Description
Search before asking
- I had searched in the issues and found no similar issues.
Version
Master, compiled with ASan (AddressSanitizer).
It might also occur in previous versions that enable the vectorized engine (not verified).
What's Wrong?
==1863897==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5610761efac0 at pc 0x56107fd1da64 bp 0x7f9a52341ad0 sp 0x7f9a52341ac0
READ of size 1 at 0x5610761efac0 thread T70 (_scanner_scan)
#0 0x56107fd1da63 in doris::vectorized::FindInSetOp::execute(std::basic_string_view<char, std::char_traits > const&, std::basic_string_view<char, std::char_traits > const&, int&) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:154
#1 0x56107fdb57ef in doris::vectorized::StringFunctionImpl<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::FindInSetOp>::vector_vector(doris::vectorized::PODArray<unsigned char, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned int, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned char, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<unsigned int, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, doris::vectorized::PODArray<int, 4096ul, Allocator<false, false>, 15ul, 16ul>&) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:233
#2 0x56107fdaeeac in doris::Status doris::vectorized::FunctionBinaryToType<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::StringFindInSetImpl, doris::vectorized::NameFindInSet>::execute_inner_impl<doris::vectorized::DataTypeNumber, (doris::vectorized::DataTypeNumber)0>(doris::vectorized::ColumnWithTypeAndName const&, doris::vectorized::ColumnWithTypeAndName const&, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_totype.h:236
#3 0x56107fda3671 in doris::vectorized::FunctionBinaryToType<doris::vectorized::DataTypeString, doris::vectorized::DataTypeString, doris::vectorized::StringFindInSetImpl, doris::vectorized::NameFindInSet>::execute_impl(doris_udf::FunctionContext, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function_totype.h:215
#4 0x56107e7fea5c in doris::vectorized::DefaultExecutable::execute_impl(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long, unsigned long) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.h:465
#5 0x56107f920d9a in doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.cpp:251
#6 0x56107f920f19 in doris::vectorized::PreparedFunctionImpl::execute(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.cpp:273
#7 0x56107e7fb5ca in doris::vectorized::IFunctionBase::execute(doris_udf::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned long, std::allocator > const&, unsigned long, unsigned long, bool) /home/zcp/repo_center/doris_master/be/src/vec/functions/function.h:136
#8 0x56107e7244e4 in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:96
#9 0x56107e72410d in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:89
#10 0x56107e72410d in doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vectorized_fn_call.cpp:89
#11 0x56107e746651 in doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vexpr_context.cpp:43
#12 0x56107e74844f in doris::vectorized::VExprContext::filter_block(doris::vectorized::VExprContext*, doris::vectorized::Block*, int) /home/zcp/repo_center/doris_master/be/src/vec/exprs/vexpr_context.cpp:121
#13 0x561082a5dbec in doris::vectorized::VScanner::_filter_output_block(doris::vectorized::Block*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/vscanner.cpp:121
#14 0x561082a5ca36 in doris::vectorized::VScanner::get_block(doris::RuntimeState*, doris::vectorized::Block*, bool*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/vscanner.cpp:80
#15 0x561082a38fbd in doris::vectorized::ScannerScheduler::_scanner_scan(doris::vectorized::ScannerScheduler*, doris::vectorized::ScannerContext*, doris::vectorized::VScanner*) /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/scanner_scheduler.cpp:224
#16 0x561082a36d26 in operator() /home/zcp/repo_center/doris_master/be/src/vec/exec/scan/scanner_scheduler.cpp:127
#17 0x561082a3b15d in __invoke_impl<void, doris::vectorized::ScannerScheduler::_schedule_scanners(doris::vectorized::ScannerContext*)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
#18 0x561082a3add5 in __invoke_r<void, doris::vectorized::ScannerScheduler::_schedule_scanners(doris::vectorized::ScannerContext*)::<lambda()>&> /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
#19 0x561082a3a842 in _M_invoke /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
#20 0x56107ad96b91 in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
#21 0x56107b833437 in doris::FunctionRunnable::run() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:45
#22 0x56107b82e77f in doris::ThreadPool::dispatch_thread() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:540
#23 0x56107b84fa9b in void std::_invoke_impl<void, void (doris::ThreadPool::&)(), doris::ThreadPool&>(std::_invoke_memfun_deref, void (doris::ThreadPool::&)(), doris::ThreadPool&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:74
#24 0x56107b84f33a in std::_invoke_result<void (doris::ThreadPool::&)(), doris::ThreadPool&>::type std::_invoke<void (doris::ThreadPool::&)(), doris::ThreadPool&>(void (doris::ThreadPool::&)(), doris::ThreadPool&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:96
#25 0x56107b84e6d9 in void std::Bind<void (doris::ThreadPool::(doris::ThreadPool))()>::_call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /var/local/ldb_toolchain/include/c++/11/functional:420
#26 0x56107b84d1ea in void std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>::operator()<, void>() /var/local/ldb_toolchain/include/c++/11/functional:503
#27 0x56107b849ddb in void std::_invoke_impl<void, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>(std::_invoke_other, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:61
#28 0x56107b847349 in std::enable_if<is_invocable_r_v<void, std::Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>, void>::type std::_invoke_r<void, std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&>(std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()>&) /var/local/ldb_toolchain/include/c++/11/bits/invoke.h:111
#29 0x56107b84264c in std::_Function_handler<void (), std::_Bind<void (doris::ThreadPool::(doris::ThreadPool))()> >::_M_invoke(std::_Any_data const&) /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:291
#30 0x56107ad96b91 in std::function<void ()>::operator()() const /var/local/ldb_toolchain/include/c++/11/bits/std_function.h:560
#31 0x56107b80e2d1 in doris::Thread::supervise_thread(void*) /home/zcp/repo_center/doris_master/be/src/util/thread.cpp:425
#32 0x7f9a796a7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
#33 0x7f9a797e1162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
0x5610761efac0 is located 0 bytes to the right of global variable 'empty_pod_array' defined in '/home/zcp/repo_center/doris_master/be/src/vec/common/pod_array.cpp:25:12' (0x5610761ef6c0) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow /home/zcp/repo_center/doris_master/be/src/vec/functions/function_string.cpp:154 in doris::vectorized::FindInSetOp::execute(std::basic_string_view<char, std::char_traits > const&, std::basic_string_view<char, std::char_traits > const&, int&)
Shadow bytes around the buggy address:
0x0ac28ec35f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac28ec35f50: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
0x0ac28ec35f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f70: 00 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9
0x0ac28ec35f80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ac28ec35f90: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ac28ec35fa0: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T70 (_scanner_scan) created by T0 here:
Thread T70 (_scanner_scan) created by T0 here:
#0 0x561078bd0061 in pthread_create (/mnt/ssd01/doris-master/VEC_ASAN/be/lib/doris_be+0xbdd2061)
#1 0x56107b80d629 in doris::Thread::start_thread(std::_cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::_cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::function<void ()> const&, unsigned long, scoped_refptrdoris::Thread) /home/zcp/repo_center/doris_master/be/src/util/thread.cpp:379
#2 0x56107b837ca3 in doris::Status doris::Thread::create<void (doris::ThreadPool::)(), doris::ThreadPool>(std::_cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::_cxx11::basic_string<char, std::char_traits, std::allocator > const&, void (doris::ThreadPool:: const&)(), doris::ThreadPool* const&, scoped_refptrdoris::Thread) /home/zcp/repo_center/doris_master/be/src/util/thread.h:54
#3 0x56107b82ffc6 in doris::ThreadPool::create_thread() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:609
#4 0x56107b829ae0 in doris::ThreadPool::init() /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:266
#5 0x56107b82638c in doris::ThreadPoolBuilder::build(std::unique_ptr<doris::ThreadPool, std::default_deletedoris::ThreadPool >) const /home/zcp/repo_center/doris_master/be/src/util/threadpool.cpp:77
#6 0x56107ad774bd in doris::ExecEnv::_init(std::vector<doris::StorePath, std::allocatordoris::StorePath > const&) /home/zcp/repo_center/doris_master/be/src/runtime/exec_env_init.cpp:126
#7 0x56107ad7667d in doris::ExecEnv::init(doris::ExecEnv*, std::vector<doris::StorePath, std::allocatordoris::StorePath > const&) /home/zcp/repo_center/doris_master/be/src/runtime/exec_env_init.cpp:81
#8 0x561078c7c982 in main /home/zcp/repo_center/doris_master/be/src/service/doris_main.cpp:383
#9 0x7f9a796e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
What You Expected?
Return rows as expected instead of crashing.
How to Reproduce?
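Run the query below against Doris. The second argument to find_in_set is BITMAP_TO_STRING of an empty bitmap, i.e. an empty string, which appears to be what leads to the 1-byte read just past 'empty_pod_array' reported at function_string.cpp:154.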
select /*+ SET_VAR(query_timeout = 600) */ ref_0.O_ORDERKEY as c0, coalesce(43, ref_0.O_CUSTKEY) as c1, ref_0.O_ORDERKEY as c2, ref_0.O_ORDERSTATUS as c3 from regression_test_tpch_sf1_p1.orders as ref_0 where find_in_set( cast(ref_0.O_COMMENT as varchar), cast(BITMAP_TO_STRING( cast(BITMAP_EMPTY() as bitmap)) as varchar)) is NULL order by ref_0.O_ORDERSTATUSdesc limit 63 offset 171
Anything Else?
No response
Are you willing to submit PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct