
UBSan: downcast of address ... which does not point to an object of type 'const DB::ColumnVector' #21619

@alesapin


https://clickhouse-test-reports.s3.yandex.net/21593/a9032215a68cbf4cdb021f36f41a0d13b035b50d/fuzzer_ubsan/report.html#fail1

-- Reproducer query reported with this UBSan failure (see the fuzzer_ubsan report link above).
-- The right side of the LEFT JOIN is dict_flat; its definition is not shown on this page.
-- NOTE(review): presumably dict_flat is dictionary-backed, since the trace below goes through
-- dictionaryJoinRightColumns / KeyGetterForDict; confirm against the test setup.
-- The ON clause is a three-argument equals() whose first argument combines an aggregate
-- (count over a Nullable(UInt8) NULL) with NULL operands via GREATEST.
-- NOTE(review): the trace ends in assert_cast inside ColumnVector<char8_t>::insertFrom, called
-- from AddedColumns::appendFromBlock, so the source column handed over by the join apparently
-- is not the ColumnVector type the destination expects; which column mismatches is not shown here.
SELECT *
FROM 
(
    SELECT number AS key
    FROM numbers(5)
) AS s1
LEFT JOIN dict_flat AS d ON equals(GREATEST(NULL, count(CAST(NULL, 'Nullable(UInt8)')) < 2., NULL), s1.key, d.key)
ORDER BY s1.key DESC
    #0 0x19b39b28 in DB::ColumnVector<char8_t> const& assert_cast<DB::ColumnVector<char8_t> const&, DB::IColumn const&>(DB::IColumn const&) obj-x86_64-linux-gnu/../src/Common/assert_cast.h:50:12
    #1 0x19b39b28 in DB::ColumnVector<char8_t>::insertFrom(DB::IColumn const&, unsigned long) obj-x86_64-linux-gnu/../src/Columns/ColumnVector.h:130:24
    #2 0x19582230 in void DB::(anonymous namespace)::AddedColumns::appendFromBlock<true>(DB::Block const&, unsigned long) obj-x86_64-linux-gnu/../src/Interpreters/HashJoin.cpp:738:25
    #3 0x19581b83 in DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> DB::(anonymous namespace)::joinRightColumns<(DB::ASTTableJoin::Kind)1, (DB::ASTTableJoin::Strictness)2, DB::KeyGetterForDict, DB::TableJoin, true, false>(DB::TableJoin const&, DB::(anonymous namespace)::AddedColumns&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> const* const&, DB::JoinStuff::JoinUsedFlags&) obj-x86_64-linux-gnu/../src/Interpreters/HashJoin.cpp:929:31
    #4 0x19581673 in DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> DB::(anonymous namespace)::joinRightColumnsSwitchNullability<(DB::ASTTableJoin::Kind)1, (DB::ASTTableJoin::Strictness)2, DB::KeyGetterForDict, DB::TableJoin>(DB::TableJoin const&, DB::(anonymous namespace)::AddedColumns&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> const* const&, DB::JoinStuff::JoinUsedFlags&) obj-x86_64-linux-gnu/../src/Interpreters/HashJoin.cpp:956:20
    #5 0x195803cb in DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> DB::(anonymous namespace)::dictionaryJoinRightColumns<(DB::ASTTableJoin::Kind)1, (DB::ASTTableJoin::Strictness)2>(DB::TableJoin const&, DB::(anonymous namespace)::AddedColumns&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 15ul, 16ul> const* const&) obj-x86_64-linux-gnu/../src/Interpreters/HashJoin.cpp:995:16
    #6 0x196eca1b in void DB::HashJoin::joinBlockImpl<(DB::ASTTableJoin::Kind)1, (DB::ASTTableJoin::Strictness)2, DB::HashJoin::MapsTemplate<DB::RowRef> >(DB::Block&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&, DB::Block const&, DB::HashJoin::MapsTemplate<DB::RowRef> const&) const obj-x86_64-linux-gnu/../src/Interpreters/HashJoin.cpp:1058:9
    #7 0x1a7fe56d in DB::JoiningTransform::readExecute(DB::Chunk&) obj-x86_64-linux-gnu/../src/Processors/Transforms/JoiningTransform.cpp:67:19
    #8 0x1a7fdbf7 in DB::JoiningTransform::transform(DB::Chunk&) obj-x86_64-linux-gnu/../src/Processors/Transforms/JoiningTransform.cpp:51:17
    #9 0x1a4891e1 in DB::ISimpleTransform::transform(DB::Chunk&, DB::Chunk&) obj-x86_64-linux-gnu/../src/Processors/ISimpleTransform.h:42:9
    #10 0x1a4886ef in DB::ISimpleTransform::work() obj-x86_64-linux-gnu/../src/Processors/ISimpleTransform.cpp:89:9
    #11 0x1a4b90a8 in DB::executeJob(DB::IProcessor*) obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:79:20
    #12 0x1a4b8f96 in DB::PipelineExecutor::addJob(DB::ExecutingGraph::Node*)::$_0::operator()() const obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:96:13
    #13 0x1a4b8f96 in decltype(std::__1::forward<DB::PipelineExecutor::addJob(DB::ExecutingGraph::Node*)::$_0&>(fp)()) std::__1::__invoke<DB::PipelineExecutor::addJob(DB::ExecutingGraph::Node*)::$_0&>(DB::PipelineExecutor::addJob(DB::ExecutingGraph::Node*)::$_0&) obj-x86_64-linux-gnu/../contrib/libcxx/include/type_traits:3676:1
    #14 0x1a4b79a3 in std::__1::__function::__policy_func<void ()>::operator()() const obj-x86_64-linux-gnu/../contrib/libcxx/include/functional:2221:16
    #15 0x1a4b79a3 in std::__1::function<void ()>::operator()() const obj-x86_64-linux-gnu/../contrib/libcxx/include/functional:2560:12
    #16 0x1a4b79a3 in DB::PipelineExecutor::executeStepImpl(unsigned long, unsigned long, std::__1::atomic<bool>*) obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:585:17
    #17 0x1a4b6259 in DB::PipelineExecutor::executeSingleThread(unsigned long, unsigned long) obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:473:5
    #18 0x1a4b6259 in DB::PipelineExecutor::executeImpl(unsigned long) obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:812:9
    #19 0x1a4b5d1a in DB::PipelineExecutor::execute(unsigned long) obj-x86_64-linux-gnu/../src/Processors/Executors/PipelineExecutor.cpp:395:9
    #20 0x1a4c8485 in DB::threadFunction(DB::PullingAsyncPipelineExecutor::Data&, std::__1::shared_ptr<DB::ThreadGroupStatus>, unsigned long) obj-x86_64-linux-gnu/../src/Processors/Executors/PullingAsyncPipelineExecutor.cpp:80:24
    #21 0x1a4c83d6 in DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0::operator()() const obj-x86_64-linux-gnu/../src/Processors/Executors/PullingAsyncPipelineExecutor.cpp:107:13
    #22 0x1a4c83d6 in decltype(std::__1::forward<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&>(fp)()) std::__1::__invoke_constexpr<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&) obj-x86_64-linux-gnu/../contrib/libcxx/include/type_traits:3682:1
    #23 0x1a4c8291 in decltype(auto) std::__1::__apply_tuple_impl<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&, std::__1::tuple<>&>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&, std::__1::tuple<>&, std::__1::__tuple_indices<>) obj-x86_64-linux-gnu/../contrib/libcxx/include/tuple:1415:1
    #24 0x1a4c8291 in decltype(auto) std::__1::apply<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&, std::__1::tuple<>&>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&, std::__1::tuple<>&) obj-x86_64-linux-gnu/../contrib/libcxx/include/tuple:1424:1
    #25 0x1a4c8291 in ThreadFromGlobalPool::ThreadFromGlobalPool<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&&)::'lambda'()::operator()() obj-x86_64-linux-gnu/../src/Common/ThreadPool.h:178:13
    #26 0x1a4c8291 in decltype(std::__1::forward<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0>(fp)()) std::__1::__invoke<ThreadFromGlobalPool::ThreadFromGlobalPool<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&&)::'lambda'()&>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&&) obj-x86_64-linux-gnu/../contrib/libcxx/include/type_traits:3676:1
    #27 0xdb9da6e in std::__1::function<void ()>::operator()() const obj-x86_64-linux-gnu/../contrib/libcxx/include/functional:2560:12
    #28 0xdb9da6e in ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) obj-x86_64-linux-gnu/../src/Common/ThreadPool.cpp:247:17
    #29 0xdba1745 in void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()::operator()() const obj-x86_64-linux-gnu/../src/Common/ThreadPool.cpp:124:73
    #30 0xdba1745 in decltype(std::__1::forward<void>(fp)(std::__1::forward<void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()>(fp0)...)) std::__1::__invoke<void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()>(void&&, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()&&...) obj-x86_64-linux-gnu/../contrib/libcxx/include/type_traits:3676:1
    #31 0xdba1745 in void std::__1::__thread_execute<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()>(std::__1::tuple<void, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()>&, std::__1::__tuple_indices<>) obj-x86_64-linux-gnu/../contrib/libcxx/include/thread:280:5
    #32 0xdba1745 in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, int, std::__1::optional<unsigned long>)::'lambda1'()> >(void*) obj-x86_64-linux-gnu/../contrib/libcxx/include/thread:291:5
    #33 0x7fa9df523608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #34 0x7fa9df44a292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/Common/assert_cast.h:50:12 in 

Labels: fuzz (Problem found by one of the fuzzers)
