heap-use-after-free in function concat #63006

Open
nikitamikhaylov opened this issue Apr 25, 2024 · 2 comments
Labels
fuzz Problem found by one of the fuzzers

Comments

@nikitamikhaylov
Member

(you don't have to strictly follow this form)

Describe the bug

Initially found here: https://s3.amazonaws.com/clickhouse-test-reports/62000/239f9e2059a0007225432c711baf131acf589b76/ast_fuzzer__tsan_.html

How to reproduce

SELECT
        6,
        concat(' World', toUInt128(6), 6, 6, 6, toNullable(6), materialize(toLowCardinality(toNullable(toUInt128(6))))),   concat(concat(' World', 6, toLowCardinality(6), ' World', toUInt256(6), materialize(6), 6, toNullable(6), 6, 6, NULL, 6, 6), ' World', 6, 6, 6, 6, toUInt256(6), NULL, 6, 6),  6,  6
FROM remote('127.0.0.{1,2}')
GROUP BY            toNullable(6)
    WITH ROLLUP
    WITH TOTALS

In a release build it is just a segfault. https://fiddle.clickhouse.com/7224c3bf-50fd-44e3-9ab4-614acc0cf491

[7355c13997b5] 2024.04.25 21:12:20.810734 [ 728 ] <Fatal> BaseDaemon: ########################################
[7355c13997b5] 2024.04.25 21:12:20.810766 [ 728 ] <Fatal> BaseDaemon: (version 24.4.1.1664 (official build), build id: 8AA7CFAC69F7DBBDD7A7BB8EEDF70D7160D8D29B, git hash: f85d967f110014848587ded6c3fe4eedc55a8d08) (from thread 726) (query_id: cf447e1d-6ae6-4fff-8a16-13c622141ae6) (query: SELECT
        6,
        concat(' World', toUInt128(6), 6, 6, 6, toNullable(6), materialize(toLowCardinality(toNullable(toUInt128(6))))),   concat(concat(' World', 6, toLowCardinality(6), ' World', toUInt256(6), materialize(6), 6, toNullable(6), 6, 6, NULL, 6, 6), ' World', 6, 6, 6, 6, toUInt256(6), NULL, 6, 6),  6,  6
FROM remote('127.0.0.{1,2}')
GROUP BY            toNullable(6)
    WITH ROLLUP
    WITH TOTALS) Received signal Segmentation fault (11)
[7355c13997b5] 2024.04.25 21:12:20.810789 [ 728 ] <Fatal> BaseDaemon: Address: 0x7e27a2466000. Access: write. Attempted access has violated the permissions assigned to the memory area.
[7355c13997b5] 2024.04.25 21:12:20.810802 [ 728 ] <Fatal> BaseDaemon: Stack trace: 0x00000000089b6b95 0x00000000089b5d3f 0x00000000089b4eca 0x00000000089b4039 0x000000000790ce6e 0x000000000f6832be 0x000000000f683407 0x000000000f68430a 0x000000000f6853db 0x00000000103ee059 0x0000000012577f56 0x000000000e3b1630 0x00000000122e3cd2 0x0000000012301cda 0x00000000122f5fd0 0x00000000122f76f8 0x000000000ca4b1d9 0x000000000ca4ef4a 0x000000000ca4dd4d 0x00007e27c2a4f609 0x00007e27c296a353
[7355c13997b5] 2024.04.25 21:12:20.810867 [ 728 ] <Fatal> BaseDaemon: 2. void DB::FormatStringImpl::format<true, false>(String, std::vector<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>> const&, std::vector<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>> const&, std::vector<unsigned long, std::allocator<unsigned long>> const&, std::vector<std::optional<String>, std::allocator<std::optional<String>>> const&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>&, DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul>&, unsigned long) @ 0x00000000089b6b95
[7355c13997b5] 2024.04.25 21:12:20.810906 [ 728 ] <Fatal> BaseDaemon: 3. void DB::FormatStringImpl::formatExecute<String, std::vector<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::vector<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::vector<unsigned long, std::allocator<unsigned long>>&, std::vector<std::optional<String>, std::allocator<std::optional<String>>>&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>&, DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul>&, unsigned long&>(bool, bool, String&&, std::vector<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::vector<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::allocator<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::vector<unsigned long, std::allocator<unsigned long>>&, std::vector<std::optional<String>, std::allocator<std::optional<String>>>&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>&, DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul>&, unsigned long&) @ 0x00000000089b5d3f
[7355c13997b5] 2024.04.25 21:12:20.810952 [ 728 ] <Fatal> BaseDaemon: 4. DB::(anonymous namespace)::ConcatImpl<DB::(anonymous namespace)::NameConcat, false>::executeFormatImpl(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, unsigned long) const @ 0x00000000089b4eca
[7355c13997b5] 2024.04.25 21:12:20.810996 [ 728 ] <Fatal> BaseDaemon: 5. DB::(anonymous namespace)::ConcatImpl<DB::(anonymous namespace)::NameConcat, false>::executeImpl(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long) const (.e8b9d4f72864d6b3b1902e99eb0125d2) @ 0x00000000089b4039
[7355c13997b5] 2024.04.25 21:12:20.811047 [ 728 ] <Fatal> BaseDaemon: 6. DB::FunctionToExecutableFunctionAdaptor::executeImpl(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long) const @ 0x000000000790ce6e
[7355c13997b5] 2024.04.25 21:12:20.811089 [ 728 ] <Fatal> BaseDaemon: 7. DB::IExecutableFunction::executeWithoutLowCardinalityColumns(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const @ 0x000000000f6832be
[7355c13997b5] 2024.04.25 21:12:20.811122 [ 728 ] <Fatal> BaseDaemon: 8. DB::IExecutableFunction::executeWithoutLowCardinalityColumns(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const @ 0x000000000f683407
[7355c13997b5] 2024.04.25 21:12:20.811154 [ 728 ] <Fatal> BaseDaemon: 9. DB::IExecutableFunction::executeWithoutSparseColumns(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const @ 0x000000000f68430a
[7355c13997b5] 2024.04.25 21:12:20.811189 [ 728 ] <Fatal> BaseDaemon: 10. DB::IExecutableFunction::execute(std::vector<DB::ColumnWithTypeAndName, std::allocator<DB::ColumnWithTypeAndName>> const&, std::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const @ 0x000000000f6853db
[7355c13997b5] 2024.04.25 21:12:20.811230 [ 728 ] <Fatal> BaseDaemon: 11. DB::ExpressionActions::execute(DB::Block&, unsigned long&, bool, bool) const @ 0x00000000103ee059
[7355c13997b5] 2024.04.25 21:12:20.811271 [ 728 ] <Fatal> BaseDaemon: 12. DB::ExpressionTransform::transform(DB::Chunk&) @ 0x0000000012577f56
[7355c13997b5] 2024.04.25 21:12:20.811313 [ 728 ] <Fatal> BaseDaemon: 13. DB::ISimpleTransform::transform(DB::Chunk&, DB::Chunk&) @ 0x000000000e3b1630
[7355c13997b5] 2024.04.25 21:12:20.811346 [ 728 ] <Fatal> BaseDaemon: 14. DB::ISimpleTransform::work() @ 0x00000000122e3cd2
[7355c13997b5] 2024.04.25 21:12:20.811384 [ 728 ] <Fatal> BaseDaemon: 15. DB::ExecutionThreadContext::executeTask() @ 0x0000000012301cda
[7355c13997b5] 2024.04.25 21:12:20.811423 [ 728 ] <Fatal> BaseDaemon: 16. DB::PipelineExecutor::executeStepImpl(unsigned long, std::atomic<bool>*) @ 0x00000000122f5fd0
[7355c13997b5] 2024.04.25 21:12:20.811464 [ 728 ] <Fatal> BaseDaemon: 17. void std::__function::__policy_invoker<void ()>::__call_impl<std::__function::__default_alloc_func<DB::PipelineExecutor::spawnThreads()::$_0, void ()>>(std::__function::__policy_storage const*) @ 0x00000000122f76f8
[7355c13997b5] 2024.04.25 21:12:20.811517 [ 728 ] <Fatal> BaseDaemon: 18. ThreadPoolImpl<ThreadFromGlobalPoolImpl<false, true>>::worker(std::__list_iterator<ThreadFromGlobalPoolImpl<false, true>, void*>) @ 0x000000000ca4b1d9
[7355c13997b5] 2024.04.25 21:12:20.811571 [ 728 ] <Fatal> BaseDaemon: 19. void std::__function::__policy_invoker<void ()>::__call_impl<std::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<false, true>::ThreadFromGlobalPoolImpl<void ThreadPoolImpl<ThreadFromGlobalPoolImpl<false, true>>::scheduleImpl<void>(std::function<void ()>, Priority, std::optional<unsigned long>, bool)::'lambda0'()>(void&&)::'lambda'(), void ()>>(std::__function::__policy_storage const*) @ 0x000000000ca4ef4a
[7355c13997b5] 2024.04.25 21:12:20.811617 [ 728 ] <Fatal> BaseDaemon: 20. void* std::__thread_proxy[abi:v15000]<std::tuple<std::unique_ptr<std::__thread_struct, std::default_delete<std::__thread_struct>>, void ThreadPoolImpl<std::thread>::scheduleImpl<void>(std::function<void ()>, Priority, std::optional<unsigned long>, bool)::'lambda0'()>>(void*) @ 0x000000000ca4dd4d
[7355c13997b5] 2024.04.25 21:12:20.811647 [ 728 ] <Fatal> BaseDaemon: 21. ? @ 0x00007e27c2a4f609
[7355c13997b5] 2024.04.25 21:12:20.811678 [ 728 ] <Fatal> BaseDaemon: 22. ? @ 0x00007e27c296a353
[7355c13997b5] 2024.04.25 21:12:20.928164 [ 728 ] <Fatal> BaseDaemon: Integrity check of the executable successfully passed (checksum: F74FB95FFD699B1B7280D6B242F52278)
[7355c13997b5] 2024.04.25 21:12:20.928462 [ 728 ] <Fatal> BaseDaemon: Report this error to https://github.com/ClickHouse/ClickHouse/issues
[7355c13997b5] 2024.04.25 21:12:20.928591 [ 728 ] <Fatal> BaseDaemon: Changed settings: output_format_pretty_color = 0, output_format_pretty_grid_charset = 'ASCII'

@davenger
Member

davenger commented May 1, 2024

Simpler repro

SELECT concat(toUInt128(6), toNullable(6), materialize(toLowCardinality(toNullable(6))))
FROM remote('127.0.0.{1,1}')
GROUP BY toNullable(6) settings allow_experimental_analyzer=1

I did some debugging here and it looks like this happens because we are trying to execute concat as if one column is LowCardinality and the rest are const, but one of the columns somehow lost const-ness.

(lldb) bt
* thread #4, name = 'TCPHandler', stop reason = signal SIGABRT
    frame #0: 0x00007ffff7c969fc libc.so.6`__GI___pthread_kill at pthread_kill.c:44:76
    frame #1: 0x00007ffff7c969b0 libc.so.6`__GI___pthread_kill [inlined] __pthread_kill_internal(signo=6, threadid=140731126019648) at pthread_kill.c:78:10
    frame #2: 0x00007ffff7c969b0 libc.so.6`__GI___pthread_kill(threadid=140731126019648, signo=6) at pthread_kill.c:89:10
    frame #3: 0x00007ffff7c42476 libc.so.6`__GI_raise(sig=6) at raise.c:26:13
    frame #4: 0x00007ffff7c287f3 libc.so.6`__GI_abort at abort.c:79:7
    frame #5: 0x00007ffff7c2871b libc.so.6`__assert_fail_base.cold at assert.c:92:3
    frame #6: 0x00007ffff7c39e96 libc.so.6`__GI___assert_fail(assertion="(n >= (static_cast<ssize_t>(pad_left_) ? -1 : 0)) && (n <= static_cast<ssize_t>(this->size()))", file="/home/davenger/src/ClickHouse/src/Common/PODArray.h", line=382, function="const T &DB::PODArray<unsigned long, 4096, Allocator<false, false>, 63, 64>::operator[](ssize_t) const [T = unsigned long, initial_bytes = 4096, TAllocator = Allocator<false, false>, pad_right_ = 63, pad_left_ = 64]") at assert.c:101:3
    frame #7: 0x000055557dd0b2c2 clickhouse`DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul>::operator[](this=0x0000507003f05f90, n=1) const at PODArray.h:382:9
    frame #8: 0x000055556d4f3591 clickhouse`void DB::FormatStringImpl::format<true, false>(pattern="{}{}{}", data=size=3, offsets=size=3, fixed_string_N=size=3, constant_strings=size=3, res_data=0x0000507003f06f70, res_offsets=0x0000507003f06f50, input_rows_count=3) at formatString.h:112:36
    frame #9: 0x000055556d4ea436 clickhouse`void DB::FormatStringImpl::formatExecute<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::vector<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::__1::allocator<DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::__1::vector<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, std::__1::allocator<DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul> const*>>&, std::__1::vector<unsigned long, std::__1::allocator<unsigned long>>&, std::__1::vector<std::__1::optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>>&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>&, DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 63ul, 64ul>&, unsigned long&>(possibly_has_column_string=true, possibly_has_column_fixed_string=false, args="", args=size=3, args=size=3, args=size=3, args=size=3, args=0x0000507003f06f70, args=0x0000507003f06f50, args=0x00007ffe84047020) at formatString.h:28:13
    frame #10: 0x000055556d4dbcb6 clickhouse`DB::(anonymous namespace)::ConcatImpl<DB::(anonymous namespace)::NameConcat, false>::executeFormatImpl(this=0x0000504004085528, arguments=size=3, input_rows_count=3) const at concat.cpp:172:9
    frame #11: 0x000055556d4d967a clickhouse`DB::(anonymous namespace)::ConcatImpl<DB::(anonymous namespace)::NameConcat, false>::executeImpl(this=0x0000504004085528, arguments=size=3, (null)=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x0000507003acd218 strong=2 weak=2, input_rows_count=3) const at concat.cpp:67:16
    frame #12: 0x0000555567cd2f09 clickhouse`DB::IFunction::executeImplDryRun(this=0x0000504004085528, arguments=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x0000507003acd218 strong=2 weak=2, input_rows_count=3) const at IFunction.h:432:16
    frame #13: 0x0000555568e47172 clickhouse`DB::FunctionToExecutableFunctionAdaptor::executeDryRunImpl(this=0x00005030020b7f50, arguments=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x0000507003acd218 strong=2 weak=2, input_rows_count=3) const at IFunctionAdaptors.h:26:26
    frame #14: 0x000055558df916b2 clickhouse`DB::IExecutableFunction::executeWithoutLowCardinalityColumns(this=0x00005030020b7f50, args=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x0000507003acd218 strong=2 weak=2, input_rows_count=3, dry_run=true) const at IFunction.cpp:246:15
    frame #15: 0x000055558df923e3 clickhouse`DB::IExecutableFunction::defaultImplementationForNulls(this=0x00005030020b7f50, args=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x00005080012ef038 strong=1 weak=2, input_rows_count=3, dry_run=true) const at IFunction.cpp:199:20
    frame #16: 0x000055558df91580 clickhouse`DB::IExecutableFunction::executeWithoutLowCardinalityColumns(this=0x00005030020b7f50, args=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x00005080012ef038 strong=1 weak=2, input_rows_count=3, dry_run=true) const at IFunction.cpp:241:20
    frame #17: 0x000055558df93712 clickhouse`DB::IExecutableFunction::executeWithoutSparseColumns(this=0x00005030020b7f50, arguments=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x00005080012ef2b8 strong=7 weak=2, input_rows_count=0, dry_run=true) const at IFunction.cpp:281:24
    frame #18: 0x000055558df96599 clickhouse`DB::IExecutableFunction::execute(this=0x00005030020b7f50, arguments=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x00005080012ef2b8 strong=7 weak=2, input_rows_count=0, dry_run=true) const at IFunction.cpp:378:16
    frame #19: 0x0000555591dd410e clickhouse`DB::executeActionForPartialResult(node=0x000050d000ac2b30, arguments=size=3, input_rows_count=0) at ActionsDAG.cpp:662:49
    frame #20: 0x0000555591dd3742 clickhouse`DB::ActionsDAG::evaluatePartialResult(node_to_column=size=4, outputs=size=1, input_rows_count=0, throw_on_error=true) at ActionsDAG.cpp:829:48
  * frame #21: 0x0000555591dd1b5f clickhouse`DB::ActionsDAG::updateHeader(this=0x000050b0006a8608, header=Block @ 0x00007ffe83c1ac20) const at ActionsDAG.cpp:739:26
    frame #22: 0x000055559bbe9ed7 clickhouse`DB::ExpressionTransform::transformHeader(header=Block @ 0x00007ffe83d19370, expression=0x000050b0006a8608) at ExpressionTransform.cpp:8:23
    frame #23: 0x000055559c301bab clickhouse`DB::ExpressionStep::ExpressionStep(this=0x0000512000ba3c40, input_stream_=0x00005160026ed4a0, actions_dag_=std::__1::shared_ptr<DB::ActionsDAG>::element_type @ 0x000050b0006a8608 strong=2 weak=1) at ExpressionStep.cpp:31:9
    frame #24: 0x00005555947f4528 clickhouse`std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:v15000]<DB::ExpressionStep, DB::DataStream const&, std::__1::shared_ptr<DB::ActionsDAG> const&>(__args=0x00005160026ed4a0, __args=std::__1::shared_ptr<DB::ActionsDAG>::element_type @ 0x000050b0006a8608 strong=2 weak=1) at unique_ptr.h:714:32
    frame #25: 0x00005555949af986 clickhouse`DB::(anonymous namespace)::addExpressionStep(query_plan=0x0000513001345698, expression_actions=std::__1::shared_ptr<DB::ActionsDAG>::element_type @ 0x000050b0006a8608 strong=2 weak=1, step_description="Projection", result_actions_to_execute=size=1) at Planner.cpp:337:28
    frame #26: 0x00005555949aa17d clickhouse`DB::Planner::buildPlanForQueryNode(this=0x0000513001345670) at Planner.cpp:1670:13
    frame #27: 0x000055559499d511 clickhouse`DB::Planner::buildQueryPlanIfNeeded(this=0x0000513001345670) at Planner.cpp:1240:9
    frame #28: 0x000055559499545d clickhouse`DB::InterpreterSelectQueryAnalyzer::getQueryPlan(this=0x0000513001345600) at InterpreterSelectQueryAnalyzer.cpp:205:13
    frame #29: 0x0000555595b0afb2 clickhouse`DB::executeQueryImpl(begin="SELECT concat(toUInt128(6), toNullable(6), materialize(toLowCardinality(toNullable(6))))\nFROM remote('127.0.0.{1,1}')\nGROUP BY toNullable(6) settings allow_experimental_analyzer=1", end="", context=std::__1::shared_ptr<DB::Context>::element_type @ 0x00005270004e5100 strong=3 weak=10, flags=(internal = false, distributed_backup_restore = false), stage=Complete, istr=0x0000000000000000) at executeQuery.cpp:1151:48
    frame #30: 0x0000555595aff04c clickhouse`DB::executeQuery(query="SELECT concat(toUInt128(6), toNullable(6), materialize(toLowCardinality(toNullable(6))))\nFROM remote('127.0.0.{1,1}')\nGROUP BY toNullable(6) settings allow_experimental_analyzer=1", context=std::__1::shared_ptr<DB::Context>::element_type @ 0x00005270004e5100 strong=3 weak=10, flags=(internal = false, distributed_backup_restore = false), stage=Complete) at executeQuery.cpp:1395:26
    frame #31: 0x000055559ab95f55 clickhouse`DB::TCPHandler::runImpl(this=0x000051b00197ff80) at TCPHandler.cpp:522:54
    frame #32: 0x000055559abc883e clickhouse`DB::TCPHandler::run(this=0x000051b00197ff80) at TCPHandler.cpp:2341:9
    frame #33: 0x00005555a718f0a5 clickhouse`Poco::Net::TCPServerConnection::start(this=0x000051b00197ff80) at TCPServerConnection.cpp:43:3
    frame #34: 0x00005555a718fbed clickhouse`Poco::Net::TCPServerDispatcher::run(this=0x00005110015a8780) at TCPServerDispatcher.cpp:115:20
    frame #35: 0x00005555a76909f4 clickhouse`Poco::PooledThread::run(this=0x0000516000017780) at ThreadPool.cpp:188:14
    frame #36: 0x00005555a768924a clickhouse`Poco::(anonymous namespace)::RunnableHolder::run(this=0x000050200000b670) at Thread.cpp:45:11
    frame #37: 0x00005555a76865dc clickhouse`Poco::ThreadImpl::runnableEntry(pThread=0x00005160000177b8) at Thread_POSIX.cpp:335:27
    frame #38: 0x0000555567c7665b clickhouse`asan_thread_start(void*) + 59
    frame #39: 0x00007ffff7c94ac3 libc.so.6`start_thread(arg=<unavailable>) at pthread_create.c:442:8
    frame #40: 0x00007ffff7d26850 libc.so.6`__clone3 at clone3.S:81

In frame 17, columns_without_low_cardinality[1] is non-const and has 0 rows while other columns have 3 rows.

(lldb) fr s 17
frame #17: 0x000055558df93712 clickhouse`DB::IExecutableFunction::executeWithoutSparseColumns(this=0x00005030020b7f50, arguments=size=3, result_type=std::__1::shared_ptr<const DB::IDataType>::element_type @ 0x00005080012ef2b8 strong=7 weak=2, input_rows_count=0, dry_run=true) const at IFunction.cpp:281:24
   278 	                                        ? input_rows_count
   279 	                                        : columns_without_low_cardinality.front().column->size();
   280 	
-> 281 	            auto res = executeWithoutLowCardinalityColumns(columns_without_low_cardinality, dictionary_type, new_input_rows_count, dry_run);
   282 	            bool res_is_constant = isColumnConst(*res);
   283 	
   284 	            auto keys = res_is_constant
(lldb) p columns_without_low_cardinality[0].column->dumpStructure()
(String) "Const(size = 3, UInt128(size = 1))"
(lldb) p columns_without_low_cardinality[1].column->dumpStructure()
(String) "Nullable(size = 0, UInt8(size = 0), UInt8(size = 0))"
(lldb) p columns_without_low_cardinality[2].column->dumpStructure()
(String) "Nullable(size = 3, UInt8(size = 3), UInt8(size = 3))"

The non-const column Nullable(UInt8) _CAST(6_Nullable(UInt8), 'Nullable(UInt8)'_String) is coming through ActionsDAG input

(lldb) fr s 21
frame #21: 0x0000555591dd1b5f clickhouse`DB::ActionsDAG::updateHeader(this=0x000050b0006a8608, header=Block @ 0x00007ffe83c1ac20) const at ActionsDAG.cpp:739:26
   736 	    ColumnsWithTypeAndName result_columns;
   737 	    try
   738 	    {
-> 739 	        result_columns = evaluatePartialResult(node_to_column, outputs, /* input_rows_count= */ 0, /* throw_on_error= */ true);
   740 	    }
   741 	    catch (Exception & e)
   742 	    {
(lldb) p this->dumpDAG()
0 : INPUT () (no column) Nullable(UInt8) _CAST(6_Nullable(UInt8), 'Nullable(UInt8)'_String)
1 : COLUMN () Const(UInt128) UInt128 _CAST('6'_UInt128, 'UInt128'_String)
2 : COLUMN () Const(ColumnLowCardinality) LowCardinality(Nullable(UInt8)) _CAST(6_LowCardinality(Nullable(UInt8)), 'LowCardinality(Nullable(UInt8))'_String)
3 : FUNCTION (2) (no column) LowCardinality(Nullable(UInt8)) materialize(_CAST(6_LowCardinality(Nullable(UInt8)), 'LowCardinality(Nullable(UInt8))'_String)) [materialize]
4 : FUNCTION (1, 0, 3) (no column) LowCardinality(Nullable(String)) concat(_CAST('6'_UInt128, 'UInt128'_String), _CAST(6_Nullable(UInt8), 'Nullable(UInt8)'_String), materialize(_CAST(6_LowCardinality(Nullable(UInt8)), 'LowCardinality(Nullable(UInt8))'_String))) [concat]
Output nodes: 4
Project input: 1
Projected output: 0
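
The argument shape reported in frame 17 (one column with 0 rows next to columns with 3 rows), reduced to a stand-alone model with a row-count guard in front of the per-row loop. This is an added example, not ClickHouse code and not the project's fix; `Col`, `firstMismatchedArgument` and `concatChecked` are hypothetical names, and the sample columns are constructed to mirror the `dumpStructure()` output above.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Simplified stand-in for a string column (hypothetical type, not the
// project's IColumn): row i occupies data[offsets[i-1] .. offsets[i]).
struct Col {
    std::string data;
    std::vector<size_t> offsets;  // one entry per physical row
    bool is_const = false;        // const column: one physical row, `rows` logical rows
    size_t rows = 0;              // logical size, as in "Const(size = 3, ...)"

    static Col full(const std::vector<std::string>& vals) {
        Col c;
        for (const auto& v : vals) { c.data += v; c.offsets.push_back(c.data.size()); }
        c.rows = vals.size();
        return c;
    }
    static Col constant(const std::string& v, size_t rows) {
        Col c = full({v});
        c.is_const = true;
        c.rows = rows;
        return c;
    }
    // Unchecked on purpose: the caller must guarantee i < rows, which is
    // exactly the precondition the guard below enforces.
    std::string row(size_t i) const {
        size_t p = is_const ? 0 : i;
        size_t begin = p == 0 ? 0 : offsets[p - 1];
        return data.substr(begin, offsets[p] - begin);
    }
};

// Index of the first argument whose logical size differs from
// input_rows_count, or -1 when every argument is consistent.
int firstMismatchedArgument(const std::vector<Col>& args, size_t input_rows_count) {
    for (size_t i = 0; i < args.size(); ++i)
        if (args[i].rows != input_rows_count)
            return static_cast<int>(i);
    return -1;
}

// concat that refuses to enter the per-row loop on inconsistent arguments
// instead of indexing offsets[] past the end of a shorter column.
std::optional<std::vector<std::string>> concatChecked(const std::vector<Col>& args,
                                                      size_t input_rows_count) {
    if (firstMismatchedArgument(args, input_rows_count) != -1)
        return std::nullopt;
    std::vector<std::string> out(input_rows_count);
    for (size_t r = 0; r < input_rows_count; ++r)
        for (const auto& a : args)
            out[r] += a.row(r);
    return out;
}

// Constructed input: Const(size = 3), non-const size = 0, non-const size = 3.
std::vector<Col> shapeFromIssue() {
    return {Col::constant("6", 3), Col::full({}), Col::full({"6", "6", "6"})};
}
// Constructed input: the same arguments with the middle column still const.
std::vector<Col> consistentShape() {
    return {Col::constant("6", 3), Col::constant("6", 3), Col::full({"6", "6", "6"})};
}

int main() {
    bool rejected = !concatChecked(shapeFromIssue(), 3).has_value();
    bool ok = concatChecked(consistentShape(), 3).value()[2] == "666";
    return (rejected && ok) ? 0 : 1;
}
```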

@davenger
Member

davenger commented May 1, 2024

This doesn't repro with allow_experimental_analyzer=0.
Also, it doesn't repro if I change GROUP BY toNullable(6) to GROUP BY toNullable(7).
