Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

invalid memory address or nil pointer dereference in (*SortExec).Next (*SortExec).fetchRowChunks and index out of range [72] with length 0 in (*SortedRowContainer).GetSortedRowAndAlwaysAppendToChunk #52984

Closed
GaranR opened this issue Apr 29, 2024 · 3 comments
Closed

invalid memory address or nil pointer dereference in (*SortExec).Next (*SortExec).fetchRowChunks and index out of range [72] with length 0 in (*SortedRowContainer).GetSortedRowAndAlwaysAppendToChunk #52984

GaranR opened this issue Apr 29, 2024 · 3 comments
Labels
may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/major sig/execution SIG execution type/bug This issue is a bug.

Comments

@GaranR
Copy link

GaranR commented Apr 29, 2024
edited

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

First execute the following valid.sql
valid.txt

Then a crash occurs when executing the error.sql below
error.txt

2. What did you expect to see? (Required)

Expect no crashes

3. What did you see instead (Required)

runtime error: invalid memory address or nil pointer dereference
runtime error: index out of range [72] with length 0

tidb.log:

[2024/04/17 11:58:05.882 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/util/chunk.(*SortedRowContainer).Add
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/row_container.go:615
github.com/pingcap/tidb/pkg/executor.(*SortExec).fetchRowChunks
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:210
github.com/pingcap/tidb/pkg/executor.(*SortExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:117
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).fetchChild
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:211
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).getRowsInPartition
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:182
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:127
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]


[2024/04/17 11:58:05.887 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/executor.(*SortExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:132
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).fetchChild
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:211
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).getRowsInPartition
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:182
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:127
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]


[2024/04/17 11:58:05.892 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/executor.(*SortExec).fetchRowChunks
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:240
github.com/pingcap/tidb/pkg/executor.(*SortExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:117
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).fetchChild
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:211
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).getRowsInPartition
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:182
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:127
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]
	
	
[2024/04/17 11:58:05.898 +00:00] [ERROR] [shuffle.go:259] ["shuffle panicked"] [error="runtime error: index out of range [72] with length 0"] [stack="github.com/pingcap/tidb/pkg/executor.recoveryShuffleExec
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:259
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run.func1
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:388
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.goPanicIndex
	/usr/local/go/src/runtime/panic.go:114
github.com/pingcap/tidb/pkg/util/chunk.(*SortedRowContainer).GetSortedRowAndAlwaysAppendToChunk
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/util/chunk/row_container.go:637
github.com/pingcap/tidb/pkg/executor.(*SortExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/sort.go:133
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).fetchChild
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:211
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).getRowsInPartition
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:182
github.com/pingcap/tidb/pkg/executor.(*PipelinedWindowExec).Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/pipelined_window.go:127
github.com/pingcap/tidb/pkg/executor/internal/exec.Next
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/internal/exec/executor.go:283
github.com/pingcap/tidb/pkg/executor.(*shuffleWorker).run
	/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/tidb/pkg/executor/shuffle.go:398"]

4. What is your TiDB version? (Required)

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v7.5.1
Edition: Community
Git Commit Hash: 7d16cc79e81bbf573124df3fd9351c26963f3e70
Git Branch: heads/refs/tags/v7.5.1
UTC Build Time: 2024-02-27 14:28:32
GoVersion: go1.21.6
Race Enabled: false
Check Table Before Drop: false
Store: tikv |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.
@GaranR GaranR added the type/bug This issue is a bug. label Apr 29, 2024
@GaranR GaranR changed the title invalid memory address or nil pointer dereference in (*SortExec).Next (*SortedRowContainer).Add (*SortExec).fetchRowChunks and index out of range [72] with length 0 in (*SortedRowContainer).GetSortedRowAndAlwaysAppendToChunk invalid memory address or nil pointer dereference in (*SortExec).Next (*SortExec).fetchRowChunks and index out of range [72] with length 0 in (*SortedRowContainer).GetSortedRowAndAlwaysAppendToChunk Apr 29, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

Same panic stack with #52980 , close it as duplicated

@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/close

@ti-chi-bot ti-chi-bot bot closed this as completed May 6, 2024
@ti-chi-bot ti-chi-bot
Copy link

ti-chi-bot bot commented May 6, 2024

@yibin87: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 severity/major sig/execution SIG execution type/bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jebter @yibin87 @GaranR