ORC-2123: [C++] Fix heap-use-after-free in ORC SearchArgument rewriteLeaves

hubgeter · wgtmac · commit dff5e92d304c · 2026-03-12T17:51:58.000+08:00
### What changes were proposed in this pull request? This PR aims to fix heap-use-after-free in ORC SearchArgument rewriteLeaves. ### Why are the changes needed? this is a heap-use-after-free bug. ``` ==1649778==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d0addc552f8 at pc 0x5561f1da808c bp 0x79e18a173b40 sp 0x79e18a173b38 READ of size 8 at 0x7d0addc552f8 thread T621 (rs_normal [work) #0 0x5561f1da808b in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__shared_count<(__gnu_cxx::_Lock_policy)2> const&) /mnt/disk2/tengjianping/local/ldb_toolchain/bin/../lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/shared_ptr_base.h:1073:19 #1 0x55622c94b9ce in std::__shared_ptr<orc::ExpressionTree, (__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__shared_ptr<orc::ExpressionTree, (__gnu_cxx::_Lock_policy)2> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e99ce) #2 0x55622c94849c in std::shared_ptr<orc::ExpressionTree>::shared_ptr(std::shared_ptr<orc::ExpressionTree> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e649c) #3 0x55622c94d976 in std::__detail::_Hash_node<std::shared_ptr<orc::ExpressionTree>, false>* std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::shared_ptr<orc::ExpressionTree>, false>>>::_M_allocate_node<std::shared_ptr<orc::ExpressionTree> const&>(std::shared_ptr<orc::ExpressionTree> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb976) #4 0x55622c94d7cb in std::pair<std::__detail::_Node_iterator<std::shared_ptr<orc::ExpressionTree>, true, false>, bool> std::_Hashtable<std::shared_ptr<orc::ExpressionTree>, std::shared_ptr<orc::ExpressionTree>, std::allocator<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Identity, std::equal_to<std::shared_ptr<orc::ExpressionTree>>, std::hash<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, true, true>>::_M_emplace_uniq<std::shared_ptr<orc::ExpressionTree> const&>(std::shared_ptr<orc::ExpressionTree> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb7cb) #5 0x55622c94d62c in std::_Hashtable<std::shared_ptr<orc::ExpressionTree>, std::shared_ptr<orc::ExpressionTree>, std::allocator<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Identity, std::equal_to<std::shared_ptr<orc::ExpressionTree>>, std::hash<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, true, true>>::insert(std::shared_ptr<orc::ExpressionTree> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb62c) #6 0x55622c94d3dc in std::unordered_set<std::shared_ptr<orc::ExpressionTree>, std::hash<std::shared_ptr<orc::ExpressionTree>>, std::equal_to<std::shared_ptr<orc::ExpressionTree>>, std::allocator<std::shared_ptr<orc::ExpressionTree>>>::insert(std::shared_ptr<orc::ExpressionTree> const&) (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb3dc) #7 0x55622c947db0 in orc::rewriteLeaves(std::shared_ptr<orc::ExpressionTree>, unsigned long*) SearchArgument.cc #8 0x55622c947809 in orc::SearchArgumentBuilderImpl::build() (/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e5809) ``` ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? NO Closes #2572 from hubgeter/fix_orc_core. Authored-by: daidai <changyuwei@selectdb.com> Signed-off-by: Gang Wu <ustcwg@gmail.com>
diff --git a/c++/src/sargs/SearchArgument.cc b/c++/src/sargs/SearchArgument.cc
@@ -315,7 +315,6 @@ namespace orc {
     // Perform BFS
     while (!nodes.empty()) {
       TreeNode& node = nodes.front();
-      nodes.pop_front();
 
       if (node->getOperator() == ExpressionTree::Operator::LEAF) {
         leaves.insert(node);
@@ -324,6 +323,7 @@ namespace orc {
           nodes.push_back(child);
         }
       }
+      nodes.pop_front();
     }
 
     // Update the leaf in place

Original file line number	Diff line number	Diff line change
`@@ -315,7 +315,6 @@ namespace orc {`
`315`	`315`	`// Perform BFS`
`316`	`316`	`while (!nodes.empty()) {`
`317`	`317`	`TreeNode& node = nodes.front();`
`318`		`- nodes.pop_front();`
`319`	`318`
`320`	`319`	`if (node->getOperator() == ExpressionTree::Operator::LEAF) {`
`321`	`320`	`leaves.insert(node);`
`@@ -324,6 +323,7 @@ namespace orc {`
`324`	`323`	`nodes.push_back(child);`
`325`	`324`	`}`
`326`	`325`	`}`
	`326`	`+ nodes.pop_front();`
`327`	`327`	`}`
`328`	`328`
`329`	`329`	`// Update the leaf in place`