GitHub user rsaavedraf opened a pull request:

    https://github.com/apache/lucene-solr/pull/411

    Debugging PriorityQueue.java

    The change I'm proposing eliminates a problem by properly checking the
    validity of maxSize itself, before even computing heapSize=maxSize+1.

    In the constructor, when maxSize has a value == Integer.MAX_VALUE, then
    heapSize = maxSize+1 ends up being negative, more exactly -2147483648 (aka.
    Integer.MIN_VALUE.)  This is quite a bug because then the if statement checking
    that heapSize was larger than ArrayUtil.MAX_ARRAY_LENGTH ends up false, so the
    IllegalArgumentException is never thrown. Yet the code in PriorityQueue.java
    fails immediately afterwards when reaching "new Object[heapSize]" because of
    heapSize being negative, causing a NegativeArraySize exception.

    We saw this problem with our software which was using Solr 6.6.2.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rsaavedraf/lucene-solr patch-1

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/lucene-solr/pull/411.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #411
    
----
commit b9a1168f2d1fcf82d6bdec2ff329462638d63bb1
Author: rsaavedraf <40606625+rsaavedraf@...>
Date:   2018-06-26T19:14:19Z

    Debugging PriorityQueue.java
    
    The change I'm proposing eliminates a problem by properly checking the
    validity of maxSize itself, before even computing heapSize=maxSize+1.
    In the constructor, when maxSize has a value == Integer.MAX_VALUE, then
    heapSize = maxSize+1 ends up being negative, more exactly -2147483648 (aka.
    Integer.MIN_VALUE.)  This is quite a bug because then the if statement checking
    that heapSize was larger than ArrayUtil.MAX_ARRAY_LENGTH-1 ends up false, so
    the IllegalArgumentException is never thrown. Yet the code fails immediately
    afterwards when reaching "new Object[heapSize]" because of heapSize being
    negative, causing a NegativeArraySize exception.
    We saw this problem with our software which was using Solr 6.6.2.

----
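
The ordering problem described in the pull request, as an added stand-alone example (not code from the pull request or from Lucene). The class and method names are hypothetical, the `MAX_ARRAY_LENGTH` constant is a stand-in whose value is assumed, and the `Math.addExact` variant is an alternative guard that the pull request does not mention.

```java
import java.util.function.IntUnaryOperator;

public class HeapSizeCheck {
    // Stand-in for ArrayUtil.MAX_ARRAY_LENGTH; this value is an assumption of the example.
    static final int MAX_ARRAY_LENGTH = Integer.MAX_VALUE - 16;

    // Order reported in the description: add first, then test the sum.
    static int checkAfterAdd(int maxSize) {
        int heapSize = maxSize + 1; // int addition wraps silently at Integer.MAX_VALUE
        if (heapSize > MAX_ARRAY_LENGTH) { // a wrapped, negative heapSize passes this test
            throw new IllegalArgumentException("maxSize too large: " + maxSize);
        }
        return heapSize;
    }

    // Order proposed in the pull request: validate maxSize before the addition.
    // Rejecting negative values is an extra check added by this example.
    static int checkBeforeAdd(int maxSize) {
        if (maxSize < 0 || maxSize >= MAX_ARRAY_LENGTH) {
            throw new IllegalArgumentException("maxSize out of range: " + maxSize);
        }
        return maxSize + 1; // cannot wrap: maxSize < MAX_ARRAY_LENGTH < Integer.MAX_VALUE
    }

    // Alternative: keep the original order but let Math.addExact detect the wrap.
    static int checkWithAddExact(int maxSize) {
        int heapSize = Math.addExact(maxSize, 1); // throws ArithmeticException on overflow
        if (heapSize > MAX_ARRAY_LENGTH) {
            throw new IllegalArgumentException("maxSize too large: " + maxSize);
        }
        return heapSize;
    }

    // Runs one check, then the allocation, and reports what happened.
    static String outcome(IntUnaryOperator check, int maxSize) {
        try {
            return "allocated Object[" + new Object[check.applyAsInt(maxSize)].length + "]";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        for (int maxSize : new int[] {10, Integer.MAX_VALUE}) { // constructed inputs
            System.out.println("maxSize=" + maxSize);
            System.out.println("  check after add:  " + outcome(HeapSizeCheck::checkAfterAdd, maxSize));
            System.out.println("  check before add: " + outcome(HeapSizeCheck::checkBeforeAdd, maxSize));
            System.out.println("  Math.addExact:    " + outcome(HeapSizeCheck::checkWithAddExact, maxSize));
        }
    }
}
```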

