search

ClickHouse / ClickHouse

ClickHouse® is a real-time analytics DBMS
https://clickhouse.com
Apache License 2.0
35.42k stars 6.61k forks source link

Insertion into distributed table causes Segmentation fault #65520

Open r33s3n6 opened 2 weeks ago

r33s3n6 commented 2 weeks ago

Describe what's wrong Insertion into distributed table causes Segmentation fault

crash reports

SentryWriter: Sending crash reports is initialized with https://6f33034cfe684dd7a3ab9875e57b1c8d@o388870.ingest.sentry.io/5226277 endpoint and /var/lib/clickhouse/tmp/sentry temp folder

How to reproduce

create table t_m on cluster default ( c_mpcnr33 Int32 primary key , c_v8s String , c_l Int32 , c_jismi1 String , c_p37t64z75 Bool not null , c_uz Bool , c_rp Int32 primary key , c_d56dwp13jp Bool , c_sfxnd4 Float64 not null , );

-- sql #155 create table t_m on cluster default as t_m ENGINE = Distributed(default, ch_main, t_m, c_mpcnr33);

create table __t_nh1w on cluster default ( c_sfdzg Int32 , c_xf Bool , c_u3xs92nr4c String , c_b_m Int32 primary key , c_lgy Int32 , );

-- sql #101 create table t_nh1w on cluster default as t_nh1w ENGINE = Distributed(default, ch_main, t_nh1w, c_b_m);


* Queries to run that lead to an unexpected result
```sql
insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values 
(868701807, coalesce((select c_u3xs92nr4c from t_nh1w order by c_u3xs92nr4c limit 1 offset 6)
  , 'llwlzwb3'), 1824351772, coalesce(MACNumToString(lcm(-3, -6)), 'f')) 
;

clickhouse log:

2024.06.21 08:13:06.769919 [ 39 ] {mysql:3:18d1ab63-3d84-4578-b99e-ec4e9474a4e8} <Debug> executeQuery: (from 10.0.7.254:48550) insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values  (stage: Complete)
2024.06.21 08:13:06.772360 [ 719 ] {} <Fatal> BaseDaemon: ########## Short fault info ############
2024.06.21 08:13:06.772450 [ 719 ] {} <Fatal> BaseDaemon: (version 24.3.3.102 (official build), build id: EF9E1BD0781C858153E899F2D95A044F4DD82F9B, git hash: 7e7f3bdd9be3ced03925d1d602037db8687e6401) (from thread 39) Received signal 11
2024.06.21 08:13:06.772499 [ 719 ] {} <Fatal> BaseDaemon: Signal description: Segmentation fault
2024.06.21 08:13:06.772527 [ 719 ] {} <Fatal> BaseDaemon: Address: NULL pointer. Access: read. Address not mapped to object.
2024.06.21 08:13:06.772553 [ 719 ] {} <Fatal> BaseDaemon: Stack trace: 0x0000000010c33c2b
2024.06.21 08:13:06.772574 [ 719 ] {} <Fatal> BaseDaemon: ########################################
2024.06.21 08:13:06.772595 [ 719 ] {} <Fatal> BaseDaemon: (version 24.3.3.102 (official build), build id: EF9E1BD0781C858153E899F2D95A044F4DD82F9B, git hash: 7e7f3bdd9be3ced03925d1d602037db8687e6401) (from thread 39) (query_id: mysql:3:18d1ab63-3d84-4578-b99e-ec4e9474a4e8) (query: insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values 
) Received signal Segmentation fault (11)
2024.06.21 08:13:06.772628 [ 719 ] {} <Fatal> BaseDaemon: Address: NULL pointer. Access: read. Address not mapped to object.
2024.06.21 08:13:06.772647 [ 719 ] {} <Fatal> BaseDaemon: Stack trace: 0x0000000010c33c2b
2024.06.21 08:13:06.772758 [ 719 ] {} <Fatal> BaseDaemon: 2. DB::QueryNode const& typeid_cast<DB::QueryNode const&, DB::IQueryTreeNode>(DB::IQueryTreeNode&) @ 0x0000000010c33c2b
2024.06.21 08:13:06.901022 [ 719 ] {} <Fatal> BaseDaemon: Integrity check of the executable successfully passed (checksum: F3691ADAC982D94BEEF75EF7C8E42F75)
2024.06.21 08:13:06.901121 [ 719 ] {} <Debug> SystemLogQueue (system.crash_log): Requested flush up to offset 1
2024.06.21 08:13:06.901201 [ 678 ] {} <Debug> SystemLog (system.crash_log): Creating new table system.crash_log for CrashLog
2024.06.21 08:13:06.901296 [ 719 ] {} <Information> SentryWriter: Sending crash report
2024.06.21 08:13:06.906809 [ 678 ] {} <Debug> system.crash_log (c712639d-59b1-4cee-8f1d-8933b6b43190): Loading data parts
2024.06.21 08:13:06.907068 [ 678 ] {} <Debug> system.crash_log (c712639d-59b1-4cee-8f1d-8933b6b43190): There are no data parts
2024.06.21 08:13:07.642377 [ 185 ] {} <Debug> DNSResolver: Updating DNS cache
2024.06.21 08:13:07.643072 [ 185 ] {} <Debug> DNSResolver: Updated DNS cache
2024.06.21 08:13:08.237043 [ 719 ] {} <Fatal> BaseDaemon: Report this error to https://github.com/ClickHouse/ClickHouse/issues
2024.06.21 08:13:08.237185 [ 719 ] {} <Fatal> BaseDaemon: Changed settings: use_uncompressed_cache = false, load_balancing = 'in_order', log_queries = true, distributed_product_mode = 'allow', prefer_column_name_to_alias = true, max_memory_usage = 10000000000, use_structure_from_insertion_table_in_table_functions = 0
2024.06.21 08:13:21.854053 [ 1 ] {} <Information> SentryWriter: Sending crash reports is initialized with https://6f33034cfe684dd7a3ab9875e57b1c8d@o388870.ingest.sentry.io/5226277 endpoint and /var/lib/clickhouse/tmp/sentry temp folder
2024.06.21 08:13:21.906566 [ 1 ] {} <Information> Application: Starting ClickHouse 24.3.3.102 (revision: 54484, git hash: 7e7f3bdd9be3ced03925d1d602037db8687e6401, build id: EF9E1BD0781C858153E899F2D95A044F4DD82F9B), PID 1
2024.06.21 08:13:21.906686 [ 1 ] {} <Information> Application: starting up
2024.06.21 08:13:21.906697 [ 1 ] {} <Information> Application: OS name: Linux, version: 6.5.0-28-generic, architecture: x86_64
2024.06.21 08:13:21.913999 [ 1 ] {} <Information> Application: Available RAM: 503.52 GiB; physical cores: 64; logical cores: 128.
2024.06.21 08:13:21.914020 [ 1 ] {} <Information> Application: Available CPU instruction sets: SSE, SSE2, SSE3, SSSE3, SSE41, SSE42, F16C, POPCNT, BMI1, BMI2, PCLMUL, AES, AVX, FMA, AVX2, SHA, ADX, RDRAND, RDSEED, RDTSCP, CLFLUSHOPT, CLWB, XSAVE, OSXSAVE

Expected behavior No crash.

Additional context docker compose config:

version: '3.8'
services:
  clickhouse-01:
    image: "clickhouse/clickhouse-server:${CHVER:-latest}"
    user: "101:101"
    container_name: clickhouse-01
    hostname: clickhouse-01
    networks:
      cluster_2S_1R:
        ipv4_address: 10.0.7.1
    volumes:
      - ${PWD}/fs/volumes/clickhouse-01/etc/clickhouse-server/config.d/config.xml:/etc/clickhouse-server/config.d/config.xml
      - ${PWD}/fs/volumes/clickhouse-01/etc/clickhouse-server/users.d/users.xml:/etc/clickhouse-server/users.d/users.xml
    depends_on:
      - clickhouse-keeper-01
      - clickhouse-keeper-02
      - clickhouse-keeper-03
  clickhouse-02:
    image: "clickhouse/clickhouse-server:${CHVER:-latest}"
    user: "101:101"
    container_name: clickhouse-02
    hostname: clickhouse-02
    networks:
      cluster_2S_1R:
        ipv4_address: 10.0.7.2
    volumes:
      - ${PWD}/fs/volumes/clickhouse-02/etc/clickhouse-server/config.d/config.xml:/etc/clickhouse-server/config.d/config.xml
      - ${PWD}/fs/volumes/clickhouse-02/etc/clickhouse-server/users.d/users.xml:/etc/clickhouse-server/users.d/users.xml
    depends_on:
      - clickhouse-keeper-01
      - clickhouse-keeper-02
      - clickhouse-keeper-03
  clickhouse-keeper-01:
    image: "clickhouse/clickhouse-keeper:${CHKVER:-latest-alpine}"
    user: "101:101"
    container_name: clickhouse-keeper-01
    hostname: clickhouse-keeper-01
    networks:
      cluster_2S_1R:
        ipv4_address: 10.0.7.5
    volumes:
      - ${PWD}/fs/volumes/clickhouse-keeper-01/etc/clickhouse-keeper/keeper_config.xml:/etc/clickhouse-keeper/keeper_config.xml

  clickhouse-keeper-02:
    image: "clickhouse/clickhouse-keeper:${CHKVER:-latest-alpine}"
    user: "101:101"
    container_name: clickhouse-keeper-02
    hostname: clickhouse-keeper-02
    networks:
      cluster_2S_1R:
        ipv4_address: 10.0.7.6
    volumes:
      - ${PWD}/fs/volumes/clickhouse-keeper-02/etc/clickhouse-keeper/keeper_config.xml:/etc/clickhouse-keeper/keeper_config.xml

  clickhouse-keeper-03:
    image: "clickhouse/clickhouse-keeper:${CHKVER:-latest-alpine}"
    user: "101:101"
    container_name: clickhouse-keeper-03
    hostname: clickhouse-keeper-03
    networks:
      cluster_2S_1R:
        ipv4_address: 10.0.7.7
    volumes:
      - ${PWD}/fs/volumes/clickhouse-keeper-03/etc/clickhouse-keeper/keeper_config.xml:/etc/clickhouse-keeper/keeper_config.xml

networks:
  cluster_2S_1R:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.7.0/24
          gateway: 10.0.7.254

config.xml

<clickhouse replace="true">
    <logger>
        <level>debug</level>
        <log>/var/log/clickhouse-server/clickhouse-server.log</log>
        <errorlog>/var/log/clickhouse-server/clickhouse-server.err.log</errorlog>
        <size>1000M</size>
        <count>3</count>
    </logger>
    <display_name>cluster_2S_1R node 1</display_name>
    <listen_host>0.0.0.0</listen_host>
    <http_port>8123</http_port>
    <tcp_port>9000</tcp_port>
    <mysql_port>9004</mysql_port>
    <postgresql_port>9005</postgresql_port>
    <user_directories>
        <users_xml>
            <path>users.xml</path>
        </users_xml>
        <local_directory>
            <path>/var/lib/clickhouse/access/</path>
        </local_directory>
    </user_directories>
    <distributed_ddl>
        <path>/clickhouse/task_queue/ddl</path>
    </distributed_ddl>
    <remote_servers>
        <default>
            <shard>
                <replica>
                    <host>clickhouse-01</host>
                    <port>9000</port>
                </replica>
            </shard>
            <shard>
                <replica>
                    <host>clickhouse-02</host>
                    <port>9000</port>
                </replica>
            </shard>
        </default>
    </remote_servers>
    <zookeeper>
        <node>
            <host>clickhouse-keeper-01</host>
            <port>9181</port>
        </node>
        <node>
            <host>clickhouse-keeper-02</host>
            <port>9181</port>
        </node>
        <node>
            <host>clickhouse-keeper-03</host>
            <port>9181</port>
        </node>
    </zookeeper>
    <macros>
        <shard>01</shard>
        <replica>01</replica>
    </macros>
</clickhouse>

users.xml

<?xml version="1.0"?>
<clickhouse replace="true">
    <profiles>
        <default>
            <max_memory_usage>10000000000</max_memory_usage>
            <use_uncompressed_cache>0</use_uncompressed_cache>
            <load_balancing>in_order</load_balancing>
            <log_queries>1</log_queries>
            <distributed_product_mode>allow</distributed_product_mode>
        </default>
    </profiles>
    <users>
        <default>
            <access_management>1</access_management>
            <profile>default</profile>
            <networks>
                <ip>::/0</ip>
            </networks>
            <password></password>
            <quota>default</quota>
            <access_management>1</access_management>
            <named_collection_control>1</named_collection_control>
            <show_named_collections>1</show_named_collections>
            <show_named_collections_secrets>1</show_named_collections_secrets>
        </default>
    </users>
    <quotas>
        <default>
            <interval>
                <duration>3600</duration>
                <queries>0</queries>
                <errors>0</errors>
                <result_rows>0</result_rows>
                <read_rows>0</read_rows>
                <execution_time>0</execution_time>
            </interval>
        </default>
    </quotas>
</clickhouse>

about us

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the potential above-mentioned vulnerability that may lead to database logic error.

alexey-milovidov commented 2 weeks ago

Could you please also test the latest version?

r33s3n6 commented 1 week ago

Using the latest docker image (v24.5.3.5), the server crashed too:

2024.06.22 14:52:08.683772 [ 39 ] {} <Debug> MySQLHandler: Received command: 3. Connection id: 0.
2024.06.22 14:52:08.684094 [ 39 ] {mysql:0:57a76f62-85e4-4b8a-a014-ab830f6bd7c3} <Debug> executeQuery: (from 10.0.6.254:54280) insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values  (stage: Complete)
2024.06.22 14:52:08.686104 [ 703 ] {} <Fatal> BaseDaemon: ########## Short fault info ############
2024.06.22 14:52:08.686215 [ 703 ] {} <Fatal> BaseDaemon: (version 24.5.3.5 (official build), build id: 55D1342D4B3DE2F10DDBC48A95EB371437DCED66, git hash: e0eb66f8e1724d8339dd69310d290bbfdd144c83) (from thread 39) Received signal 11
2024.06.22 14:52:08.686280 [ 703 ] {} <Fatal> BaseDaemon: Signal description: Segmentation fault
2024.06.22 14:52:08.686309 [ 703 ] {} <Fatal> BaseDaemon: Address: NULL pointer. Access: read. Address not mapped to object.
2024.06.22 14:52:08.686351 [ 703 ] {} <Fatal> BaseDaemon: Stack trace: 0x000000000c85f44c 0x00007f5bae069420 0x00000000112a2e18 0x0000000010a0d0ce 0x0000000010a041f4 0x0000000010ab4da4 0x0000000010ab5dfe 0x0000000010b15615 0x0000000010b13add 0x0000000010b13c39 0x0000000010b199aa 0x0000000010b13afe 0x0000000010d8ec2a 0x0000000010d901e8 0x0000000010e03b2c 0x0000000010e046db 0x00000000121285d1 0x00000000121265ca 0x0000000011f1b156 0x0000000011ef7ff5 0x0000000011ef7a82 0x0000000011f11907 0x0000000011f061f0 0x0000000011f05682 0x0000000011f03f92 0x0000000010e321af 0x0000000011e5a6e6 0x0000000011e54d22 0x0000000014767fa7 0x0000000014768439 0x000000001485e8a1 0x000000001485ce7d 0x00007f5bae05d609 0x00007f5badf78353
2024.06.22 14:52:08.686381 [ 703 ] {} <Fatal> BaseDaemon: ########################################
2024.06.22 14:52:08.686412 [ 703 ] {} <Fatal> BaseDaemon: (version 24.5.3.5 (official build), build id: 55D1342D4B3DE2F10DDBC48A95EB371437DCED66, git hash: e0eb66f8e1724d8339dd69310d290bbfdd144c83) (from thread 39) (query_id: mysql:0:57a76f62-85e4-4b8a-a014-ab830f6bd7c3) (query: insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values 
) Received signal Segmentation fault (11)
2024.06.22 14:52:08.686441 [ 703 ] {} <Fatal> BaseDaemon: Address: NULL pointer. Access: read. Address not mapped to object.
2024.06.22 14:52:08.686461 [ 703 ] {} <Fatal> BaseDaemon: Stack trace: 0x000000000c85f44c 0x00007f5bae069420 0x00000000112a2e18 0x0000000010a0d0ce 0x0000000010a041f4 0x0000000010ab4da4 0x0000000010ab5dfe 0x0000000010b15615 0x0000000010b13add 0x0000000010b13c39 0x0000000010b199aa 0x0000000010b13afe 0x0000000010d8ec2a 0x0000000010d901e8 0x0000000010e03b2c 0x0000000010e046db 0x00000000121285d1 0x00000000121265ca 0x0000000011f1b156 0x0000000011ef7ff5 0x0000000011ef7a82 0x0000000011f11907 0x0000000011f061f0 0x0000000011f05682 0x0000000011f03f92 0x0000000010e321af 0x0000000011e5a6e6 0x0000000011e54d22 0x0000000014767fa7 0x0000000014768439 0x000000001485e8a1 0x000000001485ce7d 0x00007f5bae05d609 0x00007f5badf78353
2024.06.22 14:52:08.686580 [ 703 ] {} <Fatal> BaseDaemon: 0. signalHandler(int, siginfo_t*, void*) @ 0x000000000c85f44c
2024.06.22 14:52:08.686609 [ 703 ] {} <Fatal> BaseDaemon: 1. ? @ 0x00007f5bae069420
2024.06.22 14:52:08.686692 [ 703 ] {} <Fatal> BaseDaemon: 2. DB::StorageDistributed::read(DB::QueryPlan&, std::vector<String, std::allocator<String>> const&, std::shared_ptr<DB::StorageSnapshot> const&, DB::SelectQueryInfo&, std::shared_ptr<DB::Context const>, DB::QueryProcessingStage::Enum, unsigned long, unsigned long) @ 0x00000000112a2e18
2024.06.22 14:52:08.686754 [ 703 ] {} <Fatal> BaseDaemon: 3. DB::InterpreterSelectQuery::executeImpl(DB::QueryPlan&, std::optional<DB::Pipe>) @ 0x0000000010a0d0ce
2024.06.22 14:52:08.686792 [ 703 ] {} <Fatal> BaseDaemon: 4. DB::InterpreterSelectQuery::buildQueryPlan(DB::QueryPlan&) @ 0x0000000010a041f4
2024.06.22 14:52:08.686829 [ 703 ] {} <Fatal> BaseDaemon: 5. DB::InterpreterSelectWithUnionQuery::buildQueryPlan(DB::QueryPlan&) @ 0x0000000010ab4da4
2024.06.22 14:52:08.686880 [ 703 ] {} <Fatal> BaseDaemon: 6. DB::InterpreterSelectWithUnionQuery::execute() @ 0x0000000010ab5dfe
2024.06.22 14:52:08.686938 [ 703 ] {} <Fatal> BaseDaemon: 7. DB::ExecuteScalarSubqueriesMatcher::visit(DB::ASTSubquery const&, std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x0000000010b15615
2024.06.22 14:52:08.686996 [ 703 ] {} <Fatal> BaseDaemon: 8. DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::doVisit(std::shared_ptr<DB::IAST>&) @ 0x0000000010b13add
2024.06.22 14:52:08.687036 [ 703 ] {} <Fatal> BaseDaemon: 9. void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitChildren<false>(std::shared_ptr<DB::IAST>&) @ 0x0000000010b13c39
2024.06.22 14:52:08.687089 [ 703 ] {} <Fatal> BaseDaemon: 10. DB::ExecuteScalarSubqueriesMatcher::visit(DB::ASTFunction const&, std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x0000000010b199aa
2024.06.22 14:52:08.687106 [ 703 ] {} <Fatal> BaseDaemon: 11. DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::doVisit(std::shared_ptr<DB::IAST>&) @ 0x0000000010b13afe
2024.06.22 14:52:08.687145 [ 703 ] {} <Fatal> BaseDaemon: 12. DB::(anonymous namespace)::executeScalarSubqueries(std::shared_ptr<DB::IAST>&, std::shared_ptr<DB::Context const>, unsigned long, std::map<String, DB::Block, std::less<String>, std::allocator<std::pair<String const, DB::Block>>>&, std::map<String, DB::Block, std::less<String>, std::allocator<std::pair<String const, DB::Block>>>&, bool, bool) @ 0x0000000010d8ec2a
2024.06.22 14:52:08.687163 [ 703 ] {} <Fatal> BaseDaemon: 13. DB::TreeRewriter::analyze(std::shared_ptr<DB::IAST>&, DB::NamesAndTypesList const&, std::shared_ptr<DB::IStorage const>, std::shared_ptr<DB::StorageSnapshot> const&, bool, bool, bool, bool) const @ 0x0000000010d901e8
2024.06.22 14:52:08.687187 [ 703 ] {} <Fatal> BaseDaemon: 14. DB::evaluateConstantExpressionImpl(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context const> const&, bool) @ 0x0000000010e03b2c
2024.06.22 14:52:08.687208 [ 703 ] {} <Fatal> BaseDaemon: 15. DB::evaluateConstantExpression(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context const> const&) @ 0x0000000010e046db
2024.06.22 14:52:08.687231 [ 703 ] {} <Fatal> BaseDaemon: 16. DB::ValuesBlockInputFormat::parseExpression(DB::IColumn&, unsigned long) @ 0x00000000121285d1
2024.06.22 14:52:08.687245 [ 703 ] {} <Fatal> BaseDaemon: 17. DB::ValuesBlockInputFormat::read() @ 0x00000000121265ca
2024.06.22 14:52:08.687261 [ 703 ] {} <Fatal> BaseDaemon: 18. DB::IInputFormat::generate() @ 0x0000000011f1b156
2024.06.22 14:52:08.687281 [ 703 ] {} <Fatal> BaseDaemon: 19. DB::ISource::tryGenerate() @ 0x0000000011ef7ff5
2024.06.22 14:52:08.687301 [ 703 ] {} <Fatal> BaseDaemon: 20. DB::ISource::work() @ 0x0000000011ef7a82
2024.06.22 14:52:08.687322 [ 703 ] {} <Fatal> BaseDaemon: 21. DB::ExecutionThreadContext::executeTask() @ 0x0000000011f11907
2024.06.22 14:52:08.687343 [ 703 ] {} <Fatal> BaseDaemon: 22. DB::PipelineExecutor::executeStepImpl(unsigned long, std::atomic<bool>*) @ 0x0000000011f061f0
2024.06.22 14:52:08.687363 [ 703 ] {} <Fatal> BaseDaemon: 23. DB::PipelineExecutor::execute(unsigned long, bool) @ 0x0000000011f05682
2024.06.22 14:52:08.687377 [ 703 ] {} <Fatal> BaseDaemon: 24. DB::CompletedPipelineExecutor::execute() @ 0x0000000011f03f92
2024.06.22 14:52:08.687411 [ 703 ] {} <Fatal> BaseDaemon: 25. DB::executeQuery(DB::ReadBuffer&, DB::WriteBuffer&, bool, std::shared_ptr<DB::Context>, std::function<void (DB::QueryResultDetails const&)>, DB::QueryFlags, std::optional<DB::FormatSettings> const&, std::function<void (DB::IOutputFormat&, String const&, std::shared_ptr<DB::Context const> const&, std::optional<DB::FormatSettings> const&)>) @ 0x0000000010e321af
2024.06.22 14:52:08.687434 [ 703 ] {} <Fatal> BaseDaemon: 26. DB::MySQLHandler::comQuery(DB::ReadBuffer&, bool) @ 0x0000000011e5a6e6
2024.06.22 14:52:08.687454 [ 703 ] {} <Fatal> BaseDaemon: 27. DB::MySQLHandler::run() @ 0x0000000011e54d22
2024.06.22 14:52:08.687476 [ 703 ] {} <Fatal> BaseDaemon: 28. Poco::Net::TCPServerConnection::start() @ 0x0000000014767fa7
2024.06.22 14:52:08.687489 [ 703 ] {} <Fatal> BaseDaemon: 29. Poco::Net::TCPServerDispatcher::run() @ 0x0000000014768439
2024.06.22 14:52:08.687505 [ 703 ] {} <Fatal> BaseDaemon: 30. Poco::PooledThread::run() @ 0x000000001485e8a1
2024.06.22 14:52:08.687518 [ 703 ] {} <Fatal> BaseDaemon: 31. Poco::ThreadImpl::runnableEntry(void*) @ 0x000000001485ce7d
2024.06.22 14:52:08.687528 [ 703 ] {} <Fatal> BaseDaemon: 32. ? @ 0x00007f5bae05d609
2024.06.22 14:52:08.687543 [ 703 ] {} <Fatal> BaseDaemon: 33. ? @ 0x00007f5badf78353
2024.06.22 14:52:08.813660 [ 703 ] {} <Fatal> BaseDaemon: Integrity check of the executable successfully passed (checksum: 2836EACED8BDD1F56A7AB0C3F4E27109)
2024.06.22 14:52:08.813980 [ 703 ] {} <Debug> SystemLogQueue (system.crash_log): Requested flush up to offset 1
2024.06.22 14:52:08.814075 [ 685 ] {} <Debug> SystemLog (system.crash_log): Creating new table system.crash_log for CrashLog
2024.06.22 14:52:08.814373 [ 703 ] {} <Information> SentryWriter: Sending crash report
2024.06.22 14:52:08.814434 [ 703 ] {} <Fatal> BaseDaemon: Report this error to https://github.com/ClickHouse/ClickHouse/issues
2024.06.22 14:52:08.814562 [ 703 ] {} <Fatal> BaseDaemon: Changed settings: use_uncompressed_cache = false, load_balancing = 'in_order', log_queries = true, distributed_product_mode = 'allow', prefer_column_name_to_alias = true, max_memory_usage = 10000000000, use_structure_from_insertion_table_in_table_functions = 0
thevar1able commented 1 week ago

Can confirm, reproduced the segfault using mysql CLI on v24.5.3.5 and latest master, looking into it.

Interesting that this query does not cause a segfault using native interface, it returns an error instead (I've executed use ch_main beforehand):

insert into t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) values
(868701807, coalesce((select c_u3xs92nr4c from t_nh1w order by c_u3xs92nr4c limit 1 offset 6)
  , 'llwlzwb3'), 1824351772, coalesce(MACNumToString(lcm(-3, -6)), 'f'))
;

INSERT INTO t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) FORMAT Values

Query id: 30e48727-1ab6-41cf-a3de-d4e287425f9b

Ok.
Exception on client:
Code: 81. DB::Exception: Default database is not selected: While processing (SELECT c_u3xs92nr4c FROM t_nh1w ORDER BY c_u3xs92nr4c ASC LIMIT 6, 1) AS _subquery1: While processing coalesce((SELECT c_u3xs92nr4c FROM t_nh1w ORDER BY c_u3xs92nr4c ASC LIMIT 6, 1) AS _subquery1, 'llwlzwb3'): While executing ValuesBlockInputFormat: data for INSERT was parsed from query. (UNKNOWN_DATABASE)

And even if I specify the database:

INSERT INTO ch_main.t_m (c_mpcnr33, c_v8s, c_l, c_jismi1, c_p37t64z75, c_uz, c_rp, c_d56dwp13jp, c_sf__xnd4) FORMAT Values

Query id: 8de8ea14-ca05-4fda-9512-eb435e8cffff

Ok.
Exception on client:
Code: 81. DB::Exception: Database ch_main does not exist: While processing (SELECT c_u3xs92nr4c FROM ch_main.t_nh1w ORDER BY c_u3xs92nr4c ASC LIMIT 6, 1) AS _subquery1: While processing coalesce((SELECT c_u3xs92nr4c FROM ch_main.t_nh1w ORDER BY c_u3xs92nr4c ASC LIMIT 6, 1) AS _subquery1, 'llwlzwb3'): While executing ValuesBlockInputFormat: data for INSERT was parsed from query. (UNKNOWN_DATABASE), Stack trace (when copying this message, always include the lines below):

0. /home/thevar1able/src/clickhouse/contrib/llvm-project/libcxx/include/exception:141: std::exception::capture() @ 0x000000000ae0bde2
1. /home/thevar1able/src/clickhouse/contrib/llvm-project/libcxx/include/exception:116: std::exception::exception[abi:v15000]() @ 0x000000000ae0bdad
2. /home/thevar1able/src/clickhouse/base/poco/Foundation/src/Exception.cpp:27: Poco::Exception::Exception(String const&, int) @ 0x0000000025876220
3. /home/thevar1able/src/clickhouse/src/Common/Exception.cpp:99: DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x00000000142bb59e
4. /home/thevar1able/src/clickhouse/src/Common/Exception.h:95: DB::Exception::Exception(String&&, int, bool) @ 0x000000000ae00b97
5. /home/thevar1able/src/clickhouse/src/Common/Exception.h:68: DB::Exception::Exception(PreformattedMessage&&, int) @ 0x000000000adfdd29
6. /home/thevar1able/src/clickhouse/src/Common/Exception.h:113: DB::Exception::Exception<String>(int, FormatStringHelperImpl<std::type_identity<String>::type>, String&&) @ 0x000000000adfda92
7. /home/thevar1able/src/clickhouse/src/Interpreters/DatabaseCatalog.cpp:660: DB::DatabaseCatalog::getDatabase(String const&) const @ 0x000000001c9b02bc
8. /home/thevar1able/src/clickhouse/src/Interpreters/Context.cpp:4917: DB::Context::resolveStorageID(DB::StorageID, DB::Context::StorageNamespace) const @ 0x000000001c89571f
9. /home/thevar1able/src/clickhouse/src/Interpreters/JoinedTables.cpp:217: DB::JoinedTables::getLeftTableStorage() @ 0x000000001dabceaa
10. /home/thevar1able/src/clickhouse/src/Interpreters/InterpreterSelectQuery.cpp:438: DB::InterpreterSelectQuery::InterpreterSelectQuery(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context> const&, std::optional<DB::Pipe>, std::shared_ptr<DB::IStorage> const&, DB::SelectQueryOptions const&, std::vector<String, std::allocator<String>> const&, std::shared_ptr<DB::StorageInMemoryMetadata const> const&, std::shared_ptr<DB::PreparedSets>) @ 0x000000001d8c0fb4
11. /home/thevar1able/src/clickhouse/src/Interpreters/InterpreterSelectQuery.cpp:210: DB::InterpreterSelectQuery::InterpreterSelectQuery(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context> const&, DB::SelectQueryOptions const&, std::vector<String, std::allocator<String>> const&) @ 0x000000001d8c03d1
12. /home/thevar1able/src/clickhouse/contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:714: std::__unique_if<DB::InterpreterSelectQuery>::__unique_single std::make_unique[abi:v15000]<DB::InterpreterSelectQuery, std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context>&, DB::SelectQueryOptions&, std::vector<String, std::allocator<String>> const&>(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context>&, DB::SelectQueryOptions&, std::vector<String, std::allocator<String>> const&) @ 0x000000001da8914e
13. /home/thevar1able/src/clickhouse/src/Interpreters/InterpreterSelectWithUnionQuery.cpp:255: DB::InterpreterSelectWithUnionQuery::buildCurrentChildInterpreter(std::shared_ptr<DB::IAST> const&, std::vector<String, std::allocator<String>> const&) @ 0x000000001da86046
14. /home/thevar1able/src/clickhouse/src/Interpreters/InterpreterSelectWithUnionQuery.cpp:153: DB::InterpreterSelectWithUnionQuery::InterpreterSelectWithUnionQuery(std::shared_ptr<DB::IAST> const&, std::shared_ptr<DB::Context>, DB::SelectQueryOptions const&, std::vector<String, std::allocator<String>> const&) @ 0x000000001da853b2
15. /home/thevar1able/src/clickhouse/contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:714: std::__unique_if<DB::InterpreterSelectWithUnionQuery>::__unique_single std::make_unique[abi:v15000]<DB::InterpreterSelectWithUnionQuery, std::shared_ptr<DB::IAST>&, std::shared_ptr<DB::Context>&, DB::SelectQueryOptions&>(std::shared_ptr<DB::IAST>&, std::shared_ptr<DB::Context>&, DB::SelectQueryOptions&) @ 0x000000001db3caa4
16. /home/thevar1able/src/clickhouse/src/Interpreters/ExecuteScalarSubqueriesVisitor.cpp:102: DB::getQueryInterpreter(DB::ASTSubquery const&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x000000001db3c1f0
17. /home/thevar1able/src/clickhouse/src/Interpreters/ExecuteScalarSubqueriesVisitor.cpp:168: DB::ExecuteScalarSubqueriesMatcher::visit(DB::ASTSubquery const&, std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x000000001db399b2
18. /home/thevar1able/src/clickhouse/src/Interpreters/ExecuteScalarSubqueriesVisitor.cpp:69: DB::ExecuteScalarSubqueriesMatcher::visit(std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x000000001db39021
19. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:71: DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::doVisit(std::shared_ptr<DB::IAST>&) @ 0x000000001db37d8d
20. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:61: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImplMain<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37fc1
21. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:53: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImpl<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37d0a
22. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:83: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitChildren<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db38066
23. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:65: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImplMain<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37fce
24. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:53: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImpl<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37d0a
25. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:33: DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visit(std::shared_ptr<DB::IAST>&) @ 0x000000001db37bc5
26. /home/thevar1able/src/clickhouse/src/Interpreters/ExecuteScalarSubqueriesVisitor.cpp:327: DB::ExecuteScalarSubqueriesMatcher::visit(DB::ASTFunction const&, std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x000000001db3bc88
27. /home/thevar1able/src/clickhouse/src/Interpreters/ExecuteScalarSubqueriesVisitor.cpp:71: DB::ExecuteScalarSubqueriesMatcher::visit(std::shared_ptr<DB::IAST>&, DB::ExecuteScalarSubqueriesMatcher::Data&) @ 0x000000001db39057
28. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:71: DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::doVisit(std::shared_ptr<DB::IAST>&) @ 0x000000001db37d8d
29. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:61: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImplMain<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37fc1
30. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:53: void DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visitImpl<false>(std::shared_ptr<DB::IAST>&) @ 0x000000001db37d0a
31. /home/thevar1able/src/clickhouse/src/Interpreters/InDepthNodeVisitor.h:33: DB::InDepthNodeVisitor<DB::ExecuteScalarSubqueriesMatcher, true, false, std::shared_ptr<DB::IAST>>::visit(std::shared_ptr<DB::IAST>&) @ 0x000000001db37bc5
thevar1able commented 1 week ago

Huh, it is not reproducible via clickhouse-client because of another potential bug in it. Here is a repro with HTTP:

curl -XPOST -H'Content-Length:0' 'http://localhost:8123/?query=insert%20into%20ch_main.t_m%20%28c_mpcnr33%2C%20c_v8s%2C%20c_l%2C%20c_jismi1%2C%20c_p37t64z75%2C%20c_uz%2C%20c_rp%2C%20c_d56dwp13jp%2C%20c_sf__xnd4%29%20values%0A%28868701807%2C%20coalesce%28%28select%20c_u3xs92nr4c%20from%20ch_main.t_nh1w%20order%20by%20c_u3xs92nr4c%20limit%201%20offset%206%29%0A%20%20%2C%20%27llwlzwb3%27%29%2C%201824351772%2C%20coalesce%28MACNumToString%28lcm%28-3%2C%20-6%29%29%2C%20%27f%27%29%29%3B'
novikd commented 1 week ago

The issue here is that DB::evaluateConstantExpressionImpl uses the old analyzer unconditionally. This function should be rewritten to support allow_experimental_analyzer setting.