runtime error: index out of range [1] with length 1 on SELECT #43256

Open
DerZc opened this issue Apr 20, 2023 · 2 comments
Labels
fuzz/sqlancer may-affects-5.1 This bug maybe affects 5.1.x versions. may-affects-5.2 This bug maybe affects 5.2.x versions. may-affects-5.3 This bug maybe affects 5.3.x versions. may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 severity/moderate sig/execution SIG execution type/bug The issue is confirmed as a bug.

DerZc commented Apr 20, 2023

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

The following program triggers a runtime error in CLI:

USE test;
DROP DATABASE IF EXISTS database41;
CREATE DATABASE database41;
USE database41;
CREATE TABLE t0(c0 DECIMAL );
REPLACE INTO t0 VALUES (0.4117160754744159);
CREATE VIEW v0(c0) AS SELECT NULL FROM t0 WHERE t0.c0;

SELECT v0.c0, t0.c0 FROM  v0 RIGHT  OUTER JOIN t0 ON ((v0.c0)LIKE(v0.c0)) WHERE ((v0.c0)OR( NOT EXISTS(SELECT v0.c0 AS c0 FROM v0, t0)));

This is the error message:

ERROR 1105 (HY000) at line 24: runtime error: index out of range [1] with length 1

2. What did you expect to see? (Required)

No error.

3. What did you see instead (Required)

A runtime error.

4. What is your TiDB version? (Required)

Release Version: v7.1.0-alpha-298-g9fcf6b962
Edition: Community
Git Commit Hash: 9fcf6b9629a140c3beb37928a2012eaa310973ce
Git Branch: master
UTC Build Time: 2023-04-20 12:25:51
GoVersion: go1.20.3
Race Enabled: false
TiKV Min Version: 6.2.0-alpha
Check Table Before Drop: false
Store: unistore
@zanmato1984
Contributor

Error in log:

[2023/04/23 06:49:14.064 +00:00] [INFO] [conn.go:1151] ["command dispatched failed"] [conn=6224324329723658647] [connInfo="id:6224324329723658647, addr:172.18.0.1:56346 status:10, collation:utf8mb4_general_ci, user:root"] [command=Query] [status="inTxn:0, autocommit:1"] [sql="SELECT v0.c0, t0.c0 FROM v0 RIGHT OUTER JOIN t0 ON ((v0.c0)LIKE(v0.c0)) WHERE ((v0.c0)OR( NOT EXISTS(SELECT v0.c0 AS c0 FROM v0, t0)))"] [txn_mode=PESSIMISTIC] [timestamp=440987170642591746] [err="runtime error: index out of range [1] with length 1\ngithub.com/pingcap/tidb/executor.(*recordSet).Next.func1\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/adapter.go:146\nruntime.gopanic\n\t/usr/local/go/src/runtime/panic.go:884\nruntime.goPanicIndex\n\t/usr/local/go/src/runtime/panic.go:113\ngithub.com/pingcap/tidb/util/chunk.appendCellByCell\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/util/chunk/chunk.go:421\ngithub.com/pingcap/tidb/util/chunk.(*Chunk).AppendPartialRow\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/util/chunk/chunk.go:381\ngithub.com/pingcap/tidb/util/chunk.(*Chunk).AppendRow\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/util/chunk/chunk.go:372\ngithub.com/pingcap/tidb/executor.(*SelectionExec).Next\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/executor.go:1663\ngithub.com/pingcap/tidb/executor.Next\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/executor.go:326\ngithub.com/pingcap/tidb/executor.(*ExecStmt).next\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/adapter.go:1194\ngithub.com/pingcap/tidb/executor.(*recordSet).Next\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/executor/adapter.go:150\ngithub.com/pingcap/tidb/server.(*tidbResultSet).Next\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/driver_tidb.go:428\ngithub.com/pingcap/tidb/server.(*clientConn).writeChunks\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:2275\ngithub.com/pingcap/tidb/server.(*clientConn).writeResultSet\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:2218\ngithub.com/pingcap/tidb/server.(*clientConn).handleStmt\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:2091\ngithub.com/pingcap/tidb/server.(*clientConn).handleQuery\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:1852\ngithub.com/pingcap/tidb/server.(*clientConn).dispatch\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:1339\ngithub.com/pingcap/tidb/server.(*clientConn).Run\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/conn.go:1120\ngithub.com/pingcap/tidb/server.(*Server).onConn\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/server/server.go:677\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_arm64.s:1172"]

Seems like the chunk to filter lacks the trailing offset element (the offset array has one more element than the data array).

Downgrading to moderate.

Collaborator

guo-shaoge commented Jul 2, 2023

The plan:

+-------------------------------+---------+-----------+---------------+--------------------------------------------------------+
| id                            | estRows | task      | access object | operator info                                          |
+-------------------------------+---------+-----------+---------------+--------------------------------------------------------+
| Selection_28                  | 0.80    | root      |               | or(istrue_with_null(cast(Column#3, double BINARY)), 1) |
| └─HashJoin_29                 | 1.00    | root      |               | CARTESIAN right outer join                             |
|   ├─Projection_31(Build)      | 0.80    | root      |               | <nil>->Column#3                                        |
|   │ └─TableDual_32            | 0.80    | root      |               | rows:0                                                 |
|   └─TableReader_34(Probe)     | 1.00    | root      |               | data:TableFullScan_33                                  |
|     └─TableFullScan_33        | 1.00    | cop[tikv] | table:t0      | keep order:false                                       |
+-------------------------------+---------+-----------+---------------+--------------------------------------------------------+
6 rows in set (0.005 sec)

The output chunk of HashJoin_29 is as follows. The first datum is wrong: because it's a NULL datum, it should be a fixed datum, but its elemBuf is nil, so the chunk append logic assumes it's variable length. So we get a panic in the chunk append logic, which is called by Selection_28 (code).

(dlv) p e.childResult.columns
[]*github.com/pingcap/tidb/util/chunk.Column len: 2, cap: 2, [
	*{
		length: 1,
		nullBitmap: []uint8 len: 1, cap: 4, [0],
		offsets: []int64 len: 1, cap: 33, [0],
		data: []uint8 len: 8, cap: 256, [0,0,0,0,0,0,0,0],
		elemBuf: []uint8 len: 0, cap: 0, nil,
		avoidReusing: false,},
	*{
		length: 1,
		nullBitmap: []uint8 len: 1, cap: 4, [1],
		offsets: []int64 len: 0, cap: 0, nil,
		data: []uint8 len: 40, cap: 1280, [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
		elemBuf: []uint8 len: 40, cap: 40, [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
		avoidReusing: false,},

This happens when we copy the default null datum to the join row: chunk.elemBuf is missed.

Before the copy, the default null datum (j.defaultInner):

	*{
		length: 1,
		nullBitmap: []uint8 len: 1, cap: 1, [0],
		offsets: []int64 len: 0, cap: 0, nil,
		data: []uint8 len: 8, cap: 8, [0,0,0,0,0,0,0,0],
		elemBuf: []uint8 len: 8, cap: 8, [0,0,0,0,0,0,0,0],
		avoidReusing: false,},

After copy:

	*{
		length: 1,
		nullBitmap: []uint8 len: 1, cap: 4, [0],
		offsets: []int64 len: 1, cap: 33, [0],
		data: []uint8 len: 8, cap: 256, [0,0,0,0,0,0,0,0],
		elemBuf: []uint8 len: 0, cap: 0, nil,
		avoidReusing: false,},
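
A simplified Go model of the failure described in the comment above, added here as an illustration and not taken from TiDB's source. The names `column`, `appendCell`, `copyColumn` and `tryAppend` are hypothetical. It shows why a copy that drops `elemBuf` sends the append path to `offsets[pos+1]`, and that keeping `elemBuf` avoids the panic.

```go
package main

import "fmt"

// column is a simplified stand-in for the Column dumped in the issue (not TiDB's type).
type column struct {
	offsets []int64 // variable-length layout: one more entry than there are cells
	data    []byte
	elemBuf []byte // non-nil means fixed-length; len(elemBuf) is the cell width
}

// appendCell copies cell pos from src to dst, choosing the layout from src.elemBuf.
func appendCell(dst, src *column, pos int) {
	if src.elemBuf != nil { // fixed-length cell
		w := len(src.elemBuf)
		dst.data = append(dst.data, src.data[pos*w:(pos+1)*w]...)
	} else { // variable-length cell: needs offsets[pos+1]
		start, end := src.offsets[pos], src.offsets[pos+1]
		dst.data = append(dst.data, src.data[start:end]...)
		dst.offsets = append(dst.offsets, int64(len(dst.data)))
	}
}

// copyColumn duplicates src; keepElemBuf=false models the copy that loses elemBuf.
func copyColumn(src *column, keepElemBuf bool) *column {
	dst := &column{offsets: []int64{0}}
	dst.data = append(dst.data, src.data...)
	if keepElemBuf {
		dst.elemBuf = append([]byte{}, src.elemBuf...)
	}
	return dst
}

// tryAppend runs appendCell on cell 0 and returns the panic message, or "" on success.
func tryAppend(src *column) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	appendCell(&column{}, src, 0)
	return ""
}

func main() {
	// Constructed input shaped like j.defaultInner in the dump: 8 data bytes, 8-byte elemBuf.
	def := &column{data: make([]byte, 8), elemBuf: make([]byte, 8)}
	fmt.Println("elemBuf dropped:", tryAppend(copyColumn(def, false)))
	fmt.Println("elemBuf kept:   ", tryAppend(copyColumn(def, true)))
}
```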
