Fix correlated subquery COUNT(*) returning NULL in ungrouped aggregates

[bendechrai]

Summary

Correlated scalar subqueries with COUNT(*) return NULL instead of 0 in ungrouped
aggregate queries when no rows match the outer WHERE clause. This is a data
corruption bug: the wrong NULL gets persisted via INSERT...SELECT and cannot be
recovered by a future patch.

This PR includes both the bug fix and a DST simulator improvement that catches
this bug class via differential testing.

Repro:

CREATE TABLE t1(a INTEGER, b INTEGER);
CREATE TABLE t2(a INTEGER, b INTEGER);
SELECT COUNT(*), (SELECT COUNT(*) FROM t2 WHERE t2.a = t1.a) FROM t1;

Expected (SQLite): 0|0
Before this PR: 0|NULL

Data corruption proof

CREATE TABLE dst(cnt INTEGER, sub_cnt INTEGER);
INSERT INTO dst SELECT COUNT(*), (SELECT COUNT(*) FROM t2 WHERE t2.a = t1.a) FROM t1;
SELECT cnt, typeof(cnt), sub_cnt, typeof(sub_cnt) FROM dst;

Expected (SQLite): 0|integer|0|integer
Before this PR: 0|integer||null -- NULL persisted to disk

Root cause

Correlated subqueries are emitted inside the scan loop body (in open_loop via
main_loop.rs). When no rows match, the loop body never executes at runtime,
the subquery bytecode never runs, and the result register keeps its initial NULL.

In emit_ungrouped_aggregation, the fallback path re-evaluates non-aggregate
columns via translate_expr_no_constant_opt, but this only reads the (still-NULL)
result register -- it does not re-execute the subquery.

Fix

• Before open_loop consumes the subquery plans, clone the plans for correlated
  subqueries in ungrouped aggregate queries (new field
  TranslateCtx::deferred_ungrouped_agg_subqueries).
• In emit_ungrouped_aggregation's fallback path (loop never ran), drain and
  emit these deferred subqueries via emit_non_from_clause_subquery. Cursors
  are in NullRow state, so correlated column refs resolve to NULL and COUNT(*)
  correctly returns 0.
• Skip this for contains_constant_false_condition (WHERE 0), where the Goto
  skips cursor initialization entirely.

DST simulator improvement

The simulator previously generated no aggregate functions and no correlated
subqueries. This PR adds query generation for:

SELECT COUNT(*), (SELECT COUNT(*) FROM t2 WHERE t2.col = t1.col) FROM t1 WHERE ...

Changes to sql_generation:

• Predicate::count_star(), subquery(), qualified_column() helpers
• Select::count_with_correlated_subquery() factory method
• 15% chance branch in Select::arbitrary() when 2+ tables exist
• dependencies() updated to track inner tables of subquery expressions

The differential testing oracle (Turso vs SQLite) now catches this bug class
automatically. Without this generation, the simulator passes on the buggy code;
with it, the mismatch is detected within seconds.

Before / After / SQLite comparison

Query	SQLite	Before	After
Empty table: SELECT COUNT(*), (SELECT COUNT(*) ...)	0|0	0|NULL	0|0
WHERE filters all rows	0|0	0|NULL	0|0
INSERT...SELECT typeof(sub_cnt)	integer	null	integer
Positive case (rows match)	3|2	3|2	3|2

Related PRs (different bugs)

• fix: IN(subquery) data corruption in ungrouped aggregates with NOT NULL columns #5591: IN subquery wrong value in ungrouped aggregate (stale cursor data, not missing eval)
• Fix stale values in ungrouped aggregate queries with no matching rows #5578: stale values from coroutine columns in ungrouped aggregates (CTE/FROM-clause subqueries)

Test plan

• New sqltest: correlated-subquery-ungrouped-aggregate.sqltest (6 cases)
• Full sqltest suite: 7223 passed, 0 new failures
• Simulator differential mode catches bug on buggy code, passes on fixed code
• cargo clippy --workspace --all-features --all-targets -- --deny=warnings
• cargo fmt

[turso-bot]

Please review @PThorpe92

[codspeed-hq]

Merging this PR will degrade performance by 15.5%

❌ 1 regressed benchmark
✅ 278 untouched benchmarks
⏩ 105 skipped benchmarks¹

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Mode	Benchmark	BASE	HEAD	Efficiency
❌	Simulation	ltrim_with_pattern	1.2 µs	1.4 µs	-15.5%

---

_{Comparing bendechrai:fix/correlated-subquery-ungrouped-aggregate (92895ad) with main (35ffd30)²}

Footnotes

1. 105 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

2. No successful run was found on main (adb9f4b) during the generation of this report, so 35ffd30 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[LeMikaelF]

I'm looking at the EXPLAINs for this, SQLite, and main, and there's something fishy with this fix, there's 3 AggFinal opcodes and the program is almost twice as long as SQLite's for the following query:

select count(*), (select count(*) where t.a) from t;

I see that you marked this as a draft again, so I'll let you work on it and review it again when you mark it ready again.