Join Crash When dealing with inner join involving subquery and like operator

[TheoristCoder]

Bug Report

1. Minimal reproduce step (Required)

CREATE TABLE t1(c0 INT );

CREATE  VIEW v0(c0) AS SELECT NULL AS col_0 FROM t1 WHERE ((t1.c0));

SELECT *
FROM t1
          JOIN (SELECT ((v0.c0) LIKE (((v0.c0) + (v0.c0)))) AS col_0
                    FROM v0) as subQuery1 ON (subQuery1.col_0);

2. What did you expect to see? (Required)

Execute successfully

3. What did you see instead (Required)

[HY000][1105] other error: [components/ tidb_query_expr/ src/ types/ expr_builder. rs:310]: Invalid like (sig = LikeSig) signature: Evaluate error: [components/ tidb_query_expr/ src/ types/ function. rs:276]: Expect `Bytes`, received `Int`

4. What is your TiDB version? (Required)

Release Version: v9.0.0-beta.1.pre-547-g4d34cac87c
Edition: Community
Git Commit Hash: 4d34cac87c4f78db4a11bccc97c2f601219d1b9f
Git Branch: HEAD
UTC Build Time: 2025-04-11 05:02:15
GoVersion: go1.23.8
Race Enabled: false
Check Table Before Drop: false
Store: tikv

[TheoristCoder]

@hawkingrei I meet lots of join crashes when I test TiDB nightly build version. I would appreciate if you can fix them and I also want to identify if they are duplicated after your fix.

[solotzg]

This case works as expected on LTS versions. Since it breaks the previous normal behavior, this issue should be masked as critical. cc @windtalker

[windtalker]

This is a planner's bug, in
(v0.c0) LIKE (((v0.c0) + (v0.c0)))
v0.c0's type is TypeNull, when build like function, it require all its argument type is TypeString, otherwise, it will add cast to cast the argument to string.
In WrapWithCastAsString:

tidb/pkg/expression/builtin_cast.go

Lines 2631 to 2635 in 1d4514a

	func WrapWithCastAsString(ctx BuildContext, expr Expression) Expression {
	exprTp := expr.GetType(ctx.GetEvalCtx())
	if exprTp.EvalType() == types.ETString {
	return expr
	}

It only wrap cast if exprTp.EvalType() != types.ETString, but typeNull's eval type is ETString, so no cast is added.
However, after the view is expanded, the type of v0.c0 is converted to TypeInt, so the error happens.
In v8.5.x, after view expansion, the type of v0.c0 is not changed, that is why LTS version does not throw error.
I think this is a planner's bug, so change the sig to sig/planner.

[TheoristCoder]

Thanks for your detailed analysis!

[hawkingrei]

@TheoristCoder You are truly a genius at finding fuzz bugs;this bug was actually introduced by me. 🤣

[TheoristCoder]

@TheoristCoder You are truly a genius at finding fuzz bugs;this bug was actually introduced by me. 🤣

😂 That is very interesting! Hope you can fix it!