github-actions[bot] commented on code in PR #60192: URL: https://github.com/apache/doris/pull/60192#discussion_r3013226083
########## be/src/exprs/function/array/function_array_combinations.cpp: ########## @@ -0,0 +1,187 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +#include "common/compiler_util.h" +#include "common/status.h" +#include "core/assert_cast.h" +#include "core/column/column_array.h" +#include "core/column/column_const.h" +#include "core/data_type/data_type.h" +#include "core/data_type/data_type_array.h" +#include "core/data_type/data_type_decimal.h" +#include "core/data_type/data_type_nullable.h" +#include "core/types.h" +#include "exprs/function/function.h" +#include "exprs/function/function_helpers.h" +#include "exprs/function/simple_function_factory.h" + +namespace doris { +// array_combinations([1, 2, 3],2) -> [[1,2], [1,3], [2,3]] +// array_combinations([1, NULL, 3, NULL, 5],4) -> [[1,NULL,3,NULL], [1,NULL,3,5], [NULL,3,NULL,5]] + +class FunctionArrayCombinations : public IFunction { +public: + static constexpr auto name = "array_combinations"; + static FunctionPtr create() { return std::make_shared<FunctionArrayCombinations>(); } + bool is_variadic() const override { return false; } + String get_name() const override { return name; } + + size_t get_number_of_arguments() const override { return 2; } + + bool use_default_implementation_for_nulls() const override { return true; } + + DataTypePtr get_return_type_impl(const DataTypes& arguments) const override { + const auto* array_type = assert_cast<const DataTypeArray*>(arguments[0].get()); + auto elem_t = make_nullable(array_type->get_nested_type()); + auto res = std::make_shared<DataTypeArray>( + make_nullable(std::make_shared<DataTypeArray>(elem_t))); + return res; + } + + Status execute_impl(FunctionContext* context, Block& block, const ColumnNumbers& arguments, + uint32_t result, size_t input_rows_count) const override { + auto array = block.get_by_position(arguments[0]).column; + ColumnPtr num = block.get_by_position(arguments[1]).column; + Int64 combination_length = num->get_int(0); + + if (combination_length > MAX_COMBINATION_LENGTH || combination_length < 1) { + return Status::InvalidArgument( + fmt::format("execute failed, function {}'s second argument must be bigger than " + "0 and not bigger than 5", + get_name())); + } + + ColumnPtr res; + const auto* src_arr = assert_cast<const ColumnArray*>(remove_nullable(array).get()); + const auto& offsets = + assert_cast<const ColumnArray::ColumnOffsets&>(src_arr->get_offsets_column()); + Status status = vector_const(src_arr, input_rows_count, res, offsets, combination_length); + if (!status.ok()) { + return status; + } + block.replace_by_position(result, std::move(res)); + return status; + } + + ColumnNumbers get_arguments_that_are_always_constant() const override { return {1}; } + +private: + static const size_t MAX_COMBINATION_LENGTH = 5; + static const size_t MAX_COMBINATION_COUNT = 100000; + + // Then combinationCount(n, k) = combinationCount(n-1, k-1) * n/k (https://en.wikipedia.org/wiki/Combination#Number_of_k-combinations) + // The formula is recursive. Here, instead of starting with k=combinationCount, n=arrayLength and recursing, + // we start with k=0 n=(arrayLength-combinationLength) and proceed "bottom up". + size_t _combination_count(size_t array_length, size_t combination_length) const { + size_t combinations = 1; + + for (size_t i = 1; i <= combination_length; i++) { + combinations = combinations * (array_length - combination_length + i) / i; + } + + return combinations; + } + + ALWAYS_INLINE std::vector<size_t> _first_combination(Int64 combination_length, + size_t length) const { + std::vector<size_t> comb(combination_length + 1); + std::iota(comb.begin(), comb.begin() + combination_length, 0); + comb[combination_length] = length; + return comb; + } + + // Generates the next k-combination in colex order. + // + // scan from the lowest index upward and increment the first + // position that can be increased without breaking the strictly + // increasing invariant. Resetting all lower positions to their + // minimal values ensures the result is the smallest combination + // greater than the current one. + bool _next_combination(std::vector<size_t>& comb, Int64 combination_length) const { + for (size_t i = 0; i < combination_length; ++i) { + if (comb[i] + 1 < comb[i + 1]) { + ++comb[i]; + std::iota(comb.begin(), comb.begin() + i, 0); + return true; + } + } + return false; + } + + Status vector_const(const ColumnArray* nested_src_column_ptr, size_t input_rows_count, + ColumnPtr& res, const ColumnArray::ColumnOffsets& offsets, + Int64 combination_length) const { + const auto& src_data = nested_src_column_ptr->get_data(); + const auto& src_offsets = offsets.get_data(); + + auto inner_data = src_data.clone_empty(); + auto inner_offsets = ColumnArray::ColumnOffsets::create(); + auto inner_arr = ColumnArray::create(std::move(inner_data), std::move(inner_offsets)); + auto* inner = assert_cast<ColumnArray*>(inner_arr.get()); + + auto outer_offsets = ColumnArray::ColumnOffsets::create(); + auto& outer_offsets_data = outer_offsets->get_data(); + outer_offsets_data.resize(input_rows_count); + + size_t prev_off = 0, outer_off = 0; + + for (size_t row = 0; row < input_rows_count; ++row) { + size_t curr_off = src_offsets[row]; + size_t row_len = curr_off - prev_off; + + if (combination_length <= 0 || combination_length > row_len) { + outer_offsets_data[row] = outer_off; + prev_off = curr_off; + continue; + } + Review Comment: **[Minor] Dead code**: `combination_length <= 0` can never be true here because `execute_impl` already validates `combination_length >= 1` before calling `vector_const`. The condition `combination_length > row_len` is the only effective check. Consider removing the dead `<= 0` check or adding a `DCHECK(combination_length >= 1)` before the loop to document the invariant. ########## be/src/exprs/function/array/function_array_combinations.cpp: ########## @@ -0,0 +1,187 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +#include "common/compiler_util.h" +#include "common/status.h" +#include "core/assert_cast.h" +#include "core/column/column_array.h" +#include "core/column/column_const.h" +#include "core/data_type/data_type.h" +#include "core/data_type/data_type_array.h" +#include "core/data_type/data_type_decimal.h" +#include "core/data_type/data_type_nullable.h" +#include "core/types.h" +#include "exprs/function/function.h" +#include "exprs/function/function_helpers.h" +#include "exprs/function/simple_function_factory.h" + +namespace doris { +// array_combinations([1, 2, 3],2) -> [[1,2], [1,3], [2,3]] +// array_combinations([1, NULL, 3, NULL, 5],4) -> [[1,NULL,3,NULL], [1,NULL,3,5], [NULL,3,NULL,5]] + +class FunctionArrayCombinations : public IFunction { +public: + static constexpr auto name = "array_combinations"; + static FunctionPtr create() { return std::make_shared<FunctionArrayCombinations>(); } + bool is_variadic() const override { return false; } + String get_name() const override { return name; } + + size_t get_number_of_arguments() const override { return 2; } + + bool use_default_implementation_for_nulls() const override { return true; } + + DataTypePtr get_return_type_impl(const DataTypes& arguments) const override { + const auto* array_type = assert_cast<const DataTypeArray*>(arguments[0].get()); + auto elem_t = make_nullable(array_type->get_nested_type()); + auto res = std::make_shared<DataTypeArray>( + make_nullable(std::make_shared<DataTypeArray>(elem_t))); + return res; + } + + Status execute_impl(FunctionContext* context, Block& block, const ColumnNumbers& arguments, + uint32_t result, size_t input_rows_count) const override { + auto array = block.get_by_position(arguments[0]).column; + ColumnPtr num = block.get_by_position(arguments[1]).column; + Int64 combination_length = num->get_int(0); + + if (combination_length > MAX_COMBINATION_LENGTH || combination_length < 1) { + return Status::InvalidArgument( + fmt::format("execute failed, function {}'s second argument must be bigger than " + "0 and not bigger than 5", + get_name())); + } + + ColumnPtr res; + const auto* src_arr = assert_cast<const ColumnArray*>(remove_nullable(array).get()); + const auto& offsets = + assert_cast<const ColumnArray::ColumnOffsets&>(src_arr->get_offsets_column()); + Status status = vector_const(src_arr, input_rows_count, res, offsets, combination_length); + if (!status.ok()) { + return status; + } + block.replace_by_position(result, std::move(res)); + return status; + } + + ColumnNumbers get_arguments_that_are_always_constant() const override { return {1}; } + +private: + static const size_t MAX_COMBINATION_LENGTH = 5; + static const size_t MAX_COMBINATION_COUNT = 100000; + + // Then combinationCount(n, k) = combinationCount(n-1, k-1) * n/k (https://en.wikipedia.org/wiki/Combination#Number_of_k-combinations) + // The formula is recursive. Here, instead of starting with k=combinationCount, n=arrayLength and recursing, + // we start with k=0 n=(arrayLength-combinationLength) and proceed "bottom up". + size_t _combination_count(size_t array_length, size_t combination_length) const { + size_t combinations = 1; + + for (size_t i = 1; i <= combination_length; i++) { + combinations = combinations * (array_length - combination_length + i) / i; + } + + return combinations; + } + Review Comment: **[Critical] Integer overflow in `_combination_count` — potential DoS** The intermediate expression `combinations * (array_length - combination_length + i)` can overflow `size_t` (64-bit unsigned) before the division by `i`. With `combination_length = 5`, overflow occurs when `array_length ≈ 57,000` (at iteration i=4, the intermediate product is ~n^4/6 which exceeds 2^64). When the overflow wraps around to a small value, it passes the `MAX_COMBINATION_COUNT` check at line 153. The subsequent `do...while(_next_combination(...))` loop then iterates the **true** C(n,k) times — potentially billions of iterations — causing an infinite hang and/or OOM. Arrays with 57,000+ elements are routine in OLAP workloads (e.g., from `collect_list`, data import, `array_concat`). This is a practical denial-of-service vector. **Recommended fix**: Use overflow-safe arithmetic: ```cpp size_t _combination_count(size_t array_length, size_t combination_length) const { size_t combinations = 1; for (size_t i = 1; i <= combination_length; i++) { size_t multiplicand = array_length - combination_length + i; if (multiplicand != 0 && combinations > std::numeric_limits<size_t>::max() / multiplicand) { return MAX_COMBINATION_COUNT + 1; // overflow → will fail the check } combinations = combinations * multiplicand / i; } return combinations; } ``` Alternatively, use `__builtin_mul_overflow` for GCC/Clang. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
