DuckDB crashes via a crafted LIST_WHERE expression #12008
Closed
Description
What happens?
DuckDB v0.10.2 (duckdb_cli-linux-amd64) crashes with a crafted LIST_WHERE expression. It can also be reproduced in the nightly build.
To Reproduce
PoC:
SELECT LIST_WHERE(ARRAY_VALUE('1', NULL), [TRUE, TRUE, TRUE]);
Backtrace:
Thread 1 "duckdb" received signal SIGSEGV, Segmentation fault.
0x00007ffff79a07cd in ?? ()
(gdb) bt
#0 0x00007ffff79a07cd in ?? ()
#1 0x00000000007d5be6 in duckdb::StringHeap::AddBlob(char const*, unsigned long) ()
#2 0x000000000085f5e7 in duckdb::VectorOperations::Copy(duckdb::Vector const&, duckdb::Vector&, duckdb::SelectionVector const&, unsigned long, unsigned long, unsigned long) ()
#3 0x00000000007e3f27 in duckdb::Vector::Flatten(unsigned long) ()
#4 0x00000000016cbbb5 in void duckdb::ListSelectFunction<duckdb::SetSelectionVectorWhere>(duckdb::DataChunk&, duckdb::ExpressionState&, duckdb::Vector&) ()
#5 0x0000000000a9a107 in duckdb::ExpressionExecutor::Execute(duckdb::Expression const&, duckdb::ExpressionState*, duckdb::SelectionVector const*, unsigned long, duckdb::Vector&) ()
#6 0x0000000000a9a865 in duckdb::ExpressionExecutor::EvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, bool) ()
#7 0x0000000000a9aaad in duckdb::ExpressionExecutor::TryEvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, duckdb::Value&) ()
#8 0x0000000000c8f966 in duckdb::ConstantFoldingRule::Apply(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Expression>, true>&, bool&, bool) ()
#9 0x0000000000c9b6ce in duckdb::ExpressionRewriter::ApplyRules(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Rule>, true> const&, duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>, bool&, bool) ()
#10 0x0000000000c9b94a in duckdb::ExpressionRewriter::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*) ()
#11 0x0000000000d4d410 in duckdb::LogicalOperatorVisitor::EnumerateExpressions(duckdb::LogicalOperator&, std::function<void (duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*)> const&) ()
#12 0x0000000000d4d7ad in duckdb::LogicalOperatorVisitor::VisitOperatorExpressions(duckdb::LogicalOperator&) ()
#13 0x0000000000c9f512 in duckdb::ExpressionRewriter::VisitOperator(duckdb::LogicalOperator&) ()
#14 0x0000000000c9a476 in duckdb::Optimizer::RunOptimizer(duckdb::OptimizerType, std::function<void ()> const&) ()
#15 0x0000000000c9c167 in duckdb::Optimizer::Optimize(duckdb::unique_ptr<duckdb::LogicalOperator, std::default_delete<duckdb::LogicalOperator>, true>) ()
#16 0x0000000000b00189 in duckdb::ClientContext::CreatePreparedStatementInternal(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >) ()
#17 0x0000000000b009c3 in duckdb::ClientContext::CreatePreparedStatement(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >, duckdb::PreparedStatementMode) ()
#18 0x0000000000b00b4c in std::_Function_handler<void (), duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>)::{lambda()#1}>::_M_invoke(std::_Any_data const&) ()
#19 0x0000000000af9c49 in duckdb::ClientContext::RunFunctionInTransactionInternal(duckdb::ClientContextLock&, std::function<void ()> const&, bool) ()
#20 0x0000000000afa6a2 in duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#21 0x0000000000b08678 in duckdb::ClientContext::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#22 0x0000000000b08725 in duckdb::Connection::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#23 0x00000000006da751 in duckdb_shell_sqlite3_prepare_v2 ()
#24 0x00000000006c7f40 in shell_exec ()
#25 0x00000000006c9b50 in runOneSqlLine.constprop.0 ()
#26 0x00000000006d2025 in process_input ()
#27 0x00000000006a6ab7 in main ()
OS: Ubuntu 22.04 x64
DuckDB Version: v0.10.2
DuckDB Client: cli
Full Name: Jingzhou Fu
Affiliation: WingTecher Lab of Tsinghua University
What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.
I have tested with a nightly build
Did you include all relevant data sets for reproducing the issue?
Yes
Did you include all code required to reproduce the issue?
- Yes, I have
Did you include all relevant configuration (e.g., CPU architecture, Python version, Linux distribution) to reproduce the issue?
- Yes, I have