Description:
Dear MySQL developers,
I used my new fuzzer to fuzz MySQL and found a logic bug that make MySQL server output inconsistent results.
How to repeat:
*** Set up the database ***
create table t1 (vkey int, pkey int);
insert into t1 values (3, 13000);
insert into t1 values (5, 15000);
insert into t1 values (28, 38000);
*** Test Case 1 ***
select
count(*) as c_1
from
t1 as ref_0
where (REPEAT(REPEAT(case when (null <= ref_0.vkey) then (null) else (case when false then ('o#W4O') else ('o#W4O') end) end, ref_0.vkey), ref_0.pkey)) >= 'i';
I simplified "(case when false then ('o#W4O') else ('o#W4O') end)" to "('o#W4O')", and got Test Case 2:
*** Test Case 2 ***
select
count(*) as c_1
from
t1 as ref_0
where (REPEAT(REPEAT(case when (null <= ref_0.vkey) then (null) else ('o#W4O') end, ref_0.vkey), ref_0.pkey)) >= 'i';
*** Expected results ***
Test Case 1 and Test Case 2 return the same results.
*** Actual results ***
Test Case 1 and Test Case 2 return inconsistent results.
Test Case 1 return:
+-----+
| c_1 |
+-----+
| 2 |
+-----+
1 row in set, 1 warning (0.01 sec)
Test Case 2 return:
+-----+
| c_1 |
+-----+
| 3 |
+-----+
1 row in set (0.01 sec)
*** Note ***
The bug can be reproduced in version 8.0.3 - 8.0.34. In version 5.6, 5.7 and 8.0.0 - 8.0.2, both Test Case 1 and 2 return the same results:
+-----+
| c_1 |
+-----+
| 2 |
+-----+
1 row in set, 1 warning (0.00 sec)
In version 5.5, Test Case 1 and Test Case 2 also return inconsistent results:
Test Case 1 return:
+-----+
| c_1 |
+-----+
| 1 |
+-----+
1 row in set, 2 warnings (0.00 sec)
Test Case 2 return:
+-----+
| c_1 |
+-----+
| 2 |
+-----+
1 row in set, 1 warning (0.01 sec)
Description: Dear MySQL developers, I used my new fuzzer to fuzz MySQL and found a logic bug that make MySQL server output inconsistent results. How to repeat: *** Set up the database *** create table t1 (vkey int, pkey int); insert into t1 values (3, 13000); insert into t1 values (5, 15000); insert into t1 values (28, 38000); *** Test Case 1 *** select count(*) as c_1 from t1 as ref_0 where (REPEAT(REPEAT(case when (null <= ref_0.vkey) then (null) else (case when false then ('o#W4O') else ('o#W4O') end) end, ref_0.vkey), ref_0.pkey)) >= 'i'; I simplified "(case when false then ('o#W4O') else ('o#W4O') end)" to "('o#W4O')", and got Test Case 2: *** Test Case 2 *** select count(*) as c_1 from t1 as ref_0 where (REPEAT(REPEAT(case when (null <= ref_0.vkey) then (null) else ('o#W4O') end, ref_0.vkey), ref_0.pkey)) >= 'i'; *** Expected results *** Test Case 1 and Test Case 2 return the same results. *** Actual results *** Test Case 1 and Test Case 2 return inconsistent results. Test Case 1 return: +-----+ | c_1 | +-----+ | 2 | +-----+ 1 row in set, 1 warning (0.01 sec) Test Case 2 return: +-----+ | c_1 | +-----+ | 3 | +-----+ 1 row in set (0.01 sec) *** Note *** The bug can be reproduced in version 8.0.3 - 8.0.34. In version 5.6, 5.7 and 8.0.0 - 8.0.2, both Test Case 1 and 2 return the same results: +-----+ | c_1 | +-----+ | 2 | +-----+ 1 row in set, 1 warning (0.00 sec) In version 5.5, Test Case 1 and Test Case 2 also return inconsistent results: Test Case 1 return: +-----+ | c_1 | +-----+ | 1 | +-----+ 1 row in set, 2 warnings (0.00 sec) Test Case 2 return: +-----+ | c_1 | +-----+ | 2 | +-----+ 1 row in set, 1 warning (0.01 sec)