Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

invalid memory address or nil pointer dereference in memory.(*Tracker).AttachTo #55881

Closed
ycybfhb opened this issue Sep 5, 2024 · 1 comment · Fixed by #57294
Closed

invalid memory address or nil pointer dereference in memory.(*Tracker).AttachTo #55881

ycybfhb opened this issue Sep 5, 2024 · 1 comment · Fixed by #57294
Labels
affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. affects-8.5 This bug affects the 8.5.x(LTS) versions. impact/panic severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.

Comments

@ycybfhb
Copy link

ycybfhb commented Sep 5, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

SQL to init database

init.sql.txt

SQL that causes error
/* error message: 
Database execute error: HY000, [MySQL][ODBC 8.4(a) Driver][mysqld-8.0.11-TiDB-v8.4.0-alpha-66-g1167e0c]runtime error: invalid memory address or nil pointer dereference
 */

WITH 
cte_0 AS (select  
    ref_0.c_cz as c0, 
    
      sum(
        cast(ref_2.c_dph7 as signed)) over (partition by ref_4.c_g7eofzlxn order by ref_2.c_ib1xsf3c8d) as c1, 
    cast((ref_3.c_otj13 DIV ref_1.c_hd2v4v0) as double) as c2
  from 
    (t_jg8o as ref_0
      right outer join (((t__9r63 as ref_1
            right outer join t_dci as ref_2
            on ((NOT NOT(cast((cast(ref_1.c_hd2v4v0 as double) >= cast(ref_2.c_l1t as signed)) as unsigned)))))
          inner join t_jg8o as ref_3
          on ((NOT NOT(cast((cast(ref_2.c_kzre as char) <=> cast(ref_3.c_a90ol as char)) as unsigned)))))
        left outer join (t__9r63 as ref_4
          cross join t_jg8o as ref_5
          )
        on ((NOT NOT(cast((cast(ref_2.c_w9qyk_fpj as double) = cast(ref_5.c__qy as double)) as unsigned)))))
      on ((NOT NOT(cast((cast(ref_1.c_hd2v4v0 as double) <=> cast(ref_4.c_onfeptr2q as signed)) as unsigned)))))
  where (cast((ref_0.c_s ^ ref_5.c_z) as char) like 'n_')
  limit 81), 
cte_1 AS (select  
    cast((cast(subq_1.c6 as decimal) > cast(round(
        cast(subq_0.c3 as decimal)) as decimal)) as unsigned) as c0, 
    subq_1.c0 as c1, 
    subq_0.c0 as c2, 
    ltrim(
      cast(subq_0.c0 as char)) as c3, 
    subq_1.c2 as c4, 
    subq_1.c0 as c5, 
    bit_length(
      cast(subq_0.c0 as char)) as c6, 
    subq_0.c2 as c7, 
    subq_0.c1 as c8, 
    subq_1.c2 as c9
  from 
    ((select  
            ref_8.c_tb3u as c0, 
            ref_8.c_x2erxo10w as c1, 
            ref_7.c_c7njaqnyv7 as c2, 
            ref_7.c_i3ml as c3, 
            ref_7.c__n3bhft5z as c4, 
            ref_8.c_wsr as c5
          from 
            ((t_dci as ref_6
                right outer join t_glzh3lb0ro as ref_7
                on (0<>0))
              cross join t__9r63 as ref_8
              )
          where (NOT NOT(cast((cast(ref_6.c_kzre as char) > cast(ref_6.c_gs6c2wzbdg as char)) as unsigned)))
          order by c0, c1, c2, c3, c4, c5 asc) as subq_0
      cross join (select  
            ref_9.c_b48gd04utl as c0, 
            ref_9.c_yu as c1, 
            ref_9.c_b48gd04utl as c2, 
            ref_9.c_yu as c3, 
            ref_9.c_yu as c4, 
            ref_9.c_b48gd04utl as c5, 
            -1092927402 as c6, 
            ref_9.c_yu as c7, 
            ref_9.c_b48gd04utl as c8, 
            ref_9.c_b48gd04utl as c9, 
            ref_9.c_yu as c10
          from 
            t_rc as ref_9
          where (NOT NOT(cast((ref_9.c_m2y = ref_9.c_m2y) as unsigned)))
          limit 85) as subq_1
      )
  where (NOT NOT(cast((cast(subq_0.c4 as signed) != cast(subq_1.c7 as signed)) as unsigned)))
  order by c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 desc
  limit 60), 
cte_2 AS (select distinct 
    ref_10.c_w9qyk_fpj as c0, 
    ref_10.c_bywfl as c1, 
    case when (ref_10.c_dph7 not in (
        select  
            1344916137 as c0
          from 
            t_glzh3lb0ro as ref_15
          where ((NOT NOT(cast((cast(cast(null as char) as char) >= cast('nql' as char)) as unsigned)))) 
            and ((NOT NOT(cast((cast(ref_15.c_i3ml as signed) <=> cast(ref_15.c_wd3x as double)) as unsigned)))))) then ref_10.c_gs6c2wzbdg else (select c_tb3u from t__9r63 order by c_tb3u limit 1 offset 4)
         end
       as c2, 
    ref_10.c_ib1xsf3c8d as c3, 
    ref_10.c_kzre as c4, 
    cast((cast(ref_10.c_bywfl as decimal) % cast(1=1 as unsigned)) as decimal) as c5, 
    ref_10.c_l1t as c6, 
    cast(nullif(
      ref_10.c_d3wokzls77, 
      ref_10.c_fzqupuma
      ) as signed) as c7, 
    (select c_wsr from t__9r63 order by c_wsr limit 1 offset 4)
       as c8, 
    locate(
      cast((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 15)
         as char), 
      cast(ref_10.c_gs6c2wzbdg as char), 
      cast(case when (NOT NOT(cast((cast(ref_10.c_bywfl as unsigned) > cast((ref_10.c_kzre not like '%78ij_zdi') as unsigned)) as unsigned))) then -5848773938183963038 else round(
          cast(4682555756345700129 as signed), 
          cast(ref_10.c_d3wokzls77 as signed)) end
         as signed)) as c9
  from 
    t_dci as ref_10
  where ((ref_10.c_d3wokzls77 in (
      select  
          ref_14.c_m2y as c0
        from 
          ((t_rc as ref_11
              inner join (t_rc as ref_12
                right outer join t__9r63 as ref_13
                on ((NOT NOT(cast((ref_13.c_tb3u < ref_13.c_tb3u) as unsigned)))))
              on (ref_11.c_b48gd04utl = ref_12.c_b48gd04utl ))
            left outer join t_rc as ref_14
            on (((NOT NOT(cast((cast(((NOT NOT(cast((cast(ref_14.c_yu as unsigned) > cast(ref_13.c_hd2v4v0 as double)) as unsigned)))) 
                      and ((((NOT NOT(cast((cast(4713478292361382451 as signed) && cast(ref_13.c_wsr as signed)) as unsigned)))) 
                          and (0<>0)) 
                        or ((NOT NOT(cast((cast(ref_13.c_tb3u as char) > cast(ref_13.c_tb3u as char)) as unsigned))))) as unsigned) <> cast(ref_12.c_yu as signed)) as unsigned)))) 
                or ((NOT NOT(cast((cast(ref_11.c_b48gd04utl as char) < cast(ref_13.c_tb3u as char)) as unsigned))))))
        where (NOT NOT(cast((cast(ref_13.c_tb3u as char) = cast(ref_13.c_tb3u as char)) as unsigned)))))) 
    and ((((NOT NOT(cast((cast(ref_10.c_dph7 as decimal) <> cast(ref_10.c_w9qyk_fpj as double)) as unsigned)))) 
        or ((((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 5)
               like '%')) 
          and ((NOT NOT(cast((cast(65536 as signed) XOR cast(ref_10.c_w9qyk_fpj as double)) as unsigned)))))) 
      and ((cast((cast(ref_10.c_ib1xsf3c8d as signed) DIV cast(cast((cast(ref_10.c_ib1xsf3c8d as unsigned) ^ cast(-740470748171434511 as signed)) as signed) as signed)) as char) not like '%bl')))), 
cte_3 AS (select  
    subq_2.c2 as c0, 
    cast((cast(subq_2.c10 as signed) <> cast(subq_2.c8 as signed)) as unsigned) as c1, 
    subq_2.c9 as c2, 
    subq_2.c1 as c3
  from 
    (select  
          var_pop(
          cast(0<>0 as unsigned)) as c0, 
          count(
          cast((NOT NOT(cast((cast(ref_16.c_l1t as signed) || cast((select c_l1t from t_dci order by c_l1t limit 1 offset 4)
                 as signed)) as unsigned))) as unsigned)) as c1, 
          ref_16.c_l1t as c2, 
          count(
          cast((select count(c_ovz0) from t_jg8o)
             as char)) as c3, 
          count(
          cast(ref_16.c_kzre as char)) as c4, 
          count(
          cast(ref_16.c_kzre as char)) as c5, 
          count(
          cast(ref_16.c_ib1xsf3c8d as decimal)) as c6, 
          count(
          cast((select c_r58lkh from t__9r63 order by c_r58lkh limit 1 offset 1)
             as double)) as c7, 
          count(
          cast(ref_16.c_w9qyk_fpj as double)) as c8, 
          stddev_samp(
          cast((NOT NOT(cast((cast(127 as signed) && cast(ref_16.c_ib1xsf3c8d as signed)) as unsigned))) as unsigned)) as c9, 
          count(
          cast(ref_16.c_ib1xsf3c8d as unsigned)) as c10, 
          count(
          cast(ref_16.c_gs6c2wzbdg as char)) as c11
        from 
          t_dci as ref_16
        where (ref_16.c_dph7 <= ( 
          select  
              ref_17.c_otj13 as c0
            from 
              t_jg8o as ref_17
            where (NOT NOT(cast((cast(ref_17.c_s as signed) != cast(ref_17.c__qy as double)) as unsigned)))
            limit 1))
        group by ref_16.c_l1t) as subq_2
  where (inet_ntoa(
      cast(subq_2.c1 as signed)) not like 'wtkzz_bzg')), 
cte_4 AS (select  
    ref_19.c_w9qyk_fpj as c0, 
    ref_19.c_kzre as c1, 
    ref_18.c_m2y as c2, 
    ref_18.c_yu as c3, 
    ref_19.c_fzqupuma as c4, 
    ref_18.c_m2y as c5, 
    ref_19.c_ib1xsf3c8d as c6
  from 
    (t_rc as ref_18
      right outer join t_dci as ref_19
      on (((ref_19.c_gs6c2wzbdg like 'w___kbw')) 
          or ((NOT NOT(cast((cast(ref_19.c_bywfl as signed) && cast(ref_19.c_ib1xsf3c8d as signed)) as unsigned))))))
  where (case when 1=1 then ref_19.c_gs6c2wzbdg else ref_19.c_kzre end
       like 't_g')
  order by c0, c1, c2, c3, c4, c5, c6 asc), 
cte_5 AS (select  
    subq_3.c9 as c0
  from 
    ((select  
            ref_20.c_kzre as c0, 
            ref_20.c_l1t as c1, 
            cast(cast(null as signed) as signed) as c2, 
            ref_20.c_w9qyk_fpj as c3, 
            ref_20.c_dph7 as c4, 
            -453645943 as c5, 
            ref_20.c_dph7 as c6, 
            ref_20.c_kzre as c7, 
            ref_20.c_kzre as c8, 
            ref_20.c_gs6c2wzbdg as c9, 
            ref_20.c_kzre as c10
          from 
            t_dci as ref_20
          where (NOT NOT(cast((cast((select sum(c_yu) from t_rc)
                 as double) && cast(ref_20.c_dph7 as signed)) as unsigned)))) as subq_3
      cross join (select  
            ref_21.c_otj13 as c0, 
            937315269 as c1, 
            -355306303 as c2
          from 
            t_jg8o as ref_21
          where (NOT NOT(cast((cast(ref_21.c_cz as char) <= cast((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 6)
                 as char)) as unsigned)))
          limit 78) as subq_4
      )
  where (subq_3.c10 like 'm_b_48h'))
select  
    subq_5.c1 as c0, 
    subq_5.c0 as c1, 
    (select c_yu from t_rc order by c_yu limit 1 offset 6)
       as c2, 
    subq_5.c0 as c3, 
    case when (NOT NOT(cast((cast(subq_5.c0 as signed) > cast(cast((subq_5.c1 DIV subq_5.c0) as decimal) as decimal)) as unsigned))) then subq_5.c1 else (subq_5.c1 is not NULL) end
       as c4, 
    case when (NOT NOT(cast((cast((select c_ovz0 from t_jg8o order by c_ovz0 limit 1 offset 3)
             as double) <=> cast(((NOT NOT(cast((cast(cast(null as double) as double) XOR cast(5.9 as double)) as unsigned)))) 
            or ((((NOT NOT(cast((cast(-834732799192564823 as signed) <> cast(subq_5.c1 as decimal)) as unsigned)))) 
                and ((NOT NOT(cast((cast(41 as signed) >= cast(33.16 as double)) as unsigned))))) 
              or ((subq_5.c2 like 'j_wsa'))) as unsigned)) as unsigned))) then cast((cast(case when (subq_5.c1 in (
            select distinct 
                (NOT NOT(cast((cast(ref_23.c_hd2v4v0 as double) < cast(ref_23.c_r58lkh as double)) as unsigned))) as c0
              from 
                t__9r63 as ref_23
              where (NOT NOT(cast((cast(ref_23.c_o8tsf as double) <=> cast(-8933200491588434896 as signed)) as unsigned))))) then cast(subq_5.c3 as signed) else cast(subq_5.c0 as signed) end
           as signed) || cast(subq_5.c3 as signed)) as unsigned) else (subq_5.c2 < ( 
        select  
              subq_5.c2 as c0
            from 
              (cte_5 as ref_24
                cross join t_glzh3lb0ro as ref_25
                )
            where 1=1
          union all
          (
          select  
              subq_5.c2 as c0
            from 
              cte_3 as ref_26
            where ((subq_5.c2 is not NULL)) 
              or ((subq_5.c3 is NULL))
          )
           limit 1)) end
       as c5, 
    cast((case when (EXISTS (
          select  
              subq_5.c0 as c0, 
              subq_5.c3 as c1, 
              ref_27.c0 as c2, 
              ref_27.c6 as c3, 
              cast((select stddev_samp(c_l1t) from t_dci)
                 as signed) as c4, 
              ref_27.c0 as c5, 
              ref_27.c3 as c6, 
              subq_5.c3 as c7, 
              cast((select avg(c_l1t) from t_dci)
                 as signed) as c8
            from 
              cte_4 as ref_27
            where (NOT NOT(cast((cast(subq_5.c2 as char) <=> cast(ref_27.c1 as char)) as unsigned))))) then cast(null as double) else -4294967295.0 end
         > subq_5.c1) as unsigned) as c6, 
    (select c1 from cte_3 order by c1 limit 1 offset 3)
       as c7, 
    subq_5.c2 as c8, 
    cast((select count(c_b48gd04utl) from t_rc)
       as char) as c9, 
    subq_5.c2 as c10, 
    subq_5.c3 as c11, 
    subq_5.c3 as c12, 
    (select c_hd2v4v0 from t__9r63 order by c_hd2v4v0 limit 1 offset 4)
       as c13, 
    subq_5.c0 as c14, 
    subq_5.c0 as c15, 
    cast((select sum(c_yu) from t_rc)
       as signed) as c16, 
    subq_5.c0 as c17, 
    subq_5.c2 as c18, 
    subq_5.c3 as c19, 
    subq_5.c1 as c20, 
    subq_5.c3 as c21, 
    subq_5.c2 as c22, 
    subq_5.c3 as c23, 
    subq_5.c3 as c24, 
    subq_5.c1 as c25, 
    cast(nullif(
      rpad(
        cast(subq_5.c2 as char), 
        75, 
        cast(subq_5.c2 as char)), 
      subq_5.c2
      ) as char) as c26, 
    subq_5.c0 as c27, 
    subq_5.c0 as c28, 
    cast(cast(null as signed) as signed) as c29, 
    (select c_yu from t_rc order by c_yu limit 1 offset 6)
       as c30, 
    subq_5.c3 as c31, 
    subq_5.c3 as c32, 
    case when (NOT NOT(cast((subq_5.c0 < cast((-2147483647.2 / -123630112) as double)) as unsigned))) then subq_5.c1 else (subq_5.c3 between subq_5.c3 and subq_5.c3) end
       as c33, 
    case when (1742643624 not in (
        select  
              ref_28.c_x2erxo10w as c0
            from 
              t__9r63 as ref_28
            where ((NOT NOT(cast((cast((NOT NOT(cast((cast(cast(null as char) as char) >= cast(ref_28.c_tb3u as char)) as unsigned))) as unsigned) > cast(ref_28.c_x2erxo10w as signed)) as unsigned)))) 
              or ((ref_28.c_wsr not in (
                1=1, (NOT NOT(cast((cast(ref_28.c_wsr as signed) < cast(29 as signed)) as unsigned))), (ref_28.c_r58lkh not in (
                  ref_28.c_r58lkh, ref_28.c_r58lkh, ref_28.c_o8tsf, ref_28.c_r58lkh, ref_28.c_hd2v4v0)))))
          union
          (
          select  
              ref_29.c4 as c0
            from 
              cte_4 as ref_29
            where (NOT NOT(cast((cast(ref_29.c0 as double) = cast(ref_29.c6 as signed)) as unsigned)))
          ))) then subq_5.c0 else (NOT NOT(cast((cast(subq_5.c1 as signed) < cast(round(
            cast((select c_m2y from t_rc order by c_m2y limit 1 offset 2)
               as signed)) as signed)) as unsigned))) end
       as c34, 
    subq_5.c2 as c35, 
    subq_5.c0 as c36, 
    subq_5.c2 as c37, 
    subq_5.c1 as c38, 
    cast((cast(32769.0 as double) > cast(28405 as signed)) as unsigned) as c39, 
    subq_5.c3 as c40, 
    acos(
      cast(cast((cast((select c_ovz0 from t_jg8o order by c_ovz0 limit 1 offset 4)
           as double) | cast(subq_5.c3 as signed)) as signed) as signed)) as c41, 
    subq_5.c0 as c42, 
    subq_5.c3 as c43, 
    cast((cast(subq_5.c1 as decimal) <= cast(truncate(
        cast(subq_5.c3 as signed), 
        cast(subq_5.c3 as signed)) as signed)) as unsigned) as c44, 
    subq_5.c3 as c45, 
    right(
      cast((select c_kzre from t_dci order by c_kzre limit 1 offset 5)
         as char), 
      cast((508067673 < ( 
        select  
            subq_5.c3 as c0
          from 
            t__9r63 as ref_30
          where (NOT NOT(cast((cast(ref_30.c_hd2v4v0 as double) >= cast(0<>0 as unsigned)) as unsigned)))
          limit 1)) as unsigned)) as c46, 
    subq_5.c3 as c47, 
    cast(nullif(
      subq_5.c0, 
      (subq_5.c2 not in (
        select  
              ref_31.c0 as c0
            from 
              cte_0 as ref_31
            where 0<>0
          union
          (
          select  
              ref_32.c_m0qqv_cl4x as c0
            from 
              t_jg8o as ref_32
            where 0<>0
          )))
      ) as unsigned) as c48, 
    subq_5.c3 as c49, 
    subq_5.c3 as c50, 
    subq_5.c3 as c51, 
    subq_5.c1 as c52, 
    degrees(
      cast(2681972376301496118 as signed)) as c53, 
    case when 0<>0 then cast((cast(subq_5.c1 as signed) - cast(cast((cast((select var_pop(c_ovz0) from t_jg8o)
             as double) % cast(-2552831182259509367 as signed)) as double) as double)) as double) else cast((case when (NOT NOT(cast(((subq_5.c1 not in (
                select  
                    (NOT NOT(cast((cast(32769.4 as double) < cast(cast(null as double) as double)) as unsigned))) as c0
                  from 
                    cte_1 as ref_33
                  where (NOT NOT(cast((cast(69.66 as double) > cast(ref_33.c7 as signed)) as unsigned)))
                  order by c0 desc)) || subq_5.c0) as unsigned))) then cast(cast(null as double) as double) else round(
            cast(9223372036854775807.7 as double)) end
           + subq_5.c1) as double) end
       as c54, 
    cast((cast((NOT NOT(cast((cast(subq_5.c2 as char) <=> cast(cast(null as char) as char)) as unsigned))) as unsigned) | cast(
        last_value(
          cast(subq_5.c3 as decimal)) over (partition by subq_5.c1, subq_5.c0 order by subq_5.c3, subq_5.c0) as decimal)) as signed) as c55, 
    subq_5.c3 as c56, 
    subq_5.c0 as c57, 
    subq_5.c1 as c58, 
    cast((cast((subq_5.c3 between subq_5.c3 and subq_5.c3) as unsigned) <= cast(subq_5.c1 as signed)) as unsigned) as c59, 
    cast(coalesce(
      cast((cast((0<>0) 
          and ((EXISTS (
            select  
                ref_34.c_s as c0, 
                ref_34.c_mgjb as c1, 
                ref_34.c_m0qqv_cl4x as c2, 
                ref_34.c_cz as c3, 
                ref_34.c_a90ol as c4, 
                ref_34.c_s as c5
              from 
                t_jg8o as ref_34
              where (NOT NOT(cast((cast(ref_34.c_z as signed) > cast((select c_wsr from t__9r63 order by c_wsr limit 1 offset 3)
                     as unsigned)) as unsigned)))
              limit 127))) as unsigned) | cast(truncate(
          cast(subq_5.c0 as decimal), 
          cast(subq_5.c3 as signed)) as decimal)) as signed), 
      cast(coalesce(
        5554697334594895989, 
        cast((cast(31.30 as double) << cast(subq_5.c1 as signed)) as signed)
        ) as signed)
      ) as signed) as c60, 
    cast((cast((select c_wsr from t__9r63 order by c_wsr limit 1 offset 2)
         as signed) & cast(subq_5.c1 as unsigned)) as signed) as c61, 
    subq_5.c0 as c62, 
    subq_5.c2 as c63, 
    radians(
      cast(257.0 as double)) as c64, 
    subq_5.c2 as c65, 
    subq_5.c1 as c66, 
    cast(((subq_5.c2 not like 'n_8wi17_aw') >> (cast((cast(cast(coalesce(
            126.0, 
            cast((select c_wd3x from t_glzh3lb0ro order by c_wd3x limit 1 offset 2)
               as double)
            ) as double) as double) <=> cast((NOT NOT(cast((cast((select c_r58lkh from t__9r63 order by c_r58lkh limit 1 offset 2)
                 as double) XOR cast(cast(null as signed) as signed)) as unsigned))) as unsigned)) as unsigned) > ( 
        select  
              (ref_35.c_a90ol not like 'j8_o') as c0
            from 
              t_jg8o as ref_35
            where (EXISTS (
              select  
                  ref_36.c0 as c0, 
                  ref_35.c_cz as c1, 
                  ref_36.c0 as c2, 
                  ref_36.c3 as c3, 
                  ref_35.c_ovz0 as c4, 
                  (select c_tazb9 from t_jg8o order by c_tazb9 limit 1 offset 3)
                     as c5, 
                  ref_36.c1 as c6, 
                  ref_36.c3 as c7
                from 
                  cte_3 as ref_36
                where (EXISTS (
                  select  
                      322327666 as c0, 
                      cast(null as signed) as c1, 
                      ref_37.c2 as c2, 
                      ref_37.c4 as c3, 
                      ref_36.c0 as c4, 
                      ref_37.c3 as c5, 
                      ref_36.c2 as c6, 
                      ref_37.c4 as c7, 
                      ref_37.c4 as c8
                    from 
                      cte_1 as ref_37
                    where (NOT NOT(cast((cast((select c_otj13 from t_jg8o order by c_otj13 limit 1 offset 2)
                           as signed) = cast(ref_35.c_s as signed)) as unsigned)))))))
          union
          (
          select  
              (subq_5.c2 not like 'e1b70pe0_n') as c0
            from 
              cte_5 as ref_38
            where (NOT NOT(cast((cast(subq_5.c3 as decimal) || cast((select count(c_wsr) from t__9r63)
                   as signed)) as unsigned)))
          )
           limit 1))) as signed) as c67, 
    cast((cast(subq_5.c3 as decimal) / cast(truncate(
        cast(subq_5.c3 as signed), 
        cast(subq_5.c3 as signed)) as signed)) as decimal) as c68, 
    subq_5.c1 as c69, 
    subq_5.c3 as c70, 
    hex(
      cast(subq_5.c2 as char)) as c71, 
    quote(
      cast(subq_5.c2 as char)) as c72, 
    subq_5.c0 as c73, 
    subq_5.c3 as c74, 
    subq_5.c3 as c75, 
    subq_5.c2 as c76, 
    subq_5.c3 as c77, 
    subq_5.c3 as c78, 
    sqrt(
      cast(subq_5.c3 as signed)) as c79, 
    subq_5.c1 as c80, 
    subq_5.c2 as c81, 
    subq_5.c3 as c82, 
    subq_5.c1 as c83, 
    cast((subq_5.c2 != subq_5.c2) as unsigned) as c84, 
    subq_5.c1 as c85
  from 
    (select  
          ref_22.c_bywfl as c0, 
          ref_22.c_bywfl as c1, 
          ref_22.c_kzre as c2, 
          ref_22.c_d3wokzls77 as c3
        from 
          t_dci as ref_22
        where (NOT NOT(cast((cast((select count(c_tb3u) from t__9r63)
               as char) || cast(21273 as signed)) as unsigned)))) as subq_5
  where ((subq_5.c3 between subq_5.c3 and subq_5.c3)) 
    or (('slfyrqos' not like 'm_qpy'))
  limit 110;

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: invalid memory address or nil pointer dereference
github.com/pingcap/errors.AddStack
	/root/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20240318064555-6bd07397691f/errors.go:178
github.com/pingcap/errors.Trace
	/root/go/pkg/mod/github.com/pingcap/errors@v0.11.5-0.20240318064555-6bd07397691f/juju_adaptor.go:15
github.com/pingcap/tidb/pkg/util.GetRecoverError
	/workspace/source/tidb/pkg/util/util.go:288
github.com/pingcap/tidb/pkg/executor/internal/exec.Next.func1
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:435
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/util/memory.(*Tracker).AttachTo
	/workspace/source/tidb/pkg/util/memory/tracker.go:330
github.com/pingcap/tidb/pkg/executor.setupCTEStorageTracker
	/workspace/source/tidb/pkg/executor/cte.go:577
github.com/pingcap/tidb/pkg/executor.(*cteProducer).produce
	/workspace/source/tidb/pkg/executor/cte.go:346
github.com/pingcap/tidb/pkg/executor.(*CTEExec).Next
	/workspace/source/tidb/pkg/executor/cte.go:114
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor/join.(*buildWorkerBase).fetchBuildSideRows
	/workspace/source/tidb/pkg/executor/join/hash_join_base.go:253
github.com/pingcap/tidb/pkg/executor/join.(*HashJoinV1Exec).fetchAndBuildHashTable.func2
	/workspace/source/tidb/pkg/executor/join/hash_join_v1.go:1037
github.com/pingcap/tidb/pkg/util.(*WaitGroupWrapper).RunWithRecover.func1
	/workspace/source/tidb/pkg/util/wait_group_wrapper.go:189
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1650

4. What is your TiDB version? (Required)

Release Version: v8.4.0-alpha-66-g1167e0c
Edition: Community
Git Commit Hash: 1167e0c06fc8e2dd066bd974315284bc0e884acc
Git Branch: HEAD
UTC Build Time: 2024-09-03 01:15:19
GoVersion: go1.21.13
Race Enabled: false
Check Table Before Drop: false
Store: tikv

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

@windtalker
Copy link
Contributor

The root cause is

  1. In TiDB, If multiple CTEExec need to read from a same CTE table, TiDB will create a cteProducer, and all CTEExec will share the same cteProducer
  2. CTEExec use
e.producer.resTbl.Lock()
defer e.producer.resTbl.Unlock()

to avoid multi-thread issues. And for the first CTEExec that tries to read cteProducer, it will trigger the calculation of cteProducer, and save cte results in cteProducer for other CTEExec to read.

tidb/pkg/executor/cte.go

Lines 110 to 117 in 4371a1d

func (e *CTEExec) Next(ctx context.Context, req *chunk.Chunk) (err error) {
e.producer.resTbl.Lock()
defer e.producer.resTbl.Unlock()
if !e.producer.resTbl.Done() {
if err = e.producer.produce(ctx); err != nil {
return err
}
}

3. The following is part of the query plan

|               │   │ └─Apply_678(Probe)                             | 8.00    | root      |                                              | CARTESIAN left outer join
|               │   │   ├─HashJoin_679(Build)                        | 8.00    | root      |                                              | CARTESIAN left outer semi join, other cond:eq(issuedb.t_dci.c_bywfl, Column#346)
|               │   │   │ ├─HashAgg_685(Build)                       | 5.12    | root      |                                              | group by:Column#672, funcs:firstrow(Column#672)->Column#346
|               │   │   │ │ └─Projection_780                         | 6.40    | root      |                                              | not(not(cast(lt(cast(issuedb.t__9r63.c_hd2v4v0, double BINARY), cast(issuedb.t__9r63.c_r58lkh, double BINARY)), bigint(22) UNSIGNED BINARY)))->Column|               │   │   │ │   └─TableReader_688                      | 6.40    | root      |                                              | data:Selection_687
|               │   │   │ │     └─Selection_687                      | 6.40    | cop[tikv] |                                              | istrue_with_null(cast(nulleq(cast(issuedb.t__9r63.c_o8tsf, double BINARY), -8.933200491588435e+18), bigint(22) UNSIGNED BINARY))
|               │   │   │ │       └─TableFullScan_686                | 8.00    | cop[tikv] | table:ref_23                                 | keep order:false, stats:pseudo
|               │   │   │ └─TableReader_681(Probe)                   | 8.00    | root      |                                              | data:TableFullScan_680
|               │   │   │   └─TableFullScan_680                      | 8.00    | cop[tikv] | table:ref_22                                 | keep order:false
|               │   │   └─Limit_691(Probe)                           | 8.00    | root      |                                              | offset:0, count:1
|               │   │     └─Union_692                                | 8.00    | root      |                                              |
|               │   │       ├─Projection_693                         | 8.00    | root      |                                              | issuedb.t_dci.c_kzre->Column#363
|               │   │       │ └─Limit_696                            | 8.00    | root      |                                              | offset:0, count:1
|               │   │       │   └─HashJoin_697                       | 8.00    | root      |                                              | CARTESIAN inner join
|               │   │       │     ├─IndexReader_708(Build)           | 704.00  | root      |                                              | index:IndexFullScan_707
|               │   │       │     │ └─IndexFullScan_707              | 704.00  | cop[tikv] | table:ref_25, index:c_kffac5e63(c_kffac5e63) | keep order:false, stats:pseudo
|               │   │       │     └─CTEFullScan_699(Probe)           | 499.20  | root      | CTE:cte_5 AS ref_24                          | data:CTE_2
|               │   │       └─Projection_719                         | 8.00    | root      |                                              | issuedb.t_dci.c_kzre->Column#363
|               │   │         └─Limit_722                            | 8.00    | root      |                                              | offset:0, count:1
|               │   │           └─Selection_724                      | 8.00    | root      |                                              | or(not(isnull(issuedb.t_dci.c_kzre)), 0)
|               │   │             └─CTEFullScan_726                  | 25.60   | root      | CTE:cte_3 AS ref_26                          | data:CTE_1

Note that CTEFullScan_699 is the apply side of Apply_678, and CTEFullScan_699 is under Limit_691 and Union_692.
4. Consider that case that

  • time 1: Apply_678 open Limit_691, then CTEFullScan_699 will be opened, but since there is Union_692 executor, it is possible that Limit_691 read enough data from Projection_693 that the Next() of CTEFullScan_699 is not even called.
  • time 2: Apply_678 will close Limit_691, which will close CTEFullScan_699, so cteproducer is closed

    tidb/pkg/executor/cte.go

    Lines 136 to 150 in 4371a1d

    if !e.producer.closed {
    failpoint.Inject("mock_cte_exec_panic_avoid_deadlock", func(v failpoint.Value) {
    ok := v.(bool)
    if ok {
    // mock an oom panic, returning ErrMemoryExceedForQuery for error identification in recovery work.
    panic(exeerrors.ErrMemoryExceedForQuery)
    }
    })
    // closeProducer() only close seedExec and recursiveExec, will not touch resTbl.
    // It means you can still read resTbl after call closeProducer().
    // You can even call all three functions(openProducer/produce/closeProducer) in CTEExec.Next().
    // Separating these three function calls is only to follow the abstraction of the volcano model.
    err := e.producer.closeProducer()
    firstErr = setFirstErr(firstErr, err, "close cte producer error")
    }
  • time 3: Apply_678 open Limit_691 again, and read data from Limit_691, this time, Projection_693 can not provide enough data, so Next() of CTEFullScan_699 will be called.
  • time 4: CTEFullScan_699 will try to trigger the calculation of cteProducer, because e.producer.resTbl.Done() is false. Then e.producer.produce(ctx) will be called on a closed cteProducer, and trigger the invalid memory address error

@ti-chi-bot ti-chi-bot bot added the affects-8.5 This bug affects the 8.5.x(LTS) versions. label Nov 1, 2024
@windtalker windtalker added affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. affects-6.1 This bug affects the 6.1.x(LTS) versions. and removed may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 labels Nov 12, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in 738adb9 Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. affects-8.5 This bug affects the 8.5.x(LTS) versions. impact/panic severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants