Bug #112720 Query triggers an assertion Failure in eval_const_cond
Submitted: 13 Oct 2023 15:41 Modified: 14 Oct 2023 14:23
Reporter: Yupeng Yang
Status: Verified
Category:MySQL Server: DML Severity:S6 (Debug Builds)
Version:8.1.0, 8.0.34 OS:Ubuntu (20.04)
Assigned to: CPU Architecture:Any

[13 Oct 2023 15:41] Yupeng Yang
Description:
Hi there, issuing the following query from the MySQL client against a debug-asan build of MySQL Server 8.1.0 triggers an assertion failure (`cond->may_evaluate_const(thd)` in `eval_const_cond`, sql/item_func.cc:313) and aborts the server with signal 6. The query references no tables, so it appears to need nothing beyond an authenticated session that can run a SELECT. Note that this is a debug-build assertion (severity S6); this report does not show how a release build, where the assert is compiled out, behaves on the same input.

```
select 1 as i union select 2 order by ( i < LEFT ( 100 + 20 , BINARY ( case when i < ( select ( select 'zero' as "text" union select 1 + ISNULL ( ( i < 0 ) and ( select ( SELECT case when 0E11 then 0E11 end as "float" WHERE ( SELECT ( select ( SELECT case when 0E11 then 3 end as "float" WHERE 0E11 / 0 ) as "text" ) WHERE ( SELECT case when 0E11 then 0E11 end as "float" WHERE - TRUE and LOCALTIMESTAMP ( 4 ) is not null ) ) || ' !' ) as "text" ) is not null or ( i < 0 ) * 0 ) ) as "text" ) then 1 / 0 when ( select 193965 + 4 as "text" ) then 1 else 2 / 0 end ) ) ) ;
```

Crash dump:

```
2023-10-13T03:20:30.372758Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2023-10-13T03:20:30.635079Z 0 [System] [MY-010116] [Server] /usr/local/mysql/bin/mysqld (mysqld 8.1.0-debug-asan) starting as process 78
2023-10-13T03:20:30.666534Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-10-13T03:20:31.951499Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-10-13T03:20:35.576834Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2023-10-13T03:20:35.576913Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2023-10-13T03:20:35.902517Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2023-10-13T03:20:35.906590Z 0 [System] [MY-010931] [Server] /usr/local/mysql/bin/mysqld: ready for connections. Version: '8.1.0-debug-asan'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution.
mysqld: /home/mysql/sql/item_func.cc:313: bool eval_const_cond(THD *, Item *, bool *): Assertion `cond->may_evaluate_const(thd)' failed.
2023-10-13T10:27:55Z UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
BuildID[sha1]=46567e8a0dcddd28c977d8fce98802ffe3eb8f57
Thread pointer: 0x627000670900
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7fa337541940 thread_stack 0x100000
/usr/local/mysql/bin/mysqld(__interceptor_backtrace+0x5b) [0x55c1f5abf99b]
/usr/local/mysql/bin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0xf9) [0x55c1f969bc49]
/usr/local/mysql/bin/mysqld(print_fatal_signal(int)+0x4fa) [0x55c1f726f2ba]
/usr/local/mysql/bin/mysqld(handle_fatal_signal+0xba) [0x55c1f726f6ea]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7fa361293520]
/lib/x86_64-linux-gnu/libc.so.6(pthread_kill+0x12c) [0x7fa3612e79fc]
/lib/x86_64-linux-gnu/libc.so.6(raise+0x16) [0x7fa361293476]
/lib/x86_64-linux-gnu/libc.so.6(abort+0xd3) [0x7fa3612797f3]
/lib/x86_64-linux-gnu/libc.so.6(+0x2871b) [0x7fa36127971b]
/lib/x86_64-linux-gnu/libc.so.6(+0x39e96) [0x7fa36128ae96]
/usr/local/mysql/bin/mysqld(eval_const_cond(THD*, Item*, bool*)+0xfb) [0x55c1f5ecc48b]
/usr/local/mysql/bin/mysqld(remove_eq_conds(THD*, Item*, Item**, Item::cond_result*)+0x66e) [0x55c1f6b4cece]
/usr/local/mysql/bin/mysqld(remove_eq_conds(THD*, Item*, Item**, Item::cond_result*)+0x289) [0x55c1f6b4cae9]
/usr/local/mysql/bin/mysqld(optimize_cond(THD*, Item**, COND_EQUAL**, mem_root_deque<Table_ref*>*, Item::cond_result*)+0x976) [0x55c1f6b3fdf6]
/usr/local/mysql/bin/mysqld(JOIN::optimize(bool)+0x14b8) [0x55c1f6b38f98]
/usr/local/mysql/bin/mysqld(Query_block::optimize(THD*, bool)+0x20d) [0x55c1f6e27a4d]
/usr/local/mysql/bin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x312) [0x55c1f6fd0912]
/usr/local/mysql/bin/mysqld(Query_block::optimize(THD*, bool)+0x325) [0x55c1f6e27b65]
/usr/local/mysql/bin/mysqld(Query_expression::optimize(THD*, TABLE*, bool, bool)+0x312) [0x55c1f6fd0912]
/usr/local/mysql/bin/mysqld(Item_subselect::exec(THD*)+0x586) [0x55c1f6079d66]
/usr/local/mysql/bin/mysqld(Item_singlerow_subselect::val_str(String*)+0xd0) [0x55c1f6080d60]
/usr/local/mysql/bin/mysqld(Item::evaluate(THD*, String*)+0x51a) [0x55c1f5fa706a]
/usr/local/mysql/bin/mysqld(Item::update_null_value()+0x15d) [0x55c1f5fa69ed]
/usr/local/mysql/bin/mysqld(Item_subselect::is_null()+0x2c) [0x55c1f6099bdc]
/usr/local/mysql/bin/mysqld(+0x7e9e3a0) [0x55c1f60023a0]
/usr/local/mysql/bin/mysqld(Item_bool_func2::convert_constant_arg(THD*, Item*, Item**, bool*)+0x229) [0x55c1f6001cb9]
/usr/local/mysql/bin/mysqld(Item_bool_func2::resolve_type(THD*)+0x66d) [0x55c1f6004c4d]
/usr/local/mysql/bin/mysqld(Item_func::fix_fields(THD*, Item**)+0x3b9) [0x55c1f5ece139]
/usr/local/mysql/bin/mysqld(Item_func::fix_func_arg(THD*, Item**)+0xa7) [0x55c1f5ece697]
/usr/local/mysql/bin/mysqld(Item_func::fix_fields(THD*, Item**)+0x32f) [0x55c1f5ece0af]
/usr/local/mysql/bin/mysqld(Item_func_case::fix_fields(THD*, Item**)+0x117) [0x55c1f6024827]
/usr/local/mysql/bin/mysqld(Item_func::fix_func_arg(THD*, Item**)+0xa7) [0x55c1f5ece697]
/usr/local/mysql/bin/mysqld(Item_func::fix_fields(THD*, Item**)+0x32f) [0x55c1f5ece0af]
/usr/local/mysql/bin/mysqld(Item_str_func::fix_fields(THD*, Item**)+0x37) [0x55c1f61f2367]
/usr/local/mysql/bin/mysqld(Item_func::fix_func_arg(THD*, Item**)+0xa7) [0x55c1f5ece697]
/usr/local/mysql/bin/mysqld(Item_func::fix_fields(THD*, Item**)+0x32f) [0x55c1f5ece0af]
/usr/local/mysql/bin/mysqld(Item_str_func::fix_fields(THD*, Item**)+0x37) [0x55c1f61f2367]
/usr/local/mysql/bin/mysqld(Item_func::fix_func_arg(THD*, Item**)+0xa7) [0x55c1f5ece697]
/usr/local/mysql/bin/mysqld(Item_func::fix_fields(THD*, Item**)+0x32f) [0x55c1f5ece0af]
/usr/local/mysql/bin/mysqld(Item_cond::fix_fields(THD*, Item**)+0x727) [0x55c1f603bc87]
/usr/local/mysql/bin/mysqld(find_order_in_list(THD*, Bounds_checked_array<Item*>, Table_ref*, ORDER*, mem_root_deque<Item*>*, bool, bool)+0x1809) [0x55c1f6dd5229]
/usr/local/mysql/bin/mysqld(setup_order(THD*, Bounds_checked_array<Item*>, Table_ref*, mem_root_deque<Item*>*, ORDER*)+0x3ee) [0x55c1f6db178e]
/usr/local/mysql/bin/mysqld(Query_block::prepare(THD*, mem_root_deque<Item*>*)+0x157b) [0x55c1f6daa3ab]
/usr/local/mysql/bin/mysqld(Query_expression::prepare_query_term(THD*, Query_term*, Query_result*, unsigned long long, unsigned long long, int, Mem_root_array<bool>&)+0x1456) [0x55c1f6fccbe6]
/usr/local/mysql/bin/mysqld(Query_expression::prepare(THD*, Query_result*, mem_root_deque<Item*>*, unsigned long long, unsigned long long)+0x171f) [0x55c1f6fcfa6f]
/usr/local/mysql/bin/mysqld(Sql_cmd_select::prepare_inner(THD*)+0x441) [0x55c1f6e1e0e1]
/usr/local/mysql/bin/mysqld(Sql_cmd_dml::prepare(THD*)+0xabb) [0x55c1f6e1d1cb]
/usr/local/mysql/bin/mysqld(Sql_cmd_dml::execute(THD*)+0x563) [0x55c1f6e1e933]
/usr/local/mysql/bin/mysqld(mysql_execute_command(THD*, bool)+0x669d) [0x55c1f6cc383d]
/usr/local/mysql/bin/mysqld(dispatch_sql_command(THD*, Parser_state*)+0x14eb) [0x55c1f6cb908b]
/usr/local/mysql/bin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x2618) [0x55c1f6cae0a8]
/usr/local/mysql/bin/mysqld(do_command(THD*)+0xd48) [0x55c1f6cb54e8]
/usr/local/mysql/bin/mysqld(+0x90b9bc4) [0x55c1f721dbc4]
/usr/local/mysql/bin/mysqld(+0xcf2ecef) [0x55c1fb092cef]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fa3612e5ac3]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x44) [0x7fa361376bf4]
```

How to repeat:
Issue the query above from the mysql client against a debug (assertion-enabled) build. The server aborts on the assertion and the client reports ERROR 2013 (Lost connection to MySQL server during query).
[14 Oct 2023 14:23] MySQL Verification Team
Hello Yupeng Yang,

Thank you for the report and test case.
Observed that the 8.0.34 debug build is also affected (see the mtr run and backtrace below).

regards,
Umesh
[14 Oct 2023 14:25] MySQL Verification Team
- 8.0.34 debug build

 ./mtr --nocheck-testcases bug112720  --debug-server
Logging: ./mtr  --nocheck-testcases bug112720 --debug-server
MySQL Version 8.0.34
Checking supported features
 - Binaries are debug compiled
Using 'all' suites
Collecting tests
Checking leftover processes
Removing old var directory
Creating var directory '/export/home/tmp/ushastry/mysql-8.0.34/mysql-test/var'
Installing system database
Using parallel: 1

==============================================================================
                  TEST NAME                       RESULT  TIME (ms) COMMENT
------------------------------------------------------------------------------
select 1 as i union select 2 order by ( i < LEFT ( 100 + 20 , BINARY ( case when i < ( select ( select 'zero' as "text" union select 1 + ISNULL ( ( i < 0 ) and ( select ( SELECT case when 0E11 then 0E11 end as "float" WHERE ( SELECT ( select ( SELECT case when 0E11 then 3 end as "float" WHERE 0E11 / 0 ) as "text" ) WHERE ( SELECT case when 0E11 then 0E11 end as "float" WHERE - TRUE and LOCALTIMESTAMP ( 4 ) is not null ) ) || ' !' ) as "text" ) is not null or ( i < 0 ) * 0 ) ) as "text" ) then 1 / 0 when ( select 193965 + 4 as "text" ) then 1 else 2 / 0 end ) ) ) ;
[ 50%] main.bug112720                            [ fail ]
        Test ended at 2023-10-14 16:22:02

CURRENT_TEST: main.bug112720
mysqltest: At line 1: Query 'select 1 as i union select 2 order by ( i < LEFT ( 100 + 20 , BINARY ( case when i < ( select ( select 'zero' as "text" union select 1 + ISNULL ( ( i < 0 ) and ( select ( SELECT case when 0E11 then 0E11 end as "float" WHERE ( SELECT ( select ( SELECT case when 0E11 then 3 end as "float" WHERE 0E11 / 0 ) as "text" ) WHERE ( SELECT case when 0E11 then 0E11 end as "float" WHERE - TRUE and LOCALTIMESTAMP ( 4 ) is not null ) ) || ' !' ) as "text" ) is not null or ( i < 0 ) * 0 ) ) as "text" ) then 1 / 0 when ( select 193965 + 4 as "text" ) then 1 else 2 / 0 end ) ) ) ' failed.
ERROR 2013 (HY000): Lost connection to MySQL server during query
[14 Oct 2023 14:25] MySQL Verification Team
Backtrace (gdb `bt`) from the 8.0.34 debug build:

#0  0x00007f61747b5aa1 in pthread_kill () from /lib64/libpthread.so.0
#1  0x000000000402c28e in my_write_core(int) ()
#2  0x00000000032d235e in handle_fatal_signal ()
#3  <signal handler called>
#4  0x00007f6172b00387 in raise () from /lib64/libc.so.6
#5  0x00007f6172b01a78 in abort () from /lib64/libc.so.6
#6  0x00007f6172af91a6 in __assert_fail_base () from /lib64/libc.so.6
#7  0x00007f6172af9252 in __assert_fail () from /lib64/libc.so.6
#8  0x000000000347b0e5 in eval_const_cond(THD*, Item*, bool*) ()
#9  0x000000000313e8f5 in remove_eq_conds(THD*, Item*, Item**, Item::cond_result*) [clone .localalias] ()
#10 0x000000000313e7ce in remove_eq_conds(THD*, Item*, Item**, Item::cond_result*) [clone .localalias] ()
#11 0x000000000314c938 in optimize_cond(THD*, Item**, COND_EQUAL**, mem_root_deque<Table_ref*>*, Item::cond_result*) ()
#12 0x000000000314ffee in JOIN::optimize(bool) ()
#13 0x00000000031b755f in Query_block::optimize(THD*, bool) ()
#14 0x000000000322d695 in Query_expression::optimize(THD*, TABLE*, bool, bool) ()
#15 0x00000000031b75cb in Query_block::optimize(THD*, bool) ()
#16 0x000000000322d695 in Query_expression::optimize(THD*, TABLE*, bool, bool) ()
#17 0x00000000034ccc93 in Item_subselect::exec(THD*) ()
#18 0x00000000034c5689 in Item_singlerow_subselect::val_str(String*) ()
#19 0x000000000341b384 in Item::evaluate(THD*, String*) ()
#20 0x000000000341b4c2 in Item::update_null_value() ()
#21 0x00000000034cdda5 in Item_subselect::is_null() ()
#22 0x0000000003436b48 in convert_constant_item(THD*, Item_field*, Item**, bool*) ()
#23 0x000000000343c044 in Item_bool_func2::convert_constant_arg(THD*, Item*, Item**, bool*) ()
#24 0x000000000343c26d in Item_bool_func2::resolve_type(THD*) ()
#25 0x000000000347b300 in Item_func::fix_fields(THD*, Item**) ()
#26 0x000000000347b10b in Item_func::fix_func_arg(THD*, Item**) ()
#27 0x000000000347b2ee in Item_func::fix_fields(THD*, Item**) ()
#28 0x0000000003432910 in Item_func_case::fix_fields(THD*, Item**) ()
#29 0x000000000347b10b in Item_func::fix_func_arg(THD*, Item**) ()
#30 0x000000000347b2ee in Item_func::fix_fields(THD*, Item**) ()
#31 0x00000000034b3e58 in Item_str_func::fix_fields(THD*, Item**) ()
#32 0x000000000347b10b in Item_func::fix_func_arg(THD*, Item**) ()
#33 0x000000000347b2ee in Item_func::fix_fields(THD*, Item**) ()
#34 0x00000000034b3e58 in Item_str_func::fix_fields(THD*, Item**) ()
#35 0x000000000347b10b in Item_func::fix_func_arg(THD*, Item**) ()
#36 0x000000000347b2ee in Item_func::fix_fields(THD*, Item**) ()
#37 0x00000000031a0037 in find_order_in_list(THD*, Bounds_checked_array<Item*>, Table_ref*, ORDER*, mem_root_deque<Item*>*, bool, bool) ()
#38 0x00000000031a0291 in setup_order(THD*, Bounds_checked_array<Item*>, Table_ref*, mem_root_deque<Item*>*, ORDER*) ()
#39 0x00000000031aa44b in Query_block::prepare(THD*, mem_root_deque<Item*>*) ()
#40 0x000000000322b4d3 in Query_expression::prepare_query_term(THD*, Query_term*, Query_result*, unsigned long long, unsigned long long, int, Mem_root_array<bool>&) [clone .localalias] ()
#41 0x000000000322c19c in Query_expression::prepare(THD*, Query_result*, mem_root_deque<Item*>*, unsigned long long, unsigned long long) ()
#42 0x00000000031b6b6e in Sql_cmd_select::prepare_inner(THD*) ()
#43 0x00000000031c05c5 in Sql_cmd_dml::prepare(THD*) ()
#44 0x00000000031c08ed in Sql_cmd_dml::execute(THD*) ()
#45 0x0000000003161263 in mysql_execute_command(THD*, bool) ()
#46 0x00000000031626a2 in dispatch_sql_command(THD*, Parser_state*) ()
#47 0x0000000003163cd5 in dispatch_command(THD*, COM_DATA const*, enum_server_command) ()
#48 0x000000000316596c in do_command(THD*) ()
#49 0x00000000032c437c in handle_connection ()
#50 0x00000000047e1af5 in pfs_spawn_thread ()
#51 0x00007f61747b0ea5 in start_thread () from /lib64/libpthread.so.0
#52 0x00007f6172bc8b2d in clone () from /lib64/libc.so.6