
nullptr dereference in Roaring Bitmap functions #18911

Closed
alexey-milovidov opened this issue Jan 11, 2021 · 2 comments · Fixed by #18912
Labels: crash (Crash / segfault / abort), fuzz (Problem found by one of the fuzzers), help wanted

Comments


alexey-milovidov commented Jan 11, 2021

Describe the bug
https://clickhouse-test-reports.s3.yandex.net/0/f7e7725b8e6ca51d020eb05a8e78628231a78b08/fuzzer/report.html#fail1

How to reproduce

It always reproduces after:

CREATE TABLE bitmap_test(pickup_date Date, city_id UInt32, uid UInt32)ENGINE = Memory;
INSERT INTO bitmap_test SELECT '2019-01-01', 1, number FROM numbers(1,50);
INSERT INTO bitmap_test SELECT '2019-01-02', 1, number FROM numbers(11,60);
INSERT INTO bitmap_test SELECT '2019-01-03', 2, number FROM numbers(1,10);
SELECT
    bitmapCardinality(day_today) AS today_users,
    bitmapCardinality(day_before) AS before_users,
    bitmapOrCardinality(day_today, day_before) AS all_users,
    bitmapAndCardinality(day_today, day_before) AS old_users,
    bitmapAndnotCardinality(day_today, day_before) AS new_users,
    bitmapXorCardinality(day_today, day_before) AS diff_users
FROM 
(
    SELECT
        city_id,
        groupBitmapState(uid) AS day_today
    FROM bitmap_test
    WHERE pickup_date = '2019-01-02'
    GROUP BY
        rand((rand((rand('') % nan) = NULL) % 7) % rand(NULL)),
        city_id
) AS js1
ALL LEFT JOIN 
(
    SELECT
        city_id,
        groupBitmapState(uid) AS day_before
    FROM bitmap_test
    WHERE pickup_date = '2019-01-01'
    GROUP BY city_id
) AS js2 USING (city_id)
2021.01.10 18:02:22.570561 [ 51 ] {} <Trace> BaseDaemon: Received signal 11
2021.01.10 18:02:22.570919 [ 145 ] {} <Fatal> BaseDaemon: ########################################
2021.01.10 18:02:22.571385 [ 145 ] {} <Fatal> BaseDaemon: (version 20.13.1.5638 (official build), build id: AE52A812C77CD51984B95C53DF4AD0BB3264C79A) (from thread 105) (query_id: ab7bcf40-5940-4247-895c-d1c387f828e4) Received signal Segmentation fault (11)
2021.01.10 18:02:22.571677 [ 145 ] {} <Fatal> BaseDaemon: Address: NULL pointer. Access: read. Address not mapped to object.
2021.01.10 18:02:22.571982 [ 145 ] {} <Fatal> BaseDaemon: Stack trace: 0x1f429bc4 0x1f410366 0x1291ed2b 0x13e0bf47 0x13e0e9de 0x13e0e990 0x13e0e5ee 0x13e0d4b5 0x13baa02e 0x13bb0353 0x13bb12f5 0x1ac02842 0x1ac01fb6 0x1c3cb119 0x1b9357e5 0x1c121e18 0x1c18895c 0x1c1888bf 0x1c18887d 0x1c18882d 0x1c1887fd 0x1c18795e 0x1198acd5 0x11989f65 0x1c18609d 0x1c186a69 0x1c18aca9 0x1c18ac0d
2021.01.10 18:02:22.623897 [ 145 ] {} <Fatal> BaseDaemon: 4. ./obj-x86_64-linux-gnu/../contrib/croaring/include/roaring/roaring_array.h:79: ra_get_index @ 0x1f429bc4 in /workspace/clickhouse
2021.01.10 18:02:22.676961 [ 145 ] {} <Fatal> BaseDaemon: 5. ./obj-x86_64-linux-gnu/../contrib/croaring/src/roaring.c:2656: roaring_bitmap_contains @ 0x1f410366 in /workspace/clickhouse
2021.01.10 18:02:22.682454 [ 145 ] {} <Fatal> BaseDaemon: 6. ./obj-x86_64-linux-gnu/../contrib/croaring/cpp/roaring.hh:170: roaring::Roaring::contains(unsigned int) const @ 0x1291ed2b in /workspace/clickhouse
2021.01.10 18:02:22.692876 [ 145 ] {} <Fatal> BaseDaemon: 7. ./obj-x86_64-linux-gnu/../src/AggregateFunctions/AggregateFunctionGroupBitmapData.h:267: _ZNK2DB25RoaringBitmapWithSmallSetIjLDu32EE18rb_and_cardinalityERKS1_ @ 0x13e0bf47 in /workspace/clickhouse
2021.01.10 18:02:22.703332 [ 145 ] {} <Fatal> BaseDaemon: 8. ./obj-x86_64-linux-gnu/../src/AggregateFunctions/AggregateFunctionGroupBitmapData.h:286: _ZNK2DB25RoaringBitmapWithSmallSetIjLDu32EE17rb_or_cardinalityERKS1_ @ 0x13e0e9de in /workspace/clickhouse
2021.01.10 18:02:22.713929 [ 145 ] {} <Fatal> BaseDaemon: 9. ./obj-x86_64-linux-gnu/../src/Functions/FunctionsBitmap.h:661: DB::BitmapOrCardinalityImpl<unsigned int>::apply(DB::AggregateFunctionGroupBitmapData<unsigned int> const&, DB::AggregateFunctionGroupBitmapData<unsigned int> const&) @ 0x13e0e990 in /workspace/clickhouse
2021.01.10 18:02:22.724331 [ 145 ] {} <Fatal> BaseDaemon: 10. ./obj-x86_64-linux-gnu/../src/Functions/FunctionsBitmap.h:890: void DB::FunctionBitmapCardinality<DB::BitmapOrCardinalityImpl, DB::NameBitmapOrCardinality, unsigned long>::executeIntType<unsigned int>(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName> > const&, unsigned long, DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 15ul, 16ul>&) const @ 0x13e0e5ee in /workspace/clickhouse
2021.01.10 18:02:22.734778 [ 145 ] {} <Fatal> BaseDaemon: 11. ./obj-x86_64-linux-gnu/../src/Functions/FunctionsBitmap.h:848: DB::FunctionBitmapCardinality<DB::BitmapOrCardinalityImpl, DB::NameBitmapOrCardinality, unsigned long>::executeImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName> > const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const @ 0x13e0d4b5 in /workspace/clickhouse
alexey-milovidov added the fuzz (Problem found by one of the fuzzers) and help wanted labels on Jan 11, 2021
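What the stack trace points at, as an added example that is not ClickHouse or CRoaring code: frames 7 and 6 show rb_and_cardinality in RoaringBitmapWithSmallSet calling roaring::Roaring::contains, after which CRoaring reads through a null pointer. The class below is a constructed stand-in for that kind of wrapper (a small sorted set plus a lazily allocated large representation; std::set replaces roaring::Roaring and the threshold of 32 is chosen for the example). It shows the unsafe shape, a set operation that probes the other operand's roaring object directly, next to a hardened version that routes every probe through contains() so an operand that never grew a roaring object is handled. The cardinalities are computed for the city_id = 1 operands of the reported query; the numbers(11, 60) and numbers(1, 50) ranges come from the INSERT statements, everything else is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <set>

// Constructed stand-in for a "small set or roaring bitmap" wrapper; not
// ClickHouse or CRoaring code. std::set replaces roaring::Roaring and the
// threshold of 32 is an assumption made for the example.
struct SmallSetOrRoaring {
    static constexpr std::size_t small_limit = 32;
    std::set<std::uint32_t> small;                  // used while rb == nullptr
    std::unique_ptr<std::set<std::uint32_t>> rb;    // allocated only once the set grows

    bool isLarge() const { return rb != nullptr; }

    void add(std::uint32_t x) {
        if (isLarge()) { rb->insert(x); return; }
        small.insert(x);
        if (small.size() > small_limit) {
            rb = std::make_unique<std::set<std::uint32_t>>(small.begin(), small.end());
            small.clear();
        }
    }

    // The only place that touches rb directly, so a missing roaring object
    // is handled in exactly one spot.
    bool contains(std::uint32_t x) const {
        return isLarge() ? rb->count(x) != 0 : small.count(x) != 0;
    }

    std::size_t size() const { return isLarge() ? rb->size() : small.size(); }

    // Unsafe shape, kept for contrast and never called here: probing r.rb
    // directly assumes the other operand already has its roaring object.
    // An operand that never grew past the small set has rb == nullptr, and
    // the probe becomes a null dereference inside the roaring library.
    std::size_t andCardinalityUnchecked(const SmallSetOrRoaring & r) const {
        std::size_t n = 0;
        for (std::uint32_t x : small)
            if (r.rb->count(x) != 0)  // crashes when r.rb is null
                ++n;
        return n;
    }

    // Hardened: walk the smaller operand and probe the other via contains(),
    // which is valid for both representations.
    std::size_t andCardinality(const SmallSetOrRoaring & r) const {
        const SmallSetOrRoaring & walk = size() <= r.size() ? *this : r;
        const SmallSetOrRoaring & probe = (&walk == this) ? r : *this;
        std::size_t n = 0;
        if (walk.isLarge()) {
            for (std::uint32_t x : *walk.rb) if (probe.contains(x)) ++n;
        } else {
            for (std::uint32_t x : walk.small) if (probe.contains(x)) ++n;
        }
        return n;
    }

    // Derived the way the trace shows it (rb_or_cardinality calls rb_and_cardinality).
    std::size_t orCardinality(const SmallSetOrRoaring & r) const {
        return size() + r.size() - andCardinality(r);
    }
    std::size_t andnotCardinality(const SmallSetOrRoaring & r) const {
        return size() - andCardinality(r);
    }
    std::size_t xorCardinality(const SmallSetOrRoaring & r) const {
        return size() + r.size() - 2 * andCardinality(r);
    }
};

// numbers(first, count) as used in the report's INSERTs: the values first .. first+count-1.
static SmallSetOrRoaring makeRange(std::uint32_t first, std::uint32_t count) {
    SmallSetOrRoaring b;
    for (std::uint32_t i = 0; i < count; ++i) b.add(first + i);
    return b;
}

// Same six columns as the reported SELECT.
struct Cardinalities { std::size_t today, before, all, old, new_users, diff; };

static Cardinalities compute(const SmallSetOrRoaring & today, const SmallSetOrRoaring & before) {
    return {today.size(), before.size(), today.orCardinality(before),
            today.andCardinality(before), today.andnotCardinality(before),
            today.xorCardinality(before)};
}

// city_id = 1: day_today from numbers(11, 60), day_before from numbers(1, 50).
Cardinalities cityOne() { return compute(makeRange(11, 60), makeRange(1, 50)); }

// An operand with no rows aggregated into it: empty small set, rb still null.
// This is the state the unchecked probe cannot tolerate; the hardened
// functions give the expected cardinalities without touching rb.
Cardinalities emptyOperand() { return compute(makeRange(11, 60), SmallSetOrRoaring{}); }
```

The design point is that contains() is the single function allowed to look at rb, so the representation check cannot be forgotten in any of the cardinality functions; cityOne() yields 60, 50, 70, 40, 20, 30 for the six columns, and emptyOperand() yields 60, 0, 60, 0, 60, 60 instead of a segfault.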
alexey-milovidov (Member, Author) commented:

@amosbird @sundy-li Could you please help coordinate with people who are responsible for these functions?

alexey-milovidov added the crash (Crash / segfault / abort) label on Jan 11, 2021
sundy-li (Contributor) commented:

Seems it's an easy task to find the bug, I'll look at it.
