ARROW-9285: [C++] Detect unauthorized memory allocations in function kernels

[joosthooz]

Targets https://issues.apache.org/jira/browse/ARROW-9285
If a kernel uses preallocated memory allocation (MemAllocation::PREALLOCATE), it should not create new buffers. This code aims to check for this.
Questions/TODO;

• If the check triggers an abort by using DCHECK_*, it is not possible to test whether a misbehaving kernel is detected. I added an example test with a misbehaving kernel, but for that to work the check should throw an Error that the test can then check for using ASSERT_RAISES_WITH_MESSAGE
• Should the check only happen for output buffers? Now it also checks the input batches
• Scalar kernels have a field preallocate_contiguous_, but there might be additional cases where this check could be useful? For example if validity_preallocated_ is true, we could check if there aren't any newly created validity buffers. But the current AddBuffersToSet() code does not support this.
• Vector kernels do not have such a field, but may still pre-allocate their memory. Now I just use the condition (kernel_->mem_allocation == MemAllocation::PREALLOCATE) but I don't know if that is the right way to go.

[github-actions]

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on JIRA? https://issues.apache.org/jira/browse/ARROW

Opening JIRAs ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename pull request title in the following format?

ARROW-${JIRA_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - How to contribute patches

[edponce]

@joosthooz I have following initial comments:

1. ScalarExecutor has two possible preallocation policies (contiguous and per-batch) but they both are assigned to out->value which is an ArrayData (out is a Datum wrapping either an Array or a Scalar. I think we need to validate out only for the Array case. Use out.array() to access ArrayData and its buffers.
   • Note: buffer[0] is the null bitmap, which does not need this validation bc it has its own nullity policies (see NullPropagatorandNullHandling`).
2. The VectorExecutor can also preallocate so it also requires this validation. I think here we would also validate out.
3. Kernels establish preallocation policy via kernel.mem_allocation = MemAllocation::PREALLOCATE during registration. For example, here.

cc @bkietz @pitrou

[edponce]

@joosthooz Need to change this PR title to: ARROW-9285: [C++] Detect unauthorized memory allocations in function kernels

[github-actions]

https://issues.apache.org/jira/browse/ARROW-9285

[edponce]

I am curious if hashing all the values-buffers pointers would suffice instead of storing them in a set. We would still need to traverse nested data structures to capture all the child buffers. This could be solved using a Visitor.

[joosthooz]

Hashing would be nicer, but it would also trigger the error if a kernel deletes a buffer it doesn't need anymore. And I don't think we care about that, just newly allocated ones. What do you think?

[pitrou]

Sorry for not posting a more detailed review (for now!), these are only two high-level comments.

[pitrou]

I'm not sure how we want to handle this feature at all, but we definitely don't want to run those checks unconditionally, unless they're extremely trivial. Perhaps this can be enabled only on debug builds? (#ifndef _NDEBUG, for example)

cc @lidavidm

[lidavidm]

I think debug-only is fine as this will be most useful for developers.

[joosthooz]

The checks are now inside #ifndef NDEBUG.

[pitrou]

These should not be added in the public APIs. Instead, these functions should only exist in the corresponding test file, IMHO.

[joosthooz]

I've removed them again, also from the function registry. I'm now using a different way of calling the function through an executor, instead of going through CallFunction

[pitrou]

Nit: to reduce the performance overhead, std::unordered_set<Buffer*> would be better.

[pitrou]

ExecutionError a Gandiva-specific error. Perhaps use Status::Invalid?

[pitrou]

I think there's a problem with this approach: MemAllocation::PREALLOCATE preallocates only fixed-width buffers, not variable-width buffers. So for example, for a string array, indices will be preallocated but not data.

Besides, child buffers are never preallocated. So what happens is that you must check that preallocated buffers are not changed, but this doesn't prevent other buffers from being allocated as well.

[github-actions]

Thank you for your contribution. Unfortunately, this pull request has been marked as stale because it has had no activity in the past 365 days. Please remove the stale label or comment below, or this PR will be closed in 14 days. Feel free to re-open this if it has been closed in error. If you do not have repository permissions to reopen the PR, please tag a maintainer.