Skip to content

branch-3.1: [Bug](function) fix to_ipv6 cause stack-buffer-overflow error #53713 #54012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
morrySnow merged 1 commit into from
Jul 30, 2025
Merged

branch-3.1: [Bug](function) fix to_ipv6 cause stack-buffer-overflow error #53713 #54012

morrySnow merged 1 commit into from
Jul 30, 2025

Conversation

@zhangstar333
Copy link
Contributor

@zhangstar333 zhangstar333 commented Jul 29, 2025
edited by morrySnow
Loading

Cherry-picked from #53713

@zhangstar333
[Bug](function) fix to_ipv6 cause stack-buffer-overflow error (apache…
d6b81ef 
…#53713)

Problem Summary:

memcpy(dst, &result, sizeof(result));
when use memcpy, it's size if sizeof(result), so use int64 maybe
overflow of dst

```
==3524968==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f18404e1d73 at pc 0x559e2c162b01 bp 0x7f18439e5dc0 sp 0x7f18439e5db8
WRITE of size 8 at 0x7f18404e1d73 thread T1265 (brpc_light)
    #0 0x559e2c162b00 in bool doris::vectorized::parse_ipv4<char const, doris::vectorized::parse_ipv6(char const*, char const*, unsigned char*)::'lambda'()>(char const*&, doris::vectorized::parse_ipv6(char const*, char const*, unsigned char*)::'lambda'(), unsigned char*, long) /mnt/disk8/zhangsida/doris/be/src/vec/common/format_ip.h:165:5
    apache#1 0x559e2c161eb3 in bool doris::vectorized::parse_ipv6<char const, doris::vectorized::parse_ipv6(char const*, char const*, unsigned char*)::'lambda'()>(char const*&, doris::vectorized::parse_ipv6(char const*, char const*, unsigned char*)::'lambda'(), unsigned char*, int) /mnt/disk8/zhangsida/doris/be/src/vec/common/format_ip.h:416:18
    apache#2 0x559e2c160c44 in doris::vectorized::parse_ipv6(char const*, char const*, unsigned char*) /mnt/disk8/zhangsida/doris/be/src/vec/common/format_ip.h:467:9
    apache#3 0x559e2c160c44 in doris::vectorized::parse_ipv6_whole(char const*, char const*, unsigned char*) /mnt/disk8/zhangsida/doris/be/src/vec/common/format_ip.h:475:12
    apache#4 0x559e2c160c44 in doris::IPv6Value::from_string(unsigned __int128&, char const*, unsigned long) /mnt/disk8/zhangsida/doris/be/src/vec/runtime/ipv6_value.h:71:16
    apache#5 0x559e4fdb05f3 in doris::vectorized::FunctionToIP<(doris::vectorized::IPConvertExceptionMode)0, (doris::PrimitiveType)37>::execute_impl(doris::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned int, std::allocator<unsigned int>> const&, unsigned int, unsigned long) const /mnt/disk8/zhangsida/doris/be/src/vec/functions/function_ip.h:1180:21
    apache#6 0x559e4c233b1e in doris::vectorized::DefaultExecutable::execute_impl(doris::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned int, std::allocator<unsigned int>> const&, unsigned int, unsigned long) const /mnt/disk8/zhangsida/doris/be/src/vec/functions/function.h:447:26
    apache#7 0x559e4eebcef3 in doris::vectorized::PreparedFunctionImpl::_execute_skipped_constant_deal(doris::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned int, std::allocator<unsigned int>> const&, unsigned int, unsigned long, bool) const /mnt/disk8/zhangsida/doris/be/src/vec/functions/function.cpp
    apache#8 0x559e4eeb68c4 in doris::vectorized::PreparedFunctionImpl::default_implementation_for_constant_arguments(doris::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned int, std::allocator<unsigned int>> const&, unsigned int, unsigned long, bool, bool*) const /mnt/disk8/zhangsida/doris/be/src/vec/functions/function.cpp:168:5
    apache#9 0x559e4eeb8fc4 in doris::vectorized::PreparedFunctionImpl::execute_without_low_cardinality_columns(doris::FunctionContext*, doris::vectorized::Block&, std::vector<unsigned int, std::allocator<unsigned int>> const&, unsigned int, unsigned long, bool) const /mnt/disk8/zhangsida/doris/be/src/vec/functions/function.cpp:237:5
```
@Thearas
Copy link
Contributor

Thearas commented Jul 29, 2025

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@zhangstar333 zhangstar333 requested a review from morrySnow as a code owner July 29, 2025 04:35
@zhangstar333
Copy link
Contributor Author

zhangstar333 commented Jul 29, 2025

run buildall

@doris-robot
Copy link

doris-robot commented Jul 29, 2025

BE UT Coverage Report

Increment line coverage 75.00% (3/4) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 45.38% (12621/27813)
Line Coverage 36.21% (112399/310392)
Region Coverage 35.26% (58088/164721)
Branch Coverage 32.45% (31583/97316)

@doris-robot
Copy link

doris-robot commented Jul 29, 2025

TPC-H: Total hot run time: 32792 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit d6b81efec15618968235d0c351e9d4c6e4420a6b, data reload: false

------ Round 1 ----------------------------------
q1	17583	5446	5466	5446
q2	2064	280	164	164
q3	10633	1239	759	759
q4	10230	877	465	465
q5	8262	2369	2145	2145
q6	186	162	133	133
q7	886	753	607	607
q8	9336	1445	1201	1201
q9	5331	4930	4942	4930
q10	6763	2295	1833	1833
q11	487	287	271	271
q12	330	362	216	216
q13	17781	3572	2980	2980
q14	220	225	207	207
q15	529	465	454	454
q16	416	429	374	374
q17	645	871	393	393
q18	6997	6640	6470	6470
q19	1502	950	554	554
q20	321	333	207	207
q21	3106	2172	1986	1986
q22	1063	1044	997	997
Total cold run time: 104671 ms
Total hot run time: 32792 ms

----- Round 2, with runtime_filter_mode=off -----
q1	5523	5474	5475	5474
q2	237	342	237	237
q3	2264	2662	2310	2310
q4	1360	1777	1342	1342
q5	4417	4907	4975	4907
q6	166	163	124	124
q7	2053	2007	1859	1859
q8	2619	2803	2702	2702
q9	7231	7275	7193	7193
q10	3036	3352	2747	2747
q11	579	490	481	481
q12	635	749	639	639
q13	3424	3777	3158	3158
q14	292	295	270	270
q15	522	466	468	466
q16	464	495	441	441
q17	1230	1728	1235	1235
q18	7639	7541	7338	7338
q19	806	1102	1160	1102
q20	1998	2051	1884	1884
q21	5372	4994	4798	4798
q22	1083	1082	1023	1023
Total cold run time: 52950 ms
Total hot run time: 51730 ms

@doris-robot
Copy link

doris-robot commented Jul 29, 2025

TPC-DS: Total hot run time: 197616 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit d6b81efec15618968235d0c351e9d4c6e4420a6b, data reload: false

query1	1322	921	882	882
query2	6219	1929	1870	1870
query3	11014	4440	4562	4440
query4	33118	23836	23955	23836
query5	4714	616	461	461
query6	280	188	178	178
query7	4007	499	317	317
query8	297	239	241	239
query9	9522	2595	2581	2581
query10	504	319	254	254
query11	18213	15292	15194	15194
query12	160	106	103	103
query13	1561	539	415	415
query14	9546	6771	7368	6771
query15	244	204	192	192
query16	7932	637	479	479
query17	1555	776	610	610
query18	2143	420	317	317
query19	219	193	167	167
query20	128	114	118	114
query21	207	127	112	112
query22	4683	4538	4410	4410
query23	34983	34289	34315	34289
query24	7320	2673	2689	2673
query25	537	505	429	429
query26	807	295	177	177
query27	1999	474	360	360
query28	5335	2257	2218	2218
query29	653	608	488	488
query30	234	189	164	164
query31	1004	918	828	828
query32	72	85	58	58
query33	477	378	304	304
query34	755	859	523	523
query35	794	804	728	728
query36	1006	1083	1003	1003
query37	108	100	69	69
query38	4020	3979	3998	3979
query39	1519	1533	1467	1467
query40	218	122	107	107
query41	51	50	49	49
query42	121	106	102	102
query43	492	521	472	472
query44	1338	829	830	829
query45	183	186	175	175
query46	876	1058	679	679
query47	2046	2016	1980	1980
query48	436	479	354	354
query49	734	511	397	397
query50	670	706	437	437
query51	7331	7344	7325	7325
query52	101	101	94	94
query53	227	267	194	194
query54	551	555	491	491
query55	83	78	80	78
query56	257	262	245	245
query57	1301	1311	1230	1230
query58	245	233	229	229
query59	3104	3142	3084	3084
query60	288	281	254	254
query61	111	113	116	113
query62	793	737	686	686
query63	230	198	190	190
query64	3531	1019	651	651
query65	3367	3288	3317	3288
query66	776	417	312	312
query67	16547	15918	15563	15563
query68	6752	840	551	551
query69	498	300	278	278
query70	1160	1157	1108	1108
query71	392	303	268	268
query72	5956	3699	3947	3699
query73	635	798	349	349
query74	10267	9304	9252	9252
query75	3183	3148	2646	2646
query76	3102	1182	766	766
query77	511	362	279	279
query78	10429	10413	9610	9610
query79	3739	910	587	587
query80	1620	523	435	435
query81	569	274	220	220
query82	1163	126	93	93
query83	179	164	146	146
query84	244	107	87	87
query85	788	354	298	298
query86	480	326	290	290
query87	4315	4304	4250	4250
query88	5052	2397	2388	2388
query89	417	340	296	296
query90	1747	194	190	190
query91	135	141	117	117
query92	68	56	51	51
query93	3000	897	567	567
query94	768	422	311	311
query95	341	281	276	276
query96	495	617	289	289
query97	3202	3291	3156	3156
query98	231	201	202	201
query99	1654	1440	1255	1255
Total cold run time: 298311 ms
Total hot run time: 197616 ms

@doris-robot
Copy link

doris-robot commented Jul 29, 2025

ClickBench: Total hot run time: 28.82 s 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit d6b81efec15618968235d0c351e9d4c6e4420a6b, data reload: false

query1	0.03	0.03	0.03
query2	0.07	0.03	0.03
query3	0.24	0.06	0.06
query4	1.62	0.11	0.11
query5	0.51	0.51	0.52
query6	1.13	0.75	0.72
query7	0.02	0.01	0.02
query8	0.04	0.03	0.03
query9	0.57	0.50	0.50
query10	0.56	0.57	0.56
query11	0.15	0.10	0.10
query12	0.13	0.11	0.11
query13	0.63	0.60	0.60
query14	0.78	0.80	0.81
query15	0.84	0.84	0.82
query16	0.39	0.37	0.39
query17	1.01	1.01	1.11
query18	0.24	0.22	0.23
query19	1.87	1.80	1.90
query20	0.01	0.01	0.01
query21	15.37	0.95	0.61
query22	0.74	0.83	0.68
query23	15.02	1.45	0.61
query24	3.31	1.09	0.73
query25	0.14	0.12	0.15
query26	0.42	0.15	0.14
query27	0.05	0.05	0.06
query28	13.29	1.05	0.44
query29	12.59	4.00	3.29
query30	0.26	0.09	0.06
query31	2.82	0.61	0.38
query32	3.23	0.54	0.45
query33	2.96	3.04	3.02
query34	16.57	5.19	4.52
query35	4.62	4.55	4.52
query36	0.63	0.49	0.49
query37	0.09	0.06	0.06
query38	0.05	0.04	0.04
query39	0.03	0.02	0.02
query40	0.16	0.13	0.12
query41	0.07	0.03	0.02
query42	0.04	0.02	0.02
query43	0.03	0.03	0.04
Total cold run time: 103.33 s
Total hot run time: 28.82 s

@morrySnow morrySnow changed the title branch31: [Bug](function) fix to_ipv6 cause stack-buffer-overflow error (#53713) branch-3.1: [Bug](function) fix to_ipv6 cause stack-buffer-overflow error #53713 Jul 29, 2025
@hello-stephen
Copy link
Contributor

hello-stephen commented Jul 29, 2025

BE Regression && UT Coverage Report

Increment line coverage 100.00% (4/4) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 76.22% (20945/27480)
Line Coverage 69.60% (215888/310184)
Region Coverage 67.62% (129179/191047)
Branch Coverage 61.20% (67221/109830)

1 similar comment
@hello-stephen
Copy link
Contributor

hello-stephen commented Jul 30, 2025

BE Regression && UT Coverage Report

Increment line coverage 100.00% (4/4) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 76.22% (20945/27480)
Line Coverage 69.60% (215888/310184)
Region Coverage 67.62% (129179/191047)
Branch Coverage 61.20% (67221/109830)

@hello-stephen
Copy link
Contributor

hello-stephen commented Jul 30, 2025

BE Regression && UT Coverage Report

Increment line coverage 100.00% (4/4) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 76.25% (20953/27480)
Line Coverage 69.65% (216030/310184)
Region Coverage 67.66% (129258/191047)
Branch Coverage 61.24% (67256/109830)

@morrySnow morrySnow merged commit aa4db3d into apache:branch-3.1 Jul 30, 2025
24 of 25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@morrySnow morrySnow morrySnow approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@zhangstar333 @Thearas @doris-robot @hello-stephen @morrySnow