Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

index out of range [0] with length 0 in chunk.appendCellByCell->chunk.(*Column).IsNull #55878

Closed
ycybfhb opened this issue Sep 5, 2024 · 1 comment

Comments

@ycybfhb
Copy link

ycybfhb commented Sep 5, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

SQL to init database
create table t_dci ( 
c_dph7 int ,
c_l1t tinyint ,
c_d3wokzls77 int ,
c_bywfl tinyint unique ,
c_kzre text ,
c_fzqupuma int not null ,
c_w9qyk_fpj double not null ,
c_ib1xsf3c8d tinyint ,
primary key(c_d3wokzls77, c_dph7) CLUSTERED) pre_split_regions=6;

insert into t_dci (c_dph7, c_l1t, c_d3wokzls77, c_bywfl, c_kzre, c_fzqupuma, c_w9qyk_fpj, c_ib1xsf3c8d) values 
  (-514271861, (NOT NOT(cast((9934 || 22838) as unsigned))), -619026511, (NOT NOT(cast((cast(cast(null as decimal) as decimal) > cast(329968852857868263 as signed)) as unsigned))), cast(null as char), -347826715, 99.79, ((212481776 is NULL)) 
    or (0<>0)), 
  (-1674338467, 1=1, -399873462, (NOT NOT(cast((cast('xz_' as char) <=> cast(cast(null as char) as char)) as unsigned))), 'w_2zjli', -1076974335, 58.22, (-1828123053 not in (
    601205857))), 
  (-111793546, 1=1, -1905435943, (NOT NOT(cast((7165905730096120571 >= 32769.8) as unsigned))), 'ye', 385426697, 28.62, (('jrb97' like '%')) 
    or (((NOT NOT(cast((cast(cast(null as decimal) as decimal) = cast(cast(null as double) as double)) as unsigned)))) 
      and (1=1))), 
  (1391099485, ('euwb686' not like '%'), 448379592, (NOT NOT(cast((cast(cast(null as decimal) as decimal) > cast(19662 as signed)) as unsigned))), '_omij4w4p', 2134449301, 92.74, 1=1);

alter table t_dci add column c_gs6c2wzbdg text;

create table t_rc ( 
c_m2y int ,
c_yu tinyint not null ,
primary key(c_m2y) CLUSTERED) pre_split_regions=2;

create table t__9r63 ( 
c_g7eofzlxn int ,
c_r58lkh double ,
c_x2erxo10w int ,
c_wsr tinyint ,
c_hd2v4v0 double ,
c_tb3u text ,
c_onfeptr2q tinyint unique ,
primary key(c_g7eofzlxn, c_x2erxo10w) CLUSTERED) pre_split_regions=7;

alter table t__9r63 add column c_o8tsf double;

insert into t__9r63 (c_g7eofzlxn, c_r58lkh, c_x2erxo10w, c_wsr, c_hd2v4v0, c_tb3u, c_onfeptr2q, c_o8tsf) values 
  (1275540443, 9223372036854775806.5, -1407328577, (NOT NOT(cast((-945767894 <= -8247562720541611887) as unsigned))), 35.15, 'l7ngfavtf2', (NOT NOT(cast((cast(cast(null as signed) as signed) > cast(-1581230237 as signed)) as unsigned))), 22.55), 
  (0, 6.4, -23, (-4 is not NULL), -256.4, 'nrqgupym', (NOT NOT(cast((cast(null as char) < cast(null as char)) as unsigned))), 49.2), 
  (-2005512947, 14.81, 1215057043, ((NOT NOT(cast((cast(-4255 as signed) <=> cast(-9223372036854775807.2 as double)) as unsigned)))) 
    or ((1928377790 is NULL)), 93.95, 'ycra', (NOT NOT(cast((-4902061839617880638 < cast(null as signed)) as unsigned))), 53.76), 
  (-865548105, 27.38, -932309610, 1=1, 65.29, cast(null as char), (NOT NOT(cast((cast(cast(null as char) as char) != cast(cast(null as char) as char)) as unsigned))), 2.71);

create table t_glzh3lb0ro ( 
c_kffac5e63 int not null unique ,
c_p int ,
c_i3ml int ,
c_c7njaqnyv7 int not null ,
c_wd3x double ,
c__n3bhft5z int not null ,
c_pf8vmpo8 int not null ,
primary key(c__n3bhft5z, c_p) NONCLUSTERED) shard_row_id_bits=9 pre_split_regions=7;

alter table t_rc add column c_b48gd04utl text;


SQL that causes error
WITH
cte_3 AS (
SELECT
  left(
      cast(ref_11.c_tb3u as char), 
      cast(-235769694 as signed)) as c11,
  cast((select var_pop(c_yu) from t_rc)
       as signed) as c29,
  ref_11.c_tb3u as c38,
  avg(
        cast(ref_10.c_c7njaqnyv7 as signed)) over (partition by ref_11.c_hd2v4v0 order by ref_11.c_g7eofzlxn, ref_11.c_x2erxo10w) as c53,
  ref_10.c_i3ml as c60,
  ref_10.c_i3ml as c61,
  length(
      cast(ref_11.c_tb3u as char)) as c62
FROM
  (t_glzh3lb0ro as ref_10
      right outer join t__9r63 as ref_11
      on (ref_10.c_kffac5e63 = ref_11.c_g7eofzlxn ))
LIMIT 57
),
cte_4 AS (
SELECT
  ref_22.c_yu as c3
FROM
  t_rc as ref_22
WHERE
  0<>0
ORDER BY
  c3 asc
)
SELECT
  repeat(
      cast(ref_23.c_kzre as char), 
      67) as c7
FROM
  t_dci as ref_23
WHERE
  (case when (NOT NOT(cast((cast(ref_23.c_w9qyk_fpj as double) < cast(ref_23.c_bywfl as signed)) as unsigned))) then ref_23.c_kzre else ref_23.c_gs6c2wzbdg end
       >= ( 
    select  
          subq_0.c0 as c0
        from 
          (select  
                ref_24.c_b48gd04utl as c0, 
                ref_24.c_yu as c1, 
                ref_24.c_m2y as c2, 
                ref_24.c_m2y as c3, 
                287616624 as c4, 
                ref_24.c_yu as c5, 
                ref_24.c_b48gd04utl as c6, 
                ref_23.c_l1t as c7
              from 
                t_rc as ref_24
              where (ref_23.c_l1t is NULL)
              limit 103) as subq_0
        where ((select c0 from cte_4 order by c0 limit 1 offset 4)
             is NULL)
      union
      (
      select distinct 
          (select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 1)
             as c0
        from 
          t_dci as ref_25
        where (ltrim(
            cast(ref_25.c_gs6c2wzbdg as char)) not in (
          select  
                ref_26.c11 as c0
              from 
                cte_3 as ref_26
              where (NOT NOT(cast((cast(ref_26.c62 as signed) && cast(ref_26.c29 as signed)) as unsigned)))
            union
            (
            select  
                ref_27.c38 as c0
              from 
                cte_3 as ref_27
              where 1=1
            )))
      )
       limit 1));

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: index out of range [0] with length 0
github.com/pingcap/errors.AddStack
	/root/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20240318064555-6bd07397691f/errors.go:178
github.com/pingcap/errors.Trace
	/root/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20240318064555-6bd07397691f/juju_adaptor.go:15
github.com/pingcap/tidb/pkg/util.GetRecoverError
	/workspace/source/tidb/pkg/util/util.go:288
github.com/pingcap/tidb/pkg/executor/internal/exec.Next.func1
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:435
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).IsNull
	/workspace/source/tidb/pkg/util/chunk/column.go:197
github.com/pingcap/tidb/pkg/util/chunk.appendCellByCell
	/workspace/source/tidb/pkg/util/chunk/chunk.go:453
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendPartialRow
	/workspace/source/tidb/pkg/util/chunk/chunk.go:419
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendRow
	/workspace/source/tidb/pkg/util/chunk/chunk.go:410
github.com/pingcap/tidb/pkg/executor.(*SelectionExec).Next
	/workspace/source/tidb/pkg/executor/executor.go:1618
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).unParallelExecute
	/workspace/source/tidb/pkg/executor/projection.go:218
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).Next
	/workspace/source/tidb/pkg/executor/projection.go:205
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor.(*cteProducer).computeSeedPart
	/workspace/source/tidb/pkg/executor/cte.go:390
github.com/pingcap/tidb/pkg/executor.(*cteProducer).produce
	/workspace/source/tidb/pkg/executor/cte.go:363
github.com/pingcap/tidb/pkg/executor.(*CTEExec).Next
	/workspace/source/tidb/pkg/executor/cte.go:114
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor.(*SelectionExec).Next
	/workspace/source/tidb/pkg/executor/executor.go:1621
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).unParallelExecute
	/workspace/source/tidb/pkg/executor/projection.go:218
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).Next
	/workspace/source/tidb/pkg/executor/projection.go:205
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor/unionexec.(*UnionExec).resultPuller
	/workspace/source/tidb/pkg/executor/unionexec/union.go:164
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1650

4. What is your TiDB version? (Required)

Release Version: v8.4.0-alpha-66-g1167e0c
Edition: Community
Git Commit Hash: 1167e0c06fc8e2dd066bd974315284bc0e884acc
Git Branch: HEAD
UTC Build Time: 2024-09-03 01:15:19
GoVersion: go1.21.13
Race Enabled: false
Check Table Before Drop: false
Store: tikv

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants