GH-39577: [C++] Fix tail-word access cross buffer boundary in CompareBinaryColumnToRow

[zanmato1984]

Rationale for this change

Default buffer alignment (64b) doesn't guarantee the safety of tail-word access in KeyCompare::CompareBinaryColumnToRow. Comment #39577 (comment) is a concrete example.

What changes are included in this PR?

Make KeyCompare::CompareBinaryColumnToRow tail-word safe.

Are these changes tested?

UT included.

Are there any user-facing changes?

No.

• Closes: [C++][Acero] ASAN reports heap buffer overflow in arrow::compute::KeyCompare::CompareBinaryColumnToRow #39577

[github-actions]

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

In the case of PARQUET issues on JIRA the title also supports:

PARQUET-${JIRA_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - Contributing Overview

[pitrou]

Could you add this to internals_test instead?

[zanmato1984]

Sure. Done.

[pitrou]

length - num_loops_less_one * 8 is used several times in this closure, can you factor it out and give it a meaningful name (perhaps num_tail_bytes)?

But, actually, isn't length - num_loops_less_one * 8 simply equal to length?

[zanmato1984]

length - num_loops_less_one * 8 is used several times in this closure, can you factor it out and give it a meaningful name (perhaps num_tail_bytes)?

Yeah, that's reasonable. Done.

But, actually, isn't length - num_loops_less_one * 8 simply equal to length?

Sorry I don't quite understand how this is coming. For instance, for fsb(19) type, length will be 19 and length - num_loops_less_one * 8 (aka. num_tail_bytes) will be 3.

[pitrou]

You're right, thank you.

[pitrou]

Is tail_mask still useful here? We're extracting exactly the desired number of bytes.

[zanmato1984]

Good catch! Removed tail_mask.

[pitrou]

Thanks a lot for finding this out @zanmato1984 ! I posted some comments above.

[zanmato1984]

Thanks a lot for finding this out @zanmato1984 ! I posted some comments above.

Thank you for looking and the very helpful comments @pitrou ! Change updated.

[pitrou]

@github-actions crossbow submit -g cpp

[github-actions]

Revision: f8cce17

Submitted crossbow builds: ursacomputing/crossbow @ actions-71248b8771

Task	Status
test-alpine-linux-cpp
test-build-cpp-fuzz
test-conda-cpp
test-conda-cpp-valgrind
test-cuda-cpp
test-debian-11-cpp-amd64
test-debian-11-cpp-i386
test-fedora-38-cpp
test-ubuntu-20.04-cpp
test-ubuntu-20.04-cpp-bundled
test-ubuntu-20.04-cpp-minimal-with-formats
test-ubuntu-20.04-cpp-thread-sanitizer
test-ubuntu-22.04-cpp
test-ubuntu-22.04-cpp-20
test-ubuntu-22.04-cpp-no-threading

[pitrou]

@raulcd I think this is a good candidate for 15.0.0.

[raulcd]

@pitrou is this worth a new Release Candidate? I created RC1 a couple of hours ago and have already generated all binaries (just waiting for one job to finish) for it successfully, see: #39641

[pitrou]

@raulcd Not in itself. But if you have to craft a RC2 for other reasons, this would be nice to include.

[conbench-apache-arrow]

After merging your PR, Conbench analyzed the 6 benchmarking runs that have been run so far on merge-commit cd3321b.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 2 possible false positives for unstable benchmarks that are known to sometimes produce them.