Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

invalid memory address or nil pointer dereference in expression.BuildCastFunctionWithCheck #53603

Closed
ycybfhb opened this issue May 28, 2024 · 1 comment · Fixed by #53716
Closed

invalid memory address or nil pointer dereference in expression.BuildCastFunctionWithCheck #53603

ycybfhb opened this issue May 28, 2024 · 1 comment · Fixed by #53716
Assignees
@YangKeao
Labels
affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. component/executor impact/panic severity/major sig/planner SIG: Planner type/bug The issue is confirmed as a bug.

Comments

@ycybfhb
Copy link

ycybfhb commented May 28, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

First execute the following valid.sql
valid.txt
Then a crash occurs when executing the error.sql below
error.txt

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

invalid memory address or nil pointer dereference

tidb.log:

[2024/05/28 03:36:05.951 +00:00] [ERROR] [conn.go:1013] ["connection running loop panic"] [conn=1776287812] [session_alias=] [err="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
	/workspace/source/tidb/pkg/server/conn.go:1016
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1
	/workspace/source/tidb/pkg/executor/compiler.go:57
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/expression.BuildCastFunctionWithCheck
	/workspace/source/tidb/pkg/expression/builtin_cast.go:2102
github.com/pingcap/tidb/pkg/expression.BuildCastFunction
	/workspace/source/tidb/pkg/expression/builtin_cast.go:2095
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:458
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:450
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/planner/core.BreakDownPredicates
	/workspace/source/tidb/pkg/planner/core/rule_predicate_push_down.go:394
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:145
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:137
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:137
github.com/pingcap/tidb/pkg/planner/core.(*LogicalJoin).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:105
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:147
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*convertOuterToInnerJoin).optimize
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:57
github.com/pingcap/tidb/pkg/planner/core.logicalOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:1005
github.com/pingcap/tidb/pkg/planner/core.doOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:289
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:348
github.com/pingcap/tidb/pkg/planner.optimize
	/workspace/source/tidb/pkg/planner/optimize.go:503
github.com/pingcap/tidb/pkg/planner.Optimize
	/workspace/source/tidb/pkg/planner/optimize.go:334
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
	/workspace/source/tidb/pkg/executor/compiler.go:99
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
	/workspace/source/tidb/pkg/session/session.go:2094
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
	/workspace/source/tidb/pkg/server/driver_tidb.go:294
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
	/workspace/source/tidb/pkg/server/conn.go:2021
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
	/workspace/source/tidb/pkg/server/conn.go:1774
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
	/workspace/source/tidb/pkg/server/conn.go:1348
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
	/workspace/source/tidb/pkg/server/conn.go:1114
github.com/pingcap/tidb/pkg/server.(*Server).onConn
	/workspace/source/tidb/pkg/server/server.go:739"]

4. What is your TiDB version? (Required)

+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v8.2.0-alpha-216-gfe5858b
Edition: Community
Git Commit Hash: fe5858b00cd63808ac414c6e102a353778b0aaa7
Git Branch: HEAD
UTC Build Time: 2024-05-23 01:44:42
GoVersion: go1.21.10
Race Enabled: false
Check Table Before Drop: false
Store: tikv |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.
@ycybfhb ycybfhb added the type/bug The issue is confirmed as a bug. label May 28, 2024
@zanmato1984
Copy link
Contributor

From the stack:

...
github.com/pingcap/tidb/pkg/expression.BuildCastFunctionWithCheck
	/workspace/source/tidb/pkg/expression/builtin_cast.go:2102
github.com/pingcap/tidb/pkg/expression.BuildCastFunction
	/workspace/source/tidb/pkg/expression/builtin_cast.go:2095
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:458
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:450
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/planner/core.BreakDownPredicates
	/workspace/source/tidb/pkg/planner/core/rule_predicate_push_down.go:394
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:145
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:137
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:137
github.com/pingcap/tidb/pkg/planner/core.(*LogicalJoin).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:105
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:147
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*convertOuterToInnerJoin).optimize
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:57
github.com/pingcap/tidb/pkg/planner/core.logicalOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:1005
github.com/pingcap/tidb/pkg/planner/core.doOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:289
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:348
github.com/pingcap/tidb/pkg/planner.optimize
	/workspace/source/tidb/pkg/planner/optimize.go:503
github.com/pingcap/tidb/pkg/planner.Optimize
	/workspace/source/tidb/pkg/planner/optimize.go:334
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
	/workspace/source/tidb/pkg/executor/compiler.go:99
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
	/workspace/source/tidb/pkg/session/session.go:2094
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
	/workspace/source/tidb/pkg/server/driver_tidb.go:294
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
	/workspace/source/tidb/pkg/server/conn.go:2021
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
	/workspace/source/tidb/pkg/server/conn.go:1774
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
	/workspace/source/tidb/pkg/server/conn.go:1348
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
	/workspace/source/tidb/pkg/server/conn.go:1114
github.com/pingcap/tidb/pkg/server.(*Server).onConn
	/workspace/source/tidb/pkg/server/server.go:739"]

Seems like the error happens in applying optimization rules, could you take a look first instead of asserting this is an issue of execution? @qw4990

@zanmato1984 zanmato1984 added sig/planner SIG: Planner and removed sig/execution SIG execution labels May 31, 2024
@YangKeao YangKeao mentioned this issue May 31, 2024
Merged
13 tasks
@qw4990 qw4990 added affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. and removed may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 labels Jun 3, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in 3d68bd2 Jun 3, 2024
@ti-chi-bot ti-chi-bot mentioned this issue Jun 4, 2024
Merged
13 tasks
ti-chi-bot bot pushed a commit that referenced this issue Jun 6, 2024
@ti-chi-bot
expression: fail ColumnSubstituteImpl if creating function returns …
4a4b42e 
…error (#53716) (#53815)

close #53580, close #53582, close #53594, close #53603
This was referenced Jun 25, 2024
Merged
Merged
Merged
ti-chi-bot bot pushed a commit that referenced this issue Jul 1, 2024
@ti-chi-bot
expression: fail ColumnSubstituteImpl if creating function returns …
c31e07c 
…error (#53716) (#54191)

close #53580, close #53582, close #53594, close #53603
ti-chi-bot bot pushed a commit that referenced this issue Aug 1, 2024
@ti-chi-bot
expression: fail ColumnSubstituteImpl if creating function returns …
809e75b 
…error (#53716) (#54193)

close #53580, close #53582, close #53594, close #53603
ti-chi-bot bot pushed a commit that referenced this issue Nov 4, 2024
@ti-chi-bot
expression: fail ColumnSubstituteImpl if creating function returns …
c8dbdab 
…error (#53716) (#54192)

close #53580, close #53582, close #53594, close #53603
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@YangKeao YangKeao

Labels
affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. component/executor impact/panic severity/major sig/planner SIG: Planner type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

expression: fail ColumnSubstituteImpl if creating function returns error YangKeao/tidb
5 participants
@zanmato1984 @jebter @YangKeao @qw4990 @ycybfhb