AST fuzzer (ubsan): nan is outside the range of representable values of type 'unsigned int' #42978

Closed
devcrafter opened this issue Nov 4, 2022 · 2 comments
Labels: duplicate; fuzz (Problem found by one of the fuzzers); testing (Special issue with list of bugs found by CI)

Comments

@devcrafter
Member

devcrafter commented Nov 4, 2022

Describe the bug
A link to the report

Query:

    SELECT median(a) AS ma, median(b) AS mb, NULL, argMin(10, 3, materialize(NULL)), toTypeName(ma), toTypeName(mb)
    FROM decimal__fuzz_45 WITH TOTALS

Error message and/or stacktrace

    #0 0x21617a17 in DB::QuantileReservoirSampler<unsigned int>::get(double) build_docker/../src/AggregateFunctions/QuantileReservoirSampler.h:61:39
    #1 0x21617a17 in DB::AggregateFunctionQuantile<unsigned int, DB::QuantileReservoirSampler<unsigned int>, DB::NameQuantile, false, void, false>::insertResultInto(char*, DB::IColumn&, DB::Arena*) const build_docker/../src/AggregateFunctions/AggregateFunctionQuantile.h:191:72
    #2 0x2c3b2dd8 in DB::ColumnAggregateFunction::convertToValues(COW<DB::IColumn>::mutable_ptr<DB::IColumn>) build_docker/../src/Columns/ColumnAggregateFunction.cpp:168:15
    #3 0x2da1f2bc in DB::finalizeChunk(DB::Chunk&, std::__1::vector<bool, std::__1::allocator<bool>> const&) build_docker/../src/Processors/Transforms/finalizeChunk.cpp:26:18
    #4 0x2d9d854a in DB::TotalsHavingTransform::transform(DB::Chunk&) build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:173:9
    #5 0x25e87e0a in DB::ISimpleTransform::transform(DB::Chunk&, DB::Chunk&) build_docker/../src/Processors/ISimpleTransform.h:32:9
    #6 0x2d50b61b in DB::ISimpleTransform::work() build_docker/../src/Processors/ISimpleTransform.cpp:89:9
    #7 0x2d53681e in DB::executeJob(DB::ExecutingGraph::Node*, DB::ReadProgressCallback*) build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:47:26
    #8 0x2d53681e in DB::ExecutionThreadContext::executeTask() build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:92:9
    #9 0x2d5262ba in DB::PipelineExecutor::executeStepImpl(unsigned long, std::__1::atomic<bool>*) build_docker/../src/Processors/Executors/PipelineExecutor.cpp:229:26
    #10 0x2d527930 in DB::PipelineExecutor::executeSingleThread(unsigned long) build_docker/../src/Processors/Executors/PipelineExecutor.cpp:195:5
    #11 0x2d527930 in DB::PipelineExecutor::spawnThreads()::$_0::operator()() const build_docker/../src/Processors/Executors/PipelineExecutor.cpp:316:17
    #12 0x2d527930 in decltype(std::declval<DB::PipelineExecutor::spawnThreads()::$_0&>()()) std::__1::__invoke[abi:v15003]<DB::PipelineExecutor::spawnThreads()::$_0&>(DB::PipelineExecutor::spawnThreads()::$_0&) build_docker/../contrib/libcxx/include/__functional/invoke.h:394:23
    #13 0x2d527930 in decltype(auto) std::__1::__apply_tuple_impl[abi:v15003]<DB::PipelineExecutor::spawnThreads()::$_0&, std::__1::tuple<>&>(DB::PipelineExecutor::spawnThreads()::$_0&, std::__1::tuple<>&, std::__1::__tuple_indices<>) build_docker/../contrib/libcxx/include/tuple:1789:1
    #14 0x2d527930 in decltype(auto) std::__1::apply[abi:v15003]<DB::PipelineExecutor::spawnThreads()::$_0&, std::__1::tuple<>&>(DB::PipelineExecutor::spawnThreads()::$_0&, std::__1::tuple<>&) build_docker/../contrib/libcxx/include/tuple:1798:1
    #15 0x2d527930 in ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()::operator()() build_docker/../src/Common/ThreadPool.h:196:13
    #16 0x2d527930 in decltype(std::declval<DB::PipelineExecutor::spawnThreads()::$_0>()()) std::__1::__invoke[abi:v15003]<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(DB::PipelineExecutor::spawnThreads()::$_0&&) build_docker/../contrib/libcxx/include/__functional/invoke.h:394:23
    #17 0x2d527930 in void std::__1::__invoke_void_return_wrapper<void, true>::__call<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&) build_docker/../contrib/libcxx/include/__functional/invoke.h:479:9
    #18 0x2d527930 in std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>::operator()[abi:v15003]() build_docker/../contrib/libcxx/include/__functional/function.h:235:12
    #19 0x2d527930 in void std::__1::__function::__policy_invoker<void ()>::__call_impl<std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>>(std::__1::__function::__policy_storage const*) build_docker/../contrib/libcxx/include/__functional/function.h:716:16
    #20 0x2058a479 in std::__1::__function::__policy_func<void ()>::operator()[abi:v15003]() const build_docker/../contrib/libcxx/include/__functional/function.h:848:16
    #21 0x2058a479 in std::__1::function<void ()>::operator()() const build_docker/../contrib/libcxx/include/__functional/function.h:1197:12
    #22 0x2058a479 in ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) build_docker/../src/Common/ThreadPool.cpp:294:17
    #23 0x2058df63 in void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()::operator()() const build_docker/../src/Common/ThreadPool.cpp:144:73
    #24 0x2058df63 in decltype(std::declval<void>()()) std::__1::__invoke[abi:v15003]<void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>(void&&) build_docker/../contrib/libcxx/include/__functional/invoke.h:394:23
    #25 0x2058df63 in void std::__1::__thread_execute[abi:v15003]<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>(std::__1::tuple<void, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>&, std::__1::__tuple_indices<>) build_docker/../contrib/libcxx/include/thread:284:5
    #26 0x2058df63 in void* std::__1::__thread_proxy[abi:v15003]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>>(void*) build_docker/../contrib/libcxx/include/thread:295:5
    #27 0x7fcd45960608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #28 0x7fcd45885132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/AggregateFunctions/QuantileReservoirSampler.h:61:39 in 

devcrafter added the "testing" (Special issue with list of bugs found by CI) and "fuzz" (Problem found by one of the fuzzers) labels Nov 4, 2022
devcrafter changed the title from "UBSan: nan is outside the range of representable values of type 'unsigned int'" to "AST fuzzer (ubsan): nan is outside the range of representable values of type 'unsigned int'" Nov 4, 2022
devcrafter self-assigned this Nov 9, 2022

@serxa
Member

serxa commented Nov 22, 2022

Another repro here #42660
../src/AggregateFunctions/QuantileReservoirSampler.h:72:44: runtime error: nan is outside the range of representable values of type 'unsigned int'
Received signal -3
Received signal Unknown signal (-3)

2022.11.22 14:47:24.639486 [ 416 ] {} <Fatal> BaseDaemon: ########################################
2022.11.22 14:47:24.639620 [ 416 ] {} <Fatal> BaseDaemon: (version 22.12.1.1, build id: 9BD122FF2B39C952BBB84A340BE2A5B6BA913D16) (from thread 407) (query_id: 72e118ce-8800-4377-a51a-fc50dd6fe6da) (query: SELECT quantiles(1.1920928955078125e-7)(d) FROM datetime__fuzz_0 WHERE snowflakeToDateTime(-2147483648, NULL) WITH TOTALS) Received signal Unknown signal (-3)
2022.11.22 14:47:24.639664 [ 416 ] {} <Fatal> BaseDaemon: Sanitizer trap.
2022.11.22 14:47:24.639712 [ 416 ] {} <Fatal> BaseDaemon: Stack trace: 0x21065fe3 0x21309816 0x168d3bb6 0x168e5c83 0x2225372d 0x2224fea9 0x2d1b72d7 0x2e861efd 0x2e81b12b 0x26c58e4b 0x2e34e03c 0x2e3793df 0x2e368cdb 0x2e36a351 0x2112b2ba 0x2112eda4 0x7f8458bb9609 0x7f8458ade133
2022.11.22 14:47:24.653126 [ 416 ] {} <Fatal> BaseDaemon: 0.1. inlined from ./build_docker/../src/Common/StackTrace.cpp:332: StackTrace::tryCapture()
2022.11.22 14:47:24.653173 [ 416 ] {} <Fatal> BaseDaemon: 0. ./build_docker/../src/Common/StackTrace.cpp:293: StackTrace::StackTrace() @ 0x21065fe3 in /workspace/clickhouse
2022.11.22 14:47:24.677226 [ 416 ] {} <Fatal> BaseDaemon: 1. ./build_docker/../src/Daemon/BaseDaemon.cpp:0: sanitizerDeathCallback() @ 0x21309816 in /workspace/clickhouse
2022.11.22 14:47:25.750097 [ 416 ] {} <Fatal> BaseDaemon: 2. __sanitizer::Die() @ 0x168d3bb6 in /workspace/clickhouse
2022.11.22 14:47:26.803026 [ 416 ] {} <Fatal> BaseDaemon: 3. ? @ 0x168e5c83 in /workspace/clickhouse
2022.11.22 14:47:26.902155 [ 416 ] {} <Fatal> BaseDaemon: 4. ./build_docker/../src/AggregateFunctions/QuantileReservoirSampler.h:0: DB::QuantileReservoirSampler<unsigned int>::getMany(double const*, unsigned long const*, unsigned long, unsigned int*) @ 0x2225372d in /workspace/clickhouse
2022.11.22 14:47:27.000073 [ 416 ] {} <Fatal> BaseDaemon: 5. ./build_docker/../src/AggregateFunctions/AggregateFunctionQuantile.h:193: DB::AggregateFunctionQuantile<unsigned int, DB::QuantileReservoirSampler<unsigned int>, DB::NameQuantiles, false, void, true>::insertResultInto(char*, DB::IColumn&, DB::Arena*) const @ 0x2224fea9 in /workspace/clickhouse
2022.11.22 14:47:27.017102 [ 416 ] {} <Fatal> BaseDaemon: 6. ./build_docker/../src/Columns/ColumnAggregateFunction.cpp:167: DB::ColumnAggregateFunction::convertToValues(COW<DB::IColumn>::mutable_ptr<DB::IColumn>) @ 0x2d1b72d7 in /workspace/clickhouse
2022.11.22 14:47:27.026749 [ 416 ] {} <Fatal> BaseDaemon: 7.1. inlined from ./build_docker/../contrib/boost/boost/smart_ptr/intrusive_ptr.hpp:138: intrusive_ptr<DB::IColumn>
2022.11.22 14:47:27.026781 [ 416 ] {} <Fatal> BaseDaemon: 7.2. inlined from ./build_docker/../src/Common/COW.h:144: immutable_ptr<DB::IColumn>
2022.11.22 14:47:27.026799 [ 416 ] {} <Fatal> BaseDaemon: 7. ./build_docker/../src/Processors/Transforms/finalizeChunk.cpp:26: DB::finalizeChunk(DB::Chunk&, std::__1::vector<bool, std::__1::allocator<bool>> const&) @ 0x2e861efd in /workspace/clickhouse
2022.11.22 14:47:27.046725 [ 416 ] {} <Fatal> BaseDaemon: 8.1. inlined from ./build_docker/../src/Processors/Chunk.h:88: DB::Chunk::getNumRows() const
2022.11.22 14:47:27.046755 [ 416 ] {} <Fatal> BaseDaemon: 8. ./build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:175: DB::TotalsHavingTransform::transform(DB::Chunk&) @ 0x2e81b12b in /workspace/clickhouse
2022.11.22 14:47:27.067789 [ 416 ] {} <Fatal> BaseDaemon: 9. ./build_docker/../src/Processors/ISimpleTransform.h:33: DB::ISimpleTransform::transform(DB::Chunk&, DB::Chunk&) @ 0x26c58e4b in /workspace/clickhouse
2022.11.22 14:47:27.081573 [ 416 ] {} <Fatal> BaseDaemon: 10. ./build_docker/../src/Processors/ISimpleTransform.cpp:99: DB::ISimpleTransform::work() @ 0x2e34e03c in /workspace/clickhouse
2022.11.22 14:47:27.089126 [ 416 ] {} <Fatal> BaseDaemon: 11.1. inlined from ./build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:50: DB::executeJob(DB::ExecutingGraph::Node*, DB::ReadProgressCallback*)
2022.11.22 14:47:27.089153 [ 416 ] {} <Fatal> BaseDaemon: 11. ./build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:92: DB::ExecutionThreadContext::executeTask() @ 0x2e3793df in /workspace/clickhouse
2022.11.22 14:47:27.109359 [ 416 ] {} <Fatal> BaseDaemon: 12. ./build_docker/../src/Processors/Executors/PipelineExecutor.cpp:229: DB::PipelineExecutor::executeStepImpl(unsigned long, std::__1::atomic<bool>*) @ 0x2e368cdb in /workspace/clickhouse
2022.11.22 14:47:27.131229 [ 416 ] {} <Fatal> BaseDaemon: 13.1. inlined from ./build_docker/../src/Processors/Executors/PipelineExecutor.cpp:0: operator()
2022.11.22 14:47:27.131271 [ 416 ] {} <Fatal> BaseDaemon: 13.2. inlined from ./build_docker/../contrib/libcxx/include/__functional/invoke.h:394: decltype(std::declval<DB::PipelineExecutor::spawnThreads()::$_0>()()) std::__1::__invoke[abi:v15003]<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(DB::PipelineExecutor::spawnThreads()::$_0&&)
2022.11.22 14:47:27.131295 [ 416 ] {} <Fatal> BaseDaemon: 13.3. inlined from ./build_docker/../contrib/libcxx/include/__functional/invoke.h:479: void std::__1::__invoke_void_return_wrapper<void, true>::__call<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&)
2022.11.22 14:47:27.131318 [ 416 ] {} <Fatal> BaseDaemon: 13.4. inlined from ./build_docker/../contrib/libcxx/include/__functional/function.h:235: std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>::operator()[abi:v15003]()
2022.11.22 14:47:27.131340 [ 416 ] {} <Fatal> BaseDaemon: 13. ./build_docker/../contrib/libcxx/include/__functional/function.h:716: void std::__1::__function::__policy_invoker<void ()>::__call_impl<std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>>(std::__1::__function::__policy_storage const*) @ 0x2e36a351 in /workspace/clickhouse
2022.11.22 14:47:27.143902 [ 416 ] {} <Fatal> BaseDaemon: 14.1. inlined from ./build_docker/../base/base/strong_typedef.h:23: StrongTypedef<std::__1::integral_constant<bool, true> >
2022.11.22 14:47:27.143935 [ 416 ] {} <Fatal> BaseDaemon: 14.2. inlined from ./build_docker/../src/Common/OpenTelemetryTraceContext.h:39: DB::OpenTelemetry::Span::isTraceEnabled() const
2022.11.22 14:47:27.143953 [ 416 ] {} <Fatal> BaseDaemon: 14. ./build_docker/../src/Common/ThreadPool.cpp:296: ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) @ 0x2112b2ba in /workspace/clickhouse
2022.11.22 14:47:27.158975 [ 416 ] {} <Fatal> BaseDaemon: 15. ./build_docker/../src/Common/ThreadPool.cpp:0: void* std::__1::__thread_proxy[abi:v15003]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>>(void*) @ 0x2112eda4 in /workspace/clickhouse
2022.11.22 14:47:27.159014 [ 416 ] {} <Fatal> BaseDaemon: 16. ? @ 0x7f8458bb9609 in ?
2022.11.22 14:47:27.159033 [ 416 ] {} <Fatal> BaseDaemon: 17. clone @ 0x7f8458ade133 in ?
2022.11.22 14:47:27.159061 [ 416 ] {} <Fatal> BaseDaemon: Integrity check of the executable skipped because the reference checksum could not be read.

@alexey-milovidov
Member

This error is major: #44066
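
The sanitizer message in both reports comes from UBSan's float-to-integer conversion check: in C++, converting NaN (or any value whose truncation does not fit) to `unsigned int` is undefined behavior. The following is an added example, not ClickHouse code and not the fix applied in the project; `quantileInterpolated`, `toUnsignedChecked`, `quantileAsUInt32`, the assumption that the NaN comes from a quantile over an empty sample, and the fallback value of 0 are all hypothetical.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical stand-in for a sampler's interpolated quantile (not ClickHouse code).
// Assumption: with nothing sampled there is no meaningful answer, so it returns NaN.
double quantileInterpolated(std::vector<double> samples, double level)
{
    if (samples.empty() || std::isnan(level))
        return std::numeric_limits<double>::quiet_NaN();
    std::sort(samples.begin(), samples.end());
    level = std::min(1.0, std::max(0.0, level));
    const double pos = level * static_cast<double>(samples.size() - 1);
    const size_t left = static_cast<size_t>(pos);
    const size_t right = std::min(left + 1, samples.size() - 1);
    return samples[left] + (samples[right] - samples[left]) * (pos - static_cast<double>(left));
}

// The unchecked pattern that -fsanitize=float-cast-overflow reports when x is NaN:
//     return static_cast<uint32_t>(x);
// Checked form: succeeds only if the truncated value fits in UInt.
template <typename UInt>
bool toUnsignedChecked(double x, UInt & out)
{
    // 2^digits is exactly representable as a double for every standard unsigned type.
    const double upper = std::ldexp(1.0, std::numeric_limits<UInt>::digits);
    if (!(x > -1.0 && x < upper)) // NaN fails both comparisons, so it is rejected here
        return false;
    out = static_cast<UInt>(x);
    return true;
}

// Assumed policy for this example: an unrepresentable quantile becomes `fallback`.
uint32_t quantileAsUInt32(const std::vector<double> & samples, double level, uint32_t fallback = 0)
{
    uint32_t result = fallback;
    toUnsignedChecked(quantileInterpolated(samples, level), result);
    return result;
}

int main()
{
    std::printf("empty sample -> %u\n", quantileAsUInt32({}, 0.5));
    std::printf("{1, 3} median -> %u\n", quantileAsUInt32({1.0, 3.0}, 0.5));
    return 0;
}
```

Building with `-fsanitize=float-cast-overflow` and swapping in the unchecked cast reproduces the class of report shown in this issue on the empty-sample call.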
