Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

panic because of slice bounds out of range #20552

Closed
ChenPeng2013 opened this issue Oct 21, 2020 · 6 comments
Closed

panic because of slice bounds out of range #20552

ChenPeng2013 opened this issue Oct 21, 2020 · 6 comments
Assignees
@time-and-fate
Labels
severity/major sig/planner SIG: Planner type/bug The issue is confirmed as a bug.

Comments

@ChenPeng2013
Copy link
Contributor

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Drop table if exists t1;
CREATE TABLE t1(a INT, b INT);
INSERT INTO t1 VALUES(1,1),(2,2),(3,3);
ANALYZE TABLE t1;
SELECT * FROM t1 WHERE ISNULL(t1.a IN (SELECT t3.a FROM t1 t3));
select version();

2. What did you expect to see? (Required)

mysql> SELECT * FROM t1 WHERE ISNULL(t1.a IN (SELECT t3.a FROM t1 t3));
Empty set (0.00 sec)
mysql> select version();
+----------------------------------+
| version()                        |
+----------------------------------+
| 5.7.25-TiDB-v4.0.7-40-gc71000046 |
+----------------------------------+
1 row in set (0.00 sec)

3. What did you see instead (Required)

mysql> SELECT * FROM t1 WHERE ISNULL(t1.a IN (SELECT t3.a FROM t1 t3));
ERROR 1105 (HY000): runtime error: slice bounds out of range [-1:]
mysql> select version();
ERROR 2013 (HY000): Lost connection to MySQL server during query

4. What is your TiDB version? (Required)

master b71b6323fd4d5ebabff0dfa737aaad3c1cbe797f and release-4.0 c71000046cf1c5ade501cc2b14d3b130863f366d
@ChenPeng2013 ChenPeng2013 added the type/bug The issue is confirmed as a bug. label Oct 21, 2020
@lzmhhh123 lzmhhh123 added sig/execution SIG execution sig/planner SIG: Planner and removed sig/execution SIG execution labels Oct 21, 2020
@lzmhhh123
Copy link
Contributor

lzmhhh123 commented Oct 21, 2020
edited
Loading

[2020/10/21 13:19:49.532 +08:00] [ERROR] [conn.go:727] ["connection running loop panic"] [conn=1] [lastSQL="SELECT * FROM t1 WHERE ISNULL(t1.a IN (SELECT t3.a FROM t1 t3))"] [err="runtime error: slice bounds out of range [-1:]"] [stack="goroutine 431 [running]:\ngithub.com/pingcap/tidb/server.(*clientConn).Run.func1(0x69d0ac0, 0xc00f800cc0, 0xc00f631180)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/server/conn.go:725 +0xee\npanic(0x620d180, 0xc0101f8c20)\n\t/usr/local/go/src/runtime/panic.go:679 +0x1b2\ngithub.com/pingcap/tidb/planner/core.(*expressionRewriter).funcCallToExpression(0xc010119860, 0xc010119790)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/expression_rewriter.go:1576 +0xabb\ngithub.com/pingcap/tidb/planner/core.(*expressionRewriter).Leave(0xc010119860, 0x69d1d80, 0xc010119790, 0x69fd7c0, 0xc010228840, 0x64fef01)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/expression_rewriter.go:982 +0x19c7\ngithub.com/pingcap/parser/ast.(*FuncCallExpr).Accept(0xc010119790, 0x699c280, 0xc010119860, 0xc0100fc780, 0xc00fc45f10, 0x0)\n\t/Users/liuzhuomin/go/pkg/mod/github.com/pingcap/parser@v0.0.0-20201014065945-fb6bde872a79/ast/functions.go:523 +0x182\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).rewriteExprNode(0xc010215540, 0xc010119860, 0x69fd4c0, 0xc010119790, 0xc0100fc700, 0x0, 0x0, 0x0, 0x0, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/expression_rewriter.go:194 +0x8e\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).rewriteWithPreprocess(0xc010215540, 0x69d0ac0, 0xc010232b10, 0x69fd4c0, 0xc010119790, 0x6a19ac0, 0xc0100fc780, 0x0, 0x0, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/expression_rewriter.go:141 +0x163\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).rewrite(0xc010215540, 0x69d0ac0, 0xc010232b10, 0x69fd4c0, 0xc010119790, 0x6a19ac0, 0xc0100fc780, 0x0, 0x0, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/expression_rewriter.go:109 +0xb9\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).buildSelection(0xc010215540, 0x69d0ac0, 0xc010232b10, 0x6a19ac0, 0xc0100fc780, 0x69fd4c0, 0xc010119790, 0x0, 0x2, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/logical_plan_builder.go:820 +0x216\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).buildSelect(0xc010215540, 0x69d0ac0, 0xc010232b10, 0xc00f765770, 0x6a19ac0, 0xc0100fc780, 0x0, 0x0)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/logical_plan_builder.go:2712 +0x1667\ngithub.com/pingcap/tidb/planner/core.(*PlanBuilder).Build(0xc010215540, 0x69d0ac0, 0xc010232b10, 0x69d2940, 0xc00f765770, 0xc010215540, 0xc0101ebf40, 0x85908c0, 0x69d0ac0)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/core/planbuilder.go:592 +0xb37\ngithub.com/pingcap/tidb/planner.optimize(0x69d0ac0, 0xc010232b10, 0x6a1b1c0, 0xc0005eed20, 0x69d2940, 0xc00f765770, 0x6a0f080, 0xc00fc97680, 0x0, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/optimize.go:215 +0x1e9\ngithub.com/pingcap/tidb/planner.Optimize(0x69d0ac0, 0xc010232b10, 0x6a1b1c0, 0xc0005eed20, 0x69d2940, 0xc00f765770, 0x6a0f080, 0xc00fc97680, 0x0, 0x0, ...)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/planner/optimize.go:114 +0x354\ngithub.com/pingcap/tidb/executor.(*Compiler).Compile(0xc00fc46da0, 0x69d0ac0, 0xc010232b10, 0x69da600, 0xc00f765770, 0x0, 0x0, 0x0)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/executor/compiler.go:62 +0x294\ngithub.com/pingcap/tidb/session.(*session).ExecuteStmt(0xc0005eed20, 0x69d0ac0, 0xc010232a20, 0x69da600, 0xc00f765770, 0x0, 0x0, 0x0, 0x0)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/session/session.go:1189 +0x1db\ngithub.com/pingcap/tidb/server.(*TiDBContext).ExecuteStmt(0xc00f801080, 0x69d0ac0, 0xc010232a20, 0x69da600, 0xc00f765770, 0xc00f6e5170, 0x69d0ac0, 0xc010232a20, 0x60fb1c0)\n\t/Users/liuzhuomin/.gvm/pkgsets/go1.13/global/src/github.com/pingcap/tidb/server/driver_tidb.go:198 +0x68\ngithub.com/pingcap/tidb/server.(*clientConn).h"]

@lzmhhh123
Copy link
Contributor

@winoros PTAL.

@newcworld
Copy link
Contributor

it seems when invoke expressionRewriter.handleInSubquery the subquery is rewrited to inner join.
So the FuncCallExpr will have no args

@ichn-hu ichn-hu mentioned this issue Nov 3, 2020
Closed
@time-and-fate time-and-fate mentioned this issue Nov 10, 2020
Closed
@winoros winoros assigned time-and-fate and unassigned winoros Nov 11, 2020
@time-and-fate
Copy link
Member

This issue can be closed because #19797 fixed it.

@ti-srebot
Copy link
Contributor

Please edit this comment or add a new comment to complete the following information

Not a bug

  1. Remove the 'type/bug' label
  2. Add notes to indicate why it is not a bug

Duplicate bug

  1. Add the 'type/duplicate' label
  2. Add the link to the original bug

Bug

Note: Make Sure that 'component', and 'severity' labels are added
Example for how to fill out the template: #20100

1. Root Cause Analysis (RCA) (optional)

2. Symptom (optional)

3. All Trigger Conditions (optional)

4. Workaround (optional)

5. Affected versions

6. Fixed versions

@time-and-fate
Copy link
Member

Please edit this comment or add a new comment to complete the following information

Not a bug

  1. Remove the 'type/bug' label

  2. Add notes to indicate why it is not a bug

Duplicate bug

  1. Add the 'type/duplicate' label

  2. Add the link to the original bug

Bug

1. Root Cause Analysis (RCA) (optional)

FuncCallExpr and CaseExpr need args be put on ctxStack, which means that asScalar should be true, however it wasn't set to true.

2. Symptom (optional)

SQLs like SELECT * FROM t1 WHERE ISNULL(t1.a IN (SELECT t3.a FROM t1 t3)); and SELECT * FROM t1 WHERE CASE (1 IN (SELECT a FROM t1)) WHEN 0 THEN 0 END; will cause panic.

3. All Trigger Conditions (optional)

use IN subquery inside a function call or a CASE...WHEN... operator

4. Workaround (optional)

5. Affected versions

[v4.0.0:v4.0.8]

6. Fixed versions

4.0.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@time-and-fate time-and-fate

Labels
severity/major sig/planner SIG: Planner type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

planner: fix panic in expression rewriter caused by asScalar time-and-fate/tidb
8 participants
@jebter @ChenPeng2013 @eurekaka @winoros @time-and-fate @lzmhhh123 @ti-srebot @newcworld