Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

index out of range [0] with length 0 in executor.(*PipelinedWindowExec).fetchChild #55883

Closed
ycybfhb opened this issue Sep 5, 2024 · 2 comments
Closed

index out of range [0] with length 0 in executor.(*PipelinedWindowExec).fetchChild #55883

ycybfhb opened this issue Sep 5, 2024 · 2 comments
Labels
impact/panic may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.

Comments

@ycybfhb
Copy link

ycybfhb commented Sep 5, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

SQL to init database

init.sql.txt

SQL that causes error 
/* error message: 
Database execute error: HY000, [MySQL][ODBC 8.4(a) Driver][mysqld-8.0.11-TiDB-v8.4.0-alpha-66-g1167e0c]runtime error: index out of range [0] with length 0
 */

WITH 
cte_0 AS (select  
    ref_0.c_g7eofzlxn as c0, 
    ref_0.c_onfeptr2q as c1, 
    ref_0.c_wsr as c2, 
    hex(
      cast(ref_0.c_tb3u as char)) as c3, 
    (select c_dph7 from t_dci order by c_dph7 limit 1 offset 3)
       as c4, 
    ref_0.c_wsr as c5, 
    
    last_value(
      cast(cast(coalesce(
        ref_0.c_r58lkh, 
        ref_0.c_o8tsf
        ) as double) as double)) over win_eyydm4o6 as c6, 
    ref_0.c_g7eofzlxn as c7, 
    ref_0.c_hd2v4v0 as c8, 
    bit_length(
      cast(ref_0.c_tb3u as char)) as c9, 
    cast((select stddev_pop(c_l1t) from t_dci)
       as signed) as c10
  from 
    t__9r63 as ref_0
  where ((select max(c_wd3x) from t_glzh3lb0ro)
       is not NULL)
  window win_eyydm4o6 as ( partition by ref_0.c_tb3u order by case when (substring_index(
          cast(cast(null as char) as char), 
          cast(ref_0.c_tb3u as char), 
          cast(case when (NOT NOT(cast((cast(ref_0.c_tb3u as char) <= cast(ref_0.c_tb3u as char)) as unsigned))) then ref_0.c_onfeptr2q else (NOT NOT(cast((cast(ref_0.c_tb3u as char) <= cast(ref_0.c_tb3u as char)) as unsigned))) end
             as signed)) is NULL) then (select avg(c_yu) from t_rc)
         else ref_0.c_r58lkh end
      , ref_0.c_hd2v4v0 asc)
  limit 164), 
cte_1 AS (select  
    subq_0.c0 as c0, 
    case when (NOT NOT(cast((cast(case when ((-32768 between (select count(c_kzre) from t_dci)
                   and cast(subq_0.c1 as signed))) 
              and ((EXISTS (
                select  
                    ref_10.c_ib1xsf3c8d as c0, 
                    ref_10.c_l1t as c1, 
                    ref_10.c_w9qyk_fpj as c2, 
                    ref_10.c_l1t as c3, 
                    ref_10.c_fzqupuma as c4, 
                    ref_10.c_dph7 as c5, 
                    subq_0.c0 as c6, 
                    ref_10.c_dph7 as c7, 
                    (select c_ib1xsf3c8d from t_dci order by c_ib1xsf3c8d limit 1 offset 6)
                       as c8
                  from 
                    t_dci as ref_10
                  where (NOT NOT(cast((cast(ref_10.c_dph7 as signed) <=> cast(ref_10.c_dph7 as signed)) as unsigned)))))) then cast(subq_0.c1 as signed) else cast(subq_0.c1 as signed) end
             as signed) XOR cast(subq_0.c1 as decimal)) as unsigned))) then subq_0.c1 else (NOT NOT(cast((cast(-5157916613297694473 as signed) >= cast(5743193980728219846 as signed)) as unsigned))) end
       as c1, 
    cast((cast(cast(null as signed) as signed) ^ cast(subq_0.c1 as decimal)) as signed) as c2
  from 
    (select  
          left(
            cast(ref_1.c_gs6c2wzbdg as char), 
            cast(ref_1.c_fzqupuma as signed)) as c0, 
          ref_1.c_l1t as c1
        from 
          t_dci as ref_1
        where ((ref_1.c_fzqupuma between ref_1.c_fzqupuma and ref_1.c_d3wokzls77)) 
          or ((ref_1.c_fzqupuma not in (
            select distinct 
                ref_2.c_s as c0
              from 
                t_jg8o as ref_2
              where 0<>0)))
        limit 68) as subq_0
  where (cast((cast(subq_0.c1 as signed) = cast(abs(
        cast((select c_wd3x from t_glzh3lb0ro order by c_wd3x limit 1 offset 6)
           as double)) as double)) as unsigned) >= ( 
    select distinct 
          (cast((select count(c_wd3x) from t_glzh3lb0ro)
               as double) like '_dgnd2') as c0
        from 
          t_jg8o as ref_3
        where (ref_3.c_otj13 > ( 
          select  
              ref_4.c_kffac5e63 as c0
            from 
              t_glzh3lb0ro as ref_4
            where (NOT NOT(cast((cast(ref_3.c__qy as double) <= cast(-4 as signed)) as unsigned)))
            limit 1))
      union all
      (
      select  
          (((NOT NOT(cast((cast(subq_0.c0 as char) != cast(subq_0.c0 as char)) as unsigned)))) 
              and ((NOT NOT(cast((cast(ref_6.c_wd3x as double) >= cast(ref_6.c_pf8vmpo8 as signed)) as unsigned))))) 
            or ((subq_0.c1 = ( 
              select  
                    (ref_7.c_x2erxo10w is NULL) as c0
                  from 
                    t__9r63 as ref_7
                  where (ref_6.c_c7njaqnyv7 between ref_5.c_c7njaqnyv7 and ref_5.c_i3ml)
                union
                (
                select  
                    (ref_8.c_wsr >= ( 
                      select  
                          (0<>0) 
                            and ((NOT NOT(cast((ref_9.c_kzre > ref_9.c_kzre) as unsigned)))) as c0
                        from 
                          t_dci as ref_9
                        where (ref_9.c_l1t in (
                          (NOT NOT(cast((ref_5.c_pf8vmpo8 XOR ref_9.c_dph7) as unsigned))), ((subq_0.c0 like 'x_rqxzwy')) 
                            and (0<>0), 1=1, 1=1))
                        limit 1)) as c0
                  from 
                    t__9r63 as ref_8
                  where (NOT NOT(cast((cast(7631005874134976722 as signed) <> cast(ref_5.c_p as decimal)) as unsigned)))
                )
                 limit 1))) as c0
        from 
          (t_glzh3lb0ro as ref_5
            right outer join t_glzh3lb0ro as ref_6
            on ((ref_5.c_kffac5e63 between ref_5.c__n3bhft5z and ref_6.c_pf8vmpo8)))
        where (NOT NOT(cast((cast(ref_6.c_wd3x as double) >= cast(ref_6.c__n3bhft5z as decimal)) as unsigned)))
      )
       limit 1))), 
cte_2 AS (select  
    subq_1.c9 as c0, 
    ref_11.c_s as c1, 
    subq_1.c6 as c2, 
    ref_11.c_tazb9 as c3, 
    cast(nullif(
      cast((round(
          cast(subq_1.c5 as signed)) DIV ref_11.c_tazb9) as decimal), 
      cast(ref_11.c_s as decimal)
      ) as decimal) as c4, 
    subq_1.c3 as c5
  from 
    (t_jg8o as ref_11
      left outer join (select  
            ref_12.c_o8tsf as c0, 
            ref_12.c_tb3u as c1, 
            (select c_yu from t_rc order by c_yu limit 1 offset 2)
               as c2, 
            ref_12.c_onfeptr2q as c3, 
            (select max(c_w9qyk_fpj) from t_dci)
               as c4, 
            cast((select min(c_yu) from t_rc)
               as signed) as c5, 
            ref_12.c_onfeptr2q as c6, 
            ref_12.c_g7eofzlxn as c7, 
            ref_12.c_wsr as c8, 
            ref_12.c_g7eofzlxn as c9, 
            (select min(c_wd3x) from t_glzh3lb0ro)
               as c10, 
            ref_12.c_x2erxo10w as c11
          from 
            t__9r63 as ref_12
          where (ref_12.c_o8tsf is not NULL)
          limit 46) as subq_1
      on (ref_11.c_mgjb = subq_1.c1 ))
  where (ref_11.c_cz not like 'cbsc__')
  order by c0, c1, c2, c3, c4, c5 desc), 
cte_3 AS (select  
    subq_2.c9 as c0, 
    subq_2.c2 as c1, 
    subq_2.c9 as c2, 
    subq_2.c10 as c3, 
    
      last_value(
        cast(8022090491670986216 as signed)) over (partition by subq_2.c2, subq_2.c4, subq_2.c5 order by subq_2.c7, subq_2.c2) as c4, 
    substring(
      cast(subq_2.c1 as char), 
      cast((subq_2.c8 between cast(((select c_yu from t_rc order by c_yu limit 1 offset 1)
             & subq_2.c11) as signed) and case when 0<>0 then subq_2.c6 else subq_2.c8 end
          ) as unsigned)) as c5, 
    (select c_o8tsf from t__9r63 order by c_o8tsf limit 1 offset 4)
       as c6, 
    subq_2.c4 as c7, 
    subq_2.c3 as c8, 
    subq_2.c4 as c9
  from 
    (select  
          1353459160 as c0, 
          right(
            cast(ref_13.c_tb3u as char), 
            cast(ref_13.c_g7eofzlxn as signed)) as c1, 
          ref_13.c_tb3u as c2, 
          ref_13.c_tb3u as c3, 
          ref_13.c_g7eofzlxn as c4, 
          ref_13.c_g7eofzlxn as c5, 
          ref_13.c_x2erxo10w as c6, 
          ref_13.c_onfeptr2q as c7, 
          ref_13.c_g7eofzlxn as c8, 
          ref_13.c_tb3u as c9, 
          ref_13.c_wsr as c10, 
          ref_13.c_r58lkh as c11
        from 
          t__9r63 as ref_13
        where 0<>0) as subq_2
  where ((NOT NOT(cast((cast(subq_2.c9 as char) <=> cast(cast((-5368 % (NOT NOT(cast((cast(subq_2.c0 as signed) != cast(subq_2.c0 as decimal)) as unsigned)))) as char) as char)) as unsigned)))) 
    and ((subq_2.c4 not in (
      select distinct 
          ref_15.c__n3bhft5z as c0
        from 
          (t_rc as ref_14
            left outer join (t_glzh3lb0ro as ref_15
              right outer join t_jg8o as ref_16
              on (ref_15.c_i3ml = ref_16.c_otj13 ))
            on ((NOT NOT(cast((6436645 <=> ref_15.c_i3ml) as unsigned)))))
        where 1=1)))), 
cte_4 AS (select  
    (select c_r58lkh from t__9r63 order by c_r58lkh limit 1 offset 3)
       as c0, 
    ref_17.c_g7eofzlxn as c1, 
    cast((cast(7896960142232066781 as signed) % cast(ref_17.c_x2erxo10w as decimal)) as decimal) as c2, 
    ref_17.c_tb3u as c3
  from 
    t__9r63 as ref_17
  where (NOT NOT(cast((cast(ref_17.c_tb3u as char) <=> cast(case when (ref_17.c_g7eofzlxn <> ( 
          select  
              ref_17.c_x2erxo10w as c0
            from 
              t_dci as ref_18
            where (NOT NOT(cast((cast(ref_17.c_x2erxo10w as signed) >= cast((select c_w9qyk_fpj from t_dci order by c_w9qyk_fpj limit 1 offset 5)
                   as double)) as unsigned)))
            limit 1)) then cast(ref_17.c_tb3u as char) else cast(ref_17.c_tb3u as char) end
         as char)) as unsigned)))), 
cte_5 AS (select  
    case when (EXISTS (
        select  
            ref_28.c_bywfl as c0, 
            (select c_hd2v4v0 from t__9r63 order by c_hd2v4v0 limit 1 offset 40)
               as c1, 
            ref_32.c_kzre as c2, 
            ref_27.c_m0qqv_cl4x as c3, 
            ref_27.c_cz as c4, 
            ref_33.c_wd3x as c5, 
            ref_27.c_tazb9 as c6, 
            ref_20.c_o8tsf as c7
          from 
            (t_dci as ref_30
              cross join ((t__9r63 as ref_31
                  cross join t_dci as ref_32
                  )
                right outer join t_glzh3lb0ro as ref_33
                on (1=1))
              )
          where (ref_26.c_g7eofzlxn between cast(null as signed) and ref_20.c_x2erxo10w))) then ref_26.c_o8tsf else ref_27.c_ovz0 end
       as c0, 
    ref_24.c_c7njaqnyv7 as c1, 
    
      var_pop(
        cast(abs(
          cast(ref_20.c_g7eofzlxn as signed)) as signed)) over (partition by ref_28.c_w9qyk_fpj order by ref_25.c_w9qyk_fpj) as c2, 
    1100678181 as c3, 
    ref_27.c_tazb9 as c4
  from 
    ((((t_jg8o as ref_19
            cross join t__9r63 as ref_20
            )
          right outer join (t_rc as ref_21
            left outer join t_dci as ref_22
            on ((NOT NOT(cast((ref_22.c_w9qyk_fpj && -5470311046237625194) as unsigned)))))
          on (ref_20.c_onfeptr2q = ref_22.c_l1t ))
        inner join ((t_jg8o as ref_23
            right outer join t_glzh3lb0ro as ref_24
            on ((ref_24.c_i3ml is not NULL)))
          left outer join t_dci as ref_25
          on ((ref_25.c_gs6c2wzbdg not like 'si_')))
        on ((NOT NOT(cast((cast(-2052596667448592269 as signed) != cast(ref_22.c_w9qyk_fpj as double)) as unsigned)))))
      right outer join (t__9r63 as ref_26
        left outer join (t_jg8o as ref_27
          right outer join t_dci as ref_28
          on ((ref_28.c_bywfl is NULL)))
        on (0<>0))
      on ((ref_23.c_m0qqv_cl4x is NULL)))
  where (EXISTS (
    select  
        (select c_foveoe from t_jg8o order by c_foveoe limit 1 offset 1)
           as c0, 
        ref_29.c_g7eofzlxn as c1, 
        ref_29.c_hd2v4v0 as c2, 
        ln(
          cast((1=1) 
            or ((NOT NOT(cast((cast((NOT NOT(cast((cast(ref_29.c_onfeptr2q as signed) <> cast(ref_19.c__qy as double)) as unsigned))) as unsigned) >= cast(ref_22.c_d3wokzls77 as signed)) as unsigned)))) as unsigned)) as c3
      from 
        t__9r63 as ref_29
      where (ref_29.c_g7eofzlxn between ref_22.c_fzqupuma and ref_28.c_dph7)
      limit 121))
  limit 66)
select distinct 
    687572879 as c0, 
    (select var_pop(c_wd3x) from t_glzh3lb0ro)
       as c1, 
    log(
      cast(cast((cast(cast((ref_36.c7 + ref_36.c10) as decimal) as decimal) % cast(ref_36.c10 as signed)) as decimal) as decimal)) as c2, 
    ref_36.c10 as c3, 
    
      stddev_samp(
        cast(case when (ref_35.c_mgjb not like 'o%e%9bz') then ref_35.c_tazb9 else (select c_g7eofzlxn from t__9r63 order by c_g7eofzlxn limit 1 offset 4)
             end
           as signed)) over (partition by ref_35.c_ovz0 order by ref_35.c_m0qqv_cl4x, ref_35.c_m0qqv_cl4x) as c4, 
    substring(
      cast(ref_35.c_mgjb as char), 
      cast(case when (NOT NOT(cast((cast(ref_35.c_mgjb as char) <= cast(ref_35.c_m0qqv_cl4x as char)) as unsigned))) then (select c_wsr from t__9r63 order by c_wsr limit 1 offset 4)
           else (ref_36.c3 like '_9i4qw') end
         as unsigned)) as c5, 
    atan(
      cast((select count(c_wd3x) from t_glzh3lb0ro)
         as double)) as c6, 
    cast((select stddev_samp(c_wsr) from t__9r63)
       as unsigned) as c7, 
    
      lead(
        cast((select c_foveoe from t_jg8o order by c_foveoe limit 1 offset 3)
           as char), 
        3) over (partition by ref_36.c6 order by ref_36.c7) as c8, 
    substring(
      cast(ref_35.c_jbb as char), 
      cast((ref_36.c0 > ( 
        select  
            (select count(c_dph7) from t_dci)
               as c0
          from 
            cte_2 as ref_41
          where ((ref_35.c_ovz0 in (
              select  
                  ref_42.c6 as c0
                from 
                  cte_3 as ref_42
                where (NOT NOT(cast((cast(0<>0 as unsigned) <= cast(ref_42.c7 as signed)) as unsigned)))))) 
            or ((ref_35.c_otj13 = ( 
              select  
                  ref_41.c1 as c0
                from 
                  t__9r63 as ref_43
                where (NOT NOT(cast((ref_35.c_jbb != ref_43.c_tb3u) as unsigned)))
                limit 1)))
          limit 1)) as unsigned)) as c9
  from 
    ((select  
            ref_34.c_yu as c0, 
            ref_34.c_b48gd04utl as c1
          from 
            t_rc as ref_34
          where (cast((select sum(c_wsr) from t__9r63)
               as signed) is NULL)) as subq_3
      inner join (t_jg8o as ref_35
        inner join cte_0 as ref_36
        on (ref_35.c_otj13 = ref_36.c0 ))
      on (((NOT NOT(cast((cast(ref_35.c_cz as char) <> cast(ref_35.c_a90ol as char)) as unsigned)))) 
          or ((NOT NOT(cast((cast(ref_35.c_ovz0 as double) XOR cast(ref_35.c_tazb9 as decimal)) as unsigned))))))
  where ((subq_3.c1 not in (
      select distinct 
          ref_37.c_kzre as c0
        from 
          t_dci as ref_37
        where (ref_37.c_fzqupuma is not NULL)))) 
    and ((((subq_3.c1 >= ( 
          select  
                ref_35.c_foveoe as c0
              from 
                t_jg8o as ref_38
              where (ref_35.c_cz like '_')
            union all
            (
            select  
                subq_3.c1 as c0
              from 
                cte_2 as ref_39
              where (EXISTS (
                select  
                    ref_40.c9 as c0, 
                    ref_40.c3 as c1, 
                    ref_36.c2 as c2, 
                    ref_40.c5 as c3, 
                    ref_40.c0 as c4, 
                    525328153 as c5, 
                    ref_40.c0 as c6, 
                    ref_40.c3 as c7
                  from 
                    cte_3 as ref_40
                  where (NOT NOT(cast((cast(ref_35.c_tazb9 as signed) < cast((select min(c_dph7) from t_dci)
                         as signed)) as unsigned)))))
            )
             limit 1))) 
        or ((NOT NOT(cast((cast(ref_36.c3 as char) >= cast(ref_35.c_cz as char)) as unsigned))))) 
      and (1=1));

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: index out of range [0] with length 0
github.com/pingcap/errors.AddStack
	/root/go/pkg/mod/github.com/pingcap/[email protected]/errors.go:178
github.com/pingcap/errors.Trace
	/root/go/pkg/mod/github.com/pingcap/[email protected]/juju_adaptor.go:15
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).fetchChild
	/workspace/source/tidb/pkg/executor/pipelined_window.go:203
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).getRowsInPartition
	/workspace/source/tidb/pkg/executor/pipelined_window.go:172
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/workspace/source/tidb/pkg/executor/pipelined_window.go:117
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).unParallelExecute
	/workspace/source/tidb/pkg/executor/projection.go:218
github.com/pingcap/tidb/pkg/executor.(*ProjectionExec).Next
	/workspace/source/tidb/pkg/executor/projection.go:205
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/workspace/source/tidb/pkg/executor/internal/exec/executor.go:451
github.com/pingcap/tidb/pkg/executor/sortexec.(*SortExec).fetchChunksFromChild
	/workspace/source/tidb/pkg/executor/sortexec/sort.go:730
github.com/pingcap/tidb/pkg/executor/sortexec.(*SortExec).fetchChunksParallel.func2
	/workspace/source/tidb/pkg/executor/sortexec/sort.go:679
github.com/pingcap/tidb/pkg/util.(*WaitGroupWrapper).Run.func1
	/workspace/source/tidb/pkg/util/wait_group_wrapper.go:157
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:1650

4. What is your TiDB version? (Required)

Release Version: v8.4.0-alpha-66-g1167e0c
Edition: Community
Git Commit Hash: 1167e0c06fc8e2dd066bd974315284bc0e884acc
Git Branch: HEAD
UTC Build Time: 2024-09-03 01:15:19
GoVersion: go1.21.13
Race Enabled: false
Check Table Before Drop: false
Store: tikv

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.
@ycybfhb ycybfhb added the type/bug The issue is confirmed as a bug. label Sep 5, 2024
@windtalker
Copy link
Contributor

duplicated with #55885

@windtalker
Copy link
Contributor

closing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/panic may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@windtalker @jebter @ycybfhb