Skip to content

Fix potential NPE in PinotHelixResourceManager tenant deletability checks#18777

Merged
Jackie-Jiang merged 1 commit into
apache:masterfrom
Akanksha-kedia:fix-npe-tenant-deletable-resource-manager
Jun 21, 2026
Merged

Fix potential NPE in PinotHelixResourceManager tenant deletability checks#18777
Jackie-Jiang merged 1 commit into
apache:masterfrom
Akanksha-kedia:fix-npe-tenant-deletable-resource-manager

Conversation

@Akanksha-kedia

Copy link
Copy Markdown
Contributor

Description

HelixAdmin.getResourceIdealState() can return null in two methods within tenant-deletability checks:

isBrokerTenantDeletable

The broker resource IdealState is fetched using BROKER_RESOURCE_INSTANCE. During cluster initialization or in edge cases (e.g., cluster not fully set up), this can be null. The previous code called brokerIdealState.getPartitionSet() directly, which would throw a NullPointerException.

isServerTenantDeletable

The method iterates over all resources via getAllResources() and then fetches each resource's IdealState. There is a TOCTOU race: a table resource can be concurrently deleted between getAllResources() and getResourceIdealState(), returning null. The previous code called tableIdealState.getPartitionSet() directly, which would throw a NullPointerException.

Fix

  • isBrokerTenantDeletable: Guard null brokerIdealState by returning true (safe default — no broker resource means no brokers are assigned to this tenant)
  • isServerTenantDeletable: Guard null tableIdealState with continue (consistent with how concurrent deletions are handled elsewhere in the codebase — see getServerToSegmentsMap, getServers)

Tests

No functional behavior change for the normal (non-null) path. The null guards are defensive fixes for edge cases during cluster state transitions.

Checklist

  • No new public APIs without documentation
  • Backward compatible change
  • Code follows existing patterns in the codebase

…ecks

getResourceIdealState() can return null when the broker resource has not
been initialized yet or when a table resource is concurrently deleted
between getAllResources() and getResourceIdealState().

- isBrokerTenantDeletable: guard against null brokerIdealState by
  returning true (safe: no broker assignments means tenant is deletable)
- isServerTenantDeletable: skip null tableIdealState entries arising
  from a race between resource enumeration and concurrent table deletion

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Akanksha-kedia

Copy link
Copy Markdown
Contributor Author

@xiangfu0

@codecov-commenter

codecov-commenter commented Jun 16, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.79%. Comparing base (6464736) to head (9aa293b).

Files with missing lines Patch % Lines
...ntroller/helix/core/PinotHelixResourceManager.java 0.00% 3 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##             master   #18777   +/-   ##
=========================================
  Coverage     64.78%   64.79%           
  Complexity     1309     1309           
=========================================
  Files          3380     3380           
  Lines        209540   209544    +4     
  Branches      32797    32799    +2     
=========================================
+ Hits         135751   135774   +23     
+ Misses        62863    62847   -16     
+ Partials      10926    10923    -3     
Flag Coverage Δ
custom-integration1 100.00% <ø> (ø)
integration 100.00% <ø> (ø)
integration1 100.00% <ø> (ø)
integration2 0.00% <ø> (ø)
java-21 64.79% <0.00%> (+<0.01%) ⬆️
temurin 64.79% <0.00%> (+<0.01%) ⬆️
unittests 64.79% <0.00%> (+<0.01%) ⬆️
unittests1 56.98% <ø> (+<0.01%) ⬆️
unittests2 37.27% <0.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Akanksha-kedia

Copy link
Copy Markdown
Contributor Author

@xiangfu0 @Jackie-Jiang all CI checks pass, review comments addressed. Please review when you get a chance.

@Jackie-Jiang Jackie-Jiang merged commit 8f5af9e into apache:master Jun 21, 2026
11 checks passed
cypherean pushed a commit to cypherean/pinot that referenced this pull request Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants