[ https://issues.apache.org/jira/browse/ARROW-13638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17399929#comment-17399929 ]

David Li commented on ARROW-13638:
----------------------------------

{noformat}
(gdb) bt
#0  __cxxabiv1::__dynamic_cast (src_ptr=0x55555a7aea20,
    src_type=0x7fffe9f0efd0 <typeinfo for arrow::compute::FunctionOptions>,
    dst_type=0x7fffe9f0f200 <typeinfo for arrow::compute::ScalarAggregateOptions>, src2dst=0)
    at /home/conda/feedstock_root/build_artifacts/ctng-compilers_1610729750655/work/.build/x86_64-conda-linux-gnu/src/gcc/libstdc++-v3/libsupc++/dyncast.cc:55
#1  0x00007fff6c74080f in arrow::internal::checked_cast<arrow::compute::ScalarAggregateOptions const&, arrow::compute::FunctionOptions const&> (value=...) at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/util/checked_cast.h:38
#2  0x00007fff6c91633e in arrow::compute::internal::(anonymous namespace)::GroupedAnyImpl::Init (this=0x7fff60004b80,
    ctx=0x7fffe9f19e80 <ExecPlan_create(bool)::threaded_context>, options=0x55555a7aea20)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/kernels/hash_aggregate.cc:1769
#3  0x00007fff6c925d49 in arrow::compute::internal::(anonymous namespace)::HashAggregateInit<arrow::compute::internal::(anonymous namespace)::GroupedAnyImpl> (ctx=0x7fff8c6ff170, args=...)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/kernels/hash_aggregate.cc:777
#4  0x00007fff6c7b049d in std::_Function_handler<arrow::Result<std::unique_ptr<arrow::compute::KernelState, std::default_delete<arrow::compute::KernelState> > > (arrow::compute::KernelContext*, arrow::compute::KernelInitArgs const&), arrow::Result<std::unique_ptr<arrow::compute::KernelState, std::default_delete<arrow::compute::KernelState> > > (*)(arrow::compute::KernelContext*, arrow::compute::KernelInitArgs const&)>::_M_invoke(std::_Any_data const&, arrow::compute::KernelContext*&&, arrow::compute::KernelInitArgs const&) (__functor=..., __args#0=@0x7fff8c6ff0c8: 0x7fff8c6ff170, __args#1=...)
    at /home/lidavidm/miniconda3/envs/arrow4/x86_64-conda-linux-gnu/include/c++/9.3.0/bits/std_function.h:286
#5  0x00007fff6c7c201a in std::function<arrow::Result<std::unique_ptr<arrow::compute::KernelState, std::default_delete<arrow::compute::KernelState> > > (arrow::compute::KernelContext*, arrow::compute::KernelInitArgs const&)>::operator()(arrow::compute::KernelContext*, arrow::compute::KernelInitArgs const&) const (this=0x5555562a9d80, __args#0=0x7fff8c6ff170,
    __args#1=...)
    at /home/lidavidm/miniconda3/envs/arrow4/x86_64-conda-linux-gnu/include/c++/9.3.0/bits/std_function.h:688
#6  0x00007fff6c918bc2 in arrow::compute::internal::InitKernels (kernels=...,
    ctx=0x7fffe9f19e80 <ExecPlan_create(bool)::threaded_context>, aggregates=..., in_descrs=...)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/kernels/hash_aggregate.cc:2035
#7  0x00007fff6c7cc52e in arrow::compute::(anonymous namespace)::GroupByNode::InitLocalStateIfNeeded (
    this=0x55555a7aef60, state=0x55555a7ced60)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/exec/aggregate_node.cc:555
#8  0x00007fff6c7ca0d0 in arrow::compute::(anonymous namespace)::GroupByNode::Consume (this=0x55555a7aef60, batch=...)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/exec/aggregate_node.cc:348
#9  0x00007fff6c7cbab8 in arrow::compute::(anonymous namespace)::GroupByNode::InputReceived (this=0x55555a7aef60,
    input=0x55555a796950, seq=0, batch=...)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/exec/aggregate_node.cc:470
#10 0x00007fff6c81032d in arrow::compute::(anonymous namespace)::ProjectNode::InputReceived (this=0x55555a796950,
    input=0x55555a64d630, seq=0, batch=...)
    at /home/lidavidm/Code/upstream/arrow-13627/cpp/src/arrow/compute/exec/project_node.cc:97
{noformat}
So this happens because the GroupByNode initializes thread-local states lazily, after the options have been potentially destructed.

> [R] ExecNode_Aggregate keep_alives aren't kept alive
> ----------------------------------------------------
>
>                 Key: ARROW-13638
>                 URL: https://issues.apache.org/jira/browse/ARROW-13638
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: R
>            Reporter: David Li
>            Priority: Major
>             Fix For: 6.0.0
>
>
> This causes a use-after-free on function options
> [https://github.com/apache/arrow/blob/6f62649392a7e704ad7b730e792b9ba2d62783f6/r/src/compute-exec.cpp#L138-L165]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
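
The lifetime problem described in the comment above, as an added example that is not part of the original message and is not Arrow's code: a node that borrows an options pointer and initializes its state lazily must also hold shared ownership of those options. `Options`, `Aggregate`, `LazyGroupBy`, `MakeNode` and `FirstBatch` are hypothetical stand-ins, and a `weak_ptr` probe detects the dangling case instead of dereferencing it.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins; these are not Arrow's real classes.
struct Options { int min_count = 1; };
struct Aggregate {
  std::string function;
  const Options* options;  // borrowed pointer, as a kernel Init receives it
};

class LazyGroupBy {
 public:
  LazyGroupBy(std::vector<Aggregate> aggs,
              std::vector<std::shared_ptr<Options>> keep_alives)
      : aggs_(std::move(aggs)), keep_alives_(std::move(keep_alives)) {}
  // Runs on the first batch, not at construction, so the borrowed
  // pointer must still be valid at this later point.
  int InitLocalState() const { return aggs_[0].options->min_count; }

 private:
  std::vector<Aggregate> aggs_;
  std::vector<std::shared_ptr<Options>> keep_alives_;  // shared ownership
};

// Models a binding-side factory: the options are created locally and the
// local owner is released as soon as this function returns.
LazyGroupBy MakeNode(bool store_keep_alives, std::weak_ptr<Options>* probe) {
  auto opts = std::make_shared<Options>();
  opts->min_count = 3;  // constructed sample value
  *probe = opts;
  std::vector<Aggregate> aggs;
  aggs.push_back(Aggregate{"hash_any", opts.get()});
  std::vector<std::shared_ptr<Options>> keep;
  if (store_keep_alives) keep.push_back(opts);
  return LazyGroupBy(std::move(aggs), std::move(keep));
}

// Returns the value lazy init reads, or -1 when the options were already
// destroyed (the dangling pointer is detected, never dereferenced).
int FirstBatch(bool store_keep_alives) {
  std::weak_ptr<Options> probe;
  LazyGroupBy node = MakeNode(store_keep_alives, &probe);
  if (probe.expired()) return -1;  // lazy init would read freed memory
  return node.InitLocalState();
}

int main() { return FirstBatch(true) == 3 && FirstBatch(false) == -1 ? 0 : 1; }
```

Building the unguarded variant with `-fsanitize=address` and calling `InitLocalState()` after the owner is gone reports a heap-use-after-free at the dereference.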
