
GH-49470: [C++][Gandiva] Fix crashes in substring_index and truncate with extreme integer values #49471

Merged
zanmato1984 merged 2 commits into apache:main from dmitry-chirkov-dremio:fix-gandiva-extreme-int-crashes
Mar 15, 2026
dmitry-chirkov-dremio commented Mar 9, 2026

Rationale for this change

Two Gandiva functions crash when called with extreme integer parameter values:

  1. substring_index(VARCHAR, VARCHAR, INT) crashes with SIGBUS when count is INT_MIN
  2. truncate(BIGINT, INT) crashes with SIGSEGV when scale is INT_MAX or INT_MIN

What changes are included in this PR?

substring_index fix (gdv_string_function_stubs.cc):

  • Replace abs(cnt) with safe int64_t computation to avoid undefined behavior when cnt == INT_MIN

truncate fix (precompiled/extended_math_ops.cc):

  • Return input unchanged for positive scales (no-op for integers)
  • Return 0 for scales < -38 to prevent out-of-bounds access in GetScaleMultiplier

Are these changes tested?

Yes. Added coverage for INT_MAX/INT_MIN values in gdv_function_stubs_test.cc and extended_math_ops_test.cc.

Are there any user-facing changes?

No.

This PR contains a "Critical Fix". These changes fix crashes caused by:

  • abs(INT_MIN) triggering undefined behavior (integer overflow) in substring_index
  • Out-of-bounds array access in GetScaleMultiplier when truncate receives extreme scale values
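
The two guard patterns described in this PR, as an added example that is not part of the PR and not Gandiva's code. The names `safe_abs_count`, `truncate_int64` and `kPow10` are hypothetical, and the constructed table covers only 10^0..10^18 (what fits in `int64_t`), so its lower bound is -18 rather than the -38 the PR uses for `GetScaleMultiplier`.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical helper: magnitude of a 32-bit count without calling abs() on it.
// abs(INT_MIN) overflows int (undefined behavior); widening to int64_t first
// makes the negation representable.
int64_t safe_abs_count(int32_t cnt) {
  const int64_t wide = cnt;
  return wide < 0 ? -wide : wide;
}

// Constructed lookup table of 10^0..10^18 (assumption: stands in for a
// scale-multiplier table indexed by the absolute scale).
constexpr int kMaxDigits = 18;
static const int64_t kPow10[kMaxDigits + 1] = {
    1LL, 10LL, 100LL, 1000LL, 10000LL, 100000LL, 1000000LL, 10000000LL,
    100000000LL, 1000000000LL, 10000000000LL, 100000000000LL,
    1000000000000LL, 10000000000000LL, 100000000000000LL,
    1000000000000000LL, 10000000000000000LL, 100000000000000000LL,
    1000000000000000000LL};

// Hypothetical integer truncate. A non-negative scale is a no-op for integers;
// a negative scale zeroes that many low-order digits. Both extremes are
// handled before the table is indexed, so the index is always in range.
int64_t truncate_int64(int64_t in, int32_t scale) {
  if (scale >= 0) return in;            // covers INT_MAX
  if (scale < -kMaxDigits) return 0;    // covers INT_MIN: every digit dropped
  const int64_t mult = kPow10[-scale];  // -scale is in 1..18 here
  return (in / mult) * mult;            // integer division truncates toward 0
}

int main() {
  std::printf("%lld\n", static_cast<long long>(safe_abs_count(INT_MIN)));
  std::printf("%lld\n", static_cast<long long>(truncate_int64(12345, -2)));
  std::printf("%lld\n", static_cast<long long>(truncate_int64(12345, INT_MAX)));
  std::printf("%lld\n", static_cast<long long>(truncate_int64(12345, INT_MIN)));
  return 0;
}
```
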

github-actions bot commented Mar 9, 2026

⚠️ GitHub issue #49470 has been automatically assigned in GitHub to PR creator.

github-actions bot added the awaiting committer review label and removed the awaiting review label Mar 9, 2026

zanmato1984 left a comment

The failing CI seems unrelated.

+1

zanmato1984 merged commit d6ce56e into apache:main Mar 15, 2026
53 of 54 checks passed
zanmato1984 removed the awaiting committer review label Mar 15, 2026
@conbench-apache-arrow

After merging your PR, Conbench analyzed the 3 benchmarking runs that have been run so far on merge-commit d6ce56e.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 1 possible false positive for unstable benchmarks that are known to sometimes produce them.
