fix: IN(subquery) data corruption in ungrouped aggregates with NOT NULL columns

[vimalprakashts]

Summary

• Data corruption bug: IN(subquery) returns 1 instead of NULL in ungrouped aggregate queries where no rows match the WHERE clause, when the LHS column is declared NOT NULL
• Wrong values are physically stored via INSERT...SELECT, corrupting persistent data
• Root cause: the IN expression compiler skipped the IsNull check when the LHS column was NOT NULL, but NullRow (used in ungrouped aggregates with no matching rows) overrides all column values to NULL regardless of constraints
• Fix: always emit IsNull before NotFound/Found in IN expressions

Reproducer

CREATE TABLE src(a TEXT PRIMARY KEY, val REAL NOT NULL, flag INTEGER);
INSERT INTO src VALUES (NULL, 1.5, NULL);

-- Query returns 1|NULL instead of NULL|NULL
SELECT val IN (SELECT a FROM src), AVG(1) FROM src WHERE flag >= 99;

-- Wrong value gets stored (data corruption)
CREATE TABLE dst(in_result, agg_result);
INSERT INTO dst SELECT val IN (SELECT a FROM src), AVG(1) FROM src WHERE flag >= 99;
SELECT in_result, typeof(in_result) FROM dst;
-- SQLite: NULL|null
-- Turso (before fix): 1|integer

Simulator gap

IN(subquery) expression generation is commented out in sql_generation/generation/expr.rs line 177:

// TODO: skip InSelect as still need to implement ArbitratyFrom for Select

The differential fuzzer (which does generate IN subqueries) found this bug with seed 16648648351493581373.

Test plan

• 3 new regression tests in testing/runner/tests/in-subquery-ungrouped-aggregate.sqltest (all pass)
• Full sqltest suite: 6896 passed, 0 failed
• Core unit tests: 1339 passed
• cargo clippy clean
• Updated 3 bytecode snapshot tests

[turso-bot]

Please review @PThorpe92