Malicious SQL statement which directly crashes TiDB server by triggering stack overflow

[JZuming]

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Setup the environment:

tidb/bin/tidb-server &
mysql -h "127.0.0.1" -u root -P 4000 -D testdb < mysql_bk.sql

mysql_bk.sql: mysql_bk.sql.txt

Testcase

mysql -h "127.0.0.1" -u root -P 4000 -D testdb
mysql> WITH
cte_0 AS (select
    1 as c1,
    (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3,
    (select c4 from t_cpsvpb) as c7,
    1 as c11
  from
    (select
          ref_0.c_13sfid as c0
        from
          t_x7zqmd as ref_0
        where 0 <> 0) as subq_0)
select 1
  from
    ((t_037irb as ref_6 cross join cte_0 as ref_7)
      inner join (t_037irb as ref_8 inner join cte_0 as ref_9 on (ref_8.c_nrh3o = ref_9.c11 ))
      on (ref_7.c1 = ref_8.c_j9alg ));

2. What did you expect to see? (Required)

Testcase does not crash the TiDB server.

3. What did you see instead (Required)

Testcase crashed the TiDB server. The log shows that it may trigger a stack overflow bug.

The log of the TiDB server: log.txt

4. What is your TiDB version? (Required)

Release Version: v5.4.0-alpha-133-g20b9a4d8c
Edition: Community
Git Commit Hash: 20b9a4d8ca32449c5003963eb7d382633c3ed25e
Git Branch: master
UTC Build Time: 2021-11-17 08:53:20
GoVersion: go1.16
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false

[morgo]

Verified as described against master:

$ mysql testdb
..
tidb> WITH
    -> cte_0 AS (select
    ->     1 as c1,
    ->     (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3,
    ->     (select c4 from t_cpsvpb) as c7,
    ->     1 as c11
    ->   from
    ->     (select
    ->           ref_0.c_13sfid as c0
    ->         from
    ->           t_x7zqmd as ref_0
    ->         where 0 <> 0) as subq_0)
    -> select 1
    ->   from
    ->     ((t_037irb as ref_6 cross join cte_0 as ref_7)
    ->       inner join (t_037irb as ref_8 inner join cte_0 as ref_9 on (ref_8.c_nrh3o = ref_9.c11 ))
    ->       on (ref_7.c1 = ref_8.c_j9alg ));
ERROR 2013 (HY000): Lost connection to MySQL server during query
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1:4000' (111)
ERROR: 
Can't connect to the server

Stack trace shows:

github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc012734d40, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:183 +0x16f fp=0xc0336703a8 sp=0xc0336703a0 pc=0x1ff198f
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc012f2dff0, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:194 +0xfc fp=0xc0336703f0 sp=0xc0336703a8 pc=0x1ff191c
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc01325fc70, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:194 +0xfc fp=0xc033670438 sp=0xc0336703f0 pc=0x1ff191c
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303ca0, 0xc01300b7a0, 0x4303ca0, 0xc013404360, 0x0, 0x0)

[bb7133]

PTAL @wjhuang2016

[wjhuang2016]

/cc @guo-shaoge

[mjonss]

Related to memory.reArrangeFallback: #30353

[wjhuang2016]

mysql> select (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3, (select c4 from t_cpsvpb) as c7, 1 as c11 from (select ref_0.c_13sfid as c0 from t_x7zqmd as ref_0 where 0 <> 0) as subq_0;
ERROR 1105 (HY000): runtime error: invalid memory address or nil pointer dereference

It has nothing to do with CTE, it seems that related to window function.