Open ycybfhb opened 2 weeks ago
The root cause is
CTEExec
need to read from a same CTE table, TiDB will create a cteProducer
, and all CTEExec
will share the same cteProducer
CTEExec
use
e.producer.resTbl.Lock()
defer e.producer.resTbl.Unlock()
to avoid multi-thread issues. And for the first CTEExec
that tries to read cteProducer
, it will trigger the calculation of cteProducer
, and save cte results in cteProducer
for other CTEExec
to read.
https://github.com/pingcap/tidb/blob/4371a1d4850f8924ba922f179daa7680ef2976da/pkg/executor/cte.go#L110-L117
| │ │ └─Apply_678(Probe) | 8.00 | root | | CARTESIAN left outer join
| │ │ ├─HashJoin_679(Build) | 8.00 | root | | CARTESIAN left outer semi join, other cond:eq(issuedb.t_dci.c_bywfl, Column#346)
| │ │ │ ├─HashAgg_685(Build) | 5.12 | root | | group by:Column#672, funcs:firstrow(Column#672)->Column#346
| │ │ │ │ └─Projection_780 | 6.40 | root | | not(not(cast(lt(cast(issuedb.t__9r63.c_hd2v4v0, double BINARY), cast(issuedb.t__9r63.c_r58lkh, double BINARY)), bigint(22) UNSIGNED BINARY)))->Column| │ │ │ │ └─TableReader_688 | 6.40 | root | | data:Selection_687
| │ │ │ │ └─Selection_687 | 6.40 | cop[tikv] | | istrue_with_null(cast(nulleq(cast(issuedb.t__9r63.c_o8tsf, double BINARY), -8.933200491588435e+18), bigint(22) UNSIGNED BINARY))
| │ │ │ │ └─TableFullScan_686 | 8.00 | cop[tikv] | table:ref_23 | keep order:false, stats:pseudo
| │ │ │ └─TableReader_681(Probe) | 8.00 | root | | data:TableFullScan_680
| │ │ │ └─TableFullScan_680 | 8.00 | cop[tikv] | table:ref_22 | keep order:false
| │ │ └─Limit_691(Probe) | 8.00 | root | | offset:0, count:1
| │ │ └─Union_692 | 8.00 | root | |
| │ │ ├─Projection_693 | 8.00 | root | | issuedb.t_dci.c_kzre->Column#363
| │ │ │ └─Limit_696 | 8.00 | root | | offset:0, count:1
| │ │ │ └─HashJoin_697 | 8.00 | root | | CARTESIAN inner join
| │ │ │ ├─IndexReader_708(Build) | 704.00 | root | | index:IndexFullScan_707
| │ │ │ │ └─IndexFullScan_707 | 704.00 | cop[tikv] | table:ref_25, index:c_kffac5e63(c_kffac5e63) | keep order:false, stats:pseudo
| │ │ │ └─CTEFullScan_699(Probe) | 499.20 | root | CTE:cte_5 AS ref_24 | data:CTE_2
| │ │ └─Projection_719 | 8.00 | root | | issuedb.t_dci.c_kzre->Column#363
| │ │ └─Limit_722 | 8.00 | root | | offset:0, count:1
| │ │ └─Selection_724 | 8.00 | root | | or(not(isnull(issuedb.t_dci.c_kzre)), 0)
| │ │ └─CTEFullScan_726 | 25.60 | root | CTE:cte_3 AS ref_26 | data:CTE_1
Note that CTEFullScan_699
is the apply side of Apply_678
, and CTEFullScan_699
is under Limit_691
and Union_692
.
Apply_678
open Limit_691
, then CTEFullScan_699
will be opened, but since there is Union_692
executor, it is possible that Limit_691
read enough data from Projection_693
that the Next()
of CTEFullScan_699
is not even called.Apply_678
will close Limit_691
, which will close CTEFullScan_699
, so cteproducer
is closed
https://github.com/pingcap/tidb/blob/4371a1d4850f8924ba922f179daa7680ef2976da/pkg/executor/cte.go#L136-L150Apply_678
open Limit_691
again, and read data from Limit_691
, this time, Projection_693
can not provide enough data, so Next()
of CTEFullScan_699
will be called.CTEFullScan_699
will try to trigger the calculation of cteProducer
, because e.producer.resTbl.Done()
is false. Then e.producer.produce(ctx)
will be called on a closed cteProducer
, and trigger the invalid memory address error
Bug Report
Please answer these questions before submitting your issue. Thanks!
1. Minimal reproduce step (Required)
SQL to init database
[init.sql.txt](https://github.com/user-attachments/files/16886980/init.sql.txt)SQL that causes error
```sql /* error message: Database execute error: HY000, [MySQL][ODBC 8.4(a) Driver][mysqld-8.0.11-TiDB-v8.4.0-alpha-66-g1167e0c]runtime error: invalid memory address or nil pointer dereference */ WITH cte_0 AS (select ref_0.c_cz as c0, sum( cast(ref_2.c_dph7 as signed)) over (partition by ref_4.c_g7eofzlxn order by ref_2.c_ib1xsf3c8d) as c1, cast((ref_3.c_otj13 DIV ref_1.c_hd2v4v0) as double) as c2 from (t_jg8o as ref_0 right outer join (((t__9r63 as ref_1 right outer join t_dci as ref_2 on ((NOT NOT(cast((cast(ref_1.c_hd2v4v0 as double) >= cast(ref_2.c_l1t as signed)) as unsigned))))) inner join t_jg8o as ref_3 on ((NOT NOT(cast((cast(ref_2.c_kzre as char) <=> cast(ref_3.c_a90ol as char)) as unsigned))))) left outer join (t__9r63 as ref_4 cross join t_jg8o as ref_5 ) on ((NOT NOT(cast((cast(ref_2.c_w9qyk_fpj as double) = cast(ref_5.c__qy as double)) as unsigned))))) on ((NOT NOT(cast((cast(ref_1.c_hd2v4v0 as double) <=> cast(ref_4.c_onfeptr2q as signed)) as unsigned))))) where (cast((ref_0.c_s ^ ref_5.c_z) as char) like 'n_') limit 81), cte_1 AS (select cast((cast(subq_1.c6 as decimal) > cast(round( cast(subq_0.c3 as decimal)) as decimal)) as unsigned) as c0, subq_1.c0 as c1, subq_0.c0 as c2, ltrim( cast(subq_0.c0 as char)) as c3, subq_1.c2 as c4, subq_1.c0 as c5, bit_length( cast(subq_0.c0 as char)) as c6, subq_0.c2 as c7, subq_0.c1 as c8, subq_1.c2 as c9 from ((select ref_8.c_tb3u as c0, ref_8.c_x2erxo10w as c1, ref_7.c_c7njaqnyv7 as c2, ref_7.c_i3ml as c3, ref_7.c__n3bhft5z as c4, ref_8.c_wsr as c5 from ((t_dci as ref_6 right outer join t_glzh3lb0ro as ref_7 on (0<>0)) cross join t__9r63 as ref_8 ) where (NOT NOT(cast((cast(ref_6.c_kzre as char) > cast(ref_6.c_gs6c2wzbdg as char)) as unsigned))) order by c0, c1, c2, c3, c4, c5 asc) as subq_0 cross join (select ref_9.c_b48gd04utl as c0, ref_9.c_yu as c1, ref_9.c_b48gd04utl as c2, ref_9.c_yu as c3, ref_9.c_yu as c4, ref_9.c_b48gd04utl as c5, -1092927402 as c6, ref_9.c_yu as c7, ref_9.c_b48gd04utl as c8, ref_9.c_b48gd04utl as c9, ref_9.c_yu as c10 from t_rc as ref_9 where (NOT NOT(cast((ref_9.c_m2y = ref_9.c_m2y) as unsigned))) limit 85) as subq_1 ) where (NOT NOT(cast((cast(subq_0.c4 as signed) != cast(subq_1.c7 as signed)) as unsigned))) order by c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 desc limit 60), cte_2 AS (select distinct ref_10.c_w9qyk_fpj as c0, ref_10.c_bywfl as c1, case when (ref_10.c_dph7 not in ( select 1344916137 as c0 from t_glzh3lb0ro as ref_15 where ((NOT NOT(cast((cast(cast(null as char) as char) >= cast('nql' as char)) as unsigned)))) and ((NOT NOT(cast((cast(ref_15.c_i3ml as signed) <=> cast(ref_15.c_wd3x as double)) as unsigned)))))) then ref_10.c_gs6c2wzbdg else (select c_tb3u from t__9r63 order by c_tb3u limit 1 offset 4) end as c2, ref_10.c_ib1xsf3c8d as c3, ref_10.c_kzre as c4, cast((cast(ref_10.c_bywfl as decimal) % cast(1=1 as unsigned)) as decimal) as c5, ref_10.c_l1t as c6, cast(nullif( ref_10.c_d3wokzls77, ref_10.c_fzqupuma ) as signed) as c7, (select c_wsr from t__9r63 order by c_wsr limit 1 offset 4) as c8, locate( cast((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 15) as char), cast(ref_10.c_gs6c2wzbdg as char), cast(case when (NOT NOT(cast((cast(ref_10.c_bywfl as unsigned) > cast((ref_10.c_kzre not like '%78ij_zdi') as unsigned)) as unsigned))) then -5848773938183963038 else round( cast(4682555756345700129 as signed), cast(ref_10.c_d3wokzls77 as signed)) end as signed)) as c9 from t_dci as ref_10 where ((ref_10.c_d3wokzls77 in ( select ref_14.c_m2y as c0 from ((t_rc as ref_11 inner join (t_rc as ref_12 right outer join t__9r63 as ref_13 on ((NOT NOT(cast((ref_13.c_tb3u < ref_13.c_tb3u) as unsigned))))) on (ref_11.c_b48gd04utl = ref_12.c_b48gd04utl )) left outer join t_rc as ref_14 on (((NOT NOT(cast((cast(((NOT NOT(cast((cast(ref_14.c_yu as unsigned) > cast(ref_13.c_hd2v4v0 as double)) as unsigned)))) and ((((NOT NOT(cast((cast(4713478292361382451 as signed) && cast(ref_13.c_wsr as signed)) as unsigned)))) and (0<>0)) or ((NOT NOT(cast((cast(ref_13.c_tb3u as char) > cast(ref_13.c_tb3u as char)) as unsigned))))) as unsigned) <> cast(ref_12.c_yu as signed)) as unsigned)))) or ((NOT NOT(cast((cast(ref_11.c_b48gd04utl as char) < cast(ref_13.c_tb3u as char)) as unsigned)))))) where (NOT NOT(cast((cast(ref_13.c_tb3u as char) = cast(ref_13.c_tb3u as char)) as unsigned)))))) and ((((NOT NOT(cast((cast(ref_10.c_dph7 as decimal) <> cast(ref_10.c_w9qyk_fpj as double)) as unsigned)))) or ((((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 5) like '%')) and ((NOT NOT(cast((cast(65536 as signed) XOR cast(ref_10.c_w9qyk_fpj as double)) as unsigned)))))) and ((cast((cast(ref_10.c_ib1xsf3c8d as signed) DIV cast(cast((cast(ref_10.c_ib1xsf3c8d as unsigned) ^ cast(-740470748171434511 as signed)) as signed) as signed)) as char) not like '%bl')))), cte_3 AS (select subq_2.c2 as c0, cast((cast(subq_2.c10 as signed) <> cast(subq_2.c8 as signed)) as unsigned) as c1, subq_2.c9 as c2, subq_2.c1 as c3 from (select var_pop( cast(0<>0 as unsigned)) as c0, count( cast((NOT NOT(cast((cast(ref_16.c_l1t as signed) || cast((select c_l1t from t_dci order by c_l1t limit 1 offset 4) as signed)) as unsigned))) as unsigned)) as c1, ref_16.c_l1t as c2, count( cast((select count(c_ovz0) from t_jg8o) as char)) as c3, count( cast(ref_16.c_kzre as char)) as c4, count( cast(ref_16.c_kzre as char)) as c5, count( cast(ref_16.c_ib1xsf3c8d as decimal)) as c6, count( cast((select c_r58lkh from t__9r63 order by c_r58lkh limit 1 offset 1) as double)) as c7, count( cast(ref_16.c_w9qyk_fpj as double)) as c8, stddev_samp( cast((NOT NOT(cast((cast(127 as signed) && cast(ref_16.c_ib1xsf3c8d as signed)) as unsigned))) as unsigned)) as c9, count( cast(ref_16.c_ib1xsf3c8d as unsigned)) as c10, count( cast(ref_16.c_gs6c2wzbdg as char)) as c11 from t_dci as ref_16 where (ref_16.c_dph7 <= ( select ref_17.c_otj13 as c0 from t_jg8o as ref_17 where (NOT NOT(cast((cast(ref_17.c_s as signed) != cast(ref_17.c__qy as double)) as unsigned))) limit 1)) group by ref_16.c_l1t) as subq_2 where (inet_ntoa( cast(subq_2.c1 as signed)) not like 'wtkzz_bzg')), cte_4 AS (select ref_19.c_w9qyk_fpj as c0, ref_19.c_kzre as c1, ref_18.c_m2y as c2, ref_18.c_yu as c3, ref_19.c_fzqupuma as c4, ref_18.c_m2y as c5, ref_19.c_ib1xsf3c8d as c6 from (t_rc as ref_18 right outer join t_dci as ref_19 on (((ref_19.c_gs6c2wzbdg like 'w___kbw')) or ((NOT NOT(cast((cast(ref_19.c_bywfl as signed) && cast(ref_19.c_ib1xsf3c8d as signed)) as unsigned)))))) where (case when 1=1 then ref_19.c_gs6c2wzbdg else ref_19.c_kzre end like 't_g') order by c0, c1, c2, c3, c4, c5, c6 asc), cte_5 AS (select subq_3.c9 as c0 from ((select ref_20.c_kzre as c0, ref_20.c_l1t as c1, cast(cast(null as signed) as signed) as c2, ref_20.c_w9qyk_fpj as c3, ref_20.c_dph7 as c4, -453645943 as c5, ref_20.c_dph7 as c6, ref_20.c_kzre as c7, ref_20.c_kzre as c8, ref_20.c_gs6c2wzbdg as c9, ref_20.c_kzre as c10 from t_dci as ref_20 where (NOT NOT(cast((cast((select sum(c_yu) from t_rc) as double) && cast(ref_20.c_dph7 as signed)) as unsigned)))) as subq_3 cross join (select ref_21.c_otj13 as c0, 937315269 as c1, -355306303 as c2 from t_jg8o as ref_21 where (NOT NOT(cast((cast(ref_21.c_cz as char) <= cast((select c_b48gd04utl from t_rc order by c_b48gd04utl limit 1 offset 6) as char)) as unsigned))) limit 78) as subq_4 ) where (subq_3.c10 like 'm_b_48h')) select subq_5.c1 as c0, subq_5.c0 as c1, (select c_yu from t_rc order by c_yu limit 1 offset 6) as c2, subq_5.c0 as c3, case when (NOT NOT(cast((cast(subq_5.c0 as signed) > cast(cast((subq_5.c1 DIV subq_5.c0) as decimal) as decimal)) as unsigned))) then subq_5.c1 else (subq_5.c1 is not NULL) end as c4, case when (NOT NOT(cast((cast((select c_ovz0 from t_jg8o order by c_ovz0 limit 1 offset 3) as double) <=> cast(((NOT NOT(cast((cast(cast(null as double) as double) XOR cast(5.9 as double)) as unsigned)))) or ((((NOT NOT(cast((cast(-834732799192564823 as signed) <> cast(subq_5.c1 as decimal)) as unsigned)))) and ((NOT NOT(cast((cast(41 as signed) >= cast(33.16 as double)) as unsigned))))) or ((subq_5.c2 like 'j_wsa'))) as unsigned)) as unsigned))) then cast((cast(case when (subq_5.c1 in ( select distinct (NOT NOT(cast((cast(ref_23.c_hd2v4v0 as double) < cast(ref_23.c_r58lkh as double)) as unsigned))) as c0 from t__9r63 as ref_23 where (NOT NOT(cast((cast(ref_23.c_o8tsf as double) <=> cast(-8933200491588434896 as signed)) as unsigned))))) then cast(subq_5.c3 as signed) else cast(subq_5.c0 as signed) end as signed) || cast(subq_5.c3 as signed)) as unsigned) else (subq_5.c2 < ( select subq_5.c2 as c0 from (cte_5 as ref_24 cross join t_glzh3lb0ro as ref_25 ) where 1=1 union all ( select subq_5.c2 as c0 from cte_3 as ref_26 where ((subq_5.c2 is not NULL)) or ((subq_5.c3 is NULL)) ) limit 1)) end as c5, cast((case when (EXISTS ( select subq_5.c0 as c0, subq_5.c3 as c1, ref_27.c0 as c2, ref_27.c6 as c3, cast((select stddev_samp(c_l1t) from t_dci) as signed) as c4, ref_27.c0 as c5, ref_27.c3 as c6, subq_5.c3 as c7, cast((select avg(c_l1t) from t_dci) as signed) as c8 from cte_4 as ref_27 where (NOT NOT(cast((cast(subq_5.c2 as char) <=> cast(ref_27.c1 as char)) as unsigned))))) then cast(null as double) else -4294967295.0 end > subq_5.c1) as unsigned) as c6, (select c1 from cte_3 order by c1 limit 1 offset 3) as c7, subq_5.c2 as c8, cast((select count(c_b48gd04utl) from t_rc) as char) as c9, subq_5.c2 as c10, subq_5.c3 as c11, subq_5.c3 as c12, (select c_hd2v4v0 from t__9r63 order by c_hd2v4v0 limit 1 offset 4) as c13, subq_5.c0 as c14, subq_5.c0 as c15, cast((select sum(c_yu) from t_rc) as signed) as c16, subq_5.c0 as c17, subq_5.c2 as c18, subq_5.c3 as c19, subq_5.c1 as c20, subq_5.c3 as c21, subq_5.c2 as c22, subq_5.c3 as c23, subq_5.c3 as c24, subq_5.c1 as c25, cast(nullif( rpad( cast(subq_5.c2 as char), 75, cast(subq_5.c2 as char)), subq_5.c2 ) as char) as c26, subq_5.c0 as c27, subq_5.c0 as c28, cast(cast(null as signed) as signed) as c29, (select c_yu from t_rc order by c_yu limit 1 offset 6) as c30, subq_5.c3 as c31, subq_5.c3 as c32, case when (NOT NOT(cast((subq_5.c0 < cast((-2147483647.2 / -123630112) as double)) as unsigned))) then subq_5.c1 else (subq_5.c3 between subq_5.c3 and subq_5.c3) end as c33, case when (1742643624 not in ( select ref_28.c_x2erxo10w as c0 from t__9r63 as ref_28 where ((NOT NOT(cast((cast((NOT NOT(cast((cast(cast(null as char) as char) >= cast(ref_28.c_tb3u as char)) as unsigned))) as unsigned) > cast(ref_28.c_x2erxo10w as signed)) as unsigned)))) or ((ref_28.c_wsr not in ( 1=1, (NOT NOT(cast((cast(ref_28.c_wsr as signed) < cast(29 as signed)) as unsigned))), (ref_28.c_r58lkh not in ( ref_28.c_r58lkh, ref_28.c_r58lkh, ref_28.c_o8tsf, ref_28.c_r58lkh, ref_28.c_hd2v4v0))))) union ( select ref_29.c4 as c0 from cte_4 as ref_29 where (NOT NOT(cast((cast(ref_29.c0 as double) = cast(ref_29.c6 as signed)) as unsigned))) ))) then subq_5.c0 else (NOT NOT(cast((cast(subq_5.c1 as signed) < cast(round( cast((select c_m2y from t_rc order by c_m2y limit 1 offset 2) as signed)) as signed)) as unsigned))) end as c34, subq_5.c2 as c35, subq_5.c0 as c36, subq_5.c2 as c37, subq_5.c1 as c38, cast((cast(32769.0 as double) > cast(28405 as signed)) as unsigned) as c39, subq_5.c3 as c40, acos( cast(cast((cast((select c_ovz0 from t_jg8o order by c_ovz0 limit 1 offset 4) as double) | cast(subq_5.c3 as signed)) as signed) as signed)) as c41, subq_5.c0 as c42, subq_5.c3 as c43, cast((cast(subq_5.c1 as decimal) <= cast(truncate( cast(subq_5.c3 as signed), cast(subq_5.c3 as signed)) as signed)) as unsigned) as c44, subq_5.c3 as c45, right( cast((select c_kzre from t_dci order by c_kzre limit 1 offset 5) as char), cast((508067673 < ( select subq_5.c3 as c0 from t__9r63 as ref_30 where (NOT NOT(cast((cast(ref_30.c_hd2v4v0 as double) >= cast(0<>0 as unsigned)) as unsigned))) limit 1)) as unsigned)) as c46, subq_5.c3 as c47, cast(nullif( subq_5.c0, (subq_5.c2 not in ( select ref_31.c0 as c0 from cte_0 as ref_31 where 0<>0 union ( select ref_32.c_m0qqv_cl4x as c0 from t_jg8o as ref_32 where 0<>0 ))) ) as unsigned) as c48, subq_5.c3 as c49, subq_5.c3 as c50, subq_5.c3 as c51, subq_5.c1 as c52, degrees( cast(2681972376301496118 as signed)) as c53, case when 0<>0 then cast((cast(subq_5.c1 as signed) - cast(cast((cast((select var_pop(c_ovz0) from t_jg8o) as double) % cast(-2552831182259509367 as signed)) as double) as double)) as double) else cast((case when (NOT NOT(cast(((subq_5.c1 not in ( select (NOT NOT(cast((cast(32769.4 as double) < cast(cast(null as double) as double)) as unsigned))) as c0 from cte_1 as ref_33 where (NOT NOT(cast((cast(69.66 as double) > cast(ref_33.c7 as signed)) as unsigned))) order by c0 desc)) || subq_5.c0) as unsigned))) then cast(cast(null as double) as double) else round( cast(9223372036854775807.7 as double)) end + subq_5.c1) as double) end as c54, cast((cast((NOT NOT(cast((cast(subq_5.c2 as char) <=> cast(cast(null as char) as char)) as unsigned))) as unsigned) | cast( last_value( cast(subq_5.c3 as decimal)) over (partition by subq_5.c1, subq_5.c0 order by subq_5.c3, subq_5.c0) as decimal)) as signed) as c55, subq_5.c3 as c56, subq_5.c0 as c57, subq_5.c1 as c58, cast((cast((subq_5.c3 between subq_5.c3 and subq_5.c3) as unsigned) <= cast(subq_5.c1 as signed)) as unsigned) as c59, cast(coalesce( cast((cast((0<>0) and ((EXISTS ( select ref_34.c_s as c0, ref_34.c_mgjb as c1, ref_34.c_m0qqv_cl4x as c2, ref_34.c_cz as c3, ref_34.c_a90ol as c4, ref_34.c_s as c5 from t_jg8o as ref_34 where (NOT NOT(cast((cast(ref_34.c_z as signed) > cast((select c_wsr from t__9r63 order by c_wsr limit 1 offset 3) as unsigned)) as unsigned))) limit 127))) as unsigned) | cast(truncate( cast(subq_5.c0 as decimal), cast(subq_5.c3 as signed)) as decimal)) as signed), cast(coalesce( 5554697334594895989, cast((cast(31.30 as double) << cast(subq_5.c1 as signed)) as signed) ) as signed) ) as signed) as c60, cast((cast((select c_wsr from t__9r63 order by c_wsr limit 1 offset 2) as signed) & cast(subq_5.c1 as unsigned)) as signed) as c61, subq_5.c0 as c62, subq_5.c2 as c63, radians( cast(257.0 as double)) as c64, subq_5.c2 as c65, subq_5.c1 as c66, cast(((subq_5.c2 not like 'n_8wi17_aw') >> (cast((cast(cast(coalesce( 126.0, cast((select c_wd3x from t_glzh3lb0ro order by c_wd3x limit 1 offset 2) as double) ) as double) as double) <=> cast((NOT NOT(cast((cast((select c_r58lkh from t__9r63 order by c_r58lkh limit 1 offset 2) as double) XOR cast(cast(null as signed) as signed)) as unsigned))) as unsigned)) as unsigned) > ( select (ref_35.c_a90ol not like 'j8_o') as c0 from t_jg8o as ref_35 where (EXISTS ( select ref_36.c0 as c0, ref_35.c_cz as c1, ref_36.c0 as c2, ref_36.c3 as c3, ref_35.c_ovz0 as c4, (select c_tazb9 from t_jg8o order by c_tazb9 limit 1 offset 3) as c5, ref_36.c1 as c6, ref_36.c3 as c7 from cte_3 as ref_36 where (EXISTS ( select 322327666 as c0, cast(null as signed) as c1, ref_37.c2 as c2, ref_37.c4 as c3, ref_36.c0 as c4, ref_37.c3 as c5, ref_36.c2 as c6, ref_37.c4 as c7, ref_37.c4 as c8 from cte_1 as ref_37 where (NOT NOT(cast((cast((select c_otj13 from t_jg8o order by c_otj13 limit 1 offset 2) as signed) = cast(ref_35.c_s as signed)) as unsigned))))))) union ( select (subq_5.c2 not like 'e1b70pe0_n') as c0 from cte_5 as ref_38 where (NOT NOT(cast((cast(subq_5.c3 as decimal) || cast((select count(c_wsr) from t__9r63) as signed)) as unsigned))) ) limit 1))) as signed) as c67, cast((cast(subq_5.c3 as decimal) / cast(truncate( cast(subq_5.c3 as signed), cast(subq_5.c3 as signed)) as signed)) as decimal) as c68, subq_5.c1 as c69, subq_5.c3 as c70, hex( cast(subq_5.c2 as char)) as c71, quote( cast(subq_5.c2 as char)) as c72, subq_5.c0 as c73, subq_5.c3 as c74, subq_5.c3 as c75, subq_5.c2 as c76, subq_5.c3 as c77, subq_5.c3 as c78, sqrt( cast(subq_5.c3 as signed)) as c79, subq_5.c1 as c80, subq_5.c2 as c81, subq_5.c3 as c82, subq_5.c1 as c83, cast((subq_5.c2 != subq_5.c2) as unsigned) as c84, subq_5.c1 as c85 from (select ref_22.c_bywfl as c0, ref_22.c_bywfl as c1, ref_22.c_kzre as c2, ref_22.c_d3wokzls77 as c3 from t_dci as ref_22 where (NOT NOT(cast((cast((select count(c_tb3u) from t__9r63) as char) || cast(21273 as signed)) as unsigned)))) as subq_5 where ((subq_5.c3 between subq_5.c3 and subq_5.c3)) or (('slfyrqos' not like 'm_qpy')) limit 110; ```2. What did you expect to see? (Required)
Expect no crashes
3. What did you see instead (Required)
4. What is your TiDB version? (Required)
We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.