[Java] Incorrect getBufferSize for a dense union vector #38242

wotbrew · 2023-10-12T10:58:41Z

Describe the bug, including details regarding any error messages, version, and platform.

DenseUnionVector.getBufferSizeFor takes a count parameter. My expectation is the count represents the number of elements in the union you wish to account for.

However, that count is passed directly to internalStruct.getBufferSizeFor, which I suspect is a bug.

This is because struct fields normally have the same valueCount, but this is not likely true when used in a union. If your children have different lengths:

for fixed vectors, you will calculate the size of the leg contents incorrectly
dynamic vectors like VarBinary may require reading buffer contents to find the data size, potentially causing an out-of-bounds dereference

Observed on 13.0.0 and 12.0.1.

Repro:

package org.apache.arrow.vector.complex;

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Arrays;
import java.util.List;

import org.apache.arrow.memory.BoundsChecking;
import org.apache.arrow.memory.BufferAllocator;
import org.apache.arrow.memory.RootAllocator;
import org.apache.arrow.vector.BaseValueVector;
import org.apache.arrow.vector.complex.DenseUnionVector;
import org.apache.arrow.vector.holders.NullableIntHolder;
import org.apache.arrow.vector.holders.NullableVarBinaryHolder;
import org.apache.arrow.vector.types.UnionMode;
import org.apache.arrow.vector.types.pojo.ArrowType;
import org.apache.arrow.vector.types.pojo.Field;
import org.apache.arrow.vector.types.pojo.FieldType;
import org.junit.jupiter.api.Test;

public class TestDuvBufferCount {
  @Test
  public void testBufferSize() {
    try (BufferAllocator allocator = new RootAllocator();
         DenseUnionVector duv = new DenseUnionVector("duv", allocator,
                 FieldType.nullable(new ArrowType.Union(UnionMode.Dense, null)), null)) {

      List<Field> fields = Arrays.asList(
              new Field("a", FieldType.notNullable(new ArrowType.Int(32, true)), null),
              new Field("b", FieldType.notNullable(new ArrowType.Binary()), null)
      );

      duv.initializeChildrenFromFields(fields);

      NullableIntHolder nih = new NullableIntHolder();
      NullableVarBinaryHolder nvbh = new NullableVarBinaryHolder();

      int ac = BaseValueVector.INITIAL_VALUE_ALLOCATION + 1;
      for (int i = 0; i < ac; i++) {
        duv.setTypeId(i, (byte) 0);
        duv.setSafe(i, nih);
      }

      int bc = 1;
      for (int i = 0; i < bc; i++) {
        duv.setTypeId(i + ac, (byte) 1);
        duv.setSafe(i + ac, nvbh);
      }

      duv.setValueCount(ac + bc);

      // will not necessarily see an error unless bounds checking is on.
      assertTrue(BoundsChecking.BOUNDS_CHECKING_ENABLED);
      assertDoesNotThrow(duv::getBufferSize);
    }
  }
}

Component(s)

Java

The text was updated successfully, but these errors were encountered:

Fixes apache#38242

…ufferSizeFor (apache#38242)

…UV getBufferSizeFor (apache#38242)

…ionVector#getBufferSizeFor (#38305) ### What changes are included in this PR? Fix incorrect implementation of `DenseUnionVector.getBufferSizeFor`. Sum the type id counts before calling `getBufferSizeFor` on the union's child vectors. ### Are these changes tested? Yes. A test verifies the OOB read (requires bounds check), and an example count is correct, fails as expected before fix. **This PR contains a "Critical Fix".** For users of DenseUnionVector the size can calculated incorrectly, as well as cause of out-of-bounds buffer reads which may return garbage (or potentially segfaulting) if bounds checking is off. * Closes: #38242 Authored-by: Dan Stone <[email protected]> Signed-off-by: Antoine Pitrou <[email protected]>

…enseUnionVector#getBufferSizeFor (apache#38305) ### What changes are included in this PR? Fix incorrect implementation of `DenseUnionVector.getBufferSizeFor`. Sum the type id counts before calling `getBufferSizeFor` on the union's child vectors. ### Are these changes tested? Yes. A test verifies the OOB read (requires bounds check), and an example count is correct, fails as expected before fix. **This PR contains a "Critical Fix".** For users of DenseUnionVector the size can calculated incorrectly, as well as cause of out-of-bounds buffer reads which may return garbage (or potentially segfaulting) if bounds checking is off. * Closes: apache#38242 Authored-by: Dan Stone <[email protected]> Signed-off-by: Antoine Pitrou <[email protected]>

wotbrew added the Type: bug label Oct 12, 2023

github-actions bot added the Component: Java label Oct 12, 2023

wotbrew changed the title ~~Incorrect getBufferSize for a dense union vector with (non-fixed) legs of different lengths.~~ Incorrect getBufferSize for a dense union vector Oct 12, 2023

wotbrew mentioned this issue Oct 12, 2023

Indexer uses new :bytes-per-chunk option xtdb/xtdb#2820

Closed

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

Fix incorrect internal struct accounting for DUV getBufferSizeFor

1f64a00

Fixes apache#38242

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

Fix incorrect internal struct accounting for DUV getBufferSizeFor

99b8ed8

Fixes apache#38242

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

apacheGH-38242: Fix incorrect internal struct accounting for DUV getB…

cd76cfe

…ufferSizeFor (apache#38242)

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

e31875e

…UV getBufferSizeFor (apache#38242)

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

1d115bd

…UV getBufferSizeFor (apache#38242)

wotbrew mentioned this issue Oct 17, 2023

GH-38242: [Java] Fix incorrect internal struct accounting for DenseUnionVector#getBufferSizeFor #38305

Merged

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

12c9d04

…UV getBufferSizeFor (apache#38242)

github-actions bot assigned wotbrew Oct 17, 2023

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 17, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

bb8d171

…UV getBufferSizeFor (apache#38242)

wotbrew changed the title ~~Incorrect getBufferSize for a dense union vector~~ [Java] Incorrect getBufferSize for a dense union vector Oct 17, 2023

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 20, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

d1a13b1

…UV getBufferSizeFor (apache#38242)

wotbrew added a commit to wotbrew/arrow that referenced this issue Oct 20, 2023

apacheGH-38242: [Java] Fix incorrect internal struct accounting for D…

680578a

…UV getBufferSizeFor (apache#38242)

pitrou closed this as completed in #38305 Oct 23, 2023

pitrou added this to the 15.0.0 milestone Oct 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Java] Incorrect getBufferSize for a dense union vector #38242

[Java] Incorrect getBufferSize for a dense union vector #38242

wotbrew commented Oct 12, 2023 •

edited

Loading

[Java] Incorrect getBufferSize for a dense union vector #38242

[Java] Incorrect getBufferSize for a dense union vector #38242

Comments

wotbrew commented Oct 12, 2023 • edited Loading

Describe the bug, including details regarding any error messages, version, and platform.

Component(s)

wotbrew commented Oct 12, 2023 •

edited

Loading