
[Bug] core in FindInSetOp::execute due to global buffer overflow #12676

Closed
3 tasks done
ByteYue opened this issue Sep 16, 2022 · 0 comments · Fixed by #12677

ByteYue commented Sep 16, 2022

Search before asking

  • I had searched in the issues and found no similar issues.

Version

Master compiled with ASan.
It might occur in previous versions which enable VectorizedEngine (not verified).

What's Wrong?

==1863897==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5610761efac0 at pc 0x56107fd1da64 bp 0x7f9a52341ad0 sp 0x7f9a52341ac0
READ of size 1 at 0x5610761efac0 thread T70 (_scanner_scan)
#0 0x56107fd1da63 in doris::vectorized::FindInSetOp::execute(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, int&) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:154
#1 0x56107fdb57ef in doris::vectorized::StringFunctionImpl<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::FindInSetOp>::vector_vector(doris::vectorized::PODArray<unsigned char, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned int, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned char, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned int, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<int, 4096ul, Allocator<false, false>, 15ul, 16ul>&) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:233
#2 0x56107fdaeeac in doris::Status doris::vectorized::FunctionBinaryToType<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::StringFindInSetImpl, doris::vectorized::NameFindInSet>::execute_inner_impl<doris::vectorized::DataTypeNumber, (doris::vectorized::DataTypeNumber)0>(doris::vectorized::ColumnWithTypeAndName const&, doris::vectorized::ColumnWithTypeAndName const&, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_totype.h:236
#3 0x56107fda3671 in doris::vectorized::FunctionBinaryToType<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::StringFindInSetImpl, doris::vectorized::NameFindInSet>::execute_impl(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_totype.h:215
#4 0x56107e7fea5c in doris::vectorized::DefaultExecutable::execute_impl(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.h:465
#5 0x56107f920d9a in doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.cpp:251
#6 0x56107f920f19 in doris::vectorized::PreparedFunctionImpl::execute(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.cpp:273
#7 0x56107e7fb5ca in doris::vectorized::IFunctionBase::execute(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.h:136
#8 0x56107e7244e4 in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:96
#9 0x56107e72410d in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:89
#10 0x56107e72410d in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:89
#11 0x56107e746651 in doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vexpr_context.cpp:43
#12 0x56107e74844f in doris::vectorized::VExprContext::filter_block(doris::vectorized::VExprContext*, doris::vectorized::Block*, int) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vexpr_context.cpp:121
#13 0x561082a5dbec in doris::vectorized::VScanner::_filter_output_block(doris::vectorized::Block*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/vscanner.cpp:121
#14 0x561082a5ca36 in doris::vectorized::VScanner::get_block(doris::RuntimeState*, doris::vectorized::Block*, bool*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/vscanner.cpp:80
#15 0x561082a38fbd in doris::vectorized::ScannerScheduler::_scanner_scan(doris::vectorized::ScannerScheduler*, doris::vectorized::ScannerContext*, doris::vectorized::VScanner*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/scanner_scheduler.cpp:224
#16 0x561082a36d26 in operator() /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/scanner_scheduler.cpp:127
#17 0x561082a3b15d in __invoke_impl<void, doris::vectorized::ScannerScheduler::_schedule_scanners(doris::vectorized::ScannerContext*)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
#18 0x561082a3add5 in __invoke_r<void, doris::vectorized::ScannerScheduler::_schedule_scanners(doris::vectorized::ScannerContext*)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
#19 0x561082a3a842 in _M_invoke /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
#20 0x56107ad96b91 in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
#21 0x56107b833437 in doris::FunctionRunnable::run() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:45
#22 0x56107b82e77f in doris::ThreadPool::dispatch_thread() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:540
#23 0x56107b84fa9b in void std::__invoke_impl<void, void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref, void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:74
#24 0x56107b84f33a in std::__invoke_result<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void (doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(), doris::ThreadPool*&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:96
#25 0x56107b84e6d9 in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /var/local/ldb_toolchain/include/c++/11/functional:420
#26 0x56107b84d1ea in void std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>::operator()<, void>() /var/local/ldb_toolchain/include/c++/11/functional:503
#27 0x56107b849ddb in void std::__invoke_impl<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::__invoke_other, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
#28 0x56107b847349 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&>(std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
#29 0x56107b84264c in std::_Function_handler<void (), std::_Bind<void (doris::ThreadPool::*(doris::ThreadPool*))()> >::_M_invoke(std::_Any_data const&) /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
#30 0x56107ad96b91 in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
#31 0x56107b80e2d1 in doris::Thread::supervise_thread(void*) /home/zcp/repo_center/doris_master/be/src/util/thread.cpp:425
#32 0x7f9a796a7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#33 0x7f9a797e1162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

0x5610761efac0 is located 0 bytes to the right of global variable 'empty_pod_array' defined in '/home/zcp/repo_center/doris_master/be/src/vec/common/pod_array.cpp:25:12' (0x5610761ef6c0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:154 in doris::vectorized::FindInSetOp::execute(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, int&)
Shadow bytes around the buggy address:
0x0ac28ec35f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac28ec35f50: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
0x0ac28ec35f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f70: 00 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9
0x0ac28ec35f80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f90: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ac28ec35fa0: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T70 (_scanner_scan) created by T0 here:
#0 0x561078bd0061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0xbdd2061)
#1 0x56107b80d629 in doris::Thread::start_thread(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::function<void ()> const&, unsigned long, scoped_refptr<doris::Thread>*) /home/zcp/repo_center/doris_master/be/src/util/thread.cpp:379
#2 0x56107b837ca3 in doris::Status doris::Thread::create<void (doris::ThreadPool::*)(), doris::ThreadPool*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, void (doris::ThreadPool::* const&)(), doris::ThreadPool* const&, scoped_refptr<doris::Thread>*) /home/zcp/repo_center/doris_master/be/src/util/thread.h:54
#3 0x56107b82ffc6 in doris::ThreadPool::create_thread() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:609
#4 0x56107b829ae0 in doris::ThreadPool::init() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:266
#5 0x56107b82638c in doris::ThreadPoolBuilder::build(std::unique_ptr<doris::ThreadPool, std::default_delete<doris::ThreadPool> >*) const /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:77
#6 0x56107ad774bd in doris::ExecEnv::_init(std::vector<doris::StorePath, std::allocator<doris::StorePath> > const&) /home/zcp/repo_center/doris_master/be/src/runtime/exec_env_init.cpp:126
#7 0x56107ad7667d in doris::ExecEnv::init(doris::ExecEnv*, std::vector<doris::StorePath, std::allocator<doris::StorePath> > const&) /home/zcp/repo_center/doris_master/be/src/runtime/exec_env_init.cpp:81
#8 0x561078c7c982 in main /home/zcp/repo_center/doris_master/be/src/service/doris_main.cpp:383
#9 0x7f9a796e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

What You Expected?

Return rows as expected instead of crashing.

How to Reproduce?

Type the query statement below into Doris.

select /*+ SET_VAR(query_timeout = 600) */
    ref_0.O_ORDERKEY as c0,
    coalesce(43, ref_0.O_CUSTKEY) as c1,
    ref_0.O_ORDERKEY as c2,
    ref_0.O_ORDERSTATUS as c3
from regression_test_tpch_sf1_p1.orders as ref_0
where find_in_set(
        cast(ref_0.O_COMMENT as varchar),
        cast(BITMAP_TO_STRING(cast(BITMAP_EMPTY() as bitmap)) as varchar)) is NULL
order by ref_0.O_ORDERSTATUS desc
limit 63 offset 171

Anything Else?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct
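The reproduction feeds find_in_set an empty set list (BITMAP_TO_STRING of an empty bitmap), and ASan reports a one-byte read immediately past an empty global array. As an added illustration that is not Doris code (the exact defect at function_string.cpp:154 is not shown on this page, so this is not a port of the fix), the following find_in_set with MySQL semantics performs every read through length-bounded string_view operations, so an empty list is never dereferenced even when its data pointer sits at the end of some unrelated buffer.

```cpp
#include <cassert>
#include <cstddef>
#include <string_view>

// MySQL-style find_in_set: 1-based index of `needle` among the comma-separated
// items of `haystack`, 0 when it is absent or `haystack` is empty.
// Every access goes through string_view::find/substr, which are bounded by
// haystack.size(), so no byte beyond the view is ever touched.
int find_in_set(std::string_view needle, std::string_view haystack) {
    if (haystack.empty()) return 0;  // empty list: nothing to scan, no deref
    // MySQL returns 0 when the needle itself contains a comma.
    if (needle.find(',') != std::string_view::npos) return 0;
    int index = 1;
    std::size_t start = 0;
    for (;;) {
        std::size_t end = haystack.find(',', start);
        if (end == std::string_view::npos) end = haystack.size();
        if (haystack.substr(start, end - start) == needle) return index;
        if (end == haystack.size()) return 0;  // last item checked, not found
        start = end + 1;  // start <= size() here, so find/substr stay in range
        ++index;
    }
}

// Constructed to mirror the shape of the report above: an empty list whose
// data pointer is one past the end of an unrelated buffer (ASan flagged the
// same situation with `empty_pod_array`). Forming the past-the-end pointer is
// legal; reading through it is not, and this function never does.
int probe_empty_list_at_buffer_end() {
    static const char unrelated[8] = "abcdefg";
    std::string_view empty_list(unrelated + sizeof(unrelated), 0);
    return find_in_set("abcdefg", empty_list);  // 0: nothing read past the buffer
}

int main() {
    assert(find_in_set("b", "a,b,c") == 2);
    assert(find_in_set("d", "a,b,c") == 0);
    assert(find_in_set("", "a,") == 2);  // trailing comma yields an empty item
    assert(find_in_set("", "") == 0);
    assert(probe_empty_list_at_buffer_end() == 0);
    return 0;
}
```

Building this with -fsanitize=address and running it stays silent, which is the check the reproduction above fails against the real backend.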
