tidb icon indicating copy to clipboard operation
tidb copied to clipboard
verified publisher icon pingcap

index out of range [0] with length 0 in `AppendMyDecimal`, `AppendPartialRow`, `AppendInt64`, `AppendFloat64`, `AppendUint64`

Open GaranR opened this issue 1 year ago • 0 comments

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

First execute the following valid.sql valid.txt

Then a crash occurs when executing the error.sql below error.txt

Additionally, here are some similar bugs, where AppendMyDecimal is replaced by AppendPartialRow, AppendInt64, AppendFloat64, AppendUint64 in the call stack. These can be reproduced with the following PoC. Append_bugs.zip

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: index out of range [0] with length 0

tidb.log:

[2024/04/17 11:57:27.233 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [0] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
[2024/04/17 11:57:27.233 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [0] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
[2024/04/17 11:57:27.233 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [0] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
[2024/04/17 11:57:27.233 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [0] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
[2024/04/17 11:57:27.233 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [0] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
[2024/04/17 11:57:27.234 +00:00] [WARN] [session.go:2245] ["compile SQL failed"] [conn=408946074] [session_alias=] [error="runtime error: index out of range [0] with length 0"] [SQL="(check error.sql above)"]
[2024/04/17 11:57:27.234 +00:00] [INFO] [conn.go:1124] ["command dispatched failed"] [conn=408946074] [session_alias=] [connInfo="id:408946074, addr:10.0.2.1:49770 status:10, collation:utf8mb4_0900_ai_ci, user:root"] [command=Query] [status="inTxn:0, autocommit:1"] [sql="(check error.sql above)"] [txn_mode=PESSIMISTIC] [timestamp=449145745486905355] [err="runtime error: index out of range [0] with length 0
github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:258
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*Column).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/column.go:36
github.com/pingcap/tidb/pkg/util/chunk.(*Chunk).AppendMyDecimal
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/chunk.go:538
github.com/pingcap/tidb/pkg/executor/aggfuncs.(*sum4Decimal).AppendFinalResult2Chunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/aggfuncs/func_sum.go:185
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).produce
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:404
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:155
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1650"]

4. What is your TiDB version? (Required)

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v7.5.1
Edition: Community
Git Commit Hash: 7d16cc79e81bbf573124df3fd9351c26963f3e70
Git Branch: heads/refs/tags/v7.5.1
UTC Build Time: 2024-02-27 14:28:32
GoVersion: go1.21.6
Race Enabled: false
Check Table Before Drop: false
Store: tikv |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

GaranR avatar Apr 29 '24 08:04 GaranR