invalid memory address or nil pointer dereference in expression.inferCollation
#53580
Comments
A smaller reproduction:

```sql
create table t (col TEXT);

select 1
from (
  select t.col as c0, 46578369 as c1
  from t
) as t
where case
  when (
    t.c0 in (
      t.c0,
      cast((cast(1 as unsigned) - cast(t.c1 as signed)) as char)
    )
  ) then 1
  else 2
end;
```

It's because the I propose to use
Thanks again for the report 🍻, you have done a good job. I'm a little curious how the "vulnerability testing tool" works. Is it a better/special fuzzing technology, or does it have other strategies to find the bad query? BTW, it'll be really really helpful / cool if it can simplify the found query. The simpler the query is, the easier it'll be for us to locate the issue 🤝 (I understand it's a difficult feature, as it usually requires deep knowledge to inspect the problem and give a simpler reproduction).

Hello, we are developing a new fuzz testing tool that incorporates a new strategy. We have also implemented a method to simplify the creation of table statements and query statements. When submitting bugs in the future, we will try to provide a simplified PoC.
A simpler case:

```sql
-- uses table t from the first reproduction: create table t (col TEXT);
select 1
from (
  select t.col as c0, 46578369 as c1
  from t
) as t
where t.c0 in (
  t.c0,
  cast((cast(1 as unsigned) - t.c1) as char)
);
```
Bug Report
Please answer these questions before submitting your issue. Thanks!
1. Minimal reproduce step (Required)
First execute the following valid.sql
valid.txt
Then a crash occurs when executing the error.sql below
error.txt
2. What did you expect to see? (Required)
Expect no crashes
3. What did you see instead (Required)
tidb.log:
4. What is your TiDB version? (Required)
We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.