search

pingcap / tidb

TiDB is an open-source, cloud-native, distributed, MySQL-Compatible database for elastic scale and real-time analytics. Try AI-powered Chat2Query free at : https://www.pingcap.com/tidb-serverless/
https://pingcap.com
Apache License 2.0
36.97k stars 5.82k forks source link

runtime error: invalid memory address or nil pointer dereference with `JSON_EXTRACT` #56300

Open suyZhong opened 2 days ago

suyZhong commented 2 days ago

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

DROP DATABASE IF EXISTS db0;
CREATE DATABASE db0;
USE db0;

CREATE  TABLE  t0(c0 INT); 
CREATE VIEW v0(c0, c1, c2) AS SELECT 2023, NULL, 2.718 FROM t0;

SELECT * FROM v0 NATURAL RIGHT JOIN t0 WHERE ((1 % v0.c1) IN (JSON_EXTRACT('a', '')<=>(v0.c2='f'), v0.c1)) IS NULL;
-- ERROR 1105 (HY000): runtime error: invalid memory address or nil pointer dereference

2. What did you expect to see? (Required)

No runtime error.

3. What did you see instead (Required)

server log:


[2024/09/25 09:01:01.952 +00:00] [ERROR] [conn.go:1041] ["connection running loop panic"] [conn=2097196] [session_alias=] [lastSQL="SELECT * FROM v0 NATURAL RIGHT JOIN t0 WHERE ((1 % v0.c1) IN (JSON_EXTRACT('a', '')<=>(v0.c2='f'), v0.c1)) IS NULL"] [err="runtime error: invalid memory address or nil pointer dereference"] 
[stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
    /workspace/source/tidb/pkg/server/conn.go:1044
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1    /workspace/source/tidb/pkg/executor/compiler.go:58
runtime.gopanic
    /usr/local/go/src/runtime/panic.go:914
runtime.panicmem
    /usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
    /usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/expression.(*isNullFunctionClass).getFunction
    /workspace/source/tidb/pkg/expression/builtin_op.go:1079
github.com/pingcap/tidb/pkg/expression.newFunctionImpl
    /workspace/source/tidb/pkg/expression/scalar_function.go:260
github.com/pingcap/tidb/pkg/expression.NewFunction
    /workspace/source/tidb/pkg/expression/scalar_function.go:309
github.com/pingcap/tidb/pkg/expression.NewFunctionInternal
    /workspace/source/tidb/pkg/expression/scalar_function.go:329
github.com/pingcap/tidb/pkg/expression.evaluateExprWithNullInNullRejectCheck
    /workspace/source/tidb/pkg/expression/expression.go:994
github.com/pingcap/tidb/pkg/expression.EvaluateExprWithNull
    /workspace/source/tidb/pkg/expression/expression.go:920
github.com/pingcap/tidb/pkg/planner/util.isNullRejectedSimpleExpr
    /workspace/source/tidb/pkg/planner/util/null_misc.go:109
github.com/pingcap/tidb/pkg/planner/util.IsNullRejected
    /workspace/source/tidb/pkg/planner/util/null_misc.go:91
github.com/pingcap/tidb/pkg/planner/core/operator/logicalop.(*LogicalJoin).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/operator/logicalop/logical_join.go:666
github.com/pingcap/tidb/pkg/planner/core/operator/logicalop.(*LogicalSelection).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/operator/logicalop/logical_selection.go:297
github.com/pingcap/tidb/pkg/planner/core/operator/logicalop.(*LogicalProjection).ConvertOuterToInnerJoin
    /workspace/source/tidb/pkg/planner/core/operator/logicalop/logical_projection.go:524
github.com/pingcap/tidb/pkg/planner/core.(*ConvertOuterToInnerJoin).Optimize
    /workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:42
github.com/pingcap/tidb/pkg/planner/core.logicalOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:978
github.com/pingcap/tidb/pkg/planner/core.doOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:259
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
    /workspace/source/tidb/pkg/planner/core/optimizer.go:318
github.com/pingcap/tidb/pkg/planner.optimize
    /workspace/source/tidb/pkg/planner/optimize.go:529
github.com/pingcap/tidb/pkg/planner.Optimize
    /workspace/source/tidb/pkg/planner/optimize.go:360
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
    /workspace/source/tidb/pkg/executor/compiler.go:101
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
    /workspace/source/tidb/pkg/session/session.go:2097
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
    /workspace/source/tidb/pkg/server/driver_tidb.go:291
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
    /workspace/source/tidb/pkg/server/conn.go:2026
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
    /workspace/source/tidb/pkg/server/conn.go:1779
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
    /workspace/source/tidb/pkg/server/conn.go:1378
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
    /workspace/source/tidb/pkg/server/conn.go:1147
github.com/pingcap/tidb/pkg/server.(*Server).onConn
    /workspace/source/tidb/pkg/server/server.go:741"]

4. What is your TiDB version? (Required)

select tidb_version();
ERROR 2013 (HY000): Lost connection to MySQL server during query
No connection. Trying to reconnect...
Connection id:    2097198
Current database: db0

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                       |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v8.4.0-alpha-244-ga5e07a2
Edition: Community
Git Commit Hash: a5e07a2ed360f29216c912775ce482f536f4102b
Git Branch: HEAD
UTC Build Time: 2024-09-25 05:10:21
GoVersion: go1.21.13
Race Enabled: false
Check Table Before Drop: false
Store: unistore |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
suyZhong commented 2 days ago

/label fuzz/sqlancer

hawkingrei commented 1 day ago

In Mysql, We will get this error message.

MySQL root@127.0.0.1:test> explain select * from v0 WHERE ((1 % v0.c1) IN (JSON_EXTRACT('a', '')<=>(v0.c2='f'), v0.c1)) IS NULL
(3141, 'Invalid JSON text in argument 1 to function json_extract: "Invalid value." at position 0.')

TiDB forgot to check this value leading to this bug.