Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(0 vs. 0) Dictionary index must be less than base vector's size #3216

Closed
kagamiori opened this issue Nov 12, 2022 · 1 comment
Closed

(0 vs. 0) Dictionary index must be less than base vector's size #3216

kagamiori opened this issue Nov 12, 2022 · 1 comment
Assignees
@kagamiori
Labels
bug Something isn't working fuzzer-found

Comments

@kagamiori
Copy link
Contributor

This bug can be reproduced by the following command:
velox/expression/tests/velox_expression_fuzzer_test --velox_fuzzer_enable_complex_types --velox_fuzzer_max_level_of_nesting 3 --only "array_min,reverse,slice,array_constructor,map_concat,map,pow,round,power,subscript,codepoint,quarter" --seed 2575563250.

======> Started iteration 0 (seed: 2575563250)
I1111 18:24:44.622756 2644461 ExpressionVerifier.cpp:129] Executing expression: subscript(map(slice("c0",7952708886284806954,"c1"),slice(10 elements starting at 80 {0.21375429420731962, 0.8506123200058937, 0.025995144620537758, 0.1558157887775451, 0.5748477678280324, ...},6467029812706003723,9024956895854829940)),4731416725670843811)
I1111 18:24:44.623111 2644461 ExpressionVerifier.cpp:42] 2 vectors as input:
I1111 18:24:44.623178 2644461 ExpressionVerifier.cpp:44] 	[DICTIONARY ARRAY<BIGINT>: 100 elements, 14 nulls], [DICTIONARY ARRAY<BIGINT>: 100 elements, 13 nulls], [DICTIONARY ARRAY<BIGINT>: 100 elements, 9 nulls], [DICTIONARY ARRAY<BIGINT>: 100 elements, 10 nulls], [ARRAY ARRAY<BIGINT>: 100 elements, 12 nulls]
I1111 18:24:44.623342 2644461 ExpressionVerifier.cpp:44] 	[FLAT BIGINT: 100 elements, 18 nulls]
E1111 18:24:44.626539 2644461 Exceptions.h:68] Line: buck-out/dev/gen/aab7ed39/velox/vector/velox_vector#header-mode-symlink-tree-with-header-map,headers/velox/vector/DictionaryVector-inl.h:50, Function:setInternalState, Expression: rawIndices_[i] < dictionaryValues_->size() (0 vs. 0) Dictionary index must be less than base vector's size. Index: 0., Source: RUNTIME, ErrorCode: INVALID_STATE
E1111 18:24:44.631105 2644461 FuzzerToolkit.cpp:131] Only one path threw exception:
terminate called after throwing an instance of 'facebook::velox::VeloxRuntimeError'
  what():  Exception: VeloxRuntimeError
Error Source: RUNTIME
Error Code: INVALID_STATE
Reason: (0 vs. 0) Dictionary index must be less than base vector's size. Index: 0.
Retriable: False
Expression: rawIndices_[i] < dictionaryValues_->size()
Context: subscript(map(slice(c0, 7952708886284806954:BIGINT, c1), <empty>:ARRAY<DOUBLE>), 4731416725670843811:BIGINT)
Top-Level Context: Same as context.
Function: setInternalState
File: buck-out/dev/gen/aab7ed39/velox/vector/velox_vector#header-mode-symlink-tree-with-header-map,headers/velox/vector/DictionaryVector-inl.h
Line: 50
Stack trace:
# 0  std::shared_ptr<facebook::velox::VeloxException::State const> facebook::velox::VeloxException::State::make<facebook::velox::VeloxException::make(char const*, unsigned long, char const*, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, bool, facebook::velox::VeloxException::Type, std::basic_string_view<char, std::char_traits<char> >)::$_0>(facebook::velox::VeloxException::Type, facebook::velox::VeloxException::make(char const*, unsigned long, char const*, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, bool, facebook::velox::VeloxException::Type, std::basic_string_view<char, std::char_traits<char> >)::$_0)
# 1  facebook::velox::VeloxException::VeloxException(char const*, unsigned long, char const*, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, bool, facebook::velox::VeloxException::Type, std::basic_string_view<char, std::char_traits<char> >)
# 2  facebook::velox::VeloxRuntimeError::VeloxRuntimeError(char const*, unsigned long, char const*, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, bool, std::basic_string_view<char, std::char_traits<char> >)
# 3  void facebook::velox::detail::veloxCheckFail<facebook::velox::VeloxRuntimeError, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(facebook::velox::detail::VeloxCheckFailArgs const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
# 4  facebook::velox::DictionaryVector<double>::setInternalState()
# 5  facebook::velox::DictionaryVector<double>::DictionaryVector(facebook::velox::memory::MemoryPool*, boost::intrusive_ptr<facebook::velox::Buffer>, unsigned long, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer>, facebook::velox::SimpleVectorStats<double> const&, std::optional<int>, std::optional<int>, std::optional<bool>, std::optional<int>, std::optional<int>)
# 6  decltype (::new ((void*)(0)) facebook::velox::DictionaryVector<double>(std::declval<facebook::velox::memory::MemoryPool*&>(), std::declval<boost::intrusive_ptr<facebook::velox::Buffer>&>(), std::declval<unsigned long&>(), std::declval<std::shared_ptr<facebook::velox::BaseVector> >(), std::declval<boost::intrusive_ptr<facebook::velox::Buffer> >())) std::construct_at<facebook::velox::DictionaryVector<double>, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(facebook::velox::DictionaryVector<double>*, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 7  void std::allocator_traits<std::allocator<facebook::velox::DictionaryVector<double> > >::construct<facebook::velox::DictionaryVector<double>, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(std::allocator<facebook::velox::DictionaryVector<double> >&, facebook::velox::DictionaryVector<double>*, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 8  std::_Sp_counted_ptr_inplace<facebook::velox::DictionaryVector<double>, std::allocator<facebook::velox::DictionaryVector<double> >, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(std::allocator<facebook::velox::DictionaryVector<double> >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 9  std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<facebook::velox::DictionaryVector<double>, std::allocator<facebook::velox::DictionaryVector<double> >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(facebook::velox::DictionaryVector<double>*&, std::_Sp_alloc_shared_tag<std::allocator<facebook::velox::DictionaryVector<double> > >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 10 std::__shared_ptr<facebook::velox::DictionaryVector<double>, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<facebook::velox::DictionaryVector<double> >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(std::_Sp_alloc_shared_tag<std::allocator<facebook::velox::DictionaryVector<double> > >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 11 std::shared_ptr<facebook::velox::DictionaryVector<double> >::shared_ptr<std::allocator<facebook::velox::DictionaryVector<double> >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(std::_Sp_alloc_shared_tag<std::allocator<facebook::velox::DictionaryVector<double> > >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 12 std::shared_ptr<facebook::velox::DictionaryVector<double> > std::allocate_shared<facebook::velox::DictionaryVector<double>, std::allocator<facebook::velox::DictionaryVector<double> >, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(std::allocator<facebook::velox::DictionaryVector<double> > const&, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 13 std::shared_ptr<facebook::velox::DictionaryVector<double> > std::make_shared<facebook::velox::DictionaryVector<double>, facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>, boost::intrusive_ptr<facebook::velox::Buffer> >(facebook::velox::memory::MemoryPool*&, boost::intrusive_ptr<facebook::velox::Buffer>&, unsigned long&, std::shared_ptr<facebook::velox::BaseVector>&&, boost::intrusive_ptr<facebook::velox::Buffer>&&)
# 14 std::shared_ptr<facebook::velox::BaseVector> facebook::velox::addDictionary<(facebook::velox::TypeKind)6>(boost::intrusive_ptr<facebook::velox::Buffer>, boost::intrusive_ptr<facebook::velox::Buffer>, unsigned long, std::shared_ptr<facebook::velox::BaseVector>)
# 15 facebook::velox::BaseVector::wrapInDictionary(boost::intrusive_ptr<facebook::velox::Buffer>, boost::intrusive_ptr<facebook::velox::Buffer>, int, std::shared_ptr<facebook::velox::BaseVector>)::$_0::operator()() const::{lambda()#1}::operator()() const
# 16 facebook::velox::BaseVector::wrapInDictionary(boost::intrusive_ptr<facebook::velox::Buffer>, boost::intrusive_ptr<facebook::velox::Buffer>, int, std::shared_ptr<facebook::velox::BaseVector>)::$_0::operator()() const
# 17 facebook::velox::BaseVector::wrapInDictionary(boost::intrusive_ptr<facebook::velox::Buffer>, boost::intrusive_ptr<facebook::velox::Buffer>, int, std::shared_ptr<facebook::velox::BaseVector>)
# 18 std::shared_ptr<facebook::velox::BaseVector> facebook::velox::functions::SubscriptImpl<false, false, false, true>::applyMapTyped<long>(facebook::velox::SelectivityVector const&, std::shared_ptr<facebook::velox::BaseVector> const&, std::shared_ptr<facebook::velox::BaseVector> const&, facebook::velox::exec::EvalCtx&) const
# 19 facebook::velox::functions::SubscriptImpl<false, false, false, true>::applyMap(facebook::velox::SelectivityVector const&, std::vector<std::shared_ptr<facebook::velox::BaseVector>, std::allocator<std::shared_ptr<facebook::velox::BaseVector> > >&, facebook::velox::exec::EvalCtx&) const
# 20 facebook::velox::functions::SubscriptImpl<false, false, false, true>::apply(facebook::velox::SelectivityVector const&, std::vector<std::shared_ptr<facebook::velox::BaseVector>, std::allocator<std::shared_ptr<facebook::velox::BaseVector> > >&, std::shared_ptr<facebook::velox::Type const> const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&) const
# 21 facebook::velox::exec::Expr::applyFunction(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&)
# 22 facebook::velox::exec::Expr::evalAll(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&)
# 23 facebook::velox::exec::Expr::evalWithNulls(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&)
# 24 facebook::velox::exec::Expr::evalEncodings(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&)
# 25 facebook::velox::exec::Expr::eval(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::shared_ptr<facebook::velox::BaseVector>&, bool)
# 26 facebook::velox::exec::ExprSet::eval(int, int, bool, facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::vector<std::shared_ptr<facebook::velox::BaseVector>, std::allocator<std::shared_ptr<facebook::velox::BaseVector> > >&)
# 27 facebook::velox::exec::ExprSet::eval(facebook::velox::SelectivityVector const&, facebook::velox::exec::EvalCtx&, std::vector<std::shared_ptr<facebook::velox::BaseVector>, std::allocator<std::shared_ptr<facebook::velox::BaseVector> > >&)
# 28 facebook::velox::test::ExpressionVerifier::verify(std::shared_ptr<facebook::velox::core::ITypedExpr const> const&, std::shared_ptr<facebook::velox::RowVector> const&, std::shared_ptr<facebook::velox::BaseVector>&&, bool, std::vector<unsigned int, std::allocator<unsigned int> >)
# 29 facebook::velox::test::ExpressionFuzzer::go()
# 30 facebook::velox::test::expressionFuzzer(std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<facebook::velox::exec::FunctionSignature const*, std::allocator<facebook::velox::exec::FunctionSignature const*> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::vector<facebook::velox::exec::FunctionSignature const*, std::allocator<facebook::velox::exec::FunctionSignature const*> > > > >, unsigned long)
# 31 FuzzerRunner::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, std::unordered_set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
# 32 main
# 33 __libc_start_call_main
# 34 __libc_start_main_alias_2
# 35 _start

*** Aborted at 1668219884 (Unix time, try 'date -d @1668219884') ***
*** Signal 6 (SIGABRT) (0x37b3c002859ed) received by PID 2644461 (pthread TID 0x7f608fa2af80) (linux TID 2644461) (maybe from PID 2644461, UID 228156) (code: -6), stack trace: ***
    @ 0000000000010fae folly::symbolizer::(anonymous namespace)::innerSignalHandler(int, siginfo_t*, void*)
                       ./folly/experimental/symbolizer/SignalHandler.cpp:449
    @ 000000000000f6d1 folly::symbolizer::(anonymous namespace)::signalHandler(int, siginfo_t*, void*)
                       ./folly/experimental/symbolizer/SignalHandler.cpp:470
    @ 0000000000000000 (unknown)
    @ 000000000009c9d3 __GI___pthread_kill
    @ 00000000000444ec __GI_raise
    @ 000000000002c432 __GI_abort
    @ 00000000000a3fd4 __gnu_cxx::__verbose_terminate_handler()
    @ 00000000000a1b39 __cxxabiv1::__terminate(void (*)())
    @ 00000000000a1ba4 std::terminate()
    @ 00000000000a1ec1 __cxa_rethrow
    @ 000000000002b63e facebook::velox::test::ExpressionVerifier::verify(std::shared_ptr<facebook::velox::core::ITypedExpr const> const&, std::shared_ptr<facebook::velox::RowVector> const&, std::shared_ptr<facebook::velox::BaseVector>&&, bool, std::vector<unsigned int, std::allocator<unsigned int> >)
                       ./velox/expression/tests/ExpressionVerifier.cpp:233
    @ 000000000007e35e facebook::velox::test::ExpressionFuzzer::go()
                       ./velox/expression/tests/ExpressionFuzzer.cpp:679
    @ 00000000000a55d6 facebook::velox::test::expressionFuzzer(std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<facebook::velox::exec::FunctionSignature const*, std::allocator<facebook::velox::exec::FunctionSignature const*> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::vector<facebook::velox::exec::FunctionSignature const*, std::allocator<facebook::velox::exec::FunctionSignature const*> > > > >, unsigned long)
                       ./velox/expression/tests/ExpressionFuzzer.cpp:708
    @ 00000000002dee8f FuzzerRunner::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, std::unordered_set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
                       ./velox/expression/tests/FuzzerRunner.h:140
                       -> ./velox/expression/tests/ExpressionFuzzerTest.cpp
    @ 00000000002de73a main
                       ./velox/expression/tests/ExpressionFuzzerTest.cpp:63
    @ 000000000002c656 __libc_start_call_main
    @ 000000000002c717 __libc_start_main_alias_2
    @ 00000000002c10b0 _start
                       /home/engshare/third-party2/glibc/2.34/src/glibc-2.34/csu/../sysdeps/x86_64/start.S:116
Aborted (core dumped)
@kagamiori kagamiori added bug Something isn't working fuzzer-found labels Nov 12, 2022
@kagamiori kagamiori self-assigned this Nov 12, 2022
@kagamiori
Copy link
Contributor Author

Here is what happens: When the start argument of the slice() function (i.e., 2nd argument) is out of range, slice() produces an array vector where all rows are empty arrays. map() then receives two such arrays and produces a map vector of the size rows.end() but both keys and values child vectors are empty.

Next, subscript() builds an indices at selected rows (i.e., in the range of 1--99 in this example) and attempts to wrap the empty map values vector with this indices into a dictionary vector of size 100 (rows.size()). DictionaryVector::setInternalState() checks that the index pointed to by indices at 0--rows.size() are less than the length of the vector to be wrapped, which is 0. Hence the check of 0 < 0 fails.

@kagamiori kagamiori mentioned this issue Nov 17, 2022
Closed
kagamiori added a commit to kagamiori/velox that referenced this issue Nov 17, 2022
@kagamiori @facebook-github-bot
Fix wrapping of 0-length vector in element_at and subscript functions
e60f1d6 
Summary:
Expression fuzzer found a bug in element_at() and subscript() functions when the input vector has a 0-length element vector and there are unselected rows of this evaluation: facebookincubator#3216. In this situation, SubscriptImpl builds up an `indices` where unselected rows point to 0 (i.e., default value) and use it to wrap the 0-length element vector via BaseVector::wrapInDictionary. DictionaryVector<T>::setInternalState() checks that the index pointed to by `indices` is less than the length of the vector being wrapped, which are both 0 in this case. Hence the error happens.

This diff fixes this bug by directly creating a null vector when the input element vector has 0 length, instead of wrapping it in a dictionary.

Differential Revision: D41357753

fbshipit-source-id: 1025c6c40058103e8bd21e00b3dcff93453cf3e5
kagamiori added a commit to kagamiori/velox that referenced this issue Nov 21, 2022
@kagamiori @facebook-github-bot
Fix wrapping of 0-length vector in element_at and subscript functions (
7b86c51 
…facebookincubator#3284)

Summary:
Pull Request resolved: facebookincubator#3284

Expression fuzzer found a bug in element_at() and subscript() functions when the input vector has a 0-length element vector and there are unselected rows of this evaluation: facebookincubator#3216. In this situation, SubscriptImpl builds up an `indices` where unselected rows point to 0 (i.e., default value) and use it to wrap the 0-length element vector via BaseVector::wrapInDictionary. DictionaryVector<T>::setInternalState() checks that the index pointed to by `indices` is less than the length of the vector being wrapped, which are both 0 in this case. Hence the error happens.

This diff fixes this bug by directly creating a null vector when the input element vector has 0 length, instead of wrapping it in a dictionary.

Differential Revision: D41357753

fbshipit-source-id: e7c8d11b0cf84d7b3a72ccc79ec4234908a6b2ce
kagamiori added a commit to kagamiori/velox that referenced this issue Dec 2, 2022
@kagamiori @facebook-github-bot
Fix wrapping of 0-length vector in element_at and subscript functions (
7e42770 
…facebookincubator#3284)

Summary:
Pull Request resolved: facebookincubator#3284

Expression fuzzer found a bug in element_at() and subscript() functions when the input vector has a 0-length element vector and there are unselected rows of this evaluation: facebookincubator#3216. In this situation, SubscriptImpl builds up an `indices` where unselected rows point to 0 (i.e., default value) and use it to wrap the 0-length element vector via BaseVector::wrapInDictionary. DictionaryVector<T>::setInternalState() checks that the index pointed to by `indices` is less than the length of the vector being wrapped, which are both 0 in this case. Hence the error happens.

This diff fixes this bug by directly creating a null vector when the input element vector has 0 length, instead of wrapping it in a dictionary.

Reviewed By: bikramSingh91

Differential Revision: D41357753

fbshipit-source-id: aa84b67dfbcace5a12e97fc61163e92ec7f21663
facebook-github-bot pushed a commit that referenced this issue Dec 2, 2022
@kagamiori @facebook-github-bot
Fix wrapping of 0-length vector in element_at and subscript functions (
5a34db3 
…#3284)

Summary:
Pull Request resolved: #3284

Expression fuzzer found a bug in element_at() and subscript() functions when the input vector has a 0-length element vector and there are unselected rows of this evaluation: #3216. In this situation, SubscriptImpl builds up an `indices` where unselected rows point to 0 (i.e., default value) and use it to wrap the 0-length element vector via BaseVector::wrapInDictionary. DictionaryVector<T>::setInternalState() checks that the index pointed to by `indices` is less than the length of the vector being wrapped, which are both 0 in this case. Hence the error happens.

This diff fixes this bug by directly creating a null vector when the input element vector has 0 length, instead of wrapping it in a dictionary.

Reviewed By: bikramSingh91

Differential Revision: D41357753

fbshipit-source-id: 71d217f73733cb12914879b27b0b61ead7c8bf34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kagamiori kagamiori

Labels
bug Something isn't working fuzzer-found
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kagamiori