Mryange opened a new pull request, #64944:
URL: https://github.com/apache/doris/pull/64944

   ### What problem does this PR solve?
   
   
   `ColumnNullable::update_crc32c_batch()` normalized nullable fixed-width nested columns by mutating `_nested_column` in a logically const hash path. The mutation replaces NULL rows with default nested values before calling the non-null nested crc32c hash routine, which keeps the intended hash semantics, but it also changes the source column object while other readers may still access the same block.
   
   Root cause: `update_crc32c_batch()` moved/mutated the nested column and wrote it back to `ColumnNullable::_nested_column`. When the same nullable column is read concurrently by another path such as `insert_indices_from()`, the old nested column or its raw data can be released while it is still being read.
   
   A focused BEUT can reproduce the problem before this fix:
   
   ```text
   ==2227142==ERROR: AddressSanitizer: heap-use-after-free
   READ of size 4
       #0 doris::ColumnVector<(doris::PrimitiveType)5>::insert_indices_from(...)
          be/ut_build_ASAN/../src/core/column/column_vector.cpp:369:21
       #1 doris::ColumnVector<(doris::PrimitiveType)5>::insert_indices_from(...)
          be/ut_build_ASAN/../src/core/column/column_vector.cpp:373:5
       #2 doris::ColumnNullable::insert_indices_from(...)
          be/ut_build_ASAN/../src/core/column/column_nullable.cpp:378:25
   
   freed by thread T18 here:
       #12 doris::ColumnNullable::update_crc32c_batch(unsigned int*, unsigned char const*) const
           be/ut_build_ASAN/../src/core/column/column_nullable.cpp:194:86
   
   SUMMARY: AddressSanitizer: heap-use-after-free
   ```
   
   This PR keeps the crc32c hash result unchanged by normalizing a private nested-column copy for hashing. The source `ColumnNullable` object is no longer modified by the const hash method, so concurrent readers do not observe a replaced or freed nested column.
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test <!-- At least one of them must be included. -->
       - [ ] Regression test
       - [ ] Unit Test
       - [ ] Manual test (add detailed scripts or steps below)
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason <!-- Add your reason?  -->
   
   - Behavior changed:
       - [ ] No.
       - [ ] Yes. <!-- Explain the behavior change -->
   
   - Does this need documentation?
       - [ ] No.
       - [ ] Yes. <!-- Add document PR link here. eg: https://github.com/apache/doris-website/pull/1214 -->
   
   ### Check List (For Reviewer who merge this PR)
   
   - [ ] Confirm the release note
   - [ ] Confirm test cases
   - [ ] Confirm document
   - [ ] Add branch pick label <!-- Add branch pick label that this PR should merge into -->
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
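
The before/after shape described in this PR, as an added example that is not part of the PR or of Apache Doris: a simplified nullable int32 column whose const hash routine either writes the normalized buffer back or normalizes a private copy. `NullableInt32`, `hash_mutating`, `hash_private_copy` and `run` are hypothetical names, the bitwise CRC32C and the default value 0 for NULL rows are assumptions, and a `weak_ptr` stands in for a concurrent reader's view of the buffer.

```cpp
// Added example: a simplified model, not Apache Doris code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>
using Buf = std::vector<int32_t>;

// Bitwise CRC32C (Castagnoli, reflected polynomial 0x82F63B78).
static uint32_t crc32c(uint32_t crc, const void* data, size_t len) {
    const auto* p = static_cast<const unsigned char*>(data);
    crc = ~crc;
    for (size_t i = 0; i < len; ++i) {
        crc ^= p[i];
        for (int k = 0; k < 8; ++k) crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

struct NullableInt32 {
    mutable std::shared_ptr<Buf> nested;  // mutable, so a const method can swap it
    std::vector<uint8_t> null_map;        // 1 = NULL row
    static void normalize_and_hash(Buf& v, const std::vector<uint8_t>& nulls, uint32_t* h) {
        for (size_t i = 0; i < v.size(); ++i) {
            if (nulls[i]) v[i] = 0;  // NULL row -> assumed default value 0
            h[i] = crc32c(h[i], &v[i], sizeof(int32_t));
        }
    }
    // "Before" shape: writes the normalized buffer back, releasing the old one under any reader.
    void hash_mutating(uint32_t* h) const {
        auto replaced = std::make_shared<Buf>(*nested);
        normalize_and_hash(*replaced, null_map, h);
        nested = replaced;  // source object changed inside a const method
    }
    // "After" shape: only a private copy is normalized; the source is untouched.
    void hash_private_copy(uint32_t* h) const {
        Buf scratch(*nested);
        normalize_and_hash(scratch, null_map, h);
    }
};

struct Result { bool reader_buffer_alive; std::vector<uint32_t> hashes; };
// Hash constructed rows {7, NULL, 3}; the weak_ptr stands in for a concurrent reader's view.
static Result run(bool private_copy) {
    NullableInt32 col{std::make_shared<Buf>(Buf{7, 99, 3}), {0, 1, 0}};
    std::weak_ptr<Buf> seen = col.nested;
    std::vector<uint32_t> h(3, 0);
    if (private_copy) col.hash_private_copy(h.data()); else col.hash_mutating(h.data());
    return {!seen.expired(), h};
}
int main() { return run(true).reader_buffer_alive && !run(false).reader_buffer_alive ? 0 : 1; }
```

Both shapes produce the same per-row hashes; only the private-copy shape leaves the buffer observed before hashing alive afterwards.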

