invalid memory address or nil pointer dereference in `expression.inferCollation`

## Bug Report

Please answer these questions before submitting your issue. Thanks!

### 1. Minimal reproduce step (Required)
First execute the following valid.sql
[valid.txt](https://github.com/pingcap/tidb/files/15453251/valid.txt)
Then a crash occurs when executing the error.sql below
[error.txt](https://github.com/pingcap/tidb/files/15453255/error.txt)


### 2. What did you expect to see? (Required)
Expect no crashes

### 3. What did you see instead (Required)
```
runtime error: invalid memory address or nil pointer dereference
```
tidb.log:
```
[2024/05/27 04:41:12.123 +00:00] [ERROR] [conn.go:1013] ["connection running loop panic"] [conn=1904214040] [session_alias=] [err="runtime error: invalid memory address or nil pointer dereference"] [stack="github.com/pingcap/tidb/pkg/server.(*clientConn).Run.func1
	/workspace/source/tidb/pkg/server/conn.go:1016
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile.func1
	/workspace/source/tidb/pkg/executor/compiler.go:57
runtime.gopanic
	/usr/local/go/src/runtime/panic.go:914
runtime.panicmem
	/usr/local/go/src/runtime/panic.go:261
runtime.sigpanic
	/usr/local/go/src/runtime/signal_unix.go:861
github.com/pingcap/tidb/pkg/expression.inferCollation
	/workspace/source/tidb/pkg/expression/collation.go:411
github.com/pingcap/tidb/pkg/expression.CheckAndDeriveCollationFromExprs
	/workspace/source/tidb/pkg/expression/collation.go:305
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:493
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:450
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:450
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/expression.ColumnSubstituteImpl
	/workspace/source/tidb/pkg/expression/util.go:483
github.com/pingcap/tidb/pkg/planner/core.BreakDownPredicates
	/workspace/source/tidb/pkg/planner/core/rule_predicate_push_down.go:394
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:145
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*LogicalJoin).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:105
github.com/pingcap/tidb/pkg/planner/core.(*LogicalSelection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:137
github.com/pingcap/tidb/pkg/planner/core.(*LogicalProjection).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:147
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*baseLogicalPlan).ConvertOuterToInnerJoin
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:68
github.com/pingcap/tidb/pkg/planner/core.(*convertOuterToInnerJoin).optimize
	/workspace/source/tidb/pkg/planner/core/rule_outer_to_inner_join.go:57
github.com/pingcap/tidb/pkg/planner/core.logicalOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:1005
github.com/pingcap/tidb/pkg/planner/core.doOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:289
github.com/pingcap/tidb/pkg/planner/core.DoOptimize
	/workspace/source/tidb/pkg/planner/core/optimizer.go:348
github.com/pingcap/tidb/pkg/planner.optimize
	/workspace/source/tidb/pkg/planner/optimize.go:503
github.com/pingcap/tidb/pkg/planner.Optimize
	/workspace/source/tidb/pkg/planner/optimize.go:334
github.com/pingcap/tidb/pkg/executor.(*Compiler).Compile
	/workspace/source/tidb/pkg/executor/compiler.go:99
github.com/pingcap/tidb/pkg/session.(*session).ExecuteStmt
	/workspace/source/tidb/pkg/session/session.go:2094
github.com/pingcap/tidb/pkg/server.(*TiDBContext).ExecuteStmt
	/workspace/source/tidb/pkg/server/driver_tidb.go:294
github.com/pingcap/tidb/pkg/server.(*clientConn).handleStmt
	/workspace/source/tidb/pkg/server/conn.go:2021
github.com/pingcap/tidb/pkg/server.(*clientConn).handleQuery
	/workspace/source/tidb/pkg/server/conn.go:1774
github.com/pingcap/tidb/pkg/server.(*clientConn).dispatch
	/workspace/source/tidb/pkg/server/conn.go:1348
github.com/pingcap/tidb/pkg/server.(*clientConn).Run
	/workspace/source/tidb/pkg/server/conn.go:1114
github.com/pingcap/tidb/pkg/server.(*Server).onConn
	/workspace/source/tidb/pkg/server/server.go:739"]
```
### 4. What is your TiDB version? (Required)
```
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tidb_version()                                                                                                                                                                                                                                                   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Release Version: v8.2.0-alpha-216-gfe5858b
Edition: Community
Git Commit Hash: fe5858b00cd63808ac414c6e102a353778b0aaa7
Git Branch: HEAD
UTC Build Time: 2024-05-23 01:44:42
GoVersion: go1.21.10
Race Enabled: false
Check Table Before Drop: false
Store: tikv |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database crashes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

invalid memory address or nil pointer dereference in `expression.inferCollation` #53580

Bug Report

1. Minimal reproduce step (Required)

2. What did you expect to see? (Required)

3. What did you see instead (Required)

4. What is your TiDB version? (Required)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

invalid memory address or nil pointer dereference in expression.inferCollation #53580

Description

Bug Report

1. Minimal reproduce step (Required)

2. What did you expect to see? (Required)

3. What did you see instead (Required)

4. What is your TiDB version? (Required)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

invalid memory address or nil pointer dereference in `expression.inferCollation` #53580