search

pingcap / tidb

TiDB is an open-source, cloud-native, distributed, MySQL-Compatible database for elastic scale and real-time analytics. Try AI-powered Chat2Query free at : https://www.pingcap.com/tidb-serverless/
https://pingcap.com
Apache License 2.0
36.89k stars 5.81k forks source link

runtime error: index out of range [-1] in `core.(*LogicalProjection).TryToGetChildProp` #53732

Closed r33s3n6 closed 1 month ago

r33s3n6 commented 3 months ago

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

create table t_ot8lohr ( 
c_tausij int ,
c_q7_e5485m tinyint ,
c_gk06ao9l text ,
c_hymp tinyint ,
c_dbby9f_xj int unique ,
c_b1wzx9ayt3 int ,
primary key(c_b1wzx9ayt3, c_dbby9f_xj) CLUSTERED) pre_split_regions=5;

alter table t_ot8lohr add column c_fw text;

alter table t_ot8lohr add column c_s1_2 tinyint;

create table t_ldpj7bp ( 
c_w_jr14qm2 int ,
c_t3nd927 int ,
c_ts int ,
c_s text ,
c_qchmg double ,
c_r int ,
c_olb3fsg6 text ,
c_zkbe tinyint ,
primary key(c_w_jr14qm2) NONCLUSTERED) shard_row_id_bits=8 pre_split_regions=5;

create table t_d3zi ( 
c_kh2bh int unique ,
c_fug9i5u6s text not null ,
c_ar5p4u double unique ,
primary key(c_kh2bh) CLUSTERED) pre_split_regions=2;

WITH
cte_6 AS (
SELECT
  cast(nullif(
      ref_12.c_fw, 
      ref_12.c_gk06ao9l
      ) as char) as c0,
  ref_12.c_gk06ao9l as c1,
  cast(nullif(
      ref_12.c_s1_2, 
      (ref_12.c_gk06ao9l like 'zbq_0gfhg')
      ) as unsigned) as c2,
  ref_12.c_tausij as c3,
  ref_12.c_q7_e5485m as c4,
  ref_12.c_dbby9f_xj as c5,
  ref_12.c_fw as c6,
  case when (ref_12.c_fw like 'm0%0v_yy5') then 1627816122 else ref_12.c_b1wzx9ayt3 end
       as c7,
  ref_12.c_hymp as c8,
  (select c_kh2bh from t_d3zi order by c_kh2bh limit 1 offset 4)
       as c9,
  case when (ref_12.c_tausij between ref_12.c_dbby9f_xj and ref_12.c_b1wzx9ayt3) then ref_12.c_hymp else (ref_12.c_q7_e5485m in (
        select  
              0<>0 as c0
            from 
              t_d3zi as ref_13
            where 0<>0
          union
          (
          select  
              0<>0 as c0
            from 
              t_ot8lohr as ref_14
            where 1=1
          ))) end
       as c10,
  case when (((NOT NOT(cast( (cast(cast(null as char) as char) <> cast(cast(null as char) as char)) as unsigned)))) 
          or (((NOT NOT(cast( (cast(null as signed) = 0<>0) as unsigned)))) 
            and (1=1))) 
        or (1=1) then ref_12.c_b1wzx9ayt3 else case when (ref_12.c_tausij not in (
          select  
                510416017 as c0
              from 
                t_d3zi as ref_15
              where 0<>0
            union
            (
            select distinct 
                -1672700381 as c0
              from 
                t_d3zi as ref_16
              where 0<>0
            ))) then ref_12.c_tausij else ref_12.c_b1wzx9ayt3 end
         end
       as c11
FROM
  t_ot8lohr as ref_12
WHERE
  0<>0
ORDER BY
  c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11 ASC
LIMIT 106
),
cte_11 AS (
SELECT
  ref_32.c_fw as c10
FROM
  t_ot8lohr as ref_32
WHERE
  ((NOT NOT(cast( (cast(ref_32.c_s1_2 as signed) <> cast(8543206161972668374 as signed)) as unsigned)))) 
    or (((ref_32.c_dbby9f_xj in (
        select  
              -1355902245 as c0
            from 
              t_ldpj7bp as ref_33
            where (1=1) 
              or (0<>0)
          union
          (
          select  
              1726075521 as c0
            from 
              t_ldpj7bp as ref_34
            where (1=1) 
              and (1=1)
          )))) 
      and ((cast( (cast(0<>0 as unsigned) ^ cast(2959261798443851486 as signed)) as signed) >= ( 
        select  
            -4601281837643267233 as c0
          from 
            t_ldpj7bp as ref_35
          where (ref_32.c_fw like '%r_nn2zs')
          order by c0 desc
          limit 1))))
)
SELECT
  cume_dist() over win_vus2fher4 as c0
FROM
  cte_6 as ref_69
WHERE
  1=1
  window win_vus2fher4 as ( partition by ref_69.c5, (select c10 from cte_11 order by c10 limit 1 offset 5)
       order by ref_69.c0, ref_69.c1, ref_69.c2, ref_69.c3, ref_69.c4, ref_69.c5, ref_69.c6, ref_69.c7, ref_69.c8, ref_69.c9, ref_69.c10, ref_69.c11 asc)
ORDER BY
  c0 DESC
LIMIT 91;

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

"runtime error: index out of range [-1]"] [stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
    /workspace/source/tidb/pkg/server/conn.go:1015
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1
    /workspace/source/tidb/pkg/executor/compiler.go:56
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
    /usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).TryToGetChildProp
    /workspace/source/tidb/pkg/planner/core/exhaust_physical_plans.go:2558
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).exhaustPhysicalPlans
    /workspace/source/tidb/pkg/planner/core/exhaust_physical_plans.go:2603
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).findBestTask
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:580
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).iteratePhysicalPlan
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:308
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).enumeratePhysicalPlans4Task
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:234
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).findBestTask
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:620
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).iteratePhysicalPlan
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:308
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).enumeratePhysicalPlans4Task
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:234
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).findBestTask
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:620
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).iteratePhysicalPlan
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:308
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).enumeratePhysicalPlans4Task
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:234
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).findBestTask
    /workspace/source/tidb/pkg/planner/core/find_best_task.go:620
github.com/pingcap/tidb/pkg/planner/core.physicalOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:1214
github.com/pingcap/tidb/pkg/planner/core.doOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:298
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:348
github.com/pingcap/tidb/pkg/planner.optimize
    /workspace/source/tidb/pkg/planner/optimize.go:502
github.com/pingcap/tidb/pkg/planner.Optimize
    /workspace/source/tidb/pkg/planner/optimize.go:333
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
    /workspace/source/tidb/pkg/executor/compiler.go:104
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
    /workspace/source/tidb/pkg/session/session.go:2086
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
    /workspace/source/tidb/pkg/server/driver_tidb.go:294
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
    /workspace/source/tidb/pkg/server/conn.go:2016
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
    /workspace/source/tidb/pkg/server/conn.go:1769
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
    /workspace/source/tidb/pkg/server/conn.go:1343
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
    /workspace/source/tidb/pkg/server/conn.go:1113
github.com/pingcap/tidb/pkg/server.(*Server).onConn
    /workspace/source/tidb/pkg/server/server.go:739"]

4. What is your TiDB version? (Required)

Release Version: v8.1.0
Edition: Community
Git Commit Hash: 945d07c5d5c7a1ae212f6013adfb187f2de24b23
Git Branch: HEAD
UTC Build Time: 2024-05-21 03:51:57
GoVersion: go1.21.10
Race Enabled: false
Check Table Before Drop: false
Store: tikv

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

fixdb commented 1 month ago

Can't reproduce this issue in 8.1 and later version master branch.