DuckDB crashes with a crafted ARRAY expression #12007

Closed

fuboat opened this issue May 11, 2024 · 1 comment · Fixed by #12111
fuboat commented May 11, 2024

What happens?

DuckDB v0.10.2 (duckdb_cli-linux-amd64) crashes with a crafted ARRAY expression. It can also be reproduced in the nightly build.

To Reproduce

SELECT [MAP([2], [{'key1': MAP([ARRAY_VALUE('1', NULL), ARRAY_VALUE(NULL, '2')], [1, 2]), 'key2': 2}])];
SELECT [MAP([2], [{'key1': MAP([ARRAY_VALUE('1', NULL), ARRAY_VALUE(NULL, '2')], [1, 2]), 'key2': 2}])];
...
-- Sometimes you need to execute the statement multiple times to trigger the crash.

Backtrace:

#0  0x00007ffff78969fc in ?? ()
...
#4  0x00000000007df9c6 in duckdb::Value::Value(std::string) ()
#5  0x00000000007f09c9 in duckdb::Value::CastAs(duckdb::CastFunctionSet&, duckdb::GetCastFunctionInput&, duckdb::LogicalType const&, bool) const ()
#6  0x00007ffff7e2b600 in ?? ()
...
#16 0x00000000007f0de1 in duckdb::Value::STRUCT(duckdb::LogicalType const&, duckdb::vector<duckdb::Value, true>) ()
#17 0x00000000007f11e6 in duckdb::Value::STRUCT(duckdb::vector<std::pair<std::string, duckdb::Value>, true>) ()
#18 0x00007ffff78a5453 in ?? ()
...
#24 0x00000000007fd86b in void std::vector<duckdb::Value, std::allocator<duckdb::Value> >::_M_realloc_insert<duckdb::Value const&>(__gnu_cxx::__normal_iterator<duckdb::Value*, std::vector<duckdb::Value, std::allocator<duckdb::Value> > >, duckdb::Value const&) ()
#25 0x00000000007f1e26 in duckdb::Value::MAP(duckdb::LogicalType const&, duckdb::vector<duckdb::Value, true>) ()
#26 0x00000000007efd15 in duckdb::Vector::GetValueInternal(duckdb::Vector const&, unsigned long) ()
#27 0x00000000007f03cf in duckdb::Vector::GetValue(duckdb::Vector const&, unsigned long) ()
#28 0x00000000007f045a in duckdb::Vector::GetValue(unsigned long) const ()
#29 0x00000000007f00f9 in duckdb::Vector::GetValueInternal(duckdb::Vector const&, unsigned long) ()
#30 0x00000000007f03cf in duckdb::Vector::GetValue(duckdb::Vector const&, unsigned long) ()
#31 0x00000000007f045a in duckdb::Vector::GetValue(unsigned long) const ()
...
#38 0x00000000007f04ac in duckdb::DataChunk::GetValue(unsigned long, unsigned long) const ()
#39 0x00000000015d9df1 in duckdb::ListValueFunction(duckdb::DataChunk&, duckdb::ExpressionState&, duckdb::Vector&) ()
#40 0x0000000000a9a107 in duckdb::ExpressionExecutor::Execute(duckdb::Expression const&, duckdb::ExpressionState*, duckdb::SelectionVector const*, unsigned long, duckdb::Vector&) ()
#41 0x0000000000a9a865 in duckdb::ExpressionExecutor::EvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, bool) ()
#42 0x0000000000a9aaad in duckdb::ExpressionExecutor::TryEvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, duckdb::Value&) ()
#43 0x0000000000c8f966 in duckdb::ConstantFoldingRule::Apply(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Expression>, true>&, bool&, bool) ()
#44 0x0000000000c9b6ce in duckdb::ExpressionRewriter::ApplyRules(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Rule>, true> const&, duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>, bool&, bool) ()
#45 0x0000000000c9b94a in duckdb::ExpressionRewriter::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*) ()
#46 0x0000000000d4d410 in duckdb::LogicalOperatorVisitor::EnumerateExpressions(duckdb::LogicalOperator&, std::function<void (duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*)> const&) ()
#47 0x0000000000d4d7ad in duckdb::LogicalOperatorVisitor::VisitOperatorExpressions(duckdb::LogicalOperator&) ()
#48 0x0000000000c9f512 in duckdb::ExpressionRewriter::VisitOperator(duckdb::LogicalOperator&) ()
#49 0x0000000000c9a476 in duckdb::Optimizer::RunOptimizer(duckdb::OptimizerType, std::function<void ()> const&) ()
#50 0x0000000000c9c167 in duckdb::Optimizer::Optimize(duckdb::unique_ptr<duckdb::LogicalOperator, std::default_delete<duckdb::LogicalOperator>, true>) ()
#51 0x0000000000b00189 in duckdb::ClientContext::CreatePreparedStatementInternal(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >) ()
#52 0x0000000000b009c3 in duckdb::ClientContext::CreatePreparedStatement(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >, duckdb::PreparedStatementMode) ()
#53 0x0000000000b00b4c in std::_Function_handler<void (), duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>)::{lambda()#1}>::_M_invoke(std::_Any_data const&) ()
#54 0x0000000000af9c49 in duckdb::ClientContext::RunFunctionInTransactionInternal(duckdb::ClientContextLock&, std::function<void ()> const&, bool) ()
#55 0x0000000000afa6a2 in duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#56 0x0000000000b08678 in duckdb::ClientContext::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#57 0x0000000000b08725 in duckdb::Connection::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#58 0x00000000006da751 in duckdb_shell_sqlite3_prepare_v2 ()
#59 0x00000000006c7f40 in shell_exec ()
#60 0x00000000006c9b50 in runOneSqlLine.constprop.0 ()
#61 0x00000000006d2025 in process_input ()
#62 0x00000000006a6ab7 in main ()

OS:

Ubuntu 22.04

DuckDB Version:

v0.10.2

DuckDB Client:

cli

Full Name:

Jingzhou Fu

Affiliation:

Wingtecher Lab of Tsinghua University

What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.

I have tested with a nightly build

Did you include all relevant data sets for reproducing the issue?

Yes

Did you include all code required to reproduce the issue?

  • Yes, I have

Did you include all relevant configuration (e.g., CPU architecture, Python version, Linux distribution) to reproduce the issue?

  • Yes, I have
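Because the report says the crash is intermittent, a practitioner reproducing it will want to run the statement in a loop and detect a signal-terminated process rather than eyeball the shell. The harness below is an added example, not code from the issue or from the DuckDB project. It assumes a DuckDB CLI binary reachable as `$DUCKDB_BIN` (default: `duckdb` on `PATH`) that accepts `-c COMMAND` to run one statement and exit; the statement is the reporter's repro copied verbatim.

```shell
#!/bin/sh
# Added repro harness for the intermittent crash described above (not part of
# the original issue). Assumes a DuckDB CLI binary at $DUCKDB_BIN (default:
# "duckdb" on PATH) that accepts "-c COMMAND".

DUCKDB_BIN="${DUCKDB_BIN:-duckdb}"
# The reporter's statement, unchanged.
REPRO_SQL="SELECT [MAP([2], [{'key1': MAP([ARRAY_VALUE('1', NULL), ARRAY_VALUE(NULL, '2')], [1, 2]), 'key2': 2}])];"

# Map a child's exit status to a label. A status above 128 means the shell
# saw the process die from signal (status - 128): 139 = SIGSEGV, 134 = SIGABRT.
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crash (signal $((status - 128)))"
    else
        echo "error (exit $status)"
    fi
}

# Run the statement N times, print one line per run, and report how many runs
# crashed. Returns 0 if no run crashed, 1 otherwise.
run_repro() {
    n="$1"
    crashes=0
    i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        # Output is discarded; only the exit status matters here.
        "$DUCKDB_BIN" -c "$REPRO_SQL" >/dev/null 2>&1
        label=$(classify_exit "$?")
        echo "run $i: $label"
        case "$label" in
            crash*) crashes=$((crashes + 1)) ;;
        esac
    done
    echo "crashing runs: $crashes/$n"
    [ "$crashes" -eq 0 ]
}

# Only run the loop when a binary is actually available; otherwise say so.
if command -v "$DUCKDB_BIN" >/dev/null 2>&1; then
    run_repro "${1:-20}"
else
    echo "$DUCKDB_BIN not found; set DUCKDB_BIN to a DuckDB CLI binary" >&2
fi
```

Invoke as `DUCKDB_BIN=./duckdb sh repro.sh 50` to try 50 runs against a specific build (for example the v0.10.2 release beside a nightly). A non-zero crash count with "signal 11" matches the backtrace above; a run under an ASan build or `gdb --args ./duckdb -c "..."` then gives the symbolised frames the report elides.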

szarnyasg (Collaborator) commented
Thanks! This also reproduces on macOS/Apple Silicon.
