This is an automated email from the ASF dual-hosted git repository.

hellostephen pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new 12ea20ae5bf [fix](coalesce) fix 'heap-use-after-free' of function 
coalesce (#42666) (#42668)
12ea20ae5bf is described below

commit 12ea20ae5bfffb01cd33143e983197578310181d
Author: TengJianPing <18241664+jackte...@users.noreply.github.com>
AuthorDate: Tue Oct 29 15:25:59 2024 +0800

    [fix](coalesce) fix 'heap-use-after-free' of function coalesce (#42666) 
(#42668)
    
    ## Proposed changes
    BP #42666
    
    Should not modify state of vexpr when executing the expr, since it may
    be executed in parallel.
    
    Issue introduced by https://github.com/apache/doris/pull/42136
    
    ```
    ==75397==ERROR: AddressSanitizer: heap-use-after-free on address 
0x60700294b060 at pc 0x56507fb8a370 bp 0x7fc861cd7050 sp 0x7fc861cd7048
    19:58:49   READ of size 8 at 0x60700294b060 thread T1463 (Pipe_normal [wo)
    19:58:49       #0 0x56507fb8a36f in 
doris::vectorized::FunctionCoalesce::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function_coalesce.cpp:163:13
    19:58:49       #1 0x56507958edfe in 
doris::vectorized::DefaultExecutable::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function.h:463:26
    19:58:49       #2 0x56507dbcbf5c in 
doris::vectorized::PreparedFunctionImpl::_execute_skipped_constant_deal(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp
    19:58:49       #3 0x56507dbc65e3 in 
doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:245:12
    19:58:49       #4 0x56507dbc683b in 
doris::vectorized::PreparedFunctionImpl::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:251:12
    19:58:49       #5 0x56507958c81c in 
doris::vectorized::IFunctionBase::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.h:194:19
    19:58:49       #6 0x565079578bee in 
doris::vectorized::VectorizedFnCall::_do_execute(doris::vectorized::VExprContext*,
 doris::vectorized::Block*, int*, std::vector<unsigned long, 
std::allocator<unsigned long> >&) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:188:5
    19:58:49       #7 0x56507957a3e4 in 
doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, 
doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:203:12
    19:58:49       #8 0x56507964994a in 
doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vexpr_context.cpp:55:5
    19:58:49       #9 0x56508f8d7496 in 
doris::pipeline::OperatorXBase::do_projections(doris::RuntimeState*, 
doris::vectorized::Block*, doris::vectorized::Block*) const 
/root/doris/be/src/pipeline/exec/operator.cpp:294:13
    19:58:49       #10 0x56508f8d96ba in 
doris::pipeline::OperatorXBase::get_block_after_projects(doris::RuntimeState*, 
doris::vectorized::Block*, bool*) 
/root/doris/be/src/pipeline/exec/operator.cpp:335:18
    19:58:49       #11 0x565093c2560b in 
doris::pipeline::PipelineTask::execute(bool*) 
/root/doris/be/src/pipeline/pipeline_task.cpp:374:13
    19:58:49       #12 0x565093c6a164 in 
doris::pipeline::TaskScheduler::_do_work(int) 
/root/doris/be/src/pipeline/task_scheduler.cpp:138:9
    19:58:49       #13 0x565062529d1d in doris::ThreadPool::dispatch_thread() 
/root/doris/be/src/util/threadpool.cpp:543:24
    19:58:49       #14 0x5650625021ce in std::function<void ()>::operator()() 
const 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:560:9
    19:58:49       #15 0x5650625021ce in doris::Thread::supervise_thread(void*) 
/root/doris/be/src/util/thread.cpp:498:5
    19:58:49       #16 0x7fca1844a608 in start_thread 
/build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    19:58:49       #17 0x7fca186f7132 in __clone 
/build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    19:58:49
    19:58:49   0x60700294b060 is located 16 bytes inside of 80-byte region 
[0x60700294b050,0x60700294b0a0)
    19:58:49   freed by thread T1462 (Pipe_normal [wo) here:
    19:58:49       #0 0x56505dd2f80d in operator delete(void*) 
(/mnt/ssd01/pipline/OpenSourceDoris/clusterEnv/P0/Cluster0/be/lib/doris_be+0x2f79e80d)
 (BuildId: 60cc2a41212f4e75)
    19:58:49       #1 0x565079596a6f in 
std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:702:11
    19:58:49       #2 0x565079596a6f in 
std::__shared_ptr<doris::vectorized::IFunctionBase, 
(__gnu_cxx::_Lock_policy)2>::~__shared_ptr() 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1149:31
    19:58:49       #3 0x565079596a6f in 
std::__shared_ptr<doris::vectorized::IFunctionBase, 
(__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<doris::vectorized::IFunctionBase,
 (__gnu_cxx::_Lock_policy)2>&&) 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr_base.h:1245:2
    19:58:49       #4 0x56507fb89acd in 
std::shared_ptr<doris::vectorized::IFunctionBase>::operator=(std::shared_ptr<doris::vectorized::IFunctionBase>&&)
 
/var/local/ldb-toolchain/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr.h:385:27
    19:58:49       #5 0x56507fb89acd in 
doris::vectorized::FunctionCoalesce::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function_coalesce.cpp:89:30
    19:58:49       #6 0x56507958edfe in 
doris::vectorized::DefaultExecutable::execute_impl(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long) const 
/root/doris/be/src/vec/functions/function.h:463:26
    19:58:49       #7 0x56507dbcbf5c in 
doris::vectorized::PreparedFunctionImpl::_execute_skipped_constant_deal(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp
    19:58:49       #8 0x56507dbc65e3 in 
doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris::FunctionContext*,
 doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:245:12
    19:58:49       #9 0x56507dbc683b in 
doris::vectorized::PreparedFunctionImpl::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.cpp:251:12
    19:58:49       #10 0x56507958c81c in 
doris::vectorized::IFunctionBase::execute(doris::FunctionContext*, 
doris::vectorized::Block&, std::vector<unsigned long, std::allocator<unsigned 
long> > const&, unsigned long, unsigned long, bool) const 
/root/doris/be/src/vec/functions/function.h:194:19
    19:58:49       #11 0x565079578bee in 
doris::vectorized::VectorizedFnCall::_do_execute(doris::vectorized::VExprContext*,
 doris::vectorized::Block*, int*, std::vector<unsigned long, 
std::allocator<unsigned long> >&) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:188:5
    19:58:49       #12 0x56507957a3e4 in 
doris::vectorized::VectorizedFnCall::execute(doris::vectorized::VExprContext*, 
doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vectorized_fn_call.cpp:203:12
    19:58:49       #13 0x56507964994a in 
doris::vectorized::VExprContext::execute(doris::vectorized::Block*, int*) 
/root/doris/be/src/vec/exprs/vexpr_context.cpp:55:5
    19:58:49       #14 0x56508f8d7496 in 
doris::pipeline::OperatorXBase::do_projections(doris::RuntimeState*, 
doris::vectorized::Block*, doris::vectorized::Block*) const 
/root/doris/be/src/pipeline/exec/operator.cpp:294:13
    19:58:49       #15 0x56508f8d96ba in 
doris::pipeline::OperatorXBase::get_block_after_projects(doris::RuntimeState*, 
doris::vectorized::Block*, bool*) 
/root/doris/be/src/pipeline/exec/operator.cpp:335:18
    19:58:49       #16 0x565093c2560b in 
doris::pipeline::PipelineTask::execute(bool*) 
/root/doris/be/src/pipeline/pipeline_task.cpp:374:13
    ```
---
 be/src/vec/functions/function_coalesce.cpp | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/be/src/vec/functions/function_coalesce.cpp 
b/be/src/vec/functions/function_coalesce.cpp
index d3450e97e98..c461b260ab8 100644
--- a/be/src/vec/functions/function_coalesce.cpp
+++ b/be/src/vec/functions/function_coalesce.cpp
@@ -56,7 +56,6 @@ class FunctionCoalesce : public IFunction {
 public:
     static constexpr auto name = "coalesce";
 
-    mutable DataTypePtr result_type;
     mutable FunctionBasePtr func_is_not_null;
 
     static FunctionPtr create() { return std::make_shared<FunctionCoalesce>(); 
}
@@ -70,26 +69,25 @@ public:
     size_t get_number_of_arguments() const override { return 0; }
 
     DataTypePtr get_return_type_impl(const DataTypes& arguments) const 
override {
+        DataTypePtr res;
         for (const auto& arg : arguments) {
             if (!arg->is_nullable()) {
-                result_type = arg;
+                res = arg;
                 break;
             }
         }
 
-        result_type = result_type ? result_type : arguments[0];
-        return result_type;
+        res = res ? res : arguments[0];
+
+        const ColumnsWithTypeAndName is_not_null_col {{nullptr, 
make_nullable(res), ""}};
+        func_is_not_null = SimpleFunctionFactory::instance().get_function(
+                "is_not_null_pred", is_not_null_col, 
std::make_shared<DataTypeUInt8>());
+
+        return res;
     }
 
     Status execute_impl(FunctionContext* context, Block& block, const 
ColumnNumbers& arguments,
                         size_t result, size_t input_rows_count) const override 
{
-        if (!func_is_not_null) [[unlikely]] {
-            const ColumnsWithTypeAndName is_not_null_col {
-                    {nullptr, make_nullable(result_type), ""}};
-            func_is_not_null = SimpleFunctionFactory::instance().get_function(
-                    "is_not_null_pred", is_not_null_col, 
std::make_shared<DataTypeUInt8>(),
-                    {.enable_decimal256 = 
context->state()->enable_decimal256()});
-        }
         DCHECK_GE(arguments.size(), 1);
         DataTypePtr result_type = block.get_by_position(result).type;
         ColumnNumbers filtered_args;
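Review bot: `get_return_type_impl` is a `const` method that now assigns the `mutable` member `func_is_not_null`, so the unsynchronized write behind the heap-use-after-free has moved out of `execute_impl` rather than been removed. If type resolution can run again on the same `FunctionCoalesce` instance while another thread is inside `execute_impl` (not visible in this hunk), the `shared_ptr` move-assignment would free the old function under a reader, as in the ASan report. I would state the invariant next to the assignment, e.g. `// func_is_not_null is written only here, before any execute_impl call; it must never be reassigned during execution`, or keep the predicate function out of the shared object altogether. The new `get_function` call also drops the `{.enable_decimal256 = context->state()->enable_decimal256()}` argument that the removed code passed, which may change how `is_not_null_pred` resolves for decimal256 inputs and is not mentioned in the description. `execute_impl` continues past the end of the hunk, so the later use of `func_is_not_null` cannot be checked from here.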

