MemorySanitizer: use-of-uninitialized-value in AggregateFunctionSingleValueOrNullData #43736

@kssenii

https://s3.amazonaws.com/clickhouse-test-reports/43595/6a057dec70cde1fbd77acf2a560c6be15adb9bb6/fuzzer_astfuzzermsan//report.html

2022.11.27 00:14:15.933546 [ 159 ] {} <Trace> BaseDaemon: Received signal -3
2022.11.27 00:14:15.934633 [ 449 ] {} <Fatal> BaseDaemon: ########################################
2022.11.27 00:14:15.935349 [ 449 ] {} <Fatal> BaseDaemon: (version 22.12.1.1, build id: 7C029890E30B7996229475DF90BF019833314424) (from thread 444) (query_id: 10d2b217-19a6-453b-ac4c-a47b45a41a80) (query: SELECT 0.5 IN (SELECT singleValueOrNull(*) FROM (SELECT 1048577 FROM numbers(0)) WITH TOTALS), NULL, NULL NOT IN (SELECT 2147483647, 1024 IN (SELECT [NULL, 2147483648, NULL, NULL], number FROM numbers(7, 100)), [NULL, NULL, NULL, NULL, NULL], number FROM numbers(1048576) WHERE NULL), NULL NOT IN (SELECT number FROM numbers(0)) GROUP BY NULL WITH CUBE) Received signal Unknown signal -3 (-3)
2022.11.27 00:14:15.935645 [ 449 ] {} <Fatal> BaseDaemon: Sanitizer trap.
2022.11.27 00:14:15.935974 [ 449 ] {} <Fatal> BaseDaemon: Stack trace: 0x28a465f9 0x2926c61a 0xc090416 0xc0a4fb3 0x4587d25c 0x4587285c 0x45856725 0x45854dcf 0x4a20d22b 0x49903d22 0x4a2081d9 0x49989b78 0x499505bd 0x499563b2 0x28cc650d 0x28cd4543 0x7fc20c6a6609 0x7fc20c5cb133
2022.11.27 00:14:16.070780 [ 449 ] {} <Fatal> BaseDaemon: 0.1. inlined from ./build_docker/../src/Common/StackTrace.cpp:332: StackTrace::tryCapture()
2022.11.27 00:14:16.071036 [ 449 ] {} <Fatal> BaseDaemon: 0. ./build_docker/../src/Common/StackTrace.cpp:293: StackTrace::StackTrace() @ 0x28a465f9 in /workspace/clickhouse
    #2 0x2926c683 in sanitizerDeathCallback() build_docker/../src/Daemon/BaseDaemon.cpp:427:9
2022.11.27 00:14:16.332776 [ 449 ] {} <Fatal> BaseDaemon: 1. ./build_docker/../src/Daemon/BaseDaemon.cpp:421: sanitizerDeathCallback() @ 0x2926c61a in /workspace/clickhouse
2022.11.27 00:14:21.862734 [ 449 ] {} <Fatal> BaseDaemon: 2. __sanitizer::Die() @ 0xc090416 in /workspace/clickhouse
    #4 0x2926c630 in sanitizerDeathCallback() build_docker/../src/Daemon/BaseDaemon.cpp:422:5
2022.11.27 00:14:27.145134 [ 449 ] {} <Fatal> BaseDaemon: 3. ? @ 0xc0a4fb3 in /workspace/clickhouse
2022.11.27 00:14:27.469155 [ 449 ] {} <Fatal> BaseDaemon: 4.1. inlined from ./build_docker/../src/Common/HashTable/HashTable.h:0: void HashTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>::emplace<unsigned int&>(unsigned int&, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>*&, bool&, unsigned long)
2022.11.27 00:14:27.469328 [ 449 ] {} <Fatal> BaseDaemon: 4.2. inlined from ./build_docker/../src/Common/HashTable/HashTable.h:1052: void HashTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>::emplace<unsigned int&>(unsigned int&, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>*&, bool&)
2022.11.27 00:14:27.469477 [ 449 ] {} <Fatal> BaseDaemon: 4.3. inlined from ./build_docker/../src/Common/ColumnsHashingImpl.h:209: DB::ColumnsHashing::columns_hashing_impl::EmplaceResultImpl<void> DB::ColumnsHashing::columns_hashing_impl::HashMethodBase<DB::ColumnsHashing::HashMethodOneNumber<unsigned int, void, unsigned int, true, false>, unsigned int, void, true, false>::emplaceImpl<HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>, unsigned int>(unsigned int&, HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>&)
2022.11.27 00:14:27.469605 [ 449 ] {} <Fatal> BaseDaemon: 4.4. inlined from ./build_docker/../src/Common/ColumnsHashingImpl.h:158: DB::ColumnsHashing::columns_hashing_impl::EmplaceResultImpl<void> DB::ColumnsHashing::columns_hashing_impl::HashMethodBase<DB::ColumnsHashing::HashMethodOneNumber<unsigned int, void, unsigned int, true, false>, unsigned int, void, true, false>::emplaceKey<HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>>(HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>&, unsigned long, DB::Arena&)
2022.11.27 00:14:27.469687 [ 449 ] {} <Fatal> BaseDaemon: 4. ./build_docker/../src/Interpreters/Set.cpp:98: void DB::Set::insertFromBlockImplCase<DB::SetMethodOneNumber<unsigned int, HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>, true>, true, false>(DB::SetMethodOneNumber<unsigned int, HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>, true>&, std::__1::vector<DB::IColumn const*, std::__1::allocator<DB::IColumn const*>> const&, unsigned long, DB::SetVariantsTemplate<DB::NonClearableSet>&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>*) @ 0x4587d25c in /workspace/clickhouse
2022.11.27 00:14:27.777101 [ 449 ] {} <Fatal> BaseDaemon: 5. ./build_docker/../src/Interpreters/Set.cpp:0: void DB::Set::insertFromBlockImpl<DB::SetMethodOneNumber<unsigned int, HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>, true>>(DB::SetMethodOneNumber<unsigned int, HashSetTable<unsigned int, HashTableCell<unsigned int, HashCRC32<unsigned int>, HashTableNoState>, HashCRC32<unsigned int>, HashTableGrowerWithPrecalculation<8ul>, Allocator<true, true>>, true>&, std::__1::vector<DB::IColumn const*, std::__1::allocator<DB::IColumn const*>> const&, unsigned long, DB::SetVariantsTemplate<DB::NonClearableSet>&, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul> const*, DB::PODArray<char8_t, 4096ul, Allocator<false, false>, 63ul, 64ul>*) @ 0x4587285c in /workspace/clickhouse
2022.11.27 00:14:28.079757 [ 449 ] {} <Fatal> BaseDaemon: 6. ./build_docker/../src/Interpreters/Set.cpp:0: DB::Set::insertFromBlock(std::__1::vector<COW<DB::IColumn>::immutable_ptr<DB::IColumn>, std::__1::allocator<COW<DB::IColumn>::immutable_ptr<DB::IColumn>>> const&) @ 0x45856725 in /workspace/clickhouse
2022.11.27 00:14:28.378467 [ 449 ] {} <Fatal> BaseDaemon: 7. ./build_docker/../src/Interpreters/Set.cpp:0: DB::Set::insertFromBlock(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&) @ 0x45854dcf in /workspace/clickhouse
2022.11.27 00:14:28.510685 [ 449 ] {} <Fatal> BaseDaemon: 8. ./build_docker/../src/Processors/Transforms/CreatingSetsTransform.cpp:103: DB::CreatingSetsTransform::consume(DB::Chunk) @ 0x4a20d22b in /workspace/clickhouse
2022.11.27 00:14:28.639228 [ 449 ] {} <Fatal> BaseDaemon: 9. ./build_docker/../src/Processors/IAccumulatingTransform.cpp:97: DB::IAccumulatingTransform::work() @ 0x49903d22 in /workspace/clickhouse
2022.11.27 00:14:28.758960 [ 449 ] {} <Fatal> BaseDaemon: 10. ./build_docker/../src/Processors/Transforms/CreatingSetsTransform.cpp:42: DB::CreatingSetsTransform::work() @ 0x4a2081d9 in /workspace/clickhouse
2022.11.27 00:14:28.804616 [ 449 ] {} <Fatal> BaseDaemon: 11.1. inlined from ./build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:0: DB::executeJob(DB::ExecutingGraph::Node*, DB::ReadProgressCallback*)
2022.11.27 00:14:28.804742 [ 449 ] {} <Fatal> BaseDaemon: 11. ./build_docker/../src/Processors/Executors/ExecutionThreadContext.cpp:92: DB::ExecutionThreadContext::executeTask() @ 0x49989b78 in /workspace/clickhouse
2022.11.27 00:14:28.968901 [ 449 ] {} <Fatal> BaseDaemon: 12. ./build_docker/../src/Processors/Executors/PipelineExecutor.cpp:229: DB::PipelineExecutor::executeStepImpl(unsigned long, std::__1::atomic<bool>*) @ 0x499505bd in /workspace/clickhouse
2022.11.27 00:14:29.158784 [ 449 ] {} <Fatal> BaseDaemon: 13.1. inlined from ./build_docker/../src/Common/ThreadPool.h:197: operator()
2022.11.27 00:14:29.159053 [ 449 ] {} <Fatal> BaseDaemon: 13.2. inlined from ./build_docker/../contrib/libcxx/include/__functional/invoke.h:394: decltype(std::declval<DB::PipelineExecutor::spawnThreads()::$_0>()()) std::__1::__invoke[abi:v15003]<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(DB::PipelineExecutor::spawnThreads()::$_0&&)
2022.11.27 00:14:29.159258 [ 449 ] {} <Fatal> BaseDaemon: 13.3. inlined from ./build_docker/../contrib/libcxx/include/__functional/invoke.h:479: void std::__1::__invoke_void_return_wrapper<void, true>::__call<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&>(ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'()&)
2022.11.27 00:14:29.159425 [ 449 ] {} <Fatal> BaseDaemon: 13.4. inlined from ./build_docker/../contrib/libcxx/include/__functional/function.h:235: std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>::operator()[abi:v15003]()
2022.11.27 00:14:29.159496 [ 449 ] {} <Fatal> BaseDaemon: 13. ./build_docker/../contrib/libcxx/include/__functional/function.h:716: void std::__1::__function::__policy_invoker<void ()>::__call_impl<std::__1::__function::__default_alloc_func<ThreadFromGlobalPoolImpl<true>::ThreadFromGlobalPoolImpl<DB::PipelineExecutor::spawnThreads()::$_0>(DB::PipelineExecutor::spawnThreads()::$_0&&)::'lambda'(), void ()>>(std::__1::__function::__policy_storage const*) @ 0x499563b2 in /workspace/clickhouse
2022.11.27 00:14:29.290979 [ 449 ] {} <Fatal> BaseDaemon: 14. ./build_docker/../contrib/libcxx/include/__functional/function.h:0: ThreadPoolImpl<std::__1::thread>::worker(std::__1::__list_iterator<std::__1::thread, void*>) @ 0x28cc650d in /workspace/clickhouse
2022.11.27 00:14:29.454317 [ 449 ] {} <Fatal> BaseDaemon: 15. ./build_docker/../src/Common/ThreadPool.cpp:0: void* std::__1::__thread_proxy[abi:v15003]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void ThreadPoolImpl<std::__1::thread>::scheduleImpl<void>(std::__1::function<void ()>, long, std::__1::optional<unsigned long>, bool)::'lambda0'()>>(void*) @ 0x28cd4543 in /workspace/clickhouse

Labels

fuzz: Problem found by one of the fuzzers
