MemorySanitizer: use-of-uninitialized-value in DB::ColumnString::sizeAt(long) #86134

@nikitamikhaylov

Describe the bug

https://s3.amazonaws.com/clickhouse-test-reports/json.html?REF=master&sha=9b7ef376fd43daf0462132b168caa9ecf94fd071&name_0=MasterCI&name_1=AST%20fuzzer%20%28amd_msan%29&name_1=AST%20fuzzer%20%28amd_msan%29

Logging trace to server.log
==606==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55a30c25f168 in DB::ColumnString::sizeAt(long) const ci/tmp/build/./src/Columns/ColumnString.h:49:9
    #1 0x55a30c25f168 in DB::ColumnString::doCompareAt(unsigned long, unsigned long, DB::IColumn const&, int) const ci/tmp/build/./src/Columns/ColumnString.h:261:122
    #2 0x55a30c52adcc in DB::IColumn::compareAt(unsigned long, unsigned long, DB::IColumn const&, int) const ci/tmp/build/./src/Columns/IColumn.h:359:16
    #3 0x55a30c52adcc in COW<DB::IColumn>::mutable_ptr<DB::IColumn> DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeImpl<char8_t>(DB::IColumn const&, unsigned long, unsigned long, unsigned long, DB::ColumnVector<char8_t>::MutablePtr&&, DB::ReverseIndex<unsigned long, DB::ColumnString>*, unsigned long) ci/tmp/build/./src/Columns/ColumnUnique.h:652:26
    #4 0x55a30c3ced00 in COW<DB::IColumn>::mutable_ptr<DB::IColumn> DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeFrom(DB::IColumn const&, unsigned long, unsigned long)::'lambda'(auto)::operator()<char8_t>(auto) const ci/tmp/build/./src/Columns/ColumnUnique.h:689:26
    #5 0x55a30c3ce2f3 in DB::ColumnUnique<DB::ColumnString>::uniqueInsertRangeFrom(DB::IColumn const&, unsigned long, unsigned long) ci/tmp/build/./src/Columns/ColumnUnique.h:697:28
    #6 0x55a2f8411e38 in DB::IExecutableFunction::executeWithoutSparseColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264ae38) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #7 0x55a2f8415125 in DB::IExecutableFunction::execute(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264e125) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #8 0x55a2fcde57c1 in DB::executeActionForPartialResult(DB::ActionsDAG::Node const*, std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>>, unsigned long) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:825:53
    #9 0x55a2fcde57c1 in DB::ActionsDAG::evaluatePartialResult(std::__1::unordered_map<DB::ActionsDAG::Node const*, DB::ColumnWithTypeAndName, std::__1::hash<DB::ActionsDAG::Node const*>, std::__1::equal_to<DB::ActionsDAG::Node const*>, std::__1::allocator<std::__1::pair<DB::ActionsDAG::Node const* const, DB::ColumnWithTypeAndName>>>&, std::__1::vector<DB::ActionsDAG::Node const*, std::__1::allocator<DB::ActionsDAG::Node const*>> const&, unsigned long, bool) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:1023:48
    #10 0x55a2fcde152a in DB::ActionsDAG::updateHeader(DB::Block const&) const ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:923:26
    #11 0x55a310e19216 in DB::ExpressionTransform::transformHeader(DB::Block const&, DB::ActionsDAG const&) ci/tmp/build/./src/Processors/Transforms/ExpressionTransform.cpp:12:23
    #12 0x55a311609742 in DB::ExpressionStep::ExpressionStep(std::__1::shared_ptr<DB::Block const>, DB::ActionsDAG) ci/tmp/build/./src/Processors/QueryPlan/ExpressionStep.cpp:38:39
    #13 0x55a2fde1ca7a in std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:ne190107]<DB::ExpressionStep, std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG>(std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG&&) ci/tmp/build/./contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:634:30
    #14 0x55a2fde1ca7a in DB::(anonymous namespace)::addExpressionStep(std::__1::shared_ptr<DB::PlannerContext> const&, DB::QueryPlan&, std::__1::shared_ptr<DB::ActionsAndProjectInputsFlag>&, DB::CorrelatedSubtrees const&, DB::SelectQueryOptions const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::unordered_set<std::__1::shared_ptr<DB::FutureSet>, std::__1::hash<std::__1::shared_ptr<DB::FutureSet>>, std::__1::equal_to<std::__1::shared_ptr<DB::FutureSet>>, std::__1::allocator<std::__1::shared_ptr<DB::FutureSet>>>&) ci/tmp/build/./src/Planner/Planner.cpp:444:28
    #15 0x55a2fde01d43 in DB::Planner::buildPlanForQueryNode() ci/tmp/build/./src/Planner/Planner.cpp:1742:17
    #16 0x55a2fddf0a7e in DB::Planner::buildQueryPlanIfNeeded() ci/tmp/build/./src/Planner/Planner.cpp:1402:9
    #17 0x55a30025f251 in DB::InterpreterSelectQueryAnalyzer::getQueryPlan() ci/tmp/build/./src/Interpreters/InterpreterSelectQueryAnalyzer.cpp:269:13
    #18 0x55a300db445f in DB::executeQueryImpl(char const*, char const*, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, std::__1::unique_ptr<DB::ReadBuffer, std::__1::default_delete<DB::ReadBuffer>>&, std::__1::shared_ptr<DB::IAST>&, std::__1::shared_ptr<DB::ImplicitTransactionControlExecutor>) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1523:48
    #19 0x55a300da5a81 in DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1782:11
    #20 0x55a3100d2fea in DB::TCPHandler::runImpl() ci/tmp/build/./src/Server/TCPHandler.cpp:739:68
    #21 0x55a31013ed4d in DB::TCPHandler::run() ci/tmp/build/./src/Server/TCPHandler.cpp:2740:9
    #22 0x55a31c98e49f in Poco::Net::TCPServerConnection::start() ci/tmp/build/./base/poco/Net/src/TCPServerConnection.cpp:40:3
    #23 0x55a31c98f491 in Poco::Net::TCPServerDispatcher::run() ci/tmp/build/./base/poco/Net/src/TCPServerDispatcher.cpp:115:38
    #24 0x55a31c861534 in Poco::PooledThread::run() ci/tmp/build/./base/poco/Foundation/src/ThreadPool.cpp:205:14
    #25 0x55a31c85e2ad in Poco::(anonymous namespace)::RunnableHolder::run() ci/tmp/build/./base/poco/Foundation/src/Thread.cpp:45:11
    #26 0x55a31c85ab10 in Poco::ThreadImpl::runnableEntry(void*) ci/tmp/build/./base/poco/Foundation/src/Thread_POSIX.cpp:341:27
    #27 0x7f9319951ac2 in start_thread nptl/pthread_create.c:442:8
    #28 0x7f93199e384f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

  Uninitialized value was created by a heap allocation
    #0 0x55a2cf7e6e62 in malloc (/repo/ci/tmp/clickhouse+0x9a1fe62) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #1 0x55a2ea9127b8 in void* (anonymous namespace)::allocNoTrack<false, false>(unsigned long, unsigned long) ci/tmp/build/./src/Common/Allocator.cpp:86:19
    #2 0x55a2ea9127b8 in Allocator<false, false>::alloc(unsigned long, unsigned long) ci/tmp/build/./src/Common/Allocator.cpp:133:18
    #3 0x55a2cf86b47b in void DB::PODArrayBase<8ul, 4096ul, Allocator<false, false>, 63ul, 64ul>::resize<>(unsigned long) (/repo/ci/tmp/clickhouse+0x9aa447b) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #4 0x55a2e4c5a916 in DB::FunctionStringReplace<DB::ReplaceRegexpImpl<DB::(anonymous namespace)::NameReplaceRegexpOne, (DB::ReplaceRegexpTraits)0>, DB::(anonymous namespace)::NameReplaceRegexpOne>::executeImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const replaceRegexpOne.cpp
    #5 0x55a2cf863461 in DB::IFunction::executeImplDryRun(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const (/repo/ci/tmp/clickhouse+0x9a9c461) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #6 0x55a2f841ef1a in DB::FunctionToExecutableFunctionAdaptor::executeDryRunImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const ci/tmp/build/./src/Functions/IFunctionAdaptors.cpp:16:22
    #7 0x55a2f840ad42 in DB::IExecutableFunction::executeWithoutLowCardinalityColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x32643d42) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #8 0x55a2f8411b18 in DB::IExecutableFunction::executeWithoutSparseColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264ab18) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #9 0x55a2f8415125 in DB::IExecutableFunction::execute(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const (/repo/ci/tmp/clickhouse+0x3264e125) (BuildId: 2763f4f9b197e38fe6de10f920ab077355b8aaeb)
    #10 0x55a2fcde57c1 in DB::executeActionForPartialResult(DB::ActionsDAG::Node const*, std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>>, unsigned long) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:825:53
    #11 0x55a2fcde57c1 in DB::ActionsDAG::evaluatePartialResult(std::__1::unordered_map<DB::ActionsDAG::Node const*, DB::ColumnWithTypeAndName, std::__1::hash<DB::ActionsDAG::Node const*>, std::__1::equal_to<DB::ActionsDAG::Node const*>, std::__1::allocator<std::__1::pair<DB::ActionsDAG::Node const* const, DB::ColumnWithTypeAndName>>>&, std::__1::vector<DB::ActionsDAG::Node const*, std::__1::allocator<DB::ActionsDAG::Node const*>> const&, unsigned long, bool) ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:1023:48
    #12 0x55a2fcde152a in DB::ActionsDAG::updateHeader(DB::Block const&) const ci/tmp/build/./src/Interpreters/ActionsDAG.cpp:923:26
    #13 0x55a310e19216 in DB::ExpressionTransform::transformHeader(DB::Block const&, DB::ActionsDAG const&) ci/tmp/build/./src/Processors/Transforms/ExpressionTransform.cpp:12:23
    #14 0x55a311609742 in DB::ExpressionStep::ExpressionStep(std::__1::shared_ptr<DB::Block const>, DB::ActionsDAG) ci/tmp/build/./src/Processors/QueryPlan/ExpressionStep.cpp:38:39
    #15 0x55a2fde1ca7a in std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:ne190107]<DB::ExpressionStep, std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG>(std::__1::shared_ptr<DB::Block const> const&, DB::ActionsDAG&&) ci/tmp/build/./contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:634:30
    #16 0x55a2fde1ca7a in DB::(anonymous namespace)::addExpressionStep(std::__1::shared_ptr<DB::PlannerContext> const&, DB::QueryPlan&, std::__1::shared_ptr<DB::ActionsAndProjectInputsFlag>&, DB::CorrelatedSubtrees const&, DB::SelectQueryOptions const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::unordered_set<std::__1::shared_ptr<DB::FutureSet>, std::__1::hash<std::__1::shared_ptr<DB::FutureSet>>, std::__1::equal_to<std::__1::shared_ptr<DB::FutureSet>>, std::__1::allocator<std::__1::shared_ptr<DB::FutureSet>>>&) ci/tmp/build/./src/Planner/Planner.cpp:444:28
    #17 0x55a2fde01d43 in DB::Planner::buildPlanForQueryNode() ci/tmp/build/./src/Planner/Planner.cpp:1742:17
    #18 0x55a2fddf0a7e in DB::Planner::buildQueryPlanIfNeeded() ci/tmp/build/./src/Planner/Planner.cpp:1402:9
    #19 0x55a30025f251 in DB::InterpreterSelectQueryAnalyzer::getQueryPlan() ci/tmp/build/./src/Interpreters/InterpreterSelectQueryAnalyzer.cpp:269:13
    #20 0x55a300db445f in DB::executeQueryImpl(char const*, char const*, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, std::__1::unique_ptr<DB::ReadBuffer, std::__1::default_delete<DB::ReadBuffer>>&, std::__1::shared_ptr<DB::IAST>&, std::__1::shared_ptr<DB::ImplicitTransactionControlExecutor>) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1523:48
    #21 0x55a300da5a81 in DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) ci/tmp/build/./src/Interpreters/executeQuery.cpp:1782:11
    #22 0x55a3100d2fea in DB::TCPHandler::runImpl() ci/tmp/build/./src/Server/TCPHandler.cpp:739:68

SUMMARY: MemorySanitizer: use-of-uninitialized-value ci/tmp/build/./src/Columns/ColumnString.h:49:9 in DB::ColumnString::sizeAt(long) const

Labels: fuzz (Problem found by one of the fuzzers), testing (Special issue with list of bugs found by CI)
