initialized until after fix_fields(). Sometimes (e.g. when there's an error processing the statement) the print() can be called with no corresponding fix_fields() call. Fixed by adding a check if the Item is fixed before using the arguments copy.
---
 mysql-test/r/explain.result | 4 ++++
 mysql-test/t/explain.test | 13 +++++++++++++
 sql/item_sum.cc | 3 ++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/explain.result b/mysql-test/r/explain.result
index 3aa189f4a9d..b0adc428e4c 100644
--- a/mysql-test/r/explain.result
+++ b/mysql-test/r/explain.result
@@ -155,3 +155,7 @@ id select_type table type possible_keys key key_len ref rows Extra
 Warnings:
 Note 1003 select 1 AS `1` from (select count(distinct `test`.`t1`.`a`) AS `COUNT(DISTINCT t1.a)` from `test`.`t1` join `test`.`t2` group by `test`.`t1`.`a`) `s1`
 DROP TABLE t1,t2;
+CREATE TABLE t1 (a INT PRIMARY KEY);
+EXPLAIN EXTENDED SELECT COUNT(a) FROM t1 USE KEY(a);
+ERROR HY000: Key 'a' doesn't exist in table 't1'
+DROP TABLE t1;
diff --git a/mysql-test/t/explain.test b/mysql-test/t/explain.test
index 0247aca82df..1bc98a8acb1 100644
--- a/mysql-test/t/explain.test
+++ b/mysql-test/t/explain.test
@@ -123,4 +123,17 @@ execute s1;
 DROP TABLE t1,t2;
+
+#
+# Bug #43354: Use key hint can crash server in explain extended query
+#
+
+CREATE TABLE t1 (a INT PRIMARY KEY);
+
+--error ER_KEY_DOES_NOT_EXITS
+EXPLAIN EXTENDED SELECT COUNT(a) FROM t1 USE KEY(a);
+
+DROP TABLE t1;
+
+
 # End of 5.0 tests.
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index d33d92a5238..57045f52825 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -440,7 +440,8 @@ void Item_sum::make_field(Send_field *tmp_field)
 void Item_sum::print(String *str)
 {
- Item **pargs= orig_args;
+ /* orig_args is not filled with valid values until fix_fields() */
+ Item **pargs= fixed ? orig_args : args;
 str->append(func_name());
 for (uint i=0 ; i < arg_count ; i++)
 {
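Review bot: The `fixed ? orig_args : args` guard protects only this one reader in Item_sum::print(); per the commit message the copy behind orig_args still holds uninitialized values until fix_fields() has run, so any other reader reached on an error path would dereference them the same way. Because the crash is reachable from an ordinary EXPLAIN EXTENDED statement, it would be more robust to fill orig_args when the arguments are first stored (the constructors are outside this hunk), or at least to state the invariant at the member declaration, e.g. `/* orig_args[] is valid only once fixed is set; read args before that */`. It is also worth confirming that fix_fields() sets `fixed` only after the copy into orig_args has completed, since a failure in between would otherwise leave print() reading a partly filled copy. The loop that consumes pargs continues past the end of the hunk.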