DuckDB v0.10.2 (duckdb_cli-linux-amd64) crashes with a crafted ARRAY expression. It can also be reproduced in the nightly build.
To Reproduce:
SELECT [MAP([2], [{'key1': MAP([ARRAY_VALUE('1', NULL), ARRAY_VALUE(NULL, '2')], [1, 2]), 'key2': 2}])];
SELECT [MAP([2], [{'key1': MAP([ARRAY_VALUE('1', NULL), ARRAY_VALUE(NULL, '2')], [1, 2]), 'key2': 2}])];
...
-- Sometimes you need to execute the stmt multiple times to trigger the crash.
Backtrace:
#0 0x00007ffff78969fc in ?? ()
...
#4 0x00000000007df9c6 in duckdb::Value::Value(std::string) ()
#5 0x00000000007f09c9 in duckdb::Value::CastAs(duckdb::CastFunctionSet&, duckdb::GetCastFunctionInput&, duckdb::LogicalType const&, bool) const ()
#6 0x00007ffff7e2b600 in ?? ()
...
#16 0x00000000007f0de1 in duckdb::Value::STRUCT(duckdb::LogicalType const&, duckdb::vector<duckdb::Value, true>) ()
#17 0x00000000007f11e6 in duckdb::Value::STRUCT(duckdb::vector<std::pair<std::string, duckdb::Value>, true>) ()
#18 0x00007ffff78a5453 in ?? ()
...
#24 0x00000000007fd86b in void std::vector<duckdb::Value, std::allocator<duckdb::Value> >::_M_realloc_insert<duckdb::Value const&>(__gnu_cxx::__normal_iterator<duckdb::Value*, std::vector<duckdb::Value, std::allocator<duckdb::Value> > >, duckdb::Value const&) ()
#25 0x00000000007f1e26 in duckdb::Value::MAP(duckdb::LogicalType const&, duckdb::vector<duckdb::Value, true>) ()
#26 0x00000000007efd15 in duckdb::Vector::GetValueInternal(duckdb::Vector const&, unsigned long) ()
#27 0x00000000007f03cf in duckdb::Vector::GetValue(duckdb::Vector const&, unsigned long) ()
#28 0x00000000007f045a in duckdb::Vector::GetValue(unsigned long) const ()
#29 0x00000000007f00f9 in duckdb::Vector::GetValueInternal(duckdb::Vector const&, unsigned long) ()
#30 0x00000000007f03cf in duckdb::Vector::GetValue(duckdb::Vector const&, unsigned long) ()
#31 0x00000000007f045a in duckdb::Vector::GetValue(unsigned long) const ()
...
#38 0x00000000007f04ac in duckdb::DataChunk::GetValue(unsigned long, unsigned long) const ()
#39 0x00000000015d9df1 in duckdb::ListValueFunction(duckdb::DataChunk&, duckdb::ExpressionState&, duckdb::Vector&) ()
#40 0x0000000000a9a107 in duckdb::ExpressionExecutor::Execute(duckdb::Expression const&, duckdb::ExpressionState*, duckdb::SelectionVector const*, unsigned long, duckdb::Vector&) ()
#41 0x0000000000a9a865 in duckdb::ExpressionExecutor::EvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, bool) ()
#42 0x0000000000a9aaad in duckdb::ExpressionExecutor::TryEvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, duckdb::Value&) ()
#43 0x0000000000c8f966 in duckdb::ConstantFoldingRule::Apply(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Expression>, true>&, bool&, bool) ()
#44 0x0000000000c9b6ce in duckdb::ExpressionRewriter::ApplyRules(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Rule>, true> const&, duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>, bool&, bool) ()
#45 0x0000000000c9b94a in duckdb::ExpressionRewriter::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*) ()
#46 0x0000000000d4d410 in duckdb::LogicalOperatorVisitor::EnumerateExpressions(duckdb::LogicalOperator&, std::function<void (duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*)> const&) ()
#47 0x0000000000d4d7ad in duckdb::LogicalOperatorVisitor::VisitOperatorExpressions(duckdb::LogicalOperator&) ()
#48 0x0000000000c9f512 in duckdb::ExpressionRewriter::VisitOperator(duckdb::LogicalOperator&) ()
#49 0x0000000000c9a476 in duckdb::Optimizer::RunOptimizer(duckdb::OptimizerType, std::function<void ()> const&) ()
#50 0x0000000000c9c167 in duckdb::Optimizer::Optimize(duckdb::unique_ptr<duckdb::LogicalOperator, std::default_delete<duckdb::LogicalOperator>, true>) ()
#51 0x0000000000b00189 in duckdb::ClientContext::CreatePreparedStatementInternal(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >) ()
#52 0x0000000000b009c3 in duckdb::ClientContext::CreatePreparedStatement(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >, duckdb::PreparedStatementMode) ()
#53 0x0000000000b00b4c in std::_Function_handler<void (), duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>)::{lambda()#1}>::_M_invoke(std::_Any_data const&) ()
#54 0x0000000000af9c49 in duckdb::ClientContext::RunFunctionInTransactionInternal(duckdb::ClientContextLock&, std::function<void ()> const&, bool) ()
#55 0x0000000000afa6a2 in duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#56 0x0000000000b08678 in duckdb::ClientContext::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#57 0x0000000000b08725 in duckdb::Connection::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#58 0x00000000006da751 in duckdb_shell_sqlite3_prepare_v2 ()
#59 0x00000000006c7f40 in shell_exec ()
#60 0x00000000006c9b50 in runOneSqlLine.constprop.0 ()
#61 0x00000000006d2025 in process_input ()
#62 0x00000000006a6ab7 in main ()
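OS: Ubuntu 22.04
DuckDB Version: v0.10.2
DuckDB Client: cli
Full Name: Jingzhou Fu
Affiliation: Wingtecher Lab of Tsinghua University
What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.
I have tested with a nightly build
Did you include all relevant data sets for reproducing the issue?
Yes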
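An added triage helper (not part of the issue and not DuckDB code) that parses gdb frames in the format of the backtrace above and reports which query-processing stages were on the stack. The stage labels and the `STAGES` substring table are assumptions of this example; on the excerpt it shows the failing value construction is reached from `Connection::Prepare` through the optimizer's constant folding.

```python
import re

# Frames copied from the issue's backtrace (the remaining frames are omitted here).
BACKTRACE = """\
#0 0x00007ffff78969fc in ?? ()
#4 0x00000000007df9c6 in duckdb::Value::Value(std::string) ()
#5 0x00000000007f09c9 in duckdb::Value::CastAs(duckdb::CastFunctionSet&, duckdb::GetCastFunctionInput&, duckdb::LogicalType const&, bool) const ()
#27 0x00000000007f03cf in duckdb::Vector::GetValue(duckdb::Vector const&, unsigned long) ()
#39 0x00000000015d9df1 in duckdb::ListValueFunction(duckdb::DataChunk&, duckdb::ExpressionState&, duckdb::Vector&) ()
#43 0x0000000000c8f966 in duckdb::ConstantFoldingRule::Apply(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Expression>, true>&, bool&, bool) ()
#50 0x0000000000c9c167 in duckdb::Optimizer::Optimize(duckdb::unique_ptr<duckdb::LogicalOperator, std::default_delete<duckdb::LogicalOperator>, true>) ()
#57 0x0000000000b08725 in duckdb::Connection::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#58 0x00000000006da751 in duckdb_shell_sqlite3_prepare_v2 ()
"""
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (.+) \(\)$")
# Stage labels are this example's own; the substrings are symbol names from the trace.
STAGES = [("prepare", "::Prepare"), ("optimizer", "Optimizer::"),
          ("constant folding", "ConstantFoldingRule::"), ("scalar function", "ListValueFunction"),
          ("value materialization", "Vector::GetValue"), ("value cast", "Value::CastAs")]

def short_name(symbol):
    """Drop the parameter list: cut at the first '(' outside template brackets."""
    depth = 0
    for i, ch in enumerate(symbol):
        depth += (ch == "<") - (ch == ">")
        if ch == "(" and depth == 0:
            return symbol[:i]
    return symbol

def parse_frames(text):
    """Return [(frame_no, name or None)], innermost first; unresolved '??' -> None."""
    hits = filter(None, (FRAME_RE.match(l.strip()) for l in text.splitlines()))
    frames = [(int(m[1]), None if m[2] == "??" else short_name(m[2])) for m in hits]
    return sorted(frames, key=lambda f: f[0])

def triage(text):
    """Summarise a trace: unresolved frames, innermost named frame, stages on the stack."""
    frames = parse_frames(text)
    named = [name for _, name in frames if name]
    stages = []
    for name in reversed(named):                      # outermost -> innermost
        stages += [label for label, needle in STAGES
                   if needle in name and label not in stages]
    return {"unresolved": [n for n, name in frames if name is None],
            "innermost_named": named[0] if named else None, "stages": stages}

if __name__ == "__main__":
    print(triage(BACKTRACE))
```
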
Thanks! This also reproduces on macOS/Apple Silicon.