Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

substring_index may lead tiflash crash in some corner cases #9116

Closed
windtalker opened this issue Jun 4, 2024 · 0 comments · Fixed by #9137
Closed

substring_index may lead tiflash crash in some corner cases #9116

windtalker opened this issue Jun 4, 2024 · 0 comments · Fixed by #9137
Assignees
@wshwsh12
Labels
affects-5.3 affects-5.4 affects-6.1 affects-6.5 affects-7.1 affects-7.5 affects-8.1 component/compute report/customer Customers have encountered this bug. severity/major type/bug The issue is confirmed as a bug.

Comments

@windtalker
Copy link
Contributor

windtalker commented Jun 4, 2024
edited
Loading

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

For substring_index(string, delim, count)
if the string contains n delims, where n >= 1 and n < count, and the string end with delim, then

tiflash/dbms/src/Functions/FunctionsString.cpp

Lines 5223 to 5233 in 9929b19

while (pos < end)
{
const UInt8 * match = delim_searcher->search(pos, end - pos);
--count;
if (match == end || count == 0)
{
copyDataToResult(res_data, res_offset, begin, match);
break;
}
pos = match + delim_size;
}

When finding the last match of delim, if (match == end || count == 0) is false, so pos is updated to match + delim_size, since the string ends with delim, pos is actually equal to end, which makes pos < end false, and the function returns without calling copyDataToResult. This will make the result corrupt since copyDataToResult is expected to be called for every input row.

A simple reproduce is

mysql> drop table test;
Query OK, 0 rows affected (0.61 sec)

mysql> create table test(value varchar(512));
Query OK, 0 rows affected (0.25 sec)

mysql> insert into test values('aaa:bbb:');
Query OK, 1 row affected (0.03 sec)

mysql> insert into test select * from test;
Query OK, 1 row affected (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> insert into test select * from test;
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> insert into test select * from test;
Query OK, 4 rows affected (0.02 sec)
Records: 4  Duplicates: 0  Warnings: 0

mysql> insert into test select * from test;
Query OK, 8 rows affected (0.02 sec)
Records: 8  Duplicates: 0  Warnings: 0

mysql> insert into test select * from test;
Query OK, 16 rows affected (0.04 sec)
Records: 16  Duplicates: 0  Warnings: 0

mysql> alter table test set tiflash replica 1;
Query OK, 0 rows affected (0.34 sec)

mysql> select aaa from ( select SUBSTRING_INDEX( SUBSTRING_INDEX( SUBSTRING_INDEX(value, ',', 1), ':', 3 ), ':', -1 ) as aaa from test ) tb_1 where aaa is not null;
ERROR 1105 (HY000): rpc error: code = Unavailable desc = error reading from server: EOF

2. What did you expect to see? (Required)

3. What did you see instead (Required)

4. What is your TiFlash version? (Required)
@windtalker windtalker added type/bug The issue is confirmed as a bug. report/customer Customers have encountered this bug. severity/major labels Jun 4, 2024
@wshwsh12 wshwsh12 self-assigned this Jun 4, 2024
@wshwsh12 wshwsh12 mentioned this issue Jun 11, 2024
Merged
12 tasks
@ti-chi-bot ti-chi-bot bot closed this as completed in 7d7622e Jun 11, 2024
This was referenced Jun 11, 2024
Merged
Merged
Merged
This was referenced Jun 11, 2024
Merged
Merged
Closed
ti-chi-bot bot pushed a commit that referenced this issue Jun 12, 2024
@ti-chi-bot @wshwsh12
expression: fix substring_index crash tiflash in some case (#9137) (#…
1603952 
…9141)

close #9116

Fix tiflash crash caused by function `substring_index` in some corner cases

Co-authored-by: wshwsh12 <793703860@qq.com>
ti-chi-bot bot pushed a commit that referenced this issue Jun 12, 2024
@ti-chi-bot @wshwsh12
expression: fix substring_index crash tiflash in some case (#9137) (#…
e23142e 
…9143)

close #9116

Fix tiflash crash caused by function `substring_index` in some corner cases

Co-authored-by: wshwsh12 <793703860@qq.com>
ti-chi-bot bot pushed a commit that referenced this issue Jun 12, 2024
@ti-chi-bot @wshwsh12
expression: fix substring_index crash tiflash in some case (#9137) (#…
15f6afa 
…9139)

close #9116

Fix tiflash crash caused by function `substring_index` in some corner cases

Co-authored-by: wshwsh12 <793703860@qq.com>
ti-chi-bot bot pushed a commit that referenced this issue Jun 12, 2024
@ti-chi-bot @wshwsh12
expression: fix substring_index crash tiflash in some case (#9137) (#…
8f6f5fa 
…9142)

close #9116

Fix tiflash crash caused by function `substring_index` in some corner cases

Co-authored-by: wshwsh12 <793703860@qq.com>
ti-chi-bot bot added a commit that referenced this issue Jun 13, 2024
@ti-chi-bot @wshwsh12 @ti-chi-bot
expression: fix substring_index crash tiflash in some case (#9137) (#…
3962fba 
…9140)

close #9116

Fix tiflash crash caused by function `substring_index` in some corner cases

Co-authored-by: wshwsh12 <793703860@qq.com>
Co-authored-by: ti-chi-bot[bot] <108142056+ti-chi-bot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wshwsh12 wshwsh12

Labels
affects-5.3 affects-5.4 affects-6.1 affects-6.5 affects-7.1 affects-7.5 affects-8.1 component/compute report/customer Customers have encountered this bug. severity/major type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

expression: fix substring_index crash tiflash in some case wshwsh12/tiflash
2 participants
@windtalker @wshwsh12