parse_fuzz_test internal exception due to Failed to bind column reference #17781
Description
What happens?
Hi! We found a crashing test case when testing with the parse_fuzz_test fuzzing driver.
To Reproduce
CREATE TABLE t1(a INT, b TIMESTAMP);
INSERT INTO t1 VALUES(1, '2020-01-01 00:00:00'), (2, '2020-01-02 00:00:00');
CREATE TABLE t2(c INT, d TIMESTAMP);
INSERT INTO t2 VALUES(1, '2020-01-01 00:01:00'), (2, '2020-01-02 00:00:00');
SELECT * FROM t1 ASOF JOIN t2 ON t1=b == t2.d AND t1.b >= t2.d - INTERVAL '1' SECOND;
Stderr and backtrace:
ABORT THROWN BY INTERNAL EXCEPTION: Failed to bind column reference "d" [1.0] (bindings: {#[0.0], #[0.1]})
==236352== ERROR: libFuzzer: deadly signal
#0 0x4e92e1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3 #1 0x5496ca in fuzzer::PrintStackTrace() /tmp/libfuzzer/./FuzzerUtil.cpp:205:5 #2 0x5298b8 in fuzzer::Fuzzer::CrashCallback() /tmp/libfuzzer/./FuzzerLoop.cpp:236:3 #3 0x529873 in fuzzer::Fuzzer::StaticCrashSignalCallback() /tmp/libfuzzer/./FuzzerLoop.cpp:208:6
#4 0x7f2f03c5c51f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: cd410b710f0f094c6832edd95931006d883af48e) #5 0x7f2f03cb09fb in __pthread_kill_implementation nptl/pthread_kill.c:43:17 #6 0x7f2f03cb09fb in __pthread_kill_internal nptl/pthread_kill.c:78:10 #7 0x7f2f03cb09fb in pthread_kill nptl/pthread_kill.c:89:10
#8 0x7f2f03c5c475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#9 0x7f2f03c427f2 in abort stdlib/abort.c:79:7 #10 0x5907a1 in duckdb::InternalException::InternalException(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) /src/duckdb/src/common/exception.cpp:338:2 #11 0x8398b9 in duckdb::InternalException::InternalException<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, unsigned long, unsigned long, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, unsigned long, unsigned long, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) /src/duckdb/src/include/duckdb/common/exception.hpp:318:8 #12 0x7f325d in duckdb::ColumnBindingResolver::VisitReplace(duckdb::BoundColumnRefExpression&, duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>*) /src/duckdb/src/execution/column_binding_resolver.cpp:182:8 #13 0x16a6058 in duckdb::LogicalOperatorVisitor::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>*) /src/duckdb/src/planner/logical_operator_visitor.cpp:227:12 #14 0x1656a13 in duckdb::ExpressionIterator::EnumerateChildren(duckdb::Expression&, std::__1::function<void (duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>&)> const&) /src/duckdb/src/planner/expression_iterator.cpp #15 0x16a71fa in duckdb::LogicalOperatorVisitor::VisitExpressionChildren(duckdb::Expression&) /src/duckdb/src/planner/logical_operator_visitor.cpp:274:2
#16 0x16a69d4 in duckdb::LogicalOperatorVisitor::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>*) /src/duckdb/src/planner/logical_operator_visitor.cpp:269:3 #17 0x1656f20 in duckdb::ExpressionIterator::EnumerateChildren(duckdb::Expression&, std::__1::function<void (duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>&)> const&) /src/duckdb/src/planner/expression_iterator.cpp #18 0x16a71fa in duckdb::LogicalOperatorVisitor::VisitExpressionChildren(duckdb::Expression&) /src/duckdb/src/planner/logical_operator_visitor.cpp:274:2 #19 0x16a69d4 in duckdb::LogicalOperatorVisitor::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>*) /src/duckdb/src/planner/logical_operator_visitor.cpp:269:3
#20 0x1656a13 in duckdb::ExpressionIterator::EnumerateChildren(duckdb::Expression&, std::__1::function<void (duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>&)> const&) /src/duckdb/src/planner/expression_iterator.cpp #21 0x16a71fa in duckdb::LogicalOperatorVisitor::VisitExpressionChildren(duckdb::Expression&) /src/duckdb/src/planner/logical_operator_visitor.cpp:274:2
#22 0x16a69d4 in duckdb::LogicalOperatorVisitor::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::__1::default_delete<duckdb::Expression>, true>*) /src/duckdb/src/planner/logical_operator_visitor.cpp:269:3
#23 0x7f162f in duckdb::ColumnBindingResolver::VisitOperator(duckdb::LogicalOperator&) /src/duckdb/src/execution/column_binding_resolver.cpp:34:4
#24 0x16a1abf in duckdb::LogicalOperatorVisitor::VisitOperatorChildren(duckdb::LogicalOperator&) /src/duckdb/src/planner/logical_operator_visitor.cpp:19:4
#25 0x7f20de in duckdb::ColumnBindingResolver::VisitOperator(duckdb::LogicalOperator&) /src/duckdb/src/execution/column_binding_resolver.cpp:159:2
#26 0x820b2a in duckdb::PhysicalPlanGenerator::ResolveAndPlan(duckdb::unique_ptr<duckdb::LogicalOperator, std::__1::default_delete<duckdb::LogicalOperator>, true>) /src/duckdb/src/execution/physical_plan_generator.cpp:34:11
#27 0x820733 in duckdb::PhysicalPlanGenerator::Plan(duckdb::unique_ptr<duckdb::LogicalOperator, std::__1::default_delete<duckdb::LogicalOperator>, true>) /src/duckdb/src/execution/physical_plan_generator.cpp:23:15
...
OS:
Linux
DuckDB Version:
1f8b683 (May 23)
DuckDB Client:
fuzzer
Hardware:
No response
Full Name:
gal1ium
Affiliation:
HKU
What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.
I have tested with a source build
Did you include all relevant data sets for reproducing the issue?
Yes
Did you include all code required to reproduce the issue?
- Yes, I have
Did you include all relevant configuration (e.g., CPU architecture, Python version, Linux distribution) to reproduce the issue?
- Yes, I have