runtime error: invalid memory address or nil pointer dereference in `expression.wrapWithIsTrue` when connecting with ODBC

[ycybfhb]

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

When executing the following statements while connecting via ODBC and isql, the error arises; however, this error does not occur when using MySQL Shell to connect.

create table t_v9j7pczzae (
c_ujz7bl int not null ,
c_vn6le_d1 tinyint ,
primary key(c_ujz7bl) CLUSTERED) pre_split_regions=2;

alter table t_v9j7pczzae add column c_scumyadrv text;

alter table t_v9j7pczzae add column c_kcx0j text;

create table t_e1zf (
c_u int ,
c_mp0_ int unique ,
c_nzzo tinyint ,
c_gzqjr text ,
c_i7 int ,
c_kha8o3k tinyint ,
primary key(c_i7) CLUSTERED) pre_split_regions=6;

create table t_yygypcbial (
c_wr int unique ,
c_j9v0 tinyint ,
c_z4a75bg286 double unique ,
c_ilu int unique ,
c_rqt2sz_vlw int ,
c_y54r text ,
primary key(c_ilu) CLUSTERED) pre_split_regions=2;

SELECT
  (select c_gzqjr from t_e1zf order by c_gzqjr limit 1 offset 2)
       as c3
FROM
  ((t_yygypcbial as ref_1
        left outer join t_v9j7pczzae as ref_2
        on ((ref_1.c_wr between ref_1.c_rqt2sz_vlw and ref_1.c_rqt2sz_vlw)))
      left outer join t_e1zf as ref_3
      on ((ref_3.c_i7 between ref_3.c_u and ref_3.c_i7)))
WHERE
  (NOT NOT(cast( (cast(cast(nullif(
        unhex(
          cast(cast( (cast((select count(c_nzzo) from t_e1zf)
               as signed) % cast(ref_1.c_wr as signed)) as char) as char)),
        case when (ref_3.c_mp0_ is not NULL) then substring_index(
            cast(ref_2.c_scumyadrv as char),
            cast(ref_1.c_y54r as char),
            cast(ref_3.c_nzzo as signed)) else ref_3.c_gzqjr end

        ) as char) as char) < cast(ref_2.c_kcx0j as char)) as unsigned)));

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

[S1000][MySQL][ODBC 8.4(a) Driver][mysqld-8.0.11-TiDB-v8.2.0-alpha-580-g73472c2]runtime error: invalid memory address or nil pointer dereference
[ISQL]ERROR: Could not SQLExecute

tidb.log:

[2024/07/23 05:39:03.464 +00:00] [ERROR] [conn.go:1037] ["connection running loop panic"] [conn=2076273980] [session_alias=]
[err="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
    /workspace/source/tidb/pkg/server/conn.go:1040
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1
    /workspace/source/tidb/pkg/executor/compiler.go:57
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
runtime.panicmem
    /usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
    /usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/expression.wrapWithIsTrue
    /workspace/source/tidb/pkg/expression/expression.go:1095
github.com/pingcap/tidb/pkg/expression.(*ifFunctionClass).getFunction
    /workspace/source/tidb/pkg/expression/builtin_control.go:643
github.com/pingcap/tidb/pkg/expression.newFunctionImpl
    /workspace/source/tidb/pkg/expression/scalar_function.go:252
github.com/pingcap/tidb/pkg/expression.NewFunction
    /workspace/source/tidb/pkg/expression/scalar_function.go:301
github.com/pingcap/tidb/pkg/expression.NewFunctionInternal
    /workspace/source/tidb/pkg/expression/scalar_function.go:321
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:946
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:909
github.com/pingcap/tidb/pkg/expression.EvaluateExprWithNull
    /workspace/source/tidb/pkg/expression/expression.go:872
github.com/pingcap/tidb/pkg/planner/util.isNullRejectedSimpleExpr
    /workspace/source/tidb/pkg/planner/util/null_misc.go:108
github.com/pingcap/tidb/pkg/planner/util.IsNullRejected
    /workspace/source/tidb/pkg/planner/util/null_misc.go:90
github.com/pingcap/tidb/pkg/planner/core.(*LogicalJoin).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:78
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/logical_selection.go:294
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/logical_projection.go:457
github.com/pingcap/tidb/pkg/planner/core.(*convertOuterToInnerJoin).optimize
    /workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:56
github.com/pingcap/tidb/pkg/planner/core.logicalOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:1012
github.com/pingcap/tidb/pkg/planner/core.doOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:296
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:355
github.com/pingcap/tidb/pkg/planner.optimize
    /workspace/source/tidb/pkg/planner/optimize.go:525
github.com/pingcap/tidb/pkg/planner.Optimize
    /workspace/source/tidb/pkg/planner/optimize.go:356
github.com/pingcap/tidb/pkg/planner/core.generateNewPlan
    /workspace/source/tidb/pkg/planner/core/plan_cache.go:297
github.com/pingcap/tidb/pkg/planner/core.GetPlanFromPlanCache
    /workspace/source/tidb/pkg/planner/core/plan_cache.go:243
github.com/pingcap/tidb/pkg/planner.OptimizeExecStmt
    /workspace/source/tidb/pkg/planner/optimize.go:548
github.com/pingcap/tidb/pkg/planner.Optimize
    /workspace/source/tidb/pkg/planner/optimize.go:166
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
    /workspace/source/tidb/pkg/executor/compiler.go:99
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
    /workspace/source/tidb/pkg/session/session.go:2098
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
    /workspace/source/tidb/pkg/server/driver_tidb.go:291
github.com/pingcap/tidb/pkg/server.(*clientConn).executePreparedStmtAndWriteResult
    /workspace/source/tidb/pkg/server/conn_stmt.go:306
github.com/pingcap/tidb/pkg/server.(*clientConn).executePlanCacheStmt
    /workspace/source/tidb/pkg/server/conn_stmt.go:234
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmtExecute
    /workspace/source/tidb/pkg/server/conn_stmt.go:225
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
    /workspace/source/tidb/pkg/server/conn.go:1399
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
    /workspace/source/tidb/pkg/server/conn.go:1138
github.com/pingcap/tidb/pkg/server.(*Server).onConn
    /workspace/source/tidb/pkg/server/server.go:739"]

4. What is your TiDB version? (Required)

+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                  |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v8.2.0-alpha-580-g73472c2
Edition: Community
Git Commit Hash: 73472c2f3f9625b02013c5e4e9be563bb6ca9ca4
Git Branch: HEAD
UTC Build Time: 2024-07-13 04:50:17
GoVersion: go1.21.10
Race Enabled: false
Check Table Before Drop: false
Store: tikv|
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

[hawkingrei]

Can you give me code with ODBC?

[ycybfhb]

Hello, I installed unixodbc 2.3.9 and mysql-connector-odbc 8.4.0.

apt-get install -y unixodbc unixodbc-dev
apt-get install -y mysql-connector-odbc

And I used the MySQL ODBC 8.4 ANSI Driver to connect to the database.

/etc/odbcinst.ini

[MySQL ODBC 8.4 Unicode Driver]
DRIVER=/usr/lib/x86_64-linux-gnu/odbc/libmyodbc8w.so
UsageCount=1

[MySQL ODBC 8.4 ANSI Driver]
DRIVER=/usr/lib/x86_64-linux-gnu/odbc/libmyodbc8a.so
UsageCount=1

/etc/odbc.ini

[ODBC Data Sources]
TIMAIN = TiDB Main node

[TIMAIN]
Driver          = MySQL ODBC 8.4 ANSI Driver
Description     = TiDB Main node
Trace           = No
Server          = 10.1.2.21 
Database        = ti_main
Port            = 4000
Uid             = root

Link to the source code of mysql-connector-odbc.