This is an automated email from the ASF dual-hosted git repository.

gangwu pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/orc.git


The following commit(s) were added to refs/heads/branch-2.2 by this push:
     new a81eaa54a ORC-2123: [C++] Fix heap-use-after-free in ORC 
SearchArgument rewriteLeaves
a81eaa54a is described below

commit a81eaa54a6a86d8d232aa17df19b415b4a29c928
Author: daidai <[email protected]>
AuthorDate: Thu Mar 12 17:51:58 2026 +0800

    ORC-2123: [C++] Fix heap-use-after-free in ORC SearchArgument rewriteLeaves
    
    ### What changes were proposed in this pull request?
    
    This PR aims to fix heap-use-after-free in ORC SearchArgument rewriteLeaves.
    
    ### Why are the changes needed?
    
    This is a heap-use-after-free bug, reported by AddressSanitizer:
    
    ```
    ==1649778==ERROR: AddressSanitizer: heap-use-after-free on address 
0x7d0addc552f8 at pc 0x5561f1da808c bp 0x79e18a173b40 sp 0x79e18a173b38
    READ of size 8 at 0x7d0addc552f8 thread T621 (rs_normal [work)
        #0 0x5561f1da808b in 
std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__shared_count<(__gnu_cxx::_Lock_policy)2>
 const&) 
/mnt/disk2/tengjianping/local/ldb_toolchain/bin/../lib/gcc/x86_64-pc-linux-gnu/15/include/g++-v15/bits/shared_ptr_base.h:1073:19
        #1 0x55622c94b9ce in std::__shared_ptr<orc::ExpressionTree, 
(__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__shared_ptr<orc::ExpressionTree,
 (__gnu_cxx::_Lock_policy)2> const&) 
(/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e99ce)
        #2 0x55622c94849c in 
std::shared_ptr<orc::ExpressionTree>::shared_ptr(std::shared_ptr<orc::ExpressionTree>
 const&) 
(/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e649c)
        #3 0x55622c94d976 in 
std::__detail::_Hash_node<std::shared_ptr<orc::ExpressionTree>, false>* 
std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::shared_ptr<orc::ExpressionTree>,
 false>>>::_M_allocate_node<std::shared_ptr<orc::ExpressionTree> 
const&>(std::shared_ptr<orc::ExpressionTree> const&) 
(/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb976)
        #4 0x55622c94d7cb in 
std::pair<std::__detail::_Node_iterator<std::shared_ptr<orc::ExpressionTree>, 
true, false>, bool> std::_Hashtable<std::shared_ptr<orc::ExpressionTree>, 
std::shared_ptr<orc::ExpressionTree>, 
std::allocator<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Identity, 
std::equal_to<std::shared_ptr<orc::ExpressionTree>>, 
std::hash<std::shared_ptr<orc::ExpressionTree>>, 
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, 
std::__detail::_Prim [...]
        #5 0x55622c94d62c in 
std::_Hashtable<std::shared_ptr<orc::ExpressionTree>, 
std::shared_ptr<orc::ExpressionTree>, 
std::allocator<std::shared_ptr<orc::ExpressionTree>>, std::__detail::_Identity, 
std::equal_to<std::shared_ptr<orc::ExpressionTree>>, 
std::hash<std::shared_ptr<orc::ExpressionTree>>, 
std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, 
std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, 
true, true>>::insert(std::shared_ptr<orc: [...]
        #6 0x55622c94d3dc in 
std::unordered_set<std::shared_ptr<orc::ExpressionTree>, 
std::hash<std::shared_ptr<orc::ExpressionTree>>, 
std::equal_to<std::shared_ptr<orc::ExpressionTree>>, 
std::allocator<std::shared_ptr<orc::ExpressionTree>>>::insert(std::shared_ptr<orc::ExpressionTree>
 const&) 
(/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6eb3dc)
        #7 0x55622c947db0 in 
orc::rewriteLeaves(std::shared_ptr<orc::ExpressionTree>, unsigned long*) 
SearchArgument.cc
        #8 0x55622c947809 in orc::SearchArgumentBuilderImpl::build() 
(/mnt/disk2/tengjianping/doris-master/output/be/lib/doris_be+0x8b6e5809)
    ```
    
    ### How was this patch tested?
    
    Pass the CIs.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    NO
    
    Closes #2572 from hubgeter/fix_orc_core.
    
    Authored-by: daidai <[email protected]>
    Signed-off-by: Gang Wu <[email protected]>
    (cherry picked from commit dff5e92d304c83557f0ee92c578c9d55c04c6e0e)
    Signed-off-by: Gang Wu <[email protected]>
---
 c++/src/sargs/SearchArgument.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/c++/src/sargs/SearchArgument.cc b/c++/src/sargs/SearchArgument.cc
index ff0ba1e2d..612f0912e 100644
--- a/c++/src/sargs/SearchArgument.cc
+++ b/c++/src/sargs/SearchArgument.cc
@@ -315,7 +315,6 @@ namespace orc {
     // Perform BFS
     while (!nodes.empty()) {
       TreeNode& node = nodes.front();
-      nodes.pop_front();
 
       if (node->getOperator() == ExpressionTree::Operator::LEAF) {
         leaves.insert(node);
@@ -324,6 +323,7 @@ namespace orc {
           nodes.push_back(child);
         }
       }
+      nodes.pop_front();
     }
 
     // Update the leaf in place
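Review bot: `node` is still bound by reference to `nodes.front()` (declared in the previous hunk), so the loop is only safe while `nodes.pop_front()` stays after the last use of `node`, and nothing in the code records that constraint. Either add a comment above the moved call, e.g. `// node aliases nodes.front(); pop only after its last use`, or take the element by value with `TreeNode node = nodes.front();`, which would let the pop stay at the top of the loop at the cost of one reference-count copy, assuming TreeNode is the `std::shared_ptr<orc::ExpressionTree>` the ASan trace suggests. The `push_back` inside the loop leaves the reference valid only if `nodes` is a `std::deque` or `std::list`; its declaration is outside the hunk, so that should be confirmed. The commit adds no regression test, and a unit test that builds a SearchArgument with nested operators and runs under ASan would keep a later reordering from reintroducing the use-after-free.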
