[doris] branch master updated: fix heap-use-after-free on map_agg (#25380)

panxiaolei Thu, 12 Oct 2023 09:20:22 -0700

This is an automated email from the ASF dual-hosted git repository.

panxiaolei pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git



The following commit(s) were added to refs/heads/master by this push:
     new 26f50f4f0fc fix heap-use-after-free on map_agg (#25380)
26f50f4f0fc is described below

commit 26f50f4f0fc915b947cc28dbf2b6609dde331147
Author: Pxl <pxl...@qq.com>
AuthorDate: Fri Oct 13 00:19:25 2023 +0800

    fix heap-use-after-free on map_agg (#25380)
    
    fix heap-use-after-free on map_agg
---
 be/src/vec/aggregate_functions/aggregate_function_map.h  |  8 ++++----
 be/src/vec/common/arena.h                                | 14 +++++++-------
 regression-test/suites/query_p0/aggregate/map_agg.groovy |  6 ------
 3 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/be/src/vec/aggregate_functions/aggregate_function_map.h 
b/be/src/vec/aggregate_functions/aggregate_function_map.h
index a1378ba07da..a0617305830 100644
--- a/be/src/vec/aggregate_functions/aggregate_function_map.h
+++ b/be/src/vec/aggregate_functions/aggregate_function_map.h
@@ -58,13 +58,13 @@ struct AggregateFunctionMapAggData {
         _value_column->clear();
     }
 
-    void add(const StringRef& key, const Field& value) {
+    void add(StringRef key, const Field& value) {
         DCHECK(key.data != nullptr);
         if (UNLIKELY(_map.find(key) != _map.end())) {
             return;
         }
 
-        _arena.insert(key.data, key.size);
+        key.data = _arena.insert(key.data, key.size);
 
         _map.emplace(key, _key_column->size());
         _key_column->insert_data(key.data, key.size);
@@ -95,7 +95,7 @@ struct AggregateFunctionMapAggData {
                 return;
             }
 
-            _arena.insert(key.data, key.size);
+            key.data = _arena.insert(key.data, key.size);
 
             _map.emplace(key, _key_column->size());
             _key_column->insert_data(key.data, key.size);
@@ -116,7 +116,7 @@ struct AggregateFunctionMapAggData {
             if (_map.find(key) != _map.cend()) {
                 continue;
             }
-            _arena.insert(key.data, key.size);
+            key.data = _arena.insert(key.data, key.size);
 
             _map.emplace(key, _key_column->size());
             static_cast<KeyColumnType&>(*_key_column).insert_data(key.data, 
key.size);
diff --git a/be/src/vec/common/arena.h b/be/src/vec/common/arena.h
index 9fad70d8451..90ebe2788bc 100644
--- a/be/src/vec/common/arena.h
+++ b/be/src/vec/common/arena.h
@@ -197,8 +197,8 @@ public:
       * NOTE This method is usable only for the last allocation made on this
       * Arena. For earlier allocations, see 'realloc' method.
       */
-    char* alloc_continue(size_t additional_bytes, char const*& range_start,
-                         size_t start_alignment = 0) {
+    [[nodiscard]] char* alloc_continue(size_t additional_bytes, char const*& 
range_start,
+                                       size_t start_alignment = 0) {
         if (!range_start) {
             // Start a new memory range.
             char* result = start_alignment ? aligned_alloc(additional_bytes, 
start_alignment)
@@ -245,7 +245,7 @@ public:
     }
 
     /// NOTE Old memory region is wasted.
-    char* realloc(const char* old_data, size_t old_size, size_t new_size) {
+    [[nodiscard]] char* realloc(const char* old_data, size_t old_size, size_t 
new_size) {
         char* res = alloc(new_size);
         if (old_data) {
             memcpy(res, old_data, old_size);
@@ -254,8 +254,8 @@ public:
         return res;
     }
 
-    char* aligned_realloc(const char* old_data, size_t old_size, size_t 
new_size,
-                          size_t alignment) {
+    [[nodiscard]] char* aligned_realloc(const char* old_data, size_t old_size, 
size_t new_size,
+                                        size_t alignment) {
         char* res = aligned_alloc(new_size, alignment);
         if (old_data) {
             memcpy(res, old_data, old_size);
@@ -265,13 +265,13 @@ public:
     }
 
     /// Insert string without alignment.
-    const char* insert(const char* data, size_t size) {
+    [[nodiscard]] const char* insert(const char* data, size_t size) {
         char* res = alloc(size);
         memcpy(res, data, size);
         return res;
     }
 
-    const char* aligned_insert(const char* data, size_t size, size_t 
alignment) {
+    [[nodiscard]] const char* aligned_insert(const char* data, size_t size, 
size_t alignment) {
         char* res = aligned_alloc(size, alignment);
         memcpy(res, data, size);
         return res;
diff --git a/regression-test/suites/query_p0/aggregate/map_agg.groovy 
b/regression-test/suites/query_p0/aggregate/map_agg.groovy
index 4fc90143464..3eecbc1043b 100644
--- a/regression-test/suites/query_p0/aggregate/map_agg.groovy
+++ b/regression-test/suites/query_p0/aggregate/map_agg.groovy
@@ -275,10 +275,4 @@ suite("map_agg") {
             select userid, map_agg(subject,score) as map from 
test_map_agg_score group by userid
         ) a order by userid;
     """
-
-    sql "DROP TABLE IF EXISTS `test_map_agg`"
-    sql "DROP TABLE IF EXISTS `test_map_agg_nullable`"
-    sql "DROP TABLE IF EXISTS `test_map_agg_numeric_key`"
-    sql "DROP TABLE IF EXISTS `test_map_agg_decimal`"
-    sql "DROP TABLE IF EXISTS `test_map_agg_score`"
  }


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

[doris] branch master updated: fix heap-use-after-free on map_agg (#25380)

Reply via email to