  1. MariaDB Server
  2. MDEV-39863

Crash in Item_func_not::fix_fields on HAVING (NOT a) AND TRUE

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 12.3.1
    • N/A
    • Optimizer
    • None
    • ubuntu22.04
    • Not for Release Notes

    Description

      Summary

      Server crash (SIGSEGV) occurs when executing a SELECT with GROUP BY and a compound HAVING condition containing a NOT operator.

      The crash is observed on a MariaDB 12.3.1 ASAN build. The related case `HAVING NOT a`, fixed in MDEV-19520, no longer crashes, but wrapped forms like `(NOT a) AND TRUE` still trigger a crash during optimization.

      Version

      MariaDB 12.3.1-MariaDB-asan-log
      

      Minimal reproducer

      CREATE TABLE t1 (a INT);
      INSERT INTO t1 VALUES (0), (1);
       
      SELECT a
      FROM t1
      GROUP BY a
      HAVING (NOT a) AND TRUE;
      

      Observed result: ERROR 2026 (HY000) at line 1: TLS/SSL error: unexpected eof while reading

      Control

      Bare NOT predicate executes successfully:

      SELECT a
      FROM t1
      GROUP BY a
      HAVING NOT a;
      

      Expected output:

      +---+
      | a |
      +---+
      | 0 |
      +---+
      

      Workaround

      Disabling the condition pushdown avoids the crash:

      SET SESSION optimizer_switch='condition_pushdown_from_having=off';
      SELECT a
      FROM t1
      GROUP BY a
      HAVING (NOT a) AND TRUE;
      

      Output:

      +---+
      | a |
      +---+
      | 0 |
      +---+
      

      Backtrace

      Representative frames from mysqld.err:

      Item_func_not::fix_fields()                    sql/item_cmpfunc.cc:6840
      st_select_lex::pushdown_from_having_into_where()  sql/sql_lex.cc:12646
      JOIN::optimize_inner()                         sql/sql_select.cc:2511
      JOIN::optimize()                               sql/sql_select.cc:2018
      mysql_select() / handle_select() / mysql_execute_command()
      

      Expected result

      Query should complete normally and return:

      +---+
      | a |
      +---+
      | 0 |
      +---+
      

      No SIGSEGV or internal crash should occur.

      Notes

      • The crash is caused by `Item_func_not` nodes surviving compound HAVING predicates during `condition_pushdown_from_having`.
      • The fix for MDEV-19520 only normalizes top-level `NOT` predicates; compound equivalents are not handled.
      • Suggested fix: normalize `NOT` predicates inside AND/OR wrappers or make `pushdown_from_having_into_where` robust to remaining `Item_func_not` nodes.

      Environment

      Item      Value
      --------  ----------------------------------------
      Version   12.3.1-MariaDB-asan-log
      Revision  21a0714a118614982d20bfa504763d7247800091
      OS        Linux x86_64 (RHEL 8.10 kernel 4.18)
      Build     ASAN

            People

              shipjain Shipra Jain
              mu mu