From a4868c3509772da1666eb3d492515e7d39f8834d Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin <sanja@mariadb.com>
Date: Mon, 19 Dec 2016 22:03:28 +0100
Subject: [PATCH] MDEV-9208: Function->Function->View = Mysqld segfault (Server
 crashes in Dependency_marker::visit_field on 2nd execution with merged
 subquery)

Prevent crossing name resolution border in finding item tables.
---
 mysql-test/r/ps.result | 30 ++++++++++++++++++++++++++++++
 mysql-test/t/ps.test   | 26 ++++++++++++++++++++++++++
 sql/item.cc            |  6 +++++-
 3 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/ps.result b/mysql-test/r/ps.result
index f954583a097..e2c0d6567ac 100644
--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -4173,4 +4173,34 @@ Warnings:
 Note	1003	select `test`.`t1`.`id` AS `id`,`test`.`t1`.`c` AS `c` from `test`.`t1` where 0
 deallocate prepare stmt2;
 drop table t1;
+#
+# MDEV-9208: Function->Function->View = Mysqld segfault
+# (Server crashes in Dependency_marker::visit_field on 2nd
+# execution with merged subquery)
+#
+CREATE TABLE t1 (i1 INT);
+insert into t1 values(1),(2);
+CREATE TABLE t2 (i2 INT);
+insert into t2 values(1),(2);
+prepare stmt from "
+  select 1 from (
+    select
+      if (i1<0, 0, 0) as f1,
+      (select f1) as f2
+    from t1, t2
+  ) sq
+";
+execute stmt;
+1
+1
+1
+1
+1
+execute stmt;
+1
+1
+1
+1
+1
+drop table t1,t2;
 # End of 5.5 tests
diff --git a/mysql-test/t/ps.test b/mysql-test/t/ps.test
index cfd810fd625..dac0bbd4d29 100644
--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -3714,4 +3714,30 @@ deallocate prepare stmt2;
 
 drop table t1;
 
+--echo #
+--echo # MDEV-9208: Function->Function->View = Mysqld segfault
+--echo # (Server crashes in Dependency_marker::visit_field on 2nd
+--echo # execution with merged subquery)
+--echo #
+
+CREATE TABLE t1 (i1 INT);
+insert into t1 values(1),(2);
+
+CREATE TABLE t2 (i2 INT);
+insert into t2 values(1),(2);
+
+prepare stmt from "
+  select 1 from (
+    select
+      if (i1<0, 0, 0) as f1,
+      (select f1) as f2
+    from t1, t2
+  ) sq
+";
+
+execute stmt;
+execute stmt;
+
+drop table t1,t2;
+
 --echo # End of 5.5 tests
diff --git a/sql/item.cc b/sql/item.cc
index fdfbba31404..3100a4e3408 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -6876,7 +6876,11 @@ public:
     // Find which select the field is in. This is achieved by walking up 
     // the select tree and looking for the table of interest.
     st_select_lex *sel;
-    for (sel= current_select; sel; sel= sel->outer_select())
+    for (sel= current_select;
+         sel ;
+         sel= (sel->context.outer_context ?
+               sel->context.outer_context->select_lex:
+               NULL))
     {
       List_iterator<TABLE_LIST> li(sel->leaf_tables);
       TABLE_LIST *tbl;