Improvements to the algorithm that determines which SELECT in a sequence
of nested SELECT statements that an aggregate function belongs to. This
resolves an issue identified by dbsqlfuzz.
FossilOrigin-Name: d768007473f4ed40abbdf2c7e501b580b1cc37c1620c7cb90af1f208a8c35145
diff --git a/src/expr.c b/src/expr.c
index 0332dc3..ba464f9 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -5297,7 +5297,10 @@
}
if( i<nSrc ){
p->nThis++;
- }else{
+ }else if( nSrc==0 || pExpr->iTable<pSrc->a[0].iCursor ){
+ /* In a well-formed parse tree (no name resolution errors),
+ /* TK_COLUMN nodes with smaller Expr.iTable values are in an
+ ** outer context. Those are the only ones to count as "other" */
p->nOther++;
}
}
@@ -5314,8 +5317,9 @@
Walker w;
struct SrcCount cnt;
assert( pExpr->op==TK_AGG_FUNCTION );
+ memset(&w, 0, sizeof(w));
w.xExprCallback = exprSrcCount;
- w.xSelectCallback = 0;
+ w.xSelectCallback = sqlite3SelectWalkNoop;
w.u.pSrcCount = &cnt;
cnt.pSrc = pSrcList;
cnt.nThis = 0;