amorynan opened a new pull request, #37936:
URL: https://github.com/apache/doris/pull/37936
If a nested type (map/array/struct) is selected after a large string column, the reserve() call made for the string value in MysqlRowBuffer can leave the buffer too small for what follows. The nested type's open_dynamic_mode then advances the _pos pointer past the end of mysql_row_buf, and when the nested type subsequently calls push_string, reserve() copies from that out-of-range position and triggers a heap-buffer-overflow. The ASan report below shows the overflow as a 36541-byte READ starting 0 bytes past a 36538-byte region that was allocated by reserve() during the string serde's push_string.
```
==200769==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62d0051c12ba at pc 0x55a77788692d bp 0x7fb52f474a30 sp 0x7fb52f4741f8
READ of size 36541 at 0x62d0051c12ba thread T2309 (Pipe_normal [wo)
#0 0x55a77788692c in __asan_memcpy
(/mnt/disk1/wangqiannan/amory/doris/output/be/lib/doris_be+0x60c1c92c)
(BuildId: 4513940b6b9e22fa)
#1 0x55a7a1f622fa in doris::MysqlRowBuffer<false>::reserve(long)
/mnt/disk1/wangqiannan/amory/doris/be/src/util/mysql_row_buffer.cpp:140:5
#2 0x55a7a1f638eb in doris::MysqlRowBuffer<false>::push_string(char
const*, long)
/mnt/disk1/wangqiannan/amory/doris/be/src/util/mysql_row_buffer.cpp:473:5
#3 0x55a7a21f16eb in doris::Status
doris::vectorized::DataTypeMapSerDe::_write_column_to_mysql<false>(doris::vectorized::IColumn
const&, doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_map_serde.cpp:410:21
#4 0x55a7a21e4c1e in
doris::vectorized::DataTypeMapSerDe::write_column_to_mysql(doris::vectorized::IColumn
const&, doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_map_serde.cpp:478:12
#5 0x55a7a22070e6 in doris::Status
doris::vectorized::DataTypeNullableSerDe::_write_column_to_mysql<false>(doris::vectorized::IColumn
const&, doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_nullable_serde.cpp:300:9
#6 0x55a7a21fbc5e in
doris::vectorized::DataTypeNullableSerDe::write_column_to_mysql(doris::vectorized::IColumn
const&, doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_nullable_serde.cpp:317:12
#7 0x55a7c2e97e6c in
doris::vectorized::VMysqlResultWriter<false>::write(doris::RuntimeState*,
doris::vectorized::Block&)
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/sink/vmysql_result_writer.cpp:216:17
#8 0x55a7c8031b83 in
doris::pipeline::ResultSinkOperatorX::sink(doris::RuntimeState*,
doris::vectorized::Block*, bool)
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/exec/result_sink_operator.cpp:142:5
#9 0x55a7c99a81d6 in
doris::pipeline::PipelineTask::execute(bool*)::$_1::operator()() const
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/pipeline_task.cpp:361:38
#10 0x55a7c99a4b27 in doris::pipeline::PipelineTask::execute(bool*)
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/pipeline_task.cpp:364:22
#11 0x55a7c9a23a2b in doris::pipeline::TaskScheduler::_do_work(unsigned
long)
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/task_scheduler.cpp:138:9
#12 0x55a7c9a269ca in
doris::pipeline::TaskScheduler::start()::$_0::operator()() const
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/task_scheduler.cpp:64:9
#13 0x55a7c9a2694e in void std::__invoke_impl<void,
doris::pipeline::TaskScheduler::start()::$_0&>(std::__invoke_other,
doris::pipeline::TaskScheduler::start()::$_0&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#14 0x55a7c9a268ae in std::enable_if<is_invocable_r_v<void,
doris::pipeline::TaskScheduler::start()::$_0&>, void>::type
std::__invoke_r<void,
doris::pipeline::TaskScheduler::start()::$_0&>(doris::pipeline::TaskScheduler::start()::$_0&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:111:2
#15 0x55a7c9a26635 in std::_Function_handler<void (),
doris::pipeline::TaskScheduler::start()::$_0>::_M_invoke(std::_Any_data const&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:291:9
#16 0x55a777b226da in std::function<void ()>::operator()() const
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:560:9
#17 0x55a77e95ec94 in doris::FunctionRunnable::run()
/mnt/disk1/wangqiannan/amory/doris/be/src/util/threadpool.cpp:48:27
#18 0x55a77e941015 in doris::ThreadPool::dispatch_thread()
/mnt/disk1/wangqiannan/amory/doris/be/src/util/threadpool.cpp:543:24
#19 0x55a77e97eb23 in void std::__invoke_impl<void, void
(doris::ThreadPool::*&)(), doris::ThreadPool*&>(std::__invoke_memfun_deref,
void (doris::ThreadPool::*&)(), doris::ThreadPool*&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14
#20 0x55a77e97e928 in std::__invoke_result<void
(doris::ThreadPool::*&)(), doris::ThreadPool*&>::type std::__invoke<void
(doris::ThreadPool::*&)(), doris::ThreadPool*&>(void (doris::ThreadPool::*&)(),
doris::ThreadPool*&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#21 0x55a77e97e860 in void std::_Bind<void (doris::ThreadPool::*
(doris::ThreadPool*))()>::__call<void, 0ul>(std::tuple<>&&,
std::_Index_tuple<0ul>)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:420:11
#22 0x55a77e97e655 in void std::_Bind<void (doris::ThreadPool::*
(doris::ThreadPool*))()>::operator()<void>()
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:503:17
#23 0x55a77e97e54e in void std::__invoke_impl<void, std::_Bind<void
(doris::ThreadPool::* (doris::ThreadPool*))()>&>(std::__invoke_other,
std::_Bind<void (doris::ThreadPool::* (doris::ThreadPool*))()>&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#24 0x55a77e97e48e in std::enable_if<is_invocable_r_v<void,
std::_Bind<void (doris::ThreadPool::* (doris::ThreadPool*))()>&>, void>::type
std::__invoke_r<void, std::_Bind<void (doris::ThreadPool::*
(doris::ThreadPool*))()>&>(std::_Bind<void (doris::ThreadPool::*
(doris::ThreadPool*))()>&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:111:2
#25 0x55a77e97dd85 in std::_Function_handler<void (), std::_Bind<void
(doris::ThreadPool::* (doris::ThreadPool*))()>>::_M_invoke(std::_Any_data
const&)
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:291:9
#26 0x55a777b226da in std::function<void ()>::operator()() const
/mnt/disk1/wangqiannan/tool/ldb_toolchain_16/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:560:9
#27 0x55a77e8fb841 in doris::Thread::supervise_thread(void*)
/mnt/disk1/wangqiannan/amory/doris/be/src/util/thread.cpp:498:5
#28 0x7fc1c3a111c9 in start_thread (/lib64/libpthread.so.0+0x81c9)
(BuildId: 823fccea3475e5870a4167dfe47df20e53222db0)
#29 0x7fc1c4400e72 in clone (/lib64/libc.so.6+0x39e72) (BuildId:
ec3d7025354f1f1985831ff08ef0eb3b50aefbce)
0x62d0051c12ba is located 0 bytes after 36538-byte region
[0x62d0051b8400,0x62d0051c12ba)
allocated by thread T2309 (Pipe_normal [wo) here:
#0 0x55a7778c20bd in operator new[](unsigned long)
(/mnt/disk1/wangqiannan/amory/doris/output/be/lib/doris_be+0x60c580bd)
(BuildId: 4513940b6b9e22fa)
#1 0x55a7a1f621c1 in doris::MysqlRowBuffer<false>::reserve(long)
/mnt/disk1/wangqiannan/amory/doris/be/src/util/mysql_row_buffer.cpp:137:21
#2 0x55a7a1f638eb in doris::MysqlRowBuffer<false>::push_string(char
const*, long)
/mnt/disk1/wangqiannan/amory/doris/be/src/util/mysql_row_buffer.cpp:473:5
#3 0x55a7a1fd0d75 in doris::Status
doris::vectorized::DataTypeStringSerDeBase<doris::vectorized::ColumnStr<unsigned
int>>::_write_column_to_mysql<false>(doris::vectorized::IColumn const&,
doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_string_serde.h:260:16
#4 0x55a7a1fccc1e in
doris::vectorized::DataTypeStringSerDeBase<doris::vectorized::ColumnStr<unsigned
int>>::write_column_to_mysql(doris::vectorized::IColumn const&,
doris::MysqlRowBuffer<false>&, int, bool,
doris::vectorized::DataTypeSerDe::FormatOptions const&) const
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/data_types/serde/data_type_string_serde.h:215:16
#5 0x55a7c2e97e6c in
doris::vectorized::VMysqlResultWriter<false>::write(doris::RuntimeState*,
doris::vectorized::Block&)
/mnt/disk1/wangqiannan/amory/doris/be/src/vec/sink/vmysql_result_writer.cpp:216:17
#6 0x55a7c8031b83 in
doris::pipeline::ResultSinkOperatorX::sink(doris::RuntimeState*,
doris::vectorized::Block*, bool)
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/exec/result_sink_operator.cpp:142:5
#7 0x55a7c99a81d6 in
doris::pipeline::PipelineTask::execute(bool*)::$_1::operator()() const
/mnt/disk1/wangqiannan/amory/doris/be/src/pipeline/pipeline_task.cpp:361:38
```
## Proposed changes
Issue Number: close #xxx
<!--Describe your changes.-->