MySQL Bugs: #107723: Assertion in add_having_as_tmp_table

Bug #107723	Assertion in add_having_as_tmp_table_cond() failure in MySQL 5.7.38
Submitted:	1 Jul 2022 11:02	Modified:	1 Jul 2022 11:43
Reporter:	Wang Ke	Email Updates:
Status:	Verified	Impact on me:	None
Category:	MySQL Server: Optimizer	Severity:	S6 (Debug Builds)
Version:	5.7.38	OS:	Any
Assigned to:		CPU Architecture:	Any
Tags:	assertion failure

Description:
An assertion failure occurred in mysql-5.7.38-debug-asan:

Log file:

```
2022-07-01T10:53:01.740019Z 0 [Note] /home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld: ready for connections.
Version: '5.7.38-debug-asan'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
mysqld: /home/mysql-server/mysql-5.7.38/sql/sql_select.cc:3440: bool JOIN::add_having_as_tmp_table_cond(uint): Assertion `having_cond->has_subquery() || !(having_cond->used_tables() & ~(1 | PSEUDO_TABLE_BITS))' failed.
10:54:16 UTC - mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
Attempting to collect some information that could help diagnose the problem.
As this is a crash and something is definitely wrong, the information
collection process might fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 68262 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x628000090100
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7fba34554d60 thread_stack 0x40000
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(__interceptor_backtrace+0x5b)[0xe4a13b]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(my_print_stacktrace+0x105)[0x32cf815]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(handle_fatal_signal+0x6ae)[0xf0c06e]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7fba5b2f2390]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7fba5a23b438]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7fba5a23d03a]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dbe7)[0x7fba5a233be7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc92)[0x7fba5a233c92]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_ZN4JOIN28add_having_as_tmp_table_condEj+0xc47)[0x288bb27]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_ZN4JOIN20make_tmp_tables_infoEv+0x3bf8)[0x288f928]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_ZN4JOIN8optimizeEv+0x7a39)[0x26a7e79]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_ZN13st_select_lex8optimizeEP3THD+0x294)[0x286a594]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_Z12handle_queryP3THDP3LEXP12Query_resultyy+0x9e2)[0x2869c72]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld[0x2752fa4]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_Z21mysql_execute_commandP3THDb+0x337c)[0x273842c]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_Z11mysql_parseP3THDP12Parser_state+0x137a)[0x273140a]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command+0x38de)[0x272b10e]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(_Z10do_commandP3THD+0x99a)[0x272e9fa]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(handle_connection+0x482)[0x2b5c6d2]
/home/mysql-server/mysql-5.7.38-origin-dev/bin/mysqld(pfs_spawn_thread+0x324)[0x433d7a4]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7fba5b2e86ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7fba5a30d51d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (611000109cf0): SELECT HIGH_PRIORITY ra1 . a , 2 ca0 FROM t1 ra0 , t1 ra1 WHERE ra1 . a = ra1 . b HAVING 1 IN ( SELECT ra1 . a ORDER BY ra0 . b DESC ) ORDER BY ra1 . a NOT IN ( 's' , ra1 . a )
Connection ID (thread ID): 2
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
```

It's observed that release build isn't affected.

How to repeat:
Test case:

```
CREATE TABLE t1 ( a INT , b VARCHAR ( 1 ) , KEY ( b , a ) ) ENGINE = InnoDB ;
INSERT INTO t1 VALUES ( 1 , 'v' ) , ( 2 , 's' ) ;
CREATE TABLE t2 ( c INT , KEY ( c ) ) ENGINE = InnoDB ;
INSERT INTO t2 VALUES ( 1 ) , ( 3 ) ;
SELECT HIGH_PRIORITY ra1 . a , 2 ca0 FROM t1 ra0 , t1 ra1 WHERE ra1 . a = ra1 . b HAVING 1 IN ( SELECT ra1 . a ORDER BY ra0 . b DESC ) ORDER BY ra1 . a NOT IN ( 's' , ra1 . a ) ;
```

Hello Wang Ke,

Thank you for the report and test case.
Observed that 5.7.38 debug build is affected with provided test case.

regards,
Umesh

- 5.7.38 release build not affected

rm -rf 107723/
bin/mysqld --initialize-insecure --basedir=$PWD --datadir=$PWD/107723 --log-error-verbosity=3
bin/mysqld --no-defaults --basedir=$PWD --datadir=$PWD/107723 --core-file --socket=/tmp/mysql.sock --port=3306 --log-error=$PWD/107723/log.err --log-error-verbosity=3 --secure-file-priv=""  --performance-schema=ON 2>&1 &
bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.38 MySQL Community Server (GPL)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database test;
Query OK, 1 row affected (0.00 sec)

mysql> use test
Database changed
mysql> CREATE TABLE t1 ( a INT , b VARCHAR ( 1 ) , KEY ( b , a ) ) ENGINE = InnoDB ;
Query OK, 0 rows affected (0.01 sec)

mysql> INSERT INTO t1 VALUES ( 1 , 'v' ) , ( 2 , 's' ) ;
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> CREATE TABLE t2 ( c INT , KEY ( c ) ) ENGINE = InnoDB ;
Query OK, 0 rows affected (0.01 sec)

mysql> INSERT INTO t2 VALUES ( 1 ) , ( 3 ) ;
Query OK, 2 rows affected (0.00 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> SELECT HIGH_PRIORITY ra1 . a , 2 ca0 FROM t1 ra0 , t1 ra1 WHERE ra1 . a = ra1 . b HAVING 1 IN ( SELECT ra1 . a ORDER BY ra0 . b DESC ) ORDER BY ra1 . a NOT IN ( 's' , ra1 . a ) ;
Empty set, 2 warnings (0.00 sec)

-- 5.7.38 debug build affected

 bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.38-debug MySQL Community Server - Debug (GPL)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT HIGH_PRIORITY ra1 . a , 2 ca0 FROM t1 ra0 , t1 ra1 WHERE ra1 . a = ra1 . b HAVING 1 IN ( SELECT ra1 . a ORDER BY ra0 . b DESC ) ORDER BY ra1 . a NOT IN ( 's' , ra1 . a ) ;
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>