MemorySanitizer: use-of-uninitialized-value in DB::ColumnString::sizeAt(long) #86134

@nikitamikhaylov

Describe the bug

https://s3.amazonaws.com/clickhouse-test-reports/json.html?REF=master&sha=9b7ef376fd43daf0462132b168caa9ecf94fd071&name_0=MasterCI&name_1=AST%20fuzzer%20%28amd_msan%29&name_1=AST%20fuzzer%20%28amd_msan%29

Logging trace to server.log
==606==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55a30c25f168 in DB::ColumnString::sizeAt(long) const ci/tmp/build/./src/Columns/ColumnString.h:49:9
    #1 0x55a30c25f168 in DB::ColumnString::doCompareAt(unsigned long, unsigned long, DB::IColumn const&, int) const ci/tmp/build/./src/Columns/ColumnString.h:261:122
    #2 0x55a30c52adcc in DB::IColumn::compareAt(unsigned long, unsigned long, DB::IColumn const&, int) const ci/tmp/build/./src/Columns/IColumn.h:359:16
    #3 0x55a30c52adcc in COW<DB::IColumn>::mutable_ptr<DB::IColumn> DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeImpl<char8_t>(DB::IColumn const&, unsigned long, unsigned long, unsigned long, DB::ColumnVector<char8_t>::MutablePtr&&, DB::ReverseIndex<unsigned long, DB::ColumnString>*, unsigned long) ci/tmp/build/./src/Columns/ColumnUnique.h:652:26
    #4 0x55a30c3ced00 in COW<DB::IColumn>::mutable_ptr<DB::IColumn> DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeFrom(DB::IColumn const&, unsigned long, unsigned long)::'lambda'(auto)::operator()<char8_t>(auto) const ci/tmp/build/./src/Columns/ColumnUnique.h:689:26
    #5 0x55a30c3ce2f3 in DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeFrom(DB::IColumn const&, unsigned long, unsigned long) ci/tmp/build/./src/Columns/ColumnUnique.h:697:28
    #6 0x55a2f8411e38 in DB::IExecutableFunction::executeWithoutSparseColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264ae38) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #7 0x55a2f8415125 in DB::IExecutableFunction::execute(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264e125) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #8 0x55a2fcde57c1 in DB::executeActionForPartialResult(DB::ActionsDAG::Node const*, std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>>, unsigned long) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:825:53
    #9 0x55a2fcde57c1 in DB::ActionsDAG::evaluatePartialResult(std::__1::unordered_map<DB::ActionsDAG::Node const*, DB::ColumnWithTypeAndName, std::__1::hash<DB::ActionsDAG::Node const*>, std::__1::equal_to<DB::ActionsDAG::Node const*>, std::__1::allocator<std::__1::pair<DB::ActionsDAG::Node const* const, DB::ColumnWithTypeAndName>>>&, std::__1::vector<DB::ActionsDAG::Node const*, std::__1::allocator<DB::ActionsDAG::Node const*>> const&, unsigned long, bool) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:1023:48
    #10 0x55a2fcde152a in DB::ActionsDAG::updateHeader(DB::Block const&) const ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:923:26
    #11 0x55a310e19216 in DB::ExpressionTransform::transformHeader(DB::Block const&, DB::ActionsDAG const&) ci/tmp/build/./src/Processors/Transforms/ExpressionTransform.cpp:12:23
    #12 0x55a311609742 in DB::ExpressionStep::ExpressionStep(std::__1::shared_ptr<DB::Block const>, DB::ActionsDAG) ci/tmp/build/./src/Processors/QueryPlan/ExpressionStep.cpp:38:39
    #13 0x55a2fde1ca7a in std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:ne190107]<DB::ExpressionStep, std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG>(std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG&&) ci/tmp/build/./contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:634:30
    #14 0x55a2fde1ca7a in DB::(anonymous namespace)::addExpressionStep(std::__1::shared_ptr<DB::PlannerContext> const&, DB::QueryPlan&, std::__1::shared_ptr<DB::ActionsAndProjectInputsFlag>&, DB::CorrelatedSubtrees const&, DB::SelectQueryOptions const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::unordered_set<std::__1::shared_ptr<DB::FutureSet>, std::__1::hash<std::__1::shared_ptr<DB::FutureSet>>, std::__1::equal_to<std::__1::shared_ptr<DB::FutureSet>>, std::__1::allocator<std::__1::shared_ptr<DB::FutureSet>>>&) ci/tmp/build/./src/Planner/Planner.cpp:444:28
    #15 0x55a2fde01d43 in DB::Planner::buildPlanForQueryNode() ci/tmp/build/./src/Planner/Planner.cpp:1742:17
    #16 0x55a2fddf0a7e in DB::Planner::buildQueryPlanIfNeeded() ci/tmp/build/./src/Planner/Planner.cpp:1402:9
    #17 0x55a30025f251 in DB::InterpreterSelectQueryAnalyzer::getQueryPlan() ci/tmp/build/./src/Interpreters/InterpreterSelectQueryAnalyzer.cpp:269:13
    #18 0x55a300db445f in DB::executeQueryImpl(char const*, char const*, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, std::__1::unique_ptr<DB::ReadBuffer, std::__1::default_delete<DB::ReadBuffer>>&, std::__1::shared_ptr<DB::IAST>&, std::__1::shared_ptr<DB::ImplicitTransactionControlExecutor>) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1523:48
    #19 0x55a300da5a81 in DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1782:11
    #20 0x55a3100d2fea in DB::TCPHandler::runImpl() ci/tmp/build/./src/Server/TCPHandler.cpp:739:68
    #21 0x55a31013ed4d in DB::TCPHandler::run() ci/tmp/build/./src/Server/TCPHandler.cpp:2740:9
    #22 0x55a31c98e49f in Poco::Net::TCPServerConnection::start() ci/tmp/build/./base/poco/Net/src/TCPServerConnection.cpp:40:3
    #23 0x55a31c98f491 in Poco::Net::TCPServerDispatcher::run() ci/tmp/build/./base/poco/Net/src/TCPServerDispatcher.cpp:115:38
    #24 0x55a31c861534 in Poco::PooledThread::run() ci/tmp/build/./base/poco/Foundation/src/ThreadPool.cpp:205:14
    #25 0x55a31c85e2ad in Poco::(anonymous namespace)::RunnableHolder::run() ci/tmp/build/./base/poco/Foundation/src/Thread.cpp:45:11
    #26 0x55a31c85ab10 in Poco::ThreadImpl::runnableEntry(void*) ci/tmp/build/./base/poco/Foundation/src/Thread_POSIX.cpp:341:27
    #27 0x7f9319951ac2 in start_thread nptl/pthread_create.c:442:8
    #28 0x7f93199e384f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

  Uninitialized value was created by a heap allocation
    #0 0x55a2cf7e6e62 in malloc (/repo/ci/tmp/clickhouse+0x9a1fe62) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #1 0x55a2ea9127b8 in void* (anonymous namespace)::allocNoTrack<false, false>(unsigned long, unsigned long) ci/tmp/build/./src/Common/Allocator.cpp:86:19
    #2 0x55a2ea9127b8 in Allocator<false, false>::alloc(unsigned long, unsigned long) ci/tmp/build/./src/Common/Allocator.cpp:133:18
    #3 0x55a2cf86b47b in void DB::PODArrayBase<8ul, 4096ul, Allocator<false, false>, 63ul, 64ul>::resize<>(unsigned long) (/repo/ci/tmp/clickhouse+0x9aa447b) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #4 0x55a2e4c5a916 in DB::FunctionStringReplace<DB::ReplaceRegexpImpl<DB::(anonymous namespace)::NameReplaceRegexpOne, (DB::ReplaceRegexpTraits)0>, DB::(anonymous namespace)::NameReplaceRegexpOne>::executeImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const replaceRegexpOne.cpp
    #5 0x55a2cf863461 in DB::IFunction::executeImplDryRun(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const (/repo/ci/tmp/clickhouse+0x9a9c461) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #6 0x55a2f841ef1a in DB::FunctionToExecutableFunctionAdaptor::executeDryRunImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const ci/tmp/build/./src/Functions/IFunctionAdaptors.cpp:16:22
    #7 0x55a2f840ad42 in DB::IExecutableFunction::executeWithoutLowCardinalityColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x32643d42) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #8 0x55a2f8411b18 in DB::IExecutableFunction::executeWithoutSparseColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264ab18) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #9 0x55a2f8415125 in DB::IExecutableFunction::execute(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264e125) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #10 0x55a2fcde57c1 in DB::executeActionForPartialResult(DB::ActionsDAG::Node const*, std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>>, unsigned long) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:825:53
    #11 0x55a2fcde57c1 in DB::ActionsDAG::evaluatePartialResult(std::__1::unordered_map<DB::ActionsDAG::Node const*, DB::ColumnWithTypeAndName, std::__1::hash<DB::ActionsDAG::Node const*>, std::__1::equal_to<DB::ActionsDAG::Node const*>, std::__1::allocator<std::__1::pair<DB::ActionsDAG::Node const* const, DB::ColumnWithTypeAndName>>>&, std::__1::vector<DB::ActionsDAG::Node const*, std::__1::allocator<DB::ActionsDAG::Node const*>> const&, unsigned long, bool) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:1023:48
    #12 0x55a2fcde152a in DB::ActionsDAG::updateHeader(DB::Block const&) const ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:923:26
    #13 0x55a310e19216 in DB::ExpressionTransform::transformHeader(DB::Block const&, DB::ActionsDAG const&) ci/tmp/build/./src/Processors/Transforms/ExpressionTransform.cpp:12:23
    #14 0x55a311609742 in DB::ExpressionStep::ExpressionStep(std::__1::shared_ptr<DB::Block const>, DB::ActionsDAG) ci/tmp/build/./src/Processors/QueryPlan/ExpressionStep.cpp:38:39
    #15 0x55a2fde1ca7a in std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:ne190107]<DB::ExpressionStep, std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG>(std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG&&) ci/tmp/build/./contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:634:30
    #16 0x55a2fde1ca7a in DB::(anonymous namespace)::addExpressionStep(std::__1::shared_ptr<DB::PlannerContext> const&, DB::QueryPlan&, std::__1::shared_ptr<DB::ActionsAndProjectInputsFlag>&, DB::CorrelatedSubtrees const&, DB::SelectQueryOptions const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::unordered_set<std::__1::shared_ptr<DB::FutureSet>, std::__1::hash<std::__1::shared_ptr<DB::FutureSet>>, std::__1::equal_to<std::__1::shared_ptr<DB::FutureSet>>, std::__1::allocator<std::__1::shared_ptr<DB::FutureSet>>>&) ci/tmp/build/./src/Planner/Planner.cpp:444:28
    #17 0x55a2fde01d43 in DB::Planner::buildPlanForQueryNode() ci/tmp/build/./src/Planner/Planner.cpp:1742:17
    #18 0x55a2fddf0a7e in DB::Planner::buildQueryPlanIfNeeded() ci/tmp/build/./src/Planner/Planner.cpp:1402:9
    #19 0x55a30025f251 in DB::InterpreterSelectQueryAnalyzer::getQueryPlan() ci/tmp/build/./src/Interpreters/InterpreterSelectQueryAnalyzer.cpp:269:13
    #20 0x55a300db445f in DB::executeQueryImpl(char const*, char const*, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, std::__1::unique_ptr<DB::ReadBuffer, std::__1::default_delete<DB::ReadBuffer>>&, std::__1::shared_ptr<DB::IAST>&, std::__1::shared_ptr<DB::ImplicitTransactionControlExecutor>) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1523:48
    #21 0x55a300da5a81 in DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1782:11
    #22 0x55a3100d2fea in DB::TCPHandler::runImpl() ci/tmp/build/./src/Server/TCPHandler.cpp:739:68

SUMMARY: MemorySanitizer: use-of-uninitialized-value ci/tmp/build/./src/Columns/ColumnString.h:49:9 in DB::ColumnString::sizeAt(long) const

Labels: fuzz (Problem found by one of the fuzzers), testing (Special issue with list of bugs found by CI)
