Inconsistent AST formatting query NOT with tuple argument

[PedroTadim]

Describe the bug
A fuzzed query triggers internal error on Clickhouse on Debug builds on master branch. This issue was found with libFuzzer using libprotobuf-mutator.

How to reproduce
Compile and install Clickhouse on Debug: -DCMAKE_BUILD_TYPE=Debug, then start the server and run:

SELECT NOT ((1, 1, 1));

The following logical error happens:

<Fatal> : Logical error: 'Inconsistent AST formatting: the query:
SELECT NOT (1, 1, 1)
Was parsed and formatted back as:
SELECT not(1, 1, 1)'.

Stack trace:

2024.08.13 17:01:38.785147 [ 364504 ] {} <Fatal> ClientBase: ########## Short fault info ############
2024.08.13 17:01:38.785219 [ 364504 ] {} <Fatal> ClientBase: (version 24.8.1.1, build id: , git hash: ) (from thread 364488) Received signal 6
2024.08.13 17:01:38.785248 [ 364504 ] {} <Fatal> ClientBase: Signal description: Aborted
2024.08.13 17:01:38.785273 [ 364504 ] {} <Fatal> ClientBase: 
2024.08.13 17:01:38.785341 [ 364504 ] {} <Fatal> ClientBase: Stack trace: 0x0000644426b1506d 0x000064442703f5b0 0x000078d9f8245320 0x000078d9f829eb1d 0x000078d9f824526e 0x000078d9f82288ff 0x0000644426ab6428 0x0000644426ab7c3f 0x0000644417587d26 0x0000644423e51efb 0x0000644433ce2e73 0x0000644433cd9209 0x000064443676c1dc 0x00006444366ab856 0x00006444366a827a 0x00006444366beb7c 0x00006444366c09e2 0x00006444366c3e52 0x0000644426f372b5 0x000064443803ef57 0x0000644426f484d4 0x00006444175772d6 0x000078d9f822a1ca 0x000078d9f822a28b 0x00006444174a602e
2024.08.13 17:01:38.785375 [ 364504 ] {} <Fatal> ClientBase: ########################################
2024.08.13 17:01:38.785417 [ 364504 ] {} <Fatal> ClientBase: (version 24.8.1.1, build id: , git hash: ) (from thread 364488) (query_id: 8dcb306e-b266-4216-8310-b9189a4cb34a) (query: ) Received signal Aborted (6)
2024.08.13 17:01:38.785446 [ 364504 ] {} <Fatal> ClientBase: 
2024.08.13 17:01:38.785468 [ 364504 ] {} <Fatal> ClientBase: Stack trace: 0x0000644426b1506d 0x000064442703f5b0 0x000078d9f8245320 0x000078d9f829eb1d 0x000078d9f824526e 0x000078d9f82288ff 0x0000644426ab6428 0x0000644426ab7c3f 0x0000644417587d26 0x0000644423e51efb 0x0000644433ce2e73 0x0000644433cd9209 0x000064443676c1dc 0x00006444366ab856 0x00006444366a827a 0x00006444366beb7c 0x00006444366c09e2 0x00006444366c3e52 0x0000644426f372b5 0x000064443803ef57 0x0000644426f484d4 0x00006444175772d6 0x000078d9f822a1ca 0x000078d9f822a28b 0x00006444174a602e
2024.08.13 17:01:38.825139 [ 364504 ] {} <Fatal> ClientBase: 0.0. inlined from src/Common/StackTrace.cpp:349: StackTrace::tryCapture()
2024.08.13 17:01:38.825191 [ 364504 ] {} <Fatal> ClientBase: 0. src/Common/StackTrace.cpp:318: StackTrace::StackTrace(ucontext_t const&) @ 0x000000001613c06d
2024.08.13 17:01:38.878551 [ 364504 ] {} <Fatal> ClientBase: 1. src/Common/SignalHandlers.cpp:0: signalHandler(int, siginfo_t*, void*) @ 0x00000000166665b0
2024.08.13 17:01:38.878586 [ 364504 ] {} <Fatal> ClientBase: 2. ? @ 0x000078d9f8245320
2024.08.13 17:01:38.878610 [ 364504 ] {} <Fatal> ClientBase: 3. ? @ 0x000078d9f829eb1d
2024.08.13 17:01:38.878626 [ 364504 ] {} <Fatal> ClientBase: 4. ? @ 0x000078d9f824526e
2024.08.13 17:01:38.878644 [ 364504 ] {} <Fatal> ClientBase: 5. ? @ 0x000078d9f82288ff
2024.08.13 17:01:38.955418 [ 364504 ] {} <Fatal> ClientBase: 6.0. inlined from contrib/llvm-project/libcxx/include/atomic:958: int std::__cxx_atomic_load[abi:v15007]<int>(std::__cxx_atomic_base_impl<int> const*, std::memory_order)
2024.08.13 17:01:38.955467 [ 364504 ] {} <Fatal> ClientBase: 6.1. inlined from contrib/llvm-project/libcxx/include/atomic:1560: std::__atomic_base<int, false>::load[abi:v15007](std::memory_order) const
2024.08.13 17:01:38.955503 [ 364504 ] {} <Fatal> ClientBase: 6.2. inlined from contrib/llvm-project/libcxx/include/atomic:1564: std::__atomic_base<int, false>::operator int[abi:v15007]() const
2024.08.13 17:01:38.955533 [ 364504 ] {} <Fatal> ClientBase: 6.3. inlined from base/poco/Foundation/include/Poco/Logger.h:2354: Poco::Logger::is(int) const
2024.08.13 17:01:38.955561 [ 364504 ] {} <Fatal> ClientBase: 6. src/Common/Exception.cpp:47: DB::abortOnFailedAssertion(String const&, void* const*, unsigned long, unsigned long) @ 0x00000000160dd428
2024.08.13 17:01:39.027028 [ 364504 ] {} <Fatal> ClientBase: 7. src/Common/Exception.cpp:111: DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x00000000160dec3f
2024.08.13 17:01:39.063417 [ 364504 ] {} <Fatal> ClientBase: 8.0. inlined from contrib/llvm-project/libcxx/include/string:1499: String::__is_long[abi:v15007]() const
2024.08.13 17:01:39.063458 [ 364504 ] {} <Fatal> ClientBase: 8.1. inlined from contrib/llvm-project/libcxx/include/string:2333: ~basic_string
2024.08.13 17:01:39.063482 [ 364504 ] {} <Fatal> ClientBase: 8.2. inlined from src/Common/Exception.h:98: ~MessageMasked
2024.08.13 17:01:39.063505 [ 364504 ] {} <Fatal> ClientBase: 8.3. inlined from src/Common/Exception.h:110: Exception
2024.08.13 17:01:39.063530 [ 364504 ] {} <Fatal> ClientBase: 8. src/Common/Exception.h:63: DB::Exception::Exception(PreformattedMessage&&, int) @ 0x0000000006baed26
2024.08.13 17:01:39.115182 [ 364504 ] {} <Fatal> ClientBase: 9.0. inlined from src/Common/LoggingFormatStringHelpers.h:45: ~PreformattedMessage
2024.08.13 17:01:39.115226 [ 364504 ] {} <Fatal> ClientBase: 9. src/Common/Exception.h:128: DB::Exception::Exception<String&, String&>(int, FormatStringHelperImpl<std::type_identity<String&>::type, std::type_identity<String&>::type>, String&, String&) @ 0x0000000013478efb
2024.08.13 17:01:39.311481 [ 364504 ] {} <Fatal> ClientBase: 10. src/Interpreters/executeQuery.cpp:817: DB::executeQueryImpl(char const*, char const*, std::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, DB::ReadBuffer*) @ 0x0000000023309e73
2024.08.13 17:01:39.529590 [ 364504 ] {} <Fatal> ClientBase: 11. src/Interpreters/executeQuery.cpp:1395: DB::executeQuery(String const&, std::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) @ 0x0000000023300209
2024.08.13 17:01:39.609490 [ 364504 ] {} <Fatal> ClientBase: 12. src/Client/LocalConnection.cpp:0: DB::LocalConnection::sendQuery(DB::ConnectionTimeouts const&, String const&, std::unordered_map<String, String, std::hash<String>, std::equal_to<String>, std::allocator<std::pair<String const, String>>> const&, String const&, unsigned long, DB::Settings const*, DB::ClientInfo const*, bool, std::function<void (DB::Progress const&)>) @ 0x0000000025d931dc
2024.08.13 17:01:39.826835 [ 364504 ] {} <Fatal> ClientBase: 13. src/Client/ClientBase.cpp:1035: DB::ClientBase::processOrdinaryQuery(String const&, std::shared_ptr<DB::IAST>) @ 0x0000000025cd2856
2024.08.13 17:01:40.051524 [ 364504 ] {} <Fatal> ClientBase: 14. src/Client/ClientBase.cpp:0: DB::ClientBase::processParsedSingleQuery(String const&, String const&, std::shared_ptr<DB::IAST>, std::optional<bool>, bool) @ 0x0000000025ccf27a
2024.08.13 17:01:40.346251 [ 364504 ] {} <Fatal> ClientBase: 15. src/Client/ClientBase.cpp:2262: DB::ClientBase::executeMultiQuery(String const&) @ 0x0000000025ce5b7c
2024.08.13 17:01:40.645267 [ 364504 ] {} <Fatal> ClientBase: 16. src/Client/ClientBase.cpp:0: DB::ClientBase::processQueryText(String const&) @ 0x0000000025ce79e2
2024.08.13 17:01:40.858925 [ 364504 ] {} <Fatal> ClientBase: 17. src/Client/ClientBase.cpp:2632: DB::ClientBase::runInteractive() @ 0x0000000025ceae52
2024.08.13 17:01:40.933405 [ 364504 ] {} <Fatal> ClientBase: 18.0. inlined from contrib/llvm-project/libcxx/include/string:1499: String::__is_long[abi:v15007]() const
2024.08.13 17:01:40.933454 [ 364504 ] {} <Fatal> ClientBase: 18.1. inlined from contrib/llvm-project/libcxx/include/string:2333: ~basic_string
2024.08.13 17:01:40.933489 [ 364504 ] {} <Fatal> ClientBase: 18. programs/local/LocalServer.cpp:565: DB::LocalServer::main(std::vector<String, std::allocator<String>> const&) @ 0x000000001655e2b5
2024.08.13 17:01:40.959311 [ 364504 ] {} <Fatal> ClientBase: 19. base/poco/Util/src/Application.cpp:0: Poco::Util::Application::run() @ 0x0000000027665f57
2024.08.13 17:01:41.110957 [ 364504 ] {} <Fatal> ClientBase: 20. programs/local/LocalServer.cpp:0: mainEntryClickHouseLocal(int, char**) @ 0x000000001656f4d4
2024.08.13 17:01:41.117071 [ 364504 ] {} <Fatal> ClientBase: 21. programs/main.cpp:0: main @ 0x0000000006b9e2d6
2024.08.13 17:01:41.117105 [ 364504 ] {} <Fatal> ClientBase: 22. ? @ 0x000078d9f822a1ca
2024.08.13 17:01:41.117123 [ 364504 ] {} <Fatal> ClientBase: 23. ? @ 0x000078d9f822a28b
2024.08.13 17:01:41.172670 [ 364504 ] {} <Fatal> ClientBase: 24. _start @ 0x0000000006acd02e
2024.08.13 17:01:41.172727 [ 364504 ] {} <Fatal> ClientBase: This ClickHouse version is not official and should be upgraded to the official build.
2024.08.13 17:01:41.172914 [ 364504 ] {} <Fatal> ClientBase: Changed settings: allow_introspection_functions = true, storage_file_read_method = 'mmap'
Aborted (core dumped)

[PedroTadim]

And one more, just test cases:

SELECT (1, (1 AS c0, 1 AS c0) IS NULL AS c0), (1, (1, 1 AS c0) IS NULL AS c0) IS NULL AS c0;

Logical error: 'Inconsistent AST formatting: the query:
SELECT (1, (1 AS c0, c0) IS NULL AS c0), (1, c0) IS NULL AS c0
Was parsed and formatted back as:
SELECT (1, (1 AS c0, c0) IS NULL AS c0), c0'.

[vdimir]

Yes and actually there are three different issues in parsers (issues with NOT and - are really close to each other and being fixed in the linked PR above). Issue with tuple literals leads to (1, 1) being parsed as tuple literal while (1, (1)) as function tuple, but actually expression is the same. This issue is a bit trickier to solve, I'll try to make it in another PR

[Algunenano]

Another one with tupleElement -> https://s3.amazonaws.com/clickhouse-test-reports/json.html?PR=77633&sha=747b4aa35535746e929588fd30f06b0eb62e2cce&name_0=PR&name_1=AST%20fuzzer%20%28debug%29

SELECT ProfileEvents['LoadedMarksCount'], 1 OR toLowCardinality(1) FROM system.query_log PREWHERE tupleElement(*, 1) AND match(query, 'SELECT * FROM t_prewarm_add_column%') AND (currentDatabase() = current_database) WHERE ('SELECT * FROM t_prewarm_add_column%' NOT LIKE query) AND (type = 'QueryFinish') AND (current_database = currentDatabase()) ORDER BY ALL DESC NULLS FIRST'

[vdimir]

There are pretty inconsistencies that are difficult to fix without breaking compatibility. I'm considering an alternative approach instead of just fixing tuple literal parsing, as is being done in #69039

:) select (((1), (2)));

   ┌─(1, 2)─┐
1. │ (1,2)  │
   └────────┘

:) select ((1, 2));

   ┌─((1, 2))─┐
1. │ ((1,2))  │
   └──────────┘

:) select ((1, 2,));

   ┌─(1, 2)─┐
1. │ (1,2)  │
   └────────┘