Index out of bounds in json_length

[riteme]

TiFlash is compiled with clang 12.0 and libc++.

Steps to reproduce:

1. Start TiFlash server:

$ cat single.toml 
tmp_path = "/tmp/tiflash/data/tmp"
display_name = "TiFlash"
# specify paths used for store data, multiple path should be seperated by comma
path = "/tmp/tiflash/data/db"
capacity = "107374182400"
# multi-paths example
# path = "/tmp/tiflash/data/db,/tmp/tiflash1,/tmp/tiflash2"
# capacity = "0,0,0"
mark_cache_size = 5368709120
minmax_index_cache_size = 5368709120
tcp_port = 9000
http_port = 8123
[logger]
	count = 10
	errorlog = "/tmp/tiflash/log/error.log"
	size = "1000M"
	log = "/tmp/tiflash/log/server.log"
	level = "trace"
[application]
	runAsDaemon = true
[raft]
	# specify which storage engine we use. tmt or dt
	storage_engine = "dt"

$ path/to/tiflash_bin server --config single.toml
Logging trace to /tmp/tiflash/log/server.log
Logging errors to /tmp/tiflash/log/error.log
...

2. Run delta-merge-test:

$ cd path/to/tics/tests
$ ./run-test.sh delta-merge-test/query/expr/json.test

3. Error is reported at TiFlash server:

$ path/to/tiflash_bin server --config single.toml
Logging trace to /tmp/tiflash/log/server.log
Logging errors to /tmp/tiflash/log/error.log
...
/usr/lib/llvm-12/bin/../include/c++/v1/string_view:305: _LIBCPP_ASSERT '__pos < size()' failed. string_view[] index out of bounds

[riteme]

Stack trace:

(lldb) run server --config single.toml
Process 88760 launched: '/pingcap/run/tiflash-bin' (x86_64)
Logging trace to /tmp/tiflash/log/server.log
Logging errors to /tmp/tiflash/log/error.log
/usr/lib/llvm-12/bin/../include/c++/v1/string_view:305: _LIBCPP_ASSERT '__pos < size()' failed. string_view[] index out of bounds
Process 88760 stopped
* thread #68, name = 'AsyncBlockInput', stop reason = signal SIGABRT
    frame #0: 0x00007ffff4de2d22 libc.so.6`raise + 322
libc.so.6`raise:
->  0x7ffff4de2d22 <+322>: movq   0x108(%rsp), %rax
    0x7ffff4de2d2a <+330>: subq   %fs:0x28, %rax
    0x7ffff4de2d33 <+339>: jne    0x7ffff4de2d54            ; <+372>
    0x7ffff4de2d35 <+341>: movl   %r8d, %eax
(lldb) bt
error: need to add support for DW_TAG_base_type 'auto' encoded with DW_ATE = 0x0, bit_size = 0
* thread #68, name = 'AsyncBlockInput', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff4de2d22 libc.so.6`raise + 322
    frame #1: 0x00007ffff4dcc862 libc.so.6`abort + 278
    frame #2: 0x000000000ed1599a tiflash-bin`std::__1::__libcpp_abort_debug_function(std::__1::__libcpp_debug_info const&) + 74
    frame #3: 0x0000000016d960ca tiflash-bin`std::__1::basic_string_view<char, std::__1::char_traits<char> >::operator[](this=0x00007fffcc4d3888, __pos=0) const at string_view:305:14
    frame #4: 0x00000000172f3cbd tiflash-bin`DB::GetJsonLength(raw_value=(__data = "", __size = 0)) at JSONCodec.cpp:280:13
    frame #5: 0x0000000010001d91 tiflash-bin`DB::FunctionJsonLength::executeImpl(this=0x00007fffcee04598, block=0x00007fffcc4d3b00, arguments=size=1, result=2) at FunctionsString.cpp:812:38
    frame #6: 0x000000000f05af4a tiflash-bin`DB::DefaultExecutable::executeImpl(this=0x00007fffcea210a8, block=0x00007fffcc4d3b00, arguments=size=1, result=2) at IFunction.h:303:26
    frame #7: 0x0000000017549470 tiflash-bin`DB::PreparedFunctionImpl::execute(this=0x00007fffcea210a8, block=0x00007fffcc4d3b00, args=size=1, result=2) at IFunction.cpp:218:5
    frame #8: 0x0000000017549635 tiflash-bin`DB::PreparedFunctionImpl::defaultImplementationForNulls(this=0x00007fffcea210a8, block=0x00007fffcc4d4b18, args=size=1, result=2) at IFunction.cpp:202:9
    frame #9: 0x0000000017549448 tiflash-bin`DB::PreparedFunctionImpl::execute(this=0x00007fffcea210a8, block=0x00007fffcc4d4b18, args=size=1, result=2) at IFunction.cpp:215:9
    frame #10: 0x000000000f05a2e3 tiflash-bin`DB::IFunctionBase::execute(this=0x00007fffcee05138, block=0x00007fffcc4d4b18, arguments=size=1, result=2) at IFunction.h:92:32
    frame #11: 0x0000000016760dfc tiflash-bin`DB::ExpressionAction::execute(this=0x00007fffcef50780, block=0x00007fffcc4d4b18) const at ExpressionActions.cpp:333:23
    frame #12: 0x00000000167651ce tiflash-bin`DB::ExpressionActions::execute(this=0x00007fffcef74018, block=0x00007fffcc4d4b18) const at ExpressionActions.cpp:660:16
    frame #13: 0x000000001698cbd1 tiflash-bin`DB::ExpressionBlockInputStream::readImpl(this=0x00007fffcef50020) at ExpressionBlockInputStream.cpp:39:17
    frame #14: 0x0000000015659dc9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50020, res_filter=0x00007fffcc4d4bf8, return_filter=false) at IProfilingBlockInputStream.cpp:61:19
    frame #15: 0x0000000015659ba9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50020) at IProfilingBlockInputStream.cpp:29:12
    frame #16: 0x00000000169eeae8 tiflash-bin`DB::PartialSortingBlockInputStream::readImpl(this=0x00007fffcef50520) at PartialSortingBlockInputStream.cpp:12:34
    frame #17: 0x0000000015659dc9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50520, res_filter=0x00007fffcc4d4e18, return_filter=false) at IProfilingBlockInputStream.cpp:61:19
    frame #18: 0x0000000015659ba9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50520) at IProfilingBlockInputStream.cpp:29:12
    frame #19: 0x00000000169a9547 tiflash-bin`DB::MergeSortingBlockInputStream::readImpl(this=0x00007fffcef89020) at MergeSortingBlockInputStream.cpp:93:47
    frame #20: 0x0000000015659dc9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef89020, res_filter=0x00007fffcc4d59f8, return_filter=false) at IProfilingBlockInputStream.cpp:61:19
    frame #21: 0x0000000015659ba9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef89020) at IProfilingBlockInputStream.cpp:29:12
    frame #22: 0x000000001698cb68 tiflash-bin`DB::ExpressionBlockInputStream::readImpl(this=0x00007fffcef50ca0) at ExpressionBlockInputStream.cpp:36:34
    frame #23: 0x0000000015659dc9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50ca0, res_filter=0x00007fffcc4d5c28, return_filter=false) at IProfilingBlockInputStream.cpp:61:19
    frame #24: 0x0000000015659ba9 tiflash-bin`DB::IProfilingBlockInputStream::read(this=0x00007fffcef50ca0) at IProfilingBlockInputStream.cpp:29:12
    frame #25: 0x000000000ee09a3c tiflash-bin`DB::AsynchronousBlockInputStream::calculate(this=0x00007fffd3fc39d0) at AsynchronousBlockInputStream.h:142:38
    frame #26: 0x000000000ee09928 tiflash-bin`DB::AsynchronousBlockInputStream::next(this=0x00007fffcee044b0)::'lambda'()::operator()() const at AsynchronousBlockInputStream.h:125:79
    frame #27: 0x000000000ee098fd tiflash-bin`decltype(__f=0x00007fffcee044b0)::'lambda'() const&>(fp)()) std::__1::__invoke_constexpr<DB::AsynchronousBlockInputStream::next()::'lambda'() const&>(DB::AsynchronousBlockInputStream::next()::'lambda'() const&) at type_traits:3700:1
    frame #28: 0x000000000ee098b1 tiflash-bin`decltype(__f=0x00007fffcee044b0, __t=size=0, (null)=__tuple_indices<> @ 0x00007fffcc4d5d38) std::__1::__apply_tuple_impl<DB::AsynchronousBlockInputStream::next()::'lambda'() const&, std::__1::tuple<> const>(DB::AsynchronousBlockInputStream::next()::'lambda'() const&, std::__1::tuple<> const&&, std::__1::__tuple_indices<>) at tuple:1415:1
    frame #29: 0x000000000ee09872 tiflash-bin`decltype(__f=0x00007fffcee044b0, __t=size=0) std::__1::apply<DB::AsynchronousBlockInputStream::next()::'lambda'() const&, std::__1::tuple<> const>(DB::AsynchronousBlockInputStream::next()::'lambda'() const&, std::__1::tuple<> const&&) at tuple:1424:1
    frame #30: 0x000000000ee097af tiflash-bin`std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next(this=0x00007fffcee04488)::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'()::operator()() const at ThreadFactory.h:52:20
    frame #31: 0x000000000ee0973d tiflash-bin`decltype(__f=0x00007fffcee04488)::'lambda'()>(fp)()) std::__1::__invoke<std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'()&>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&) at type_traits:3694:1
    frame #32: 0x000000000ee096ed tiflash-bin`void std::__1::__invoke_void_return_wrapper<void, true>::__call<std::__1::function<void (__args=0x00007fffcee04488)> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'()&>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&...) at __functional_base:348:9
    frame #33: 0x000000000ee096bd tiflash-bin`std::__1::__function::__alloc_func<std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'(), std::__1::allocator<std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'()>, void ()>::operator(this=0x00007fffcee04488)() at functional:1558:16
    frame #34: 0x000000000ee08899 tiflash-bin`std::__1::__function::__func<std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'(), std::__1::allocator<std::__1::function<void ()> DB::ThreadFactory::newJob<DB::AsynchronousBlockInputStream::next()::'lambda'()>(DB::AsynchronousBlockInputStream::next()::'lambda'()&&)::'lambda'()>, void ()>::operator(this=0x00007fffcee04480)() at functional:1732:12
    frame #35: 0x000000000ee36ee2 tiflash-bin`std::__1::__function::__value_func<void ()>::operator(this=0x00007fffcc4d5ef0)() const at functional:1885:16
    frame #36: 0x000000000ee36e85 tiflash-bin`std::__1::function<void ()>::operator(this=0x00007fffcc4d5ef0)() const at functional:2560:12
    frame #37: 0x00000000177593ff tiflash-bin`ThreadPool::worker(this=0x00007fffd3fc3c08) at ThreadPool.cpp:92:17
    frame #38: 0x0000000017759e79 tiflash-bin`ThreadPool::ThreadPool(this=0x00007fffcee28060)>)::$_0::operator()() const at ThreadPool.cpp:12:13
    frame #39: 0x0000000017759e0d tiflash-bin`decltype(__f=0x00007fffcee28060)>)::$_0>(fp)()) std::__1::__invoke<ThreadPool::ThreadPool(unsigned long, std::__1::function<void ()>)::$_0>(ThreadPool::ThreadPool(unsigned long, std::__1::function<void ()>)::$_0&&) at type_traits:3694:1
    frame #40: 0x0000000017759de5 tiflash-bin`void std::__1::__thread_execute<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, ThreadPool::ThreadPool(unsigned long, std::__1::function<void ()>)::$_0>(__t=size=2, (null)=__tuple_indices<> @ 0x00007fffcc4d5f88)>)::$_0>&, std::__1::__tuple_indices<>) at thread:280:5
    frame #41: 0x0000000017759b45 tiflash-bin`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, ThreadPool::ThreadPool(unsigned long, std::__1::function<void ()>)::$_0> >(__vp=0x00007fffcee28050) at thread:291:5
    frame #42: 0x00007ffff4f7b259 libpthread.so.0`start_thread + 233
    frame #43: 0x00007ffff4ea45e3 libc.so.6`__clone + 67

[JaySon-Huang]

If the value is "NULL" or empty string, then FunctionJsonLength will call GetJsonLength with a 0 length string_view. It causes out-of-range access.

https://github.com/pingcap/tics/blob/90f8fab0e428f4ec57010cefeda94cb74c45642f/dbms/src/Functions/FunctionsString.cpp#L803-L814
https://github.com/pingcap/tics/blob/0fa52e725ec99dcc97944d1eb7946ac63960ffd6/dbms/src/Storages/Transaction/JSONCodec.cpp#L278-L281