Closed
Description
Describe the bug, including details regarding any error messages, version, and platform.
Logs:
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
Time ran: 0.06286072731018066
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1253766541
INFO: Loaded 1 modules (696233 inline 8-bit counters): 696233 [0x573b99ea6210, 0x573b99f501b9),
INFO: Loaded 1 PC tables (696233 PCs): 696233 [0x573b99f501c0,0x573b9a9efc50),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
AddressSanitizer:DEADLYSIGNAL
=================================================================
==405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x573b974bbe87 bp 0x7ffdde1a86c0 sp 0x7ffdde1a85a0 T0)
==405==The signal is caused by a READ memory access.
==405==Hint: address points to the zero page.
#0 0x573b974bbe87 in operator-> /usr/local/include/c++/v1/__memory/shared_ptr.h:724:12
#1 0x573b974bbe87 in parquet::arrow::(anonymous namespace)::ListToSchemaField(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:680](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L680):14
#2 0x573b974ae38a in GroupToSchemaField [arrow/cpp/src/parquet/arrow/schema.cc:746](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L746):12
#3 0x573b974ae38a in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
#4 0x573b974bda2e in parquet::arrow::(anonymous namespace)::GroupToStruct(parquet::schema::GroupNode const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:535](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L535):5
#5 0x573b974af34e in GroupToSchemaField [arrow/cpp/src/parquet/arrow/schema.cc:773](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L773):12
#6 0x573b974af34e in parquet::arrow::(anonymous namespace)::NodeToSchemaField(parquet::schema::Node const&, parquet::internal::LevelInfo, parquet::arrow::(anonymous namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, parquet::arrow::SchemaField*) [arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
#7 0x573b974ac31b in parquet::arrow::SchemaManifest::Make(parquet::SchemaDescriptor const*, std::__1::shared_ptr<arrow::KeyValueMetadata const> const&, parquet::ArrowReaderProperties const&, parquet::arrow::SchemaManifest*) [arrow/cpp/src/parquet/arrow/schema.cc:1163](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L1163):5
#8 0x573b9738199e in Init [arrow/cpp/src/parquet/arrow/reader.cc:149](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L149):12
#9 0x573b9738199e in parquet::arrow::FileReader::Make(arrow::MemoryPool*, std::__1::unique_ptr<parquet::ParquetFileReader, std::__1::default_delete<parquet::ParquetFileReader>>, parquet::ArrowReaderProperties const&, std::__1::unique_ptr<parquet::arrow::FileReader, std::__1::default_delete<parquet::arrow::FileReader>>*) [arrow/cpp/src/parquet/arrow/reader.cc:1334](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1334):52
#10 0x573b97386330 in Build [arrow/cpp/src/parquet/arrow/reader.cc:1375](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1375):10
#11 0x573b97386330 in parquet::arrow::internal::FuzzReader(unsigned char const*, long) [arrow/cpp/src/parquet/arrow/reader.cc:1426](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1426):5
#12 0x573b9737e841 in LLVMFuzzerTestOneInput [arrow/cpp/src/parquet/arrow/fuzz.cc:22](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/fuzz.cc#L22):17
#13 0x573b972332f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#14 0x573b9721e565 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#15 0x573b97223fff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#16 0x573b9724f2a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#17 0x79a2ad7ab082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#18 0x573b9721674d in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
==405==ABORTING
Which is introduced in #43995
Component(s)
C++, Parquet