SIGSEGV in JOIN::optimize_inner or Assertion `fixed == 0' failed in Item_equal::fix_fields, server crashes after 2nd execution of PS

--source include/have_innodb.inc

CREATE TABLE t1 (pk int primary key, i1 int, i2 int, v1 varchar(1), v2 varchar(1), KEY i1 (i1), KEY v2 (v2,i1)) ENGINE=InnoDB ;

INSERT INTO t1 VALUES (12,1,1,'r','r');

CREATE TABLE t2 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;

CREATE TABLE t3 (pk int, i1 int, i2 int, v1 varchar(1), v2 varchar(1)) ENGINE=InnoDB ;

INSERT INTO t3 VALUES (19,1,9,NULL,NULL),(20,5,6,'r','r');

prepare stmt from "

SELECT 1 FROM t1

WHERE t1.pk = t1.i1 

	AND ((t1.pk,t1.i1) IN (SELECT t3.pk, COUNT(t3.pk) FROM t3

          WHERE EXISTS (SELECT 1 FROM (t1 JOIN t3 ON (t3.i2 = t1.i1)) WHERE t3.v1 = t1.v1)));";

execute stmt;

execute stmt;

 10.4 55dd0776566000c5ea12e177df0c784b500ab7c1

Thread 1 (Thread 0x7f22998d7700 (LWP 2335)):

#0  0x00007f22a178bccb in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1

#1  0x00007f22a178d668 in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1

#2  0x00007f22a14c8b4f in __GI___backtrace (array=<optimized out>, size=<optimized out>) at ../sysdeps/x86_64/backtrace.c:110

#3  0x0000557a517d65b4 in my_print_stacktrace (stack_bottom=0x7f22998d6cf0 "", thread_stack=299008, silent=0 '\000') at /10.4/mysys/stacktrace.c:269

#4  0x0000557a510276d0 in handle_fatal_signal (sig=11) at /10.4/sql/signal_handler.cc:166

#5  <signal handler called>

#6  0x0000000000000002 in ?? ()

#7  0x0000557a50d72b52 in JOIN::optimize_inner (this=0x7f223c015b08) at /10.4/sql/sql_select.cc:1687

#8  0x0000557a50d71ceb in JOIN::optimize (this=0x7f223c015b08) at /10.4/sql/sql_select.cc:1448

#9  0x0000557a510f8c42 in Item_in_subselect::optimize (this=0x7f223c04c688, out_rows=0x7f22998d48f8, cost=0x7f22998d4900) at /10.4/sql/item_subselect.cc:770

#10 0x0000557a50ef2189 in setup_jtbm_semi_joins (join=0x7f223c015418, join_list=0x7f223c047430, eq_list=...) at /10.4/sql/opt_subselect.cc:5964

#11 0x0000557a50d72d5c in JOIN::optimize_inner (this=0x7f223c015418) at /10.4/sql/sql_select.cc:1716

#12 0x0000557a50d71ceb in JOIN::optimize (this=0x7f223c015418) at /10.4/sql/sql_select.cc:1448

#13 0x0000557a50d7bd8b in mysql_select (thd=0x7f223c000b00, tables=0x7f223c047798, wild_num=0, fields=..., conds=0x7f223c0151c8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f223c04d1a8, unit=0x7f223c0457c8, select_lex=0x7f223c047288) at /10.4/sql/sql_select.cc:4274

#14 0x0000557a50d6d78e in handle_select (thd=0x7f223c000b00, lex=0x7f223c045700, result=0x7f223c04d1a8, setup_tables_done_option=0) at /10.4/sql/sql_select.cc:382

#15 0x0000557a50d37e53 in execute_sqlcom_select (thd=0x7f223c000b00, all_tables=0x7f223c047798) at /10.4/sql/sql_parse.cc:6550

#16 0x0000557a50d2e2aa in mysql_execute_command (thd=0x7f223c000b00) at /10.4/sql/sql_parse.cc:3772

#17 0x0000557a50d59b81 in Prepared_statement::execute (this=0x7f223c0452a0, expanded_query=0x7f22998d5ab0, open_cursor=false) at /10.4/sql/sql_prepare.cc:4766

#18 0x0000557a50d57f5e in Prepared_statement::execute_loop (this=0x7f223c0452a0, expanded_query=0x7f22998d5ab0, open_cursor=false, packet=0x0, packet_end=0x0) at /10.4/sql/sql_prepare.cc:4194

#19 0x0000557a50d55b8d in mysql_sql_stmt_execute (thd=0x7f223c000b00) at /10.4/sql/sql_prepare.cc:3302

#20 0x0000557a50d2e2ef in mysql_execute_command (thd=0x7f223c000b00) at /10.4/sql/sql_parse.cc:3788

#21 0x0000557a50d3bc3b in mysql_parse (thd=0x7f223c000b00, rawbuf=0x7f223c014e98 "execute stmt", length=12, parser_state=0x7f22998d6470, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:8085

#22 0x0000557a50d28d06 in dispatch_command (command=COM_QUERY, thd=0x7f223c000b00, packet=0x7f223c179421 "execute stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:1850

#23 0x0000557a50d27723 in do_command (thd=0x7f223c000b00) at /10.4/sql/sql_parse.cc:1395

#24 0x0000557a50e8fd7f in do_handle_one_connection (connect=0x557a549d8150) at /10.4/sql/sql_connect.cc:1402

#25 0x0000557a50e8fad0 in handle_one_connection (arg=0x557a549d8150) at /10.4/sql/sql_connect.cc:1308

#26 0x0000557a517662f9 in pfs_spawn_thread (arg=0x557a549df130) at /10.4/storage/perfschema/pfs.cc:1862

#27 0x00007f22a20256ba in start_thread (arg=0x7f22998d7700) at pthread_create.c:333

#28 0x00007f22a14ba41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

# returns assertion

prepare stmt from "

SELECT 1 FROM t1

WHERE t1.pk = t1.i1 

	AND ((t1.pk,t1.i1) IN (SELECT t3.pk, COUNT(t3.pk) FROM (t3 JOIN t2 ON (t2.v1 = t3.v2))

          WHERE EXISTS (SELECT 1 FROM (t1 JOIN t3 ON (t3.i2 = t1.i1)) WHERE t3.v1 = t1.v1)));";

Thread 1 (Thread 0x7f1abffff700 (LWP 2672)):

#0  __pthread_kill (threadid=<optimized out>, signo=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62

#1  0x000055af031596a6 in my_write_core (sig=6) at /10.4/mysys/stacktrace.c:481

#2  0x000055af029aaafb in handle_fatal_signal (sig=6) at /10.4/sql/signal_handler.cc:305

#3  <signal handler called>

#4  0x00007f1acbb2e428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54

#5  0x00007f1acbb3002a in __GI_abort () at abort.c:89

#6  0x00007f1acbb26bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x55af03392761 "fixed == 0", file=file@entry=0x55af03392630 "/10.4/sql/item_cmpfunc.cc", line=line@entry=6643, function=function@entry=0x55af033956c0 <Item_equal::fix_fields(THD*, Item**)::__PRETTY_FUNCTION__> "virtual bool Item_equal::fix_fields(THD*, Item**)") at assert.c:92

#7  0x00007f1acbb26c82 in __GI___assert_fail (assertion=0x55af03392761 "fixed == 0", file=0x55af03392630 "/10.4/sql/item_cmpfunc.cc", line=6643, function=0x55af033956c0 <Item_equal::fix_fields(THD*, Item**)::__PRETTY_FUNCTION__> "virtual bool Item_equal::fix_fields(THD*, Item**)") at assert.c:101

#8  0x000055af029fff52 in Item_equal::fix_fields (this=0x7f1a68016bf0, thd=0x7f1a68000b00, ref=0x7f1a68015e20) at /10.4/sql/item_cmpfunc.cc:6643

#9  0x000055af026f5b52 in JOIN::optimize_inner (this=0x7f1a68015c70) at /10.4/sql/sql_select.cc:1687

#10 0x000055af026f4ceb in JOIN::optimize (this=0x7f1a68015c70) at /10.4/sql/sql_select.cc:1448

#11 0x000055af02a7bc42 in Item_in_subselect::optimize (this=0x7f1a6804d780, out_rows=0x7f1abfffc8f8, cost=0x7f1abfffc900) at /10.4/sql/item_subselect.cc:770

#12 0x000055af02875189 in setup_jtbm_semi_joins (join=0x7f1a68015580, join_list=0x7f1a68047470, eq_list=...) at /10.4/sql/opt_subselect.cc:5964

#13 0x000055af026f5d5c in JOIN::optimize_inner (this=0x7f1a68015580) at /10.4/sql/sql_select.cc:1716

#14 0x000055af026f4ceb in JOIN::optimize (this=0x7f1a68015580) at /10.4/sql/sql_select.cc:1448

#15 0x000055af026fed8b in mysql_select (thd=0x7f1a68000b00, tables=0x7f1a680477d8, wild_num=0, fields=..., conds=0x7f1a68015320, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7f1a6804e370, unit=0x7f1a680457c8, select_lex=0x7f1a680472c8) at /10.4/sql/sql_select.cc:4274

#16 0x000055af026f078e in handle_select (thd=0x7f1a68000b00, lex=0x7f1a68045700, result=0x7f1a6804e370, setup_tables_done_option=0) at /10.4/sql/sql_select.cc:382

#17 0x000055af026bae53 in execute_sqlcom_select (thd=0x7f1a68000b00, all_tables=0x7f1a680477d8) at /10.4/sql/sql_parse.cc:6550

#18 0x000055af026b12aa in mysql_execute_command (thd=0x7f1a68000b00) at /10.4/sql/sql_parse.cc:3772

#19 0x000055af026dcb81 in Prepared_statement::execute (this=0x7f1a680452a0, expanded_query=0x7f1abfffdab0, open_cursor=false) at /10.4/sql/sql_prepare.cc:4766

#20 0x000055af026daf5e in Prepared_statement::execute_loop (this=0x7f1a680452a0, expanded_query=0x7f1abfffdab0, open_cursor=false, packet=0x0, packet_end=0x0) at /10.4/sql/sql_prepare.cc:4194

#21 0x000055af026d8b8d in mysql_sql_stmt_execute (thd=0x7f1a68000b00) at /10.4/sql/sql_prepare.cc:3302

#22 0x000055af026b12ef in mysql_execute_command (thd=0x7f1a68000b00) at /10.4/sql/sql_parse.cc:3788

#23 0x000055af026bec3b in mysql_parse (thd=0x7f1a68000b00, rawbuf=0x7f1a68014e98 "execute stmt", length=12, parser_state=0x7f1abfffe470, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:8085

#24 0x000055af026abd06 in dispatch_command (command=COM_QUERY, thd=0x7f1a68000b00, packet=0x7f1a68179421 "execute stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:1850

#25 0x000055af026aa723 in do_command (thd=0x7f1a68000b00) at /10.4/sql/sql_parse.cc:1395

#26 0x000055af02812d7f in do_handle_one_connection (connect=0x55af06912e70) at /10.4/sql/sql_connect.cc:1402

#27 0x000055af02812ad0 in handle_one_connection (arg=0x55af06912e70) at /10.4/sql/sql_connect.cc:1308

#28 0x000055af030e92f9 in pfs_spawn_thread (arg=0x55af06919e50) at /10.4/storage/perfschema/pfs.cc:1862

#29 0x00007f1acc76b6ba in start_thread (arg=0x7f1abffff700) at pthread_create.c:333

#30 0x00007f1acbc0041d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

#3  <signal handler called>

#4  0x00005593b9705278 in vtable for Type_handler_date ()

#5  0x00005593b82e2b52 in JOIN::optimize_inner (this=0x7fa33c015de8) at /10.4/sql/sql_select.cc:1687

#6  0x00005593b82e1ceb in JOIN::optimize (this=0x7fa33c015de8) at /10.4/sql/sql_select.cc:1448

#7  0x00005593b8668c42 in Item_in_subselect::optimize (this=0x7fa33c077a48, out_rows=0x7fa38c1468f8, cost=0x7fa38c146900) at /10.4/sql/item_subselect.cc:770

#8  0x00005593b8462189 in setup_jtbm_semi_joins (join=0x7fa33c0156e8, join_list=0x7fa33c06dec0, eq_list=...) at /10.4/sql/opt_subselect.cc:5964

#9  0x00005593b82e2d5c in JOIN::optimize_inner (this=0x7fa33c0156e8) at /10.4/sql/sql_select.cc:1716

#10 0x00005593b82e1ceb in JOIN::optimize (this=0x7fa33c0156e8) at /10.4/sql/sql_select.cc:1448

#11 0x00005593b82ebd8b in mysql_select (thd=0x7fa33c000b00, tables=0x7fa33c06e420, wild_num=0, fields=..., conds=0x7fa33c0153e8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2416184064, result=0x7fa33c0784c0, unit=0x7fa33c06c088, select_lex=0x7fa33c06dd18) at /10.4/sql/sql_select.cc:4274

#12 0x00005593b82dd78e in handle_select (thd=0x7fa33c000b00, lex=0x7fa33c06bfc0, result=0x7fa33c0784c0, setup_tables_done_option=0) at /10.4/sql/sql_select.cc:382

#13 0x00005593b82a7e53 in execute_sqlcom_select (thd=0x7fa33c000b00, all_tables=0x7fa33c06e420) at /10.4/sql/sql_parse.cc:6550

#14 0x00005593b829e2aa in mysql_execute_command (thd=0x7fa33c000b00) at /10.4/sql/sql_parse.cc:3772

#15 0x00005593b82c9b81 in Prepared_statement::execute (this=0x7fa33c06bb60, expanded_query=0x7fa38c147ab0, open_cursor=false) at /10.4/sql/sql_prepare.cc:4766

#16 0x00005593b82c7f5e in Prepared_statement::execute_loop (this=0x7fa33c06bb60, expanded_query=0x7fa38c147ab0, open_cursor=false, packet=0x0, packet_end=0x0) at /10.4/sql/sql_prepare.cc:4194

#17 0x00005593b82c5b8d in mysql_sql_stmt_execute (thd=0x7fa33c000b00) at /10.4/sql/sql_prepare.cc:3302

#18 0x00005593b829e2ef in mysql_execute_command (thd=0x7fa33c000b00) at /10.4/sql/sql_parse.cc:3788

#19 0x00005593b82abc3b in mysql_parse (thd=0x7fa33c000b00, rawbuf=0x7fa33c014e98 "execute stmt", length=12, parser_state=0x7fa38c148470, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:8085

#20 0x00005593b8298d06 in dispatch_command (command=COM_QUERY, thd=0x7fa33c000b00, packet=0x7fa33c1791d1 "execute stmt", packet_length=12, is_com_multi=false, is_next_command=false) at /10.4/sql/sql_parse.cc:1850

#21 0x00005593b8297723 in do_command (thd=0x7fa33c000b00) at /10.4/sql/sql_parse.cc:1395

#22 0x00005593b83ffd7f in do_handle_one_connection (connect=0x5593bbd78080) at /10.4/sql/sql_connect.cc:1402

#23 0x00005593b83ffad0 in handle_one_connection (arg=0x5593bbd78080) at /10.4/sql/sql_connect.cc:1308

#24 0x00005593b8cd62f9 in pfs_spawn_thread (arg=0x5593bbd7f060) at /10.4/storage/perfschema/pfs.cc:1862

#25 0x00007fa393a366ba in start_thread (arg=0x7fa38c149700) at pthread_create.c:333

#26 0x00007fa392ecb41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

prepare stmt from "

SELECT 1 FROM t1

WHERE t1.pk = t1.i1 AND (t1.i2 >= SOME (SELECT t1.i2 FROM t1))

	AND ((t1.pk,t1.i1) IN (SELECT t3.pk, COUNT(t3.pk) FROM t3

          WHERE EXISTS (SELECT 1 FROM (t1 JOIN t3 ON (t3.i2 = t1.i1)) WHERE t3.v1 = t1.v1)));";