Skip to content

[BugFix] Guard against iterator UB in get_column_values when rssid not found (backport #69617)#69658

Open
mergify[bot] wants to merge 1 commit intobranch-3.5.14from
mergify/bp/branch-3.5.14/pr-69617
Open

[BugFix] Guard against iterator UB in get_column_values when rssid not found (backport #69617)#69658
mergify[bot] wants to merge 1 commit intobranch-3.5.14from
mergify/bp/branch-3.5.14/pr-69617

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Mar 2, 2026
edited by wanpengfei-git
Loading

Why I'm doing:

When the PrimaryIndex contains stale entries pointing to rowsets that have been compacted away, TabletUpdates::get_column_values crashes with SIGSEGV. The root cause is that upper_bound(rssid) returns begin() when the requested rssid is smaller than all keys in rssid_to_rowsets, and then --iter on begin() is undefined behavior. In practice this causes the iterator to point to the map's sentinel node, leading to dereference of corrupted memory.

Core dump analysis confirmed:

  • rssid = 432750 from PrimaryIndex lookup
  • rssid_to_rowsets min key = 476512 (old rowsets already compacted)
  • --begin() UB → dereference of corrupted RowsetMetaPB pointer 0x80804509150b1880 → SIGSEGV

What I'm doing:

Add a bounds check before decrementing the upper_bound iterator. When iter == begin(), return InternalError with a descriptive message instead of crashing.

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This PR needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
  • This is a backport PR

Bugfix cherry-pick branch check:

@luohaha @claude @mergify
[BugFix] Guard against iterator UB in get_column_values when rssid no…
2b81668 
…t found (#69617)

Signed-off-by: luohaha <18810541851@163.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 7adfd51)
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) March 2, 2026 02:24
@mergify mergify bot mentioned this pull request Mar 2, 2026
Merged
23 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Mar 2, 2026
edited
Loading

🌎 Translation Required?

All translation files are up to date.
No translation actions are required for this PR.

🕒 Last updated: Mon, 02 Mar 2026 02:51:04 GMT

@mergify
Copy link
Contributor Author

mergify bot commented Mar 2, 2026
edited
Loading

🧪 CI Insights

Here's what we observed from your CI run for 2b81668.

🟢 All jobs passed!

But CI Insights is watching 👀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@luohaha luohaha

Labels

automerge docs-maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@luohaha