GH-50140: [C++][Gandiva] Fix castVARCHAR(decimal128) native memory corruption / SIGSEGV on allocation failure#50141
Open
lriggs wants to merge 2 commits into
Open
Conversation
|
|
github-actions
Bot
added
Component: C++
Component: Gandiva
awaiting review
kou
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rationale for this change
The Gandiva
castVARCHAR_decimal128_int64path could corrupt native memory andcrash the process (SIGSEGV) when the output-string arena allocation failed
(e.g.
CAST(decimal AS VARCHAR)under memory pressure). Three independentdefects combined to cause this:
castVARCHARdecimal128 registry entry was missingNativeFunction::kCanReturnErrors, so generated code skipped the error checkand ignored any error the function reported.
gdv_fn_dec_to_stringset the output length to a positive value beforechecking whether the allocation succeeded, then returned
nullptr— leavingthe caller to copy from an invalid buffer with a positive length.
castVARCHAR_decimal128_int64did not validate a negative requested outputlength and did not handle an upstream allocation failure.
What changes are included in this PR?
function_registry_string.cc: AddNativeFunction::kCanReturnErrorsto thecastVARCHARdecimal128entry so the generated code checks for andpropagates errors instead of assuming the function never fails.
gdv_function_stubs.cc(gdv_fn_dec_to_string): Only write the outputlength after a successful allocation. On allocation failure, set
*dec_str_len = 0and return an empty string so callers never copy from aninvalid buffer using a stale, positive length.
precompiled/decimal_wrapper.cc(castVARCHAR_decimal128_int64):(
"Output buffer length can't be negative") instead of using it as a copysize.
gdv_fn_dec_to_stringcall failed, since the error has already been set.tests/decimal_test.cc: AddTestCastVarCharDecimalNegativeLength, aregression test that casts a decimal to varchar with a negative output length
and asserts the query fails gracefully with the expected error message rather
than crashing. This also exercises the
kCanReturnErrorsflag — without it theerror would not propagate and the test would fail.
Behavior change
Queries such as
CAST(decimal AS VARCHAR)that previously crashed the process(SIGSEGV) under memory pressure now fail gracefully with an error message about
the allocation failure / invalid length, and the rest of the system is
unaffected.
Are these changes tested?
Yes, unit tests.
Are there any user-facing changes?
No.