Description:
in sql/sql_optimizer.cc:262 ,using dump_TABLE_LIST_graph() function dump parsed tree info, cause mysqld crashed:

zhanghe@node3:~/database/mysql-server$ git diff sql/sql_optimizer.cc
diff --git a/sql/sql_optimizer.cc b/sql/sql_optimizer.cc
index 1879cdcb1ee..039f6e2b14d 100644
--- a/sql/sql_optimizer.cc
+++ b/sql/sql_optimizer.cc
@@ -260,7 +260,8 @@ bool JOIN::optimize() {
   // The base ref items from query block are assigned as JOIN's ref items
   ref_items[REF_SLICE_ACTIVE] = select_lex->base_ref_items;
 
-  /* dump_TABLE_LIST_graph(select_lex, select_lex->leaf_tables); */
+  dump_TABLE_LIST_graph(select_lex, select_lex->leaf_tables);

How to repeat:
1. compile source tree and set config option WITH_DEBUG=on
shell> cmake -S mysql-server/ -B mysql-debug-8/ -DWITH_DEBUG=ON -DWITH_BOOST=/home/zhanghe/boost_1_70_0  -DWITH_SYSTEMD=ON -DOPTIMIZER_TRACE=1 -DCMAKE_INSTALL_PREFIX=/home/zhanghe/mysql
2. initilaize data dir and start mysql 
shell > cd /home/zhanghe/mysql; bin/mysqld &
3. crashed with SEGV

Suggested fix:
zhanghe@node3:~/database/mysql-server$ git diff sql/sql_test.cc
diff --git a/sql/sql_test.cc b/sql/sql_test.cc
index 02a4056d798..85fda77ad9f 100644
--- a/sql/sql_test.cc
+++ b/sql/sql_test.cc
@@ -553,7 +553,7 @@ void Dbug_table_list_dumper::dump_one_struct(TABLE_LIST *tbl) {
   if (tbl->nested_join)
     fprintf(out, "|<nested_j>nested_j=%p", tbl->nested_join);
   if (tbl->join_list) fprintf(out, "|<join_list>join_list=%p", tbl->join_list);
-  if (tbl->on_expr) fprintf(out, "|<on_expr>on_expr=%p", tbl->on_expr);
+  // if (tbl->on_expr) fprintf(out, "|<on_expr>on_expr=%p", tbl->on_expr);
   fprintf(out, "\"\n");
   fprintf(out, "  shape = \"record\"\n];\n\n");
 
@@ -615,6 +615,7 @@ int Dbug_table_list_dumper::dump_graph(SELECT_LEX *select_lex,
 
   TABLE_LIST *tbl;
   tables_fifo.reset();
+  tbl_lists.reset();
   dump_one_struct(first_leaf);
   while (tables_fifo.pop_first(&tbl)) {
     dump_one_struct(tbl);
@@ -636,7 +637,7 @@ int Dbug_table_list_dumper::dump_graph(SELECT_LEX *select_lex,
   fputs("}", out);
   fclose(out);
 
-  char filename2[500];
+  char filename2[506];
   filename[strlen(filename) - 1] = 0;
   filename[strlen(filename) - 1] = 0;
   sprintf(filename2, "%s.query", filename);

the patch fixed this issue

Attachment: fixed_crash.patch (text/x-patch), 1.12 KiB.

add version info:
zhanghe@node3:~/database/mysql-server$ git branch -a
* 8.0
  remotes/origin/5.5
  remotes/origin/5.6
  remotes/origin/5.7
  remotes/origin/8.0
  remotes/origin/HEAD -> origin/8.0
  remotes/origin/cluster-7.2
  remotes/origin/cluster-7.3
  remotes/origin/cluster-7.4
  remotes/origin/cluster-7.5
  remotes/origin/cluster-7.6
zhanghe@node3:~/database/mysql-se

modify os version

Hi Mr. Zhang,

I build my source tree with all debug options, but it runs just fine.

I am not able to crash it at all.

Hence, how can we repeat the crash ?????

hi, Sinisa Milivojevic!
   the original source tree hasn't problem, these code has been commented , in file sql_optimizer.cc:263, sql_optimizer.cc:269 of function dump_TABLE_LIST_graph
, i think it's a very useful debug function, so subscribe this issue.

Hi Mr. zhang,

I must admit that I truly do not understand much of what you have written here.

Second, if you are changing our source code, I have to set this bug to "Not a bug". We do not support MySQL server built from a changed source. We do however support our Plugin interfaces.

ok, now i understood this rule. please set it 'not a bug'.

Thank you Mr. zhang,

You are truly welcome to report bugs on our unchanged code.

You can also file a feature request with your patch that would improve the functionality or speed of our software.