Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

index out of range [-1] in (*expressionRewriter).inToExpression #52769

Open
GaranR opened this issue Apr 19, 2024 · 1 comment
Open

index out of range [-1] in (*expressionRewriter).inToExpression #52769

GaranR opened this issue Apr 19, 2024 · 1 comment
Assignees
@qw4990
Labels
impact/panic may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/moderate sig/planner SIG: Planner type/bug The issue is confirmed as a bug.

Comments

@GaranR
Copy link

GaranR commented Apr 19, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

First execute the following valid.sql
valid.txt

Then a crash occurs when executing the error.sql below
error4.txt

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: index out of range [-1]

tidb.log:

[2024/04/17 11:57:26.623 +00:00] [ERROR] [conn.go:990] ["connection running loop panic"] [conn=408946066] [session_alias=] [lastSQL="(check error.sql above)"] [err="runtime error: index out of range [-1]"] [stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/conn.go:993
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/compiler.go:54
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/planner/core.(*expressionRewriter).inToExpression
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:1656
github.com/pingcap/tidb/pkg/planner/core.(*expressionRewriter).Leave
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:1328
github.com/pingcap/tidb/pkg/parser/ast.(*PatternInExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:770
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewriteExprNode
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:201
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewriteWithPreprocess
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:146
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewrite
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:114
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildSelection
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:1393
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildSelect
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:4516
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildResultSetNode
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:573
github.com/pingcap/tidb/pkg/planner/core.(*expressionRewriter).buildSubquery
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:350
github.com/pingcap/tidb/pkg/planner/core.(*expressionRewriter).handleExistSubquery
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:841
github.com/pingcap/tidb/pkg/planner/core.(*expressionRewriter).Enter
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:395
github.com/pingcap/tidb/pkg/parser/ast.(*ExistsSubqueryExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:672
github.com/pingcap/tidb/pkg/parser/ast.(*ParenthesesExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:1016
github.com/pingcap/tidb/pkg/parser/ast.(*BinaryOperationExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:217
github.com/pingcap/tidb/pkg/parser/ast.(*BinaryOperationExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:217
github.com/pingcap/tidb/pkg/parser/ast.(*ParenthesesExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/expressions.go:1016
github.com/pingcap/tidb/pkg/parser/ast.(*FuncCastExpr).Accept
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/parser/ast/functions.go:669
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewriteExprNode
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:201
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewriteWithPreprocess
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:146
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).rewrite
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/expression_rewriter.go:114
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildAggregation
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:370
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildSelect
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:4570
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildResultSetNode
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:573
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildCte
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:7697
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildWith
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:7948
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).buildSelect
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/logical_plan_builder.go:4436
github.com/pingcap/tidb/pkg/planner/core.(*PlanBuilder).Build
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/core/planbuilder.go:859
github.com/pingcap/tidb/pkg/planner.buildLogicalPlan
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/optimize.go:576
github.com/pingcap/tidb/pkg/planner.optimize
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/optimize.go:494
github.com/pingcap/tidb/pkg/planner.Optimize
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/planner/optimize.go:352
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/compiler.go:98
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/session/session.go:2221
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/driver_tidb.go:292
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/conn.go:2064
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/conn.go:1831
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/conn.go:1318
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/conn.go:1091
github.com/pingcap/tidb/pkg/server.(*Server).onConn
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/server/server.go:715"]

4. What is your TiDB version? (Required)

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v7.5.1
Edition: Community
Git Commit Hash: 7d16cc79e81bbf573124df3fd9351c26963f3e70
Git Branch: heads/refs/tags/v7.5.1
UTC Build Time: 2024-02-27 14:28:32
GoVersion: go1.21.6
Race Enabled: false
Check Table Before Drop: false
Store: tikv |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.
@GaranR GaranR added the type/bug The issue is confirmed as a bug. label Apr 19, 2024
@qw4990 qw4990 self-assigned this May 8, 2024
@qw4990
Copy link
Contributor

qw4990 commented May 14, 2024

Degrade this case from Major to Moderate since it's too extreme (48 CTEs and more than 2600 lines), not common

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qw4990 qw4990

Labels
impact/panic may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/moderate sig/planner SIG: Planner type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jebter @qw4990 @GaranR