Bug #112698 Assertion failure in Item_func_like::Item_func_like
Submitted: 12 Oct 2023 7:03
Modified: 12 Oct 2023 7:12
Reporter: Wang Ke
Status: Verified
Category: MySQL Server: Parser
Severity: S6 (Debug Builds)
Version: 8.1.0, 8.0.34
OS: Any
Assigned to:
CPU Architecture: Any
Tags: parser error

[12 Oct 2023 7:03] Wang Ke
Description:
A SELECT statement triggered a crash in MySQL 8.1.0 debug version.

Here is the Asan log (debug version):

```
mysqld: /home/mysql-8.1.0/sql/item_cmpfunc.h:2377: Item_func_like::Item_func_like(const POS &, Item *, Item *, Item *): Assertion `escape_arg != nullptr' failed.
2023-10-12T03:15:29Z UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=d41d0359075d9acaf807cea3acc3b128cdec5219
Thread pointer: 0x6270002bc100
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f53b0d00a20 thread_stack 0x100000
/home/mysql-8.1.0-origin/bin/mysqld(__interceptor_backtrace+0x5b) [0x649134b]
/home/mysql-8.1.0-origin/bin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x10d) [0xbfde8ed]
/home/mysql-8.1.0-origin/bin/mysqld(print_fatal_signal(int)+0x552) [0x8979ee2]
/home/mysql-8.1.0-origin/bin/mysqld(handle_fatal_signal+0x175) [0x897a5c5]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390) [0x7f53e2673390]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38) [0x7f53e095c438]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a) [0x7f53e095e03a]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dbe7) [0x7f53e0954be7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc92) [0x7f53e0954c92]
/home/mysql-8.1.0-origin/bin/mysqld() [0x7bcb3e1]
/home/mysql-8.1.0-origin/bin/mysqld(my_sql_parser_parse(THD*, Parse_tree_root**)+0xa5c6) [0x7b42c86]
/home/mysql-8.1.0-origin/bin/mysqld(THD::sql_parser()+0xec) [0x7af60ec]
/home/mysql-8.1.0-origin/bin/mysqld(parse_sql(THD*, Parser_state*, Object_creation_ctx*)+0x6b2) [0x80bc692]
/home/mysql-8.1.0-origin/bin/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x525) [0x8093865]
/home/mysql-8.1.0-origin/bin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x377a) [0x808522a]
/home/mysql-8.1.0-origin/bin/mysqld(do_command(THD*)+0x12ee) [0x80902be]
/home/mysql-8.1.0-origin/bin/mysqld() [0x88ff832]
/home/mysql-8.1.0-origin/bin/mysqld() [0xeb1629a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba) [0x7f53e26696ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x7f53e0a2e51d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (6120002f4c70): SELECT CAST( TIME 'x' AS DOUBLE ARRAY ) ca5 FROM v0 ra10 LEFT JOIN v0 AS ra11 ON 255 / 1.000000 AND maketime( 2147483648 , 'deadbeef' NOT LIKE 'deadbeef' ESCAPE CAST( false || true AS CHAR ARRAY ) ) UNION SELECT CAST( NOW( ) AS FLOAT ) ca6 FROM v1 ra12
Connection ID (thread ID): 8
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
2023-10-12T03:15:29.462294Z mysqld_safe Number of processes running now: 0
2023-10-12T03:15:29.464185Z mysqld_safe mysqld restarted
```

In release version:

```
Server version: 8.1.0-asan Source distribution

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database mytest;
Query OK, 1 row affected (0.02 sec)

mysql> use mytest
Database changed
mysql> SELECT CAST( TIME 'x' AS DOUBLE ARRAY ) ca5 FROM v0 ra10 LEFT JOIN v0 AS ra11 ON 255 / 1.000000 AND maketime( 2147483648 , 'deadbeef' NOT LIKE 'deadbeef' ESCAPE CAST
( false || true AS CHAR ARRAY ) ) UNION SELECT CAST( NOW( ) AS FLOAT ) ca6 FROM v1 ra12 ;
ERROR 1235 (42000): This version of MySQL doesn't yet support 'CAST-ing data to array of DOUBLE'
mysql> 
```

How to repeat:
Test case:

```
SELECT CAST( TIME 'x' AS DOUBLE ARRAY ) ca5 FROM v0 ra10 LEFT JOIN v0 AS ra11 ON 255 / 1.000000 AND maketime( 2147483648 , 'deadbeef' NOT LIKE 'deadbeef' ESCAPE CAST( false || true AS CHAR ARRAY ) ) UNION SELECT CAST( NOW( ) AS FLOAT ) ca6 FROM v1 ra12 ;
```
[12 Oct 2023 7:12] MySQL Verification Team
Hello Wang Ke,

Thank you for the report and test case.
Observed that 8.0.34 debug build is affected.

regards,
Umesh
[12 Oct 2023 7:12] MySQL Verification Team
-- debug build

```
 ./mtr --nocheck-testcases bug112698 --debug-server
Logging: ./mtr  --nocheck-testcases bug112698 --debug-server
MySQL Version 8.0.34
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Checking leftover processes
Removing old var directory
Creating var directory '/export/home/tmp/ushastry/mysql-8.0.34/mysql-test/var'
Installing system database
Using parallel: 1

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
SELECT CAST( TIME 'x' AS DOUBLE ARRAY ) ca5 FROM v0 ra10 LEFT JOIN v0 AS ra11 ON 255 / 1.000000 AND maketime( 2147483648 , 'deadbeef' NOT LIKE 'deadbeef' ESCAPE CAST( false || true AS CHAR ARRAY ) ) UNION SELECT CAST( NOW( ) AS FLOAT ) ca6 FROM v1 ra12 ;
[ 50%] main.bug112698                            [ fail ]
        Test ended at 2023-10-12 09:12:05

CURRENT_TEST: main.bug112698
mysqltest: At line 1: Query 'SELECT CAST( TIME 'x' AS DOUBLE ARRAY ) ca5 FROM v0 ra10 LEFT JOIN v0 AS ra11 ON 255 / 1.000000 AND maketime( 2147483648 , 'deadbeef' NOT LIKE 'deadbeef' ESCAPE CAST( false || true AS CHAR ARRAY ) ) UNION SELECT CAST( NOW( ) AS FLOAT ) ca6 FROM v1 ra12 ' failed.
ERROR 2013 (HY000): Lost connection to MySQL server during query
```

-bt

```
#0  0x00007f65c2ff0aa1 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000402c28e in my_write_core(int) ()
#2  0x00000000032d235e in handle_fatal_signal ()
#3  <signal handler called>
#4  0x00007f65c133b387 in raise () from /lib64/libc.so.6
#5  0x00007f65c133ca78 in abort () from /lib64/libc.so.6
#6  0x00007f65c13341a6 in __assert_fail_base () from /lib64/libc.so.6
#7  0x00007f65c1334252 in __assert_fail () from /lib64/libc.so.6
#8  0x000000000330791d in Item_func_like::Item_func_like(YYLTYPE const&, Item*, Item*, Item*) ()
#9  0x00000000032ec83d in MYSQLparse(THD*, Parse_tree_root**) ()
#10 0x00000000030c3945 in THD::sql_parser() ()
#11 0x000000000315a07c in parse_sql(THD*, Parser_state*, Object_creation_ctx*) ()
#12 0x00000000031622b6 in dispatch_sql_command(THD*, Parser_state*) ()
#13 0x0000000003163cd5 in dispatch_command(THD*, COM_DATA const*, enum_server_command) ()
#14 0x000000000316596c in do_command(THD*) ()
#15 0x00000000032c437c in handle_connection ()
#16 0x00000000047e1af5 in pfs_spawn_thread ()
#17 0x00007f65c2febea5 in start_thread () from /lib64/libpthread.so.0
#18 0x00007f65c1403b2d in clone () from /lib64/libc.so.6
```
[13 Oct 2023 7:25] Roy Lyseng
Posted by developer:
 
Duplicate of bug#35451479.
Fixed in 8.2.0.