[BugFix] Fix the crash caused by JniScanner (backport #44903) #46186

Merged
merged 1 commit into from
May 27, 2024

Conversation


@mergify mergify bot commented May 24, 2024

Why I'm doing:

A crash may occur when reading array, map<string,string> types from HiveJniScanner. Taking array as an example, the reasons are as follows:

In OffHeapColumnVector, array uses childColumns[0] to store data. For each row of array data, there are 0 to multiple rows of data corresponding to it in childColumns[0], and offsetData is used to record the start and end positions of each row of array data in childColumns[0].

Initially, childColumns[0] has the same capacity as array. Assuming that each row of array data corresponds to multiple rows of data in childColumns[0], when appending data, childColumns[0] must be expanded first to accommodate all the data in the array.

childColumns[0] is an OffHeapColumnVector of String type. It directly creates a new OffHeapColumnVector when expanding, which means that the offset of the data added later will start from 0, but the offsetData of the array is still continuous. So there will be a situation where offsetData[n-1] > offsetData[n], as shown in the figure below. This will be a disaster, because offsetData will be passed to BE, and BE will calculate the length of the string as offsetData[n] - offsetData[n - 1]. The negative length will be assigned to an unsigned number, so the construction of the string will go out of bounds, causing BE to crash.
image

What I'm doing:

When OffHeapColumnVector is expanding, check whether childColumns already exists. If it already exists, there is no need to reset it and just keep it, because the expansion will be done automatically in the appendValue function of childColumns.

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 3.3
    • 3.2
    • 3.1
    • 3.0
    • 2.5

This is an automatic backport of pull request #44903 done by [Mergify](https://mergify.com).

Signed-off-by: changxin <[email protected]>
(cherry picked from commit b8cbc29)
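
The failure described above, reduced to a stand-alone model together with a consumer-side check. This is an added example, not code from this pull request or from StarRocks: the function names, the byte-offset layout and the sample data are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample data: an 8-byte child buffer and two offset arrays.
const std::string kChild = "abcdefgh";
const std::vector<int32_t> kGoodOffsets{0, 3, 5, 8};
// Offsets restart after the third entry, so offsets[2] > offsets[3].
const std::vector<int32_t> kBadOffsets{0, 3, 5, 2, 4};

// What an unchecked reader computes: the negative int32 difference wraps to a
// huge value when stored in an unsigned length.
uint32_t unchecked_length(int32_t prev, int32_t cur) {
    return static_cast<uint32_t>(cur - prev);
}

// Returns -1 when every offset is safe to slice with, otherwise the index of
// the first offset that is negative, past the child buffer, or decreasing.
long first_bad_offset(const std::vector<int32_t>& offsets, size_t child_size) {
    for (size_t n = 0; n < offsets.size(); ++n) {
        if (offsets[n] < 0) return static_cast<long>(n);
        if (static_cast<size_t>(offsets[n]) > child_size) return static_cast<long>(n);
        if (n > 0 && offsets[n] < offsets[n - 1]) return static_cast<long>(n);
    }
    return -1;
}

// Slices rows only after validation; rejects the whole batch otherwise.
bool slice_rows(const std::vector<int32_t>& offsets, const std::string& child,
                std::vector<std::string>* rows) {
    rows->clear();
    if (first_bad_offset(offsets, child.size()) != -1) return false;
    for (size_t n = 1; n < offsets.size(); ++n) {
        size_t start = static_cast<size_t>(offsets[n - 1]);
        rows->push_back(child.substr(start, static_cast<size_t>(offsets[n]) - start));
    }
    return true;
}

int main() {
    std::vector<std::string> rows;
    std::cout << "wrapped length: " << unchecked_length(5, 2) << "\n";
    std::cout << "good batch ok: " << slice_rows(kGoodOffsets, kChild, &rows) << "\n";
    std::cout << "first bad index: " << first_bad_offset(kBadOffsets, kChild.size()) << "\n";
    return 0;
}
```

Rejecting the batch on the reading side turns a producer bug of this kind into a reportable error instead of an out-of-bounds read.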
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) May 24, 2024 02:35

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@wanpengfei-git wanpengfei-git merged commit d3edb38 into branch-3.2 May 27, 2024
37 of 38 checks passed
@wanpengfei-git wanpengfei-git deleted the mergify/bp/branch-3.2/pr-44903 branch May 27, 2024 02:07