MDEV-35815: use-after-poison_in_get_hash_symbol

When a PREPARED statment is executed twice, it is crashing during the
second execution.

For the following query: -
PREPARE stmt FROM 'SELECT tbl.subject AS fld FROM v1 AS tbl
GROUP BY fld HAVING 0 AND fld != 1';

Here v1 is a view on top of a table having a single longtext column.
The column "subject" in v1 is defined as an expression using "ifnull"
function.

During the first execution:
The Item "fld" in the HAVING clause, is an Item_ref instance with name
"fld", where it has a ref to another Item_ref instance with the same name "fld"
which in turn has a reference to another Item with name "subject".
In the join prepare stage, while in the call to setup_copy_fields() from
make_aggr_tables_info(), the name field of the last Item instance
is replaced with the name in second Item_ref instance. However, after
the first execution is done, the meory for the second Item_ref is freed.

Now, during the second execution of the same statement, when trying to
access name field Item_ref instance, it was getting crashed, because,
that memory was already freed earlier.

The fix is to allocate a new memory in the stmt_arena for the second
Item_ref instance's name->str field.

Author: bsrikanth-mariadb

mysql-test/main/having.result

@@ -1001,3 +1001,22 @@ DROP TABLE t1,t2;
 #
 # End of 10.5 tests
 #
+#
+# MDEV-35815: Crash in ASAN build due to accessing use-after-poison memory error
+#
+SET @save_optimizer_trace=@@optimizer_trace;
+SET optimizer_trace= 'enabled=on';
+CREATE TABLE t1 (subject LONGTEXT);
+INSERT INTO t1 VALUES ('a'), ('b');
+CREATE VIEW v1 AS (SELECT ifnull(json_value(subject,'$.subject'),'') AS subject FROM t1);
+PREPARE stmt FROM 'SELECT tbl.subject AS fld FROM v1 AS tbl GROUP BY fld HAVING 0 AND fld != 1';
+EXECUTE stmt;
+fld
+EXECUTE stmt;
+fld
+DROP TABLE t1;
+DROP VIEW v1;
+SET optimizer_trace= @save_optimizer_trace;
+#
+# End of 10.11 tests
+#

mysql-test/main/having.test

@@ -1056,3 +1056,25 @@ DROP TABLE t1,t2;
 --echo #
 --echo # End of 10.5 tests
 --echo #
+
+--echo #
+--echo # MDEV-35815: Crash in ASAN build due to accessing use-after-poison memory error
+--echo #
+SET @save_optimizer_trace=@@optimizer_trace;
+SET optimizer_trace= 'enabled=on';
+
+CREATE TABLE t1 (subject LONGTEXT);
+INSERT INTO t1 VALUES ('a'), ('b');
+CREATE VIEW v1 AS (SELECT ifnull(json_value(subject,'$.subject'),'') AS subject FROM t1);
+
+PREPARE stmt FROM 'SELECT tbl.subject AS fld FROM v1 AS tbl GROUP BY fld HAVING 0 AND fld != 1';
+
+EXECUTE stmt;
+EXECUTE stmt;
+
+DROP TABLE t1;
+DROP VIEW v1;
+SET optimizer_trace= @save_optimizer_trace;
+--echo #
+--echo # End of 10.11 tests
+--echo #

sql/sql_select.cc

@@ -28086,6 +28086,13 @@ setup_copy_fields(THD *thd, TMP_TABLE_PARAM *param,
 	      real_pos->type() == Item::COND_ITEM) &&
 	     !real_pos->with_sum_func())
     {						// Save for send fields
+      if (pos->name.length > 0)
+      {
+        Query_arena_stmt on_stmt_arena(thd);
+        if (on_stmt_arena.arena_replaced() &&
+            !(thd->mem_root->flags & ROOT_FLAG_READ_ONLY))
+          pos->name.str= strdup_root(thd->stmt_arena->mem_root, pos->name.str);
+      }
       LEX_CSTRING real_name= pos->name;
       pos= real_pos;
       pos->name= real_name;