bug: The instance is crashed if the aggregate function out of bounds

[haitaoguan]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Please confirm if bug report does NOT exists already ?

• I confirm there is no existing issue for this

Describe the problem

mysql> show create table ttt\G
*************************** 1. row ***************************
       Table: ttt
Create Table: CREATE TABLE `ttt` (
  `o_id` bigint(20) unsigned NOT NULL,
  `u_id` bigint(20) unsigned NOT NULL,
  `p_id` varchar(50) NOT NULL,
  `u_date` timestamp NULL DEFAULT NULL,
  `t_date` timestamp NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `t_type` tinyint(4) unsigned DEFAULT NULL COMMENT '(1:;2:;3:)',
  `c_id` varchar(50) DEFAULT NULL,
  `contact` varchar(100) DEFAULT '',
  `create_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=TIANMU DEFAULT CHARSET=utf8
1 row in set (0.00 sec)

mysql> select count(*) from ttt;
+------------+
| count(*)   |
+------------+
| 1740800000 |
+------------+
1 row in set (0.01 sec)

mysql> select sum(length(p_id)) from ttt;
ERROR 2013 (HY000): Lost connection to MySQL server during query

(gdb) bt
#0  0x00007f94b76fa387 in raise () from /lib64/libc.so.6
#1  0x00007f94b76fba78 in abort () from /lib64/libc.so.6
#2  0x00007f94b773cf67 in __libc_message () from /lib64/libc.so.6
#3  0x00007f94b7745329 in _int_free () from /lib64/libc.so.6
#4  0x000000000165140f in Clear (this=0x7f9370ff8170) at /stonedb/storage/tianmu/core/value_or_null.h:109
#5  ~ValueOrNull (this=0x7f9370ff8170, __in_chrg=<optimized out>) at /stonedb/storage/tianmu/core/value_or_null.h:39
#6  Tianmu::core::ValueOrNull::operator=(Tianmu::core::ValueOrNull const&) () at /stonedb/storage/tianmu/core/value_or_null.cpp:87
#7  0x00000000016ac9ab in Tianmu::vcolumn::ExpressionColumn::FeedArguments(Tianmu::core::MIIterator const&) () at /stonedb/storage/tianmu/vc/expr_column.cpp:111
#8  0x00000000016acb75 in Tianmu::vcolumn::ExpressionColumn::GetValueInt64Impl (this=0x7f86152c2360, mit=...) at /stonedb/storage/tianmu/vc/expr_column.cpp:126
#9  0x000000000178ddf7 in GetValueInt64 (mit=..., this=<optimized out>) at /stonedb/storage/tianmu/vc/virtual_column_base.h:93
#10 Tianmu::core::GroupTable::PutAggregatedValue(int, long, Tianmu::core::MIIterator&, long, bool) () at /stonedb/storage/tianmu/optimizer/group_table.cpp:591
#11 0x00000000017812b6 in Tianmu::core::AggregationAlgorithm::AggregatePackrow(Tianmu::core::GroupByWrapper&, Tianmu::core::MIIterator*, long, unsigned long*) ()
    at /stonedb/storage/tianmu/optimizer/aggregation_algorithm.cpp:656
#12 0x000000000178393f in Tianmu::core::AggregationWorkerEnt::TaskAggrePacks(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*) () at /stonedb/storage/tianmu/optimizer/aggregation_algorithm.cpp:934
#13 0x000000000177e943 in __invoke_impl<void, void (Tianmu::core::AggregationWorkerEnt::*&)(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*), Tianmu::core::AggregationWorkerEnt*&, Tianmu::core::MIIterator*&, Tianmu::core::DimensionVector*&, Tianmu::core::MIIterator*&, Tianmu::core::CTask*&, Tianmu::core::GroupByWrapper*&, Tianmu::core::Transaction*&, unsigned long*&>
    (__t=<optimized out>, __f=<optimized out>) at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/invoke.h:89
#14 __invoke<void (Tianmu::core::AggregationWorkerEnt::*&)(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*), Tianmu::core::AggregationWorkerEnt*&, Tianmu::core::MIIterator*&, Tianmu::core::DimensionVector*&, Tianmu::core::MIIterator*&, Tianmu::core::CTask*&, Tianmu::core::GroupByWrapper*&, Tianmu::core::Transaction*&, unsigned long*&> (__fn=<optimized out>)
    at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/invoke.h:95
#15 __call<void, 0, 1, 2, 3, 4, 5, 6, 7> (__args=..., this=<optimized out>) at /opt/rh/devtoolset-9/root/usr/include/c++/9/functional:400
#16 operator()<> (this=<optimized out>) at /opt/rh/devtoolset-9/root/usr/include/c++/9/functional:484
#17 __invoke_impl<void, std::_Bind<void (Tianmu::core::AggregationWorkerEnt::*(Tianmu::core::AggregationWorkerEnt*, Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, long unsigned int*))(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, long unsigned int*)>&> (__f=...)
    at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/invoke.h:60
#18 __invoke<std::_Bind<void (Tianmu::core::AggregationWorkerEnt::*(Tianmu::core::AggregationWorkerEnt*, Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, long unsigned int*))(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, long unsigned int*)>&> (__fn=...)
    at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/invoke.h:95
#19 operator() (this=<optimized out>) at /opt/rh/devtoolset-9/root/usr/include/c++/9/future:1421
#20 operator() (this=0x7f9370ff85d0) at /opt/rh/devtoolset-9/root/usr/include/c++/9/future:1362
#21 std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::_Bind<void (Tianmu::core::AggregationWorkerEnt::*(Tianmu::core::AggregationWorkerEnt*, Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*))(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*)>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void> >::_M_invoke(std::_Any_data const&) (__functor=...) at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/std_function.h:286
#22 0x00000000015bfb7f in operator() (this=<optimized out>) at /opt/rh/devtoolset-9/root/usr/include/c++/9/bits/std_function.h:683
#23 std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) (this=0x7f8615e46e70, __f=<optimized out>, __did_set=0x7f9370ff859f) at /opt/rh/devtoolset-9/root/usr/include/c++/9/future:561
#24 0x00007f94b9d0d20b in __pthread_once_slow () from /lib64/libpthread.so.0
#25 0x000000000177e726 in __gthread_once (__func=<optimized out>, __once=0x7f8615e46e88)

Expected behavior

No response

How To Reproduce

No response

Environment

./mysqld Ver 5.7.36-StoneDB-v1.0.1 for Linux on x86_64 (build-)
build information as follow:
Repository address: https://github.com/stoneatom/stonedb.git:stonedb-5.7-dev
Branch name: stonedb-5.7-dev
Last commit ID: 1b51907
Last commit time: Date: Mon Jun 5 20:37:37 2023 +0800
Build time: Date: Tue Jun 6 02:34:37 UTC 2023

Are you interested in submitting a PR to solve the problem?

• Yes, I will!

[RingsC]

in value_or_nul.h, the validity of sp value does not check, which maybe leads to crash if a null pointer was deleted.

  void Clear() {
    if (string_owner)
      delete[] sp;
    sp = nullptr;
    string_owner = false;
    null = true;
    x = common::NULL_VALUE_64;
    len = 0;
  }

in value_or_null.cpp, the operator = will create a temp var tmp, and then swap it with *this. After that goes to destructor of ValueOrNull of tmp. In destructor of ValueOrNull, it calls Clear to clean up the temp resource which allocated in construtor of var tmp.

ValueOrNull::ValueOrNull(ValueOrNull const &von)
    : x(von.x), len(von.len), string_owner(von.string_owner), null(von.null) {
  if (string_owner) {
    sp = new char[len + 1];
    std::memcpy(sp, von.sp, len);
    sp[len] = 0;
  } else {
    sp = von.sp;
  }
}

ValueOrNull &ValueOrNull::operator=(ValueOrNull const &von) {
  if (&von != this) {
    ValueOrNull tmp(von);
    Swap(tmp);
  }
  return (*this);
}

This merged in PR #1856

[RingsC]

After that, we got this:

(gdb) bt
#0  0x00007f2ca890dff4 in _int_malloc () from /lib64/libc.so.6
#1  0x00007f2ca891178c in malloc () from /lib64/libc.so.6
#2  0x0000000001953b15 in operator new(unsigned long) ()
#3  0x0000000001953bd9 in operator new[](unsigned long, std::nothrow_t const&) ()
#4  0x000000000165184f in Tianmu::core::ValueOrNull::ValueOrNull(Tianmu::core::ValueOrNull const&) ()
#5  0x00000000016519c0 in Tianmu::core::ValueOrNull::operator=(Tianmu::core::ValueOrNull const&) ()
#6  0x00000000016acf9b in Tianmu::vcolumn::ExpressionColumn::FeedArguments(Tianmu::core::MIIterator const&) ()
#7  0x00000000016ad165 in Tianmu::vcolumn::ExpressionColumn::GetValueInt64Impl(Tianmu::core::MIIterator const&) [clone .localalias] ()
#8  0x000000000178e3e7 in Tianmu::core::GroupTable::PutAggregatedValue(int, long, Tianmu::core::MIIterator&, long, bool) ()
#9  0x00000000017818a6 in Tianmu::core::AggregationAlgorithm::AggregatePackrow(Tianmu::core::GroupByWrapper&, Tianmu::core::MIIterator*, long, unsigned long*) ()
#10 0x0000000001783f2f in Tianmu::core::AggregationWorkerEnt::TaskAggrePacks(Tianmu::core::MIIterator*, Tianmu::core::DimensionVector*, Tianmu::core::MIIterator*, Tianmu::core::CTask*, Tianmu::core::GroupByWrapper*, Tianmu::core::Transaction*, unsigned long*) ()

Memory allocation failed due to the memory leakage occurs here.

[RingsC]

mysql> select sum(length(oid)) from ttt;
+------------------+
| sum(length(oid)) |
+------------------+
|      12185547864 |
+------------------+
1 row in set (4 min 19.31 sec)


+------------------+
| sum(length(pid)) |
+------------------+
|      55690350592 |
+------------------+
1 row in set (46 min 11.60 sec)