YQ RD fixed use after free (#10978)

GrigoriyPA · web-flow · commit 11838a0bf642 · 2024-10-29T12:23:11.000+03:00
diff --git a/ydb/core/fq/libs/row_dispatcher/json_parser.cpp b/ydb/core/fq/libs/row_dispatcher/json_parser.cpp
@@ -264,7 +264,7 @@ class TJsonParser::TImpl {
 public:
     TImpl(const TVector<TString>& columns, const TVector<TString>& types, ui64 batchSize, TDuration batchCreationTimeout)
         : Alloc(__LOCATION__, NKikimr::TAlignedPagePoolCounters(), true, false)
-        , TypeEnv(Alloc)
+        , TypeEnv(std::make_unique<NKikimr::NMiniKQL::TTypeEnvironment>(Alloc))
         , BatchSize(batchSize)
         , BatchCreationTimeout(batchCreationTimeout)
         , ParsedValues(columns.size())
@@ -273,7 +273,7 @@ class TJsonParser::TImpl {
 
         with_lock (Alloc) {
             auto functonRegistry = NKikimr::NMiniKQL::CreateFunctionRegistry(&PrintBackTrace, NKikimr::NMiniKQL::CreateBuiltinRegistry(), false, {});
-            NKikimr::NMiniKQL::TProgramBuilder programBuilder(TypeEnv, *functonRegistry);
+            NKikimr::NMiniKQL::TProgramBuilder programBuilder(*TypeEnv, *functonRegistry);
 
             Columns.reserve(columns.size());
             for (size_t i = 0; i < columns.size(); i++) {
@@ -370,8 +370,12 @@ class TJsonParser::TImpl {
     }
 
     ~TImpl() {
-        Alloc.Acquire();
-        ClearColumns(0);
+        with_lock (Alloc) {
+            ClearColumns(0);
+            ParsedValues.clear();
+            Columns.clear();
+            TypeEnv.reset();
+        }
     }
 
 private:
@@ -392,7 +396,7 @@ class TJsonParser::TImpl {
 
 private:
     NKikimr::NMiniKQL::TScopedAlloc Alloc;
-    NKikimr::NMiniKQL::TTypeEnvironment TypeEnv;
+    std::unique_ptr<NKikimr::NMiniKQL::TTypeEnvironment> TypeEnv;
 
     const ui64 BatchSize;
     const TDuration BatchCreationTimeout;
@@ -402,7 +406,7 @@ class TJsonParser::TImpl {
     TJsonParserBuffer Buffer;
     simdjson::ondemand::parser Parser;
 
-    TVector<std::vector<NYql::NUdf::TUnboxedValue, NKikimr::NMiniKQL::TMKQLAllocator<NYql::NUdf::TUnboxedValue>>> ParsedValues;
+    TVector<NKikimr::NMiniKQL::TUnboxedValueVector> ParsedValues;
 };
 
 TJsonParser::TJsonParser(const TVector<TString>& columns, const TVector<TString>& types, ui64 batchSize, TDuration batchCreationTimeout)
diff --git a/ydb/core/fq/libs/row_dispatcher/ut/json_parser_ut.cpp b/ydb/core/fq/libs/row_dispatcher/ut/json_parser_ut.cpp
@@ -1,3 +1,5 @@
+#include <ydb/core/base/backtrace.h>
+
 #include <ydb/core/fq/libs/ydb/ydb.h>
 #include <ydb/core/fq/libs/events/events.h>
 
@@ -22,7 +24,16 @@ class TFixture : public NUnitTest::TBaseFixture {
     TFixture()
     : Runtime(true) {}
 
+    static void SegmentationFaultHandler(int) {
+        Cerr << "segmentation fault call stack:" << Endl;
+        FormatBackTrace(&Cerr);
+        abort();
+    }
+
     void SetUp(NUnitTest::TTestContext&) override {
+        NKikimr::EnableYDBBacktraceFormat();
+        signal(SIGSEGV, &SegmentationFaultHandler);
+
         TAutoPtr<TAppPrepare> app = new TAppPrepare();
         Runtime.SetLogBackend(CreateStderrBackend());
         Runtime.SetLogPriority(NKikimrServices::FQ_ROW_DISPATCHER, NLog::PRI_TRACE);
diff --git a/ydb/core/fq/libs/row_dispatcher/ut/ya.make b/ydb/core/fq/libs/row_dispatcher/ut/ya.make
@@ -20,7 +20,6 @@ PEERDIR(
     ydb/library/yql/udfs/common/yson2
     ydb/tests/fq/pq_async_io
     ydb/library/yql/sql/pg_dummy
-    ydb/library/yql/udfs/common/clickhouse/client
 )
 
 SIZE(MEDIUM)

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,6 @@ PEERDIR(`
`20`	`20`	`ydb/library/yql/udfs/common/yson2`
`21`	`21`	`ydb/tests/fq/pq_async_io`
`22`	`22`	`ydb/library/yql/sql/pg_dummy`
`23`		`- ydb/library/yql/udfs/common/clickhouse/client`
`24`	`23`	`)`
`25`	`24`
`26`	`25`	`SIZE(MEDIUM)`