MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd

            execution of PS

GROUP_CONCAT() with ORDER BY column position may crash server on PS reexecution.

The problem was that arguments array of GROUP_CONCAT() was adjusted to point to
temporary elements (resolved ORDER BY fields) during first execution.

This patch expands rev. 08763096 to restore original arguments array as well.

mysql-test/r/func_gconcat.result

@@ -1103,3 +1103,19 @@ ORDER BY field;
 field
 c,c
 drop table t3, t2, t1;
+#
+# MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
+#             execution of PS
+#
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(1),(2);
+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a";
+EXECUTE stmt;
+GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0)
+1,1
+2,2
+EXECUTE stmt;
+GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0)
+1,1
+2,2
+DROP TABLE t1;

mysql-test/t/func_gconcat.test

@@ -821,3 +821,14 @@ FROM ( SELECT * FROM t2 ) AS sq2, t3
 ORDER BY field;
 
 drop table t3, t2, t1;
+
+--echo #
+--echo # MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd
+--echo #             execution of PS
+--echo #
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(1),(2);
+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1a.a ORDER BY 1, t1a.a=0) FROM t1 AS t1a, t1 AS t1b GROUP BY t1a.a";
+EXECUTE stmt;
+EXECUTE stmt;
+DROP TABLE t1;

sql/item_sum.cc

@@ -3300,6 +3300,8 @@ void Item_func_group_concat::cleanup()
     from Item_func_group_concat::setup() to point to runtime
     created objects, we need to reset them back to the original
     arguments of the function.
+
+    The very same applies to args array.
   */
   ORDER **order_ptr= order;
   for (uint i= 0; i < arg_count_order; i++)
@@ -3307,6 +3309,7 @@ void Item_func_group_concat::cleanup()
     (*order_ptr)->item= &args[arg_count_field + i];
     order_ptr++;
   }
+  memcpy(args, orig_args, sizeof(Item *) * arg_count);
   DBUG_VOID_RETURN;
 }