Bug #111462 Server crash after running crafted SELECT statement
Submitted: 16 Jun 2023 13:10
Modified: 16 Jun 2023 13:18
Reporter: QI XIAODONG
Status: Duplicate
Category: MySQL Server
Severity: S1 (Critical)
Version: 8.0.33
OS: Linux (Ubuntu 22.04)
Assigned to:
CPU Architecture: x86 (x86_64)

[16 Jun 2023 13:10] QI XIAODONG
Description:
MySQL server could crash with a crafted SELECT statement.

/usr/sbin/mysqld  Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
mysql  Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))

As you may think they're the same bug, I'm posting every stack trace of the bug. THE STACK TRACES ARE DIFFERENT.

Thank you

2023-06-02T19:38:28Z UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=03172b8eeae9ab733eff94a4fc191f6acced9b6d
Thread pointer: 0x7f2564000fd0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f25a4510c80 thread_stack 0x100000
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x56311a50e961]
/usr/sbin/mysqld(print_fatal_signal(int)+0x3bc) [0x563119b30b9c]
/usr/sbin/mysqld(handle_fatal_signal+0x95) [0x563119b30c45]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f25cfda8520]
/usr/sbin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x1ac) [0x563119aa968c]
/usr/sbin/mysqld(Item_subselect::exec(THD*)+0x1a7) [0x563119d15f87]
/usr/sbin/mysqld(Item_singlerow_subselect::val_decimal(my_decimal*)+0x56) [0x563119cf8526]
/usr/sbin/mysqld(Item::evaluate(THD*, String*)+0x152) [0x563119c5c8d2]
/usr/sbin/mysqld(Item::update_null_value()+0x80) [0x563119c5c970]
/usr/sbin/mysqld(+0xa3ebb5) [0x563119977bb5]
/usr/sbin/mysqld(Item_func_isnotnull::val_int()+0x1b) [0x563119c58a0b]
/usr/sbin/mysqld(Item::val_bool()+0xcd) [0x563119c453bd]
/usr/sbin/mysqld(remove_eq_conds(THD*, Item*, Item**, Item::cond_result*)+0x168) [0x5631199dc598]
/usr/sbin/mysqld(remove_eq_conds(THD*, Item*, Item**, Item::cond_result*)+0xd6) [0x5631199dc506]
/usr/sbin/mysqld(optimize_cond(THD*, Item**, COND_EQUAL**, mem_root_deque<Table_ref*>*, Item::cond_result*)+0x292) [0x5631199ea312]
/usr/sbin/mysqld(JOIN::optimize(bool)+0x700) [0x5631199ced30]
/usr/sbin/mysqld(Query_block::optimize(THD*, bool)+0xc4) [0x563119a48744]
/usr/sbin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0xb9) [0x563119aa9599]
/usr/sbin/mysqld(Sql_cmd_dml::execute_inner(THD*)+0x34) [0x563119a3c084]
/usr/sbin/mysqld(Sql_cmd_dml::execute(THD*)+0x1c2) [0x563119a3b512]
/usr/sbin/mysqld(mysql_execute_command(THD*, bool)+0x9e8) [0x5631199f0a28]
/usr/sbin/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x57c) [0x5631199f435c]
/usr/sbin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x1a5d) [0x5631199f655d]
/usr/sbin/mysqld(do_command(THD*)+0x24d) [0x5631199f70bd]
/usr/sbin/mysqld(+0xbf02a8) [0x563119b292a8]
/usr/sbin/mysqld(+0x19c2c5e) [0x56311a8fbc5e]
/lib/x86_64-linux-gnu/libc.so.6(+0x94b43) [0x7f25cfdfab43]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7f25cfe8bbb4]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f2564d98060): select     subq_1.c4 as c0,    subq_1.c8 as c1,    subq_1.c7 as c2,    subq_1.c0 as c3,    subq_1.c7 as c4,    subq_1.c8 as c5 from    (select           (select v1 from test.table18)            as c0,          ref_3.v1 as c1,          ref_2.v1 as c2,          ref_2.v1 as c3,          subq_0.c0 as c4,          ref_2.v0 as c5,          ref_2.v0 as c6,          ref_2.v1 as c7,          subq_0.c0 as c8       from          (select                   ref_0.v1 as c0               from                  test.table18 as ref_0               where (((true)                      or ((EXISTS (                         select                               ref_0.v0 as c0,                              98 as c1,                              94 as c2,                              ref_1.v1 as c3,                              (select v1 from test.table18)                                as c4,                              ref_0.v0 as c5,                              ref_0.v1 as c6,                              ref_1.v1 as c7,        
Connection ID (thread ID): 8
Status: NOT_KILLED

How to repeat:

1. Start MySQL Server Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
2. Start MySQL Client Ver 8.0.33-0ubuntu0.22.04.2 for Linux on x86_64 ((Ubuntu))
3. Pipe init.sql into client 
4. Pipe case 130.sql into client 
5. Server crashed with stacktrace

(see the attached video)
[16 Jun 2023 13:16] QI XIAODONG
mysql-bug-data-111462-retry.zip uploaded successfully...
[16 Jun 2023 13:18] MySQL Verification Team
Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Because of this, we hope you add your comments to the original bug instead.

Thank you for your interest in MySQL.
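
For triaging crash logs like the one in this report, an added example (not part of the original thread and not MySQL code): it parses mysqld backtrace lines and derives a signature from the named frames below the signal handler, so traces from different runs can be compared despite differing load addresses. The `depth` parameter and the `TRACE_B` and `TRACE_C` samples are assumptions constructed for illustration.

```python
import hashlib
import re

# mysqld frame line: "<module>(<symbol>+0x<offset>) [0x<address>]"; symbol may be empty.
FRAME_RE = re.compile(
    r"^(?P<module>[^\s(]+)\((?P<symbol>.*)\+0x[0-9a-fA-F]+\)\s+\[0x[0-9a-fA-F]+\]$")
# Frames of the crash reporter itself, not of the faulting code path.
HANDLER = {"my_print_stacktrace", "print_fatal_signal", "handle_fatal_signal"}

def parse_frames(log_text):
    """Return (module, function) pairs; unsymbolized frames get an empty name."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            # Drop the argument list and offset: only the function name is stable.
            frames.append((m.group("module"), m.group("symbol").split("(", 1)[0]))
    return frames

def crash_signature(log_text, depth=4):
    """Top `depth` named frames below the signal handler, plus a short digest."""
    frames = parse_frames(log_text)
    start = max((i + 1 for i, (_, f) in enumerate(frames) if f in HANDLER), default=0)
    top = [f for _, f in frames[start:] if f][:depth]
    return top, hashlib.sha256("|".join(top).encode()).hexdigest()[:16]

# First frames of the trace in this report.
TRACE_A = """\
/usr/sbin/mysqld(print_fatal_signal(int)+0x3bc) [0x563119b30b9c]
/usr/sbin/mysqld(handle_fatal_signal+0x95) [0x563119b30c45]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f25cfda8520]
/usr/sbin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x1ac) [0x563119aa968c]
/usr/sbin/mysqld(Item_subselect::exec(THD*)+0x1a7) [0x563119d15f87]
/usr/sbin/mysqld(Item_singlerow_subselect::val_decimal(my_decimal*)+0x56) [0x563119cf8526]
/usr/sbin/mysqld(Item::evaluate(THD*, String*)+0x152) [0x563119c5c8d2]
"""
# Constructed: same frames with different load addresses (another run under ASLR).
TRACE_B = TRACE_A.replace("[0x5631", "[0x55d0").replace("[0x7f25", "[0x7f9a")
# Constructed: the faulting frame removed, standing in for a crash at another site.
TRACE_C = "\n".join(l for l in TRACE_A.splitlines() if "Query_expression" not in l)

if __name__ == "__main__":
    for name, trace in (("A", TRACE_A), ("B", TRACE_B), ("C", TRACE_C)):
        print(name, *crash_signature(trace))
```

Differing signatures indicate different crash sites, not necessarily different root causes.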