Bug #111461 Server crash after running crafted SELECT statement
Submitted: 16 Jun 2023 12:57
Modified: 16 Jun 2023 13:07
Reporter: QI XIAODONG
Status: Duplicate
Impact on me: None
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 8.0.33
OS: Linux (Ubuntu 22.04)
Assigned to:
CPU Architecture: x86 (x86_64)

[16 Jun 2023 12:57] QI XIAODONG
Description:
MySQL server could crash with a crafted SELECT statement.

/usr/sbin/mysqld  Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
mysql  Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))

How to repeat:
1. Start MySQL Server Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
2. Start MySQL Client Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
3. Pipe init.sql into the client
4. Pipe case 127.sql into the client
5. Server crashed with a stack trace

(see the attached video)
[16 Jun 2023 12:59] QI XIAODONG
Uploaded mysql-bug-data-111461.zip to Oracle SFTP server
[16 Jun 2023 13:00] MySQL Verification Team
Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Because of this, we hope you add your comments to the original bug instead.

Thank you for your interest in MySQL.

The original bug number is:

https://bugs.mysql.com/bug.php?id=111460

Duplicate.
[16 Jun 2023 13:07] QI XIAODONG
As you think the bug is a dup, I'm attaching my stack trace of this bug to prove that they're different. I'm going to post another 7 bugs today.

2023-06-02T17:53:35Z UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=03172b8eeae9ab733eff94a4fc191f6acced9b6d
Thread pointer: 0x7f9d64000fd0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f9db460dc80 thread_stack 0x100000
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x563ad3d32961]
/usr/sbin/mysqld(print_fatal_signal(int)+0x3bc) [0x563ad3354b9c]
/usr/sbin/mysqld(handle_fatal_signal+0x95) [0x563ad3354c45]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f9dcb2ed520]
/usr/sbin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x1ac) [0x563ad32cd68c]
/usr/sbin/mysqld(Item_subselect::exec(THD*)+0x1a7) [0x563ad3539f87]
/usr/sbin/mysqld(Item_singlerow_subselect::val_real()+0x49) [0x563ad351c349]
/usr/sbin/mysqld(Item::evaluate(THD*, String*)+0x117) [0x563ad3480897]
/usr/sbin/mysqld(Item::update_null_value()+0x80) [0x563ad3480970]
/usr/sbin/mysqld(+0xa3ebb5) [0x563ad319bbb5]
/usr/sbin/mysqld(Item_func_isnull::resolve_type(THD*)+0x107) [0x563ad347efe7]
/usr/sbin/mysqld(Item_func::fix_fields(THD*, Item**)+0x117) [0x563ad34e0187]
/usr/sbin/mysqld(Item_func_isnull::fix_fields(THD*, Item**)+0x32) [0x563ad3485c22]
/usr/sbin/mysqld(Query_block::setup_join_cond(THD*, mem_root_deque<Table_ref*>*, bool)+0xda) [0x563ad32517ea]
/usr/sbin/mysqld(Query_block::setup_join_cond(THD*, mem_root_deque<Table_ref*>*, bool)+0x85) [0x563ad3251795]
/usr/sbin/mysqld(Query_block::setup_conds(THD*)+0x136) [0x563ad3251a56]
/usr/sbin/mysqld(Query_block::prepare(THD*, mem_root_deque<Item*>*)+0x465) [0x563ad3247aa5]
/usr/sbin/mysqld(Query_expression::prepare(THD*, Query_result*, mem_root_deque<Item*>*, unsigned long long, unsigned long long)+0x1d5) [0x563ad32de6f5]
/usr/sbin/mysqld(Item_subselect::fix_fields(THD*, Item**)+0x196) [0x563ad3539c36]
/usr/sbin/mysqld(Query_block::setup_join_cond(THD*, mem_root_deque<Table_ref*>*, bool)+0xda) [0x563ad32517ea]
/usr/sbin/mysqld(Query_block::setup_join_cond(THD*, mem_root_deque<Table_ref*>*, bool)+0x85) [0x563ad3251795]
/usr/sbin/mysqld(Query_block::setup_conds(THD*)+0x136) [0x563ad3251a56]
/usr/sbin/mysqld(Query_block::prepare(THD*, mem_root_deque<Item*>*)+0x465) [0x563ad3247aa5]
/usr/sbin/mysqld(Sql_cmd_select::prepare_inner(THD*)+0x100) [0x563ad325f240]
/usr/sbin/mysqld(Sql_cmd_dml::prepare(THD*)+0x2b9) [0x563ad326c309]
/usr/sbin/mysqld(Sql_cmd_dml::execute(THD*)+0xf2) [0x563ad325f442]
/usr/sbin/mysqld(mysql_execute_command(THD*, bool)+0x9e8) [0x563ad3214a28]
/usr/sbin/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x57c) [0x563ad321835c]
/usr/sbin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x1a5d) [0x563ad321a55d]
/usr/sbin/mysqld(do_command(THD*)+0x24d) [0x563ad321b0bd]
/usr/sbin/mysqld(+0xbf02a8) [0x563ad334d2a8]
/usr/sbin/mysqld(+0x19c2c5e) [0x563ad411fc5e]
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43) [0x7f9dcb33fb43]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f9dcb3d0bb4]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f9d6508de00): WITH  jennifer_0 AS (select       coalesce(ref_0.v3,       ref_0.v3) as c0,      ref_0.v5 as c1,      ref_0.v1 as c2,      ref_0.v0 as c3,      ref_0.v1 as c4,      ref_0.v1 as c5,      ref_0.v1 as c6,      ref_0.v1 as c7,      ref_0.v2 as c8,      ref_0.v1 as c9   from      test.table15 as ref_0   where ((false)        and (ref_0.v7 is not NULL))      or (EXISTS (       select             ref_1.v4 as c0,            ref_1.v5 as c1,            ref_0.v4 as c2,            ref_0.v7 as c3         from            test.table15 as ref_1         where (false)            or ((false)              or (false))))),   jennifer_1 AS (select       ref_2.v6 as c0   from      test.table15 as ref_2   where ref_2.v1 is NULL),   jennifer_2 AS (select       subq_0.c0 as c0,      subq_0.c1 as c1,      subq_0.c2 as c2,      subq_0.c2 as c3,      subq_0.c2 as c4,      subq_0.c1 as c5,      subq_0.c0 as c6,      subq_0.c2 as c7,      subq_0.c1 as c8,      subq_0.c3 as c9,      subq_0.c3 as c10,      nullif(subq_0.c2,       subq_0.c2) a
Connection ID (thread ID): 8
Status: NOT_KILLED
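As an added example (not part of the bug report or of MySQL's own tooling), a small Python parser for the mysqld crash-report format quoted above: it extracts the signal, the symbolized frames and the query line (which the server may print truncated, as it is here), and derives a stack signature from the faulting frame outward. A signature like this is what a triage queue compares when deciding whether two reports such as #111460 and this one are duplicates. The embedded sample is a constructed excerpt of the trace above with several frames omitted.

```python
import re
# Constructed excerpt of the mysqld crash report quoted above (several frames omitted).
SAMPLE_REPORT = """\
2023-06-02T17:53:35Z UTC - mysqld got signal 11 ;
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x563ad3d32961]
/usr/sbin/mysqld(print_fatal_signal(int)+0x3bc) [0x563ad3354b9c]
/usr/sbin/mysqld(handle_fatal_signal+0x95) [0x563ad3354c45]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f9dcb2ed520]
/usr/sbin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x1ac) [0x563ad32cd68c]
/usr/sbin/mysqld(Item_subselect::exec(THD*)+0x1a7) [0x563ad3539f87]
/usr/sbin/mysqld(Item_singlerow_subselect::val_real()+0x49) [0x563ad351c349]
/usr/sbin/mysqld(+0xa3ebb5) [0x563ad319bbb5]
/usr/sbin/mysqld(Item_func_isnull::resolve_type(THD*)+0x107) [0x563ad347efe7]
Query (7f9d6508de00): WITH jennifer_0 AS (select coalesce(ref_0.v3, ref_0.v3) as c0 from test.table15 as ref_0)
Connection ID (thread ID): 8
"""

def parse_frame(line: str):
    """Parse one '/path/obj(symbol+0xoff) [0xaddr]' backtrace line; None for any other line."""
    line = line.strip()
    if not (line.endswith("]") and ") [" in line and "(" in line):
        return None
    left, addr = line[:-1].rsplit(") [", 1)
    obj, inner = left.split("(", 1)          # obj = object file, inner = 'symbol+0xoff'
    sym, plus, off = inner.rpartition("+")   # sym is '' for unsymbolized frames like '+0xa3ebb5'
    return {"obj": obj, "symbol": (sym if plus else inner) or None,
            "offset": off if plus else None, "addr": addr}

def parse_crash_report(text: str) -> dict:
    """Collect signal, frames, query (may be truncated, as in the report above) and connection id."""
    rep = {"signal": None, "frames": [], "query": None, "connection_id": None}
    for line in text.splitlines():
        if m := re.search(r"mysqld got signal (\d+)", line):
            rep["signal"] = int(m.group(1))
        elif m := re.match(r"Query \([0-9a-f]+\): (.*)", line):
            rep["query"] = m.group(1).strip()
        elif m := re.match(r"Connection ID \(thread ID\): (\d+)", line):
            rep["connection_id"] = int(m.group(1))
        elif frame := parse_frame(line):
            rep["frames"].append(frame)
    return rep

def crash_signature(frames: list, depth: int = 5) -> str:
    """Function names from the faulting frame outward, skipping the signal-handler prologue and libc's trampoline."""
    names = [f["symbol"].split("(", 1)[0] if f["symbol"] else None for f in frames]
    start = names.index("handle_fatal_signal") + 1 if "handle_fatal_signal" in names else 0
    while start < len(names) and names[start] is None:   # unsymbolized libc signal trampoline
        start += 1
    return " <- ".join([n for n in names[start:] if n is not None][:depth])
```

Running it on the full trace in the comment above gives a signature starting at Query_expression::optimize, which can be compared with the one from the trace attached to bug #111460.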