NULL Pointer Dereference bug #47409

@0dayhunter777

Description

Describe the bug, including details regarding any error messages, version, and platform.

I would like to report a NULL pointer dereference bug I encountered while testing the latest version (21.0.0) of Arrow.

The gdb debugging log is in arrow/gdb_debug_log, and the input is in arrow/input.

Reproduction steps:

  1. gdb arrow
  2. r input/null_dereference

Output:

(gdb) r null_dereference
Starting program: /root/SemaFuzz/Benchmarks/arrow/fuzz/arrowfuzz null_dereference
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
@@GetShareKey -> 0xC3B3C5D0
[New Thread 0x7bfa618ca700 (LWP 2239)]
[Thread 0x7bfa618ca700 (LWP 2239) exited]
[New Thread 0x7bfa618ca700 (LWP 2240)]

Thread 3 "arrowfuzz" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7bfa618ca700 (LWP 2240)]
0x00007bfa84f82cd1 in arrow::json::HandlerBase::Null (this=0x7bfa5c000c20)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:675
675 status_ = builder_set_.AppendNull(builder_stack_.back(), field_index_, builder_);
(gdb) bt
#0 0x00007bfa84f82cd1 in arrow::json::HandlerBase::Null (this=0x7bfa5c000c20)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:675
#1 0x00007bfa84f9bf87 in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::ParseNull<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500, is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:710
#2 0x00007bfa84f9a0de in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::ParseValue<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500, is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:1394
#3 0x00007bfa84f9994e in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::Transit<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500,
src=arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::IterativeParsingStartState,
token=arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::NullToken,
dst=arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::IterativeParsingValueState,
is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:1792
#4 0x00007bfa84f98888 in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::IterativeParse<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500, is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:1832
#5 0x00007bfa84f98614 in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::Parse<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500, is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:487
#6 0x00007bfa84f981ad in arrow::json::HandlerBase::DoParse<arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream> > (this=0x7bfa5c000c20, handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
..., json=..., json_size=98)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:774
#7 0x00007bfa84f9806f in arrow::json::HandlerBase::DoParse<arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa5c000c20, handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...,
json=warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::Buffer, std::allocator<arrow::Buffer>, (__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::Buffer, std::allocator<arrow::Buffer>, (__gnu_cxx::_Lock_policy)2>'
std::shared_ptr<arrow::Buffer> (use count 2, weak count 0) = {...})
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:801
#8 0x00007bfa84f97d76 in arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>::Parse (this=0x7bfa5c000c20, json=warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::Buffer, std::allocator<arrow::Buffer>, (__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::Buffer, std::allocator<arrow::Buffer>, (__gnu_cxx::_Lock_policy)2>'
std::shared_ptr<arrow::Buffer> (use count 2, weak count 0) = {...}) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:1081
#9 0x00007bfa84fc2cd4 in arrow::json::(anonymous namespace)::ParseBlock (block=..., parse_options=..., pool=0x7bfa85cc5d40 arrow::global_state+320,
out_size=0x0) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/reader.cc:162
#10 0x00007bfa84ff9200 in arrow::json::(anonymous namespace)::TableReaderImpl::ParseAndInsert (this=0x3ca97a50, block=...)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/reader.cc:287
#11 0x00007bfa84ff9108 in arrow::json::(anonymous namespace)::TableReaderImpl::Read()::{lambda()#1}::operator()() const (this=0x3ca97ec8)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/reader.cc:268
#12 0x00007bfa84ff9070 in arrow::internal::FnOnce<arrow::Status ()>::FnImpl<arrow::json::(anonymous namespace)::TableReaderImpl::Read()::{lambda()#1}>::invoke() (
this=0x3ca97ec0) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/functional.h:152
#13 0x00007bfa8504735d in arrow::internal::FnOnce<arrow::Status ()>::operator()() && (this=0x3ca97698)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/functional.h:140
#14 0x00007bfa851f302c in arrow::internal::(anonymous namespace)::ThreadedTaskGroup::AppendReal(arrow::internal::FnOnce<arrow::Status ()>)::{lambda()#1}::operator()() (this=0x3ca97688) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/task_group.cc:114
#15 0x00007bfa851f2e5c in arrow::internal::FnOnce<void ()>::FnImpl<arrow::internal::(anonymous namespace)::ThreadedTaskGroup::AppendReal(arrow::internal::FnOnce<arrow::Status ()>)::{lambda()#1}>::invoke() (this=0x3ca97680) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/functional.h:152
#16 0x00007bfa8520d279 in arrow::internal::FnOnce<void ()>::operator()() && (this=0x7bfa618c9c60)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/functional.h:140
#17 0x00007bfa852249cd in arrow::internal::WorkerLoop (state=warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::internal::ThreadPool::State, std::allocator<arrow::internal::ThreadPool::State>, (__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 'std::_Sp_counted_ptr_inplace<arrow::internal::ThreadPool::State, std::allocator<arrow::internal::ThreadPool::State>, (__gnu_cxx::_Lock_policy)2>'
std::shared_ptr<arrow::internal::ThreadPool::State> (use count 3, weak count 1) = {...}, it=
{_M_id = {_M_thread = 136315308648192}}) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/thread_pool.cc:478
#18 0x00007bfa852241bf in arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6::operator()() const (this=0x3ca98158)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/util/thread_pool.cc:643
#19 0x00007bfa85224118 in std::__invoke_impl<void, arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6>(std::__invoke_other, arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6&&) (__f=...) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60
#20 0x00007bfa85223fc8 in std::__invoke<arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6>(arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6&&) (__fn=...) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95
#21 0x00007bfa85223f50 in std::thread::_Invoker<std::tuple<arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6> >::_M_invoke<0ul>(std::_Index_tuple<0ul>)
(this=0x3ca98158) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:264
#22 0x00007bfa85223ed0 in std::thread::_Invoker<std::tuple<arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6> >::operator()() (this=0x3ca98158)
at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:271
#23 0x00007bfa85223ae4 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<arrow::internal::ThreadPool::LaunchWorkersUnlocked(int)::$_6> > >::_M_run() (
this=0x3ca98150) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:215
#24 0x00007bfa8650a67f in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#25 0x00007bfa81ed06db in start_thread (arg=0x7bfa618ca700) at pthread_create.c:463
#26 0x00007bfa81bf961f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Compiler version: g++ 9.4.0
OS version: Ubuntu 22.04.1

arrow.zip

Component(s)

C++
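Added triage aid, not part of this report and not Arrow project code: when a fuzzing campaign produces many crashes like the one above, the first step is to parse each gdb backtrace into frames and derive a deduplication signature from the signal plus the top in-project frames, so that repeated hits of the same crash site (here `HandlerBase::Null` at parser.cc:675) collapse into one bucket. The sample input is an excerpt copied from the backtrace quoted in this report; the `/cpp/src/arrow/` path marker used to tell project frames from system and library frames is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: an excerpt of the gdb session quoted in this report
# (signal line, then frames #0, #1, #9, #24 and #25; the other frames are omitted).
SAMPLE_GDB = """\
Thread 3 "arrowfuzz" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7bfa618ca700 (LWP 2240)]
0x00007bfa84f82cd1 in arrow::json::HandlerBase::Null (this=0x7bfa5c000c20)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:675
675 status_ = builder_set_.AppendNull(builder_stack_.back(), field_index_, builder_);
(gdb) bt
#0 0x00007bfa84f82cd1 in arrow::json::HandlerBase::Null (this=0x7bfa5c000c20)
at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/parser.cc:675
#1 0x00007bfa84f9bf87 in arrow::rapidjson::GenericReader<arrow::rapidjson::UTF8, arrow::rapidjson::UTF8, arrow::rapidjson::CrtAllocator>::ParseNull<332u, arrow::rapidjson::EncodedInputStream<arrow::rapidjson::UTF8, arrow::rapidjson::MemoryStream>, arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2> > (this=0x7bfa618c9500, is=..., handler=warning: RTTI symbol not found for class 'arrow::json::Handler<(arrow::json::UnexpectedFieldBehavior)2>'
...) at /usr/include/rapidjson/reader.h:710
#9 0x00007bfa84fc2cd4 in arrow::json::(anonymous namespace)::ParseBlock (block=..., parse_options=..., pool=0x7bfa85cc5d40 arrow::global_state+320,
out_size=0x0) at /root/SemaFuzz/Benchmarks/arrow/arrow-apache-arrow-19.0.1/cpp/src/arrow/json/reader.cc:162
#24 0x00007bfa8650a67f in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#25 0x00007bfa81ed06db in start_thread (arg=0x7bfa618ca700) at pthread_create.c:463
"""

FRAME_START = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (.*)", re.S)
SIGNAL_RE = re.compile(r"received signal (\w+)")
LOCATION_RE = re.compile(r"\bat (\S+?):(\d+)\s*$")


@dataclass
class Frame:
    index: int
    address: str
    function: str          # function name with template arguments removed
    file: Optional[str]    # None for frames without source info (e.g. "?? ()")
    line: Optional[int]


def strip_templates(name: str) -> str:
    """Drop balanced <...> template argument lists so signatures stay stable."""
    out, depth = [], 0
    for ch in name:
        if ch == "<":
            depth += 1
        elif ch == ">" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_backtrace(text: str) -> List[Frame]:
    """Group gdb 'bt' output into frames; continuation lines are joined to their '#N' line."""
    blocks: List[str] = []
    for line in text.splitlines():
        if re.match(r"^#\d+\s", line):
            blocks.append(line)
        elif blocks and not line.startswith("(gdb)"):
            blocks[-1] += " " + line.strip()
    frames: List[Frame] = []
    for block in blocks:
        m = FRAME_START.match(block)
        if not m:
            continue
        # The function name ends at the first " (" that opens the argument list.
        function = m.group(3).split(" (", 1)[0].strip()
        loc = LOCATION_RE.search(block)
        frames.append(Frame(int(m.group(1)), m.group(2), strip_templates(function),
                            loc.group(1) if loc else None,
                            int(loc.group(2)) if loc else None))
    return frames


def crash_signature(text: str, project_marker: str = "/cpp/src/arrow/", depth: int = 3) -> str:
    """Signal plus up to `depth` in-project frames, innermost first, for crash bucketing.
    project_marker is an assumed path fragment identifying frames in the project's own sources."""
    sig = SIGNAL_RE.search(text)
    signal = sig.group(1) if sig else "UNKNOWN"
    parts: List[str] = []
    for f in parse_backtrace(text):
        if f.file and project_marker in f.file:
            rel = f.file.split(project_marker, 1)[1]
            parts.append(f"{f.function}@{rel}:{f.line}")
        if len(parts) == depth:
            break
    return signal + " " + " <- ".join(parts)


if __name__ == "__main__":
    for frame in parse_backtrace(SAMPLE_GDB):
        print(f"#{frame.index} {frame.function} {frame.file}:{frame.line}")
    print(crash_signature(SAMPLE_GDB))
```

Frames from system headers (`/usr/include/rapidjson/...`), libstdc++ and pthread are skipped when building the signature, so two fuzzer inputs that reach the same Arrow call site through different RapidJSON template instantiations still land in the same bucket; the full frame list is kept for the report itself.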
