(doris) branch master updated: [Fix](mow) Fix potential use after free in `CalcDeleteBitmapToken` (#59920)

Thu, 15 Jan 2026 18:53:39 -0800 

This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new fbcca5ecc6e [Fix](mow) Fix potential use after free in 
`CalcDeleteBitmapToken` (#59920)
fbcca5ecc6e is described below

commit fbcca5ecc6e3e1b8ab44cee8a8e73d36b8c63270
Author: bobhan1 <[email protected]>
AuthorDate: Fri Jan 16 10:53:24 2026 +0800

    [Fix](mow) Fix potential use after free in `CalcDeleteBitmapToken` (#59920)
    
    ### What problem does this PR solve?
    When `BaseBetaRowsetWriter` is destructed(this may happen when the load
    is canceled) before the execution of the task submitted to thread pool,
    the task may encounter coredump due to use after free.
    ```
    (gdb) bt
    #0  __GI___pthread_sigmask (how=2, newmask=<optimized out>, oldmask=0x0) at 
./nptl/pthread_sigmask.c:43
    #1  0x00007fa1d0c1171e in PosixSignals::chained_handler(int, siginfo*, 
void*) [clone .part.0] () from 
/usr/lib/jvm/java-17-openjdk-amd64/lib/server/libjvm.so
    #2  0x00007fa1d0c12206 in JVM_handle_linux_signal () from 
/usr/lib/jvm/java-17-openjdk-amd64/lib/server/libjvm.so
    #3  <signal handler called>
    #4  doris::TUniqueId::TUniqueId (this=0x7f99955f2208, other51=...) at 
/home/zcp/repo_center/doris_branch-4.0/doris/gensrc/build/gen_cpp/Types_types.cpp:2571
    #5  0x00005653d14008ca in doris::AttachTask::init (rc=..., this=<optimized 
out>) at 
/home/zcp/repo_center/doris_branch-4.0/doris/be/src/runtime/thread_context.cpp:29
    #6  doris::AttachTask::AttachTask (this=<optimized out>, rc=...) at 
/home/zcp/repo_center/doris_branch-4.0/doris/be/src/runtime/thread_context.cpp:34
    #7  0x00005653d0d05087 in 
doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}::operator()()
 const (this=0x7f9cdf302500)
        at 
/home/zcp/repo_center/doris_branch-4.0/doris/be/src/olap/calc_delete_bitmap_executor.h:74
    #8  std::__invoke_impl<void, 
doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}&>(std::__invoke_other,
 
doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}&)
 (__f=...)
        at 
/usr/local/ldb-toolchain-v0.26/bin/../lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/invoke.h:63
    #9  std::__invoke_r<void, 
doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}&>(doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}&)
 (__fn=...) at 
/usr/local/ldb-toolchain-v0.26/bin/../lib/gcc/x86_64-pc-linux-gnu/15/incl [...]
    #10 std::_Function_handler<void (), 
doris::CalcDeleteBitmapToken::submit_func<doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0>(doris::BaseBetaRowsetWriter::_generate_delete_bitmap(int)::$_0&&)::{lambda()#1}>::_M_invoke(std::_Any_data
 const&) (
        __functor=...) at 
/usr/local/ldb-toolchain-v0.26/bin/../lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/std_function.h:292
    #11 0x00005653d16392e5 in doris::ThreadPool::dispatch_thread 
(this=0x7fa120d9af00) at 
/home/zcp/repo_center/doris_branch-4.0/doris/be/src/util/threadpool.cpp:616
    #12 0x00005653d162e38c in std::function<void ()>::operator()() const 
(this=0x7f99955f2208) at 
/usr/local/ldb-toolchain-v0.26/bin/../lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/std_function.h:593
    #13 doris::Thread::supervise_thread (arg=0x7fa0c0049110) at 
/home/zcp/repo_center/doris_branch-4.0/doris/be/src/util/thread.cpp:460
    #14 0x00007fa1cfcacac3 in start_thread (arg=<optimized out>) at 
./nptl/pthread_create.c:442
    #15 0x00007fa1cfd3e850 in clone3 () at 
../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    ```
    
    ### Release note
    
    None
    
    ### Check List (For Author)
    
    - Test <!-- At least one of them must be included. -->
        - [ ] Regression test
        - [ ] Unit Test
        - [ ] Manual test (add detailed scripts or steps below)
        - [ ] No need to test or manual test. Explain why:
    - [ ] This is a refactor/code format and no logic has been changed.
            - [ ] Previous test can cover this change.
            - [ ] No code files have been changed.
            - [ ] Other reason <!-- Add your reason?  -->
    
    - Behavior changed:
        - [ ] No.
        - [ ] Yes. <!-- Explain the behavior change -->
    
    - Does this need documentation?
        - [ ] No.
    - [ ] Yes. <!-- Add document PR link here. eg:
    https://github.com/apache/doris-website/pull/1214 -->
    
    ### Check List (For Reviewer who merge this PR)
    
    - [ ] Confirm the release note
    - [ ] Confirm test cases
    - [ ] Confirm document
    - [ ] Add branch pick label <!-- Add branch pick label that this PR
    should merge into -->
---
 be/src/olap/rowset/beta_rowset_writer.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/be/src/olap/rowset/beta_rowset_writer.cpp 
b/be/src/olap/rowset/beta_rowset_writer.cpp
index 6a99f1d447b..b27094eb337 100644
--- a/be/src/olap/rowset/beta_rowset_writer.cpp
+++ b/be/src/olap/rowset/beta_rowset_writer.cpp
@@ -285,6 +285,9 @@ BaseBetaRowsetWriter::~BaseBetaRowsetWriter() {
                           fmt::format("Failed to delete file={}", seg_path));
         }
     }
+    if (_calc_delete_bitmap_token) {
+        _calc_delete_bitmap_token->cancel();
+    }
 }
 
 BetaRowsetWriter::~BetaRowsetWriter() {
@@ -293,10 +296,6 @@ BetaRowsetWriter::~BetaRowsetWriter() {
      * is cancelled, the objects involved in the job should be preserved 
during segcompaction to
      * avoid crashs for memory issues. */
     WARN_IF_ERROR(_wait_flying_segcompaction(), "segment compaction failed");
-
-    if (_calc_delete_bitmap_token != nullptr) {
-        _calc_delete_bitmap_token->cancel();
-    }
 }
 
 Status BaseBetaRowsetWriter::init(const RowsetWriterContext& 
rowset_writer_context) {


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to