[SPARK-24452][SQL][Core] Avoid possible overflow in int add or multiple

[kiszk]

What changes were proposed in this pull request?

This PR fixes possible overflow in int add or multiply. In particular, their overflows in multiply are detected by Spotbugs

The following assignments may cause overflow in right hand side. As a result, the result may be negative.

long = int * int
long = int + int

To avoid this problem, this PR performs cast from int to long in right hand side.

How was this patch tested?

Existing UTs.

[SparkQA]

Test build #91404 has finished for PR 21481 at commit 324fd5c.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[kiszk]

cc @ueshin @hvanhovell

[kiszk]

cc @cloud-fan

[JoshRosen]

Hey @kiszk, thanks for tracking this down. This change looks good to me.

I have a couple of questions, mostly aimed towards figuring out how we can categorically solve this problem:

1. What's the impact of this issue? Have you observed actual crashes or silent data corruption caused by this problem? I ask because it looks like this could be a plausible cause of a data corruption bug that I've been investigating.
2. Are these five files the only occurrence of this problem or are there potentially others? I've noticed that all of the files modified here are .java files: is that a coincidence or is that the result of running some Java linting tool? If the latter, is it possible that we have similar issues in other files which we haven't found yet?
3. Do you have any ideas for how we can categorically prevent this class of problem in the future? Are there compiler plugins or linters which can warn on these cases and turn them into compile-time errors? Or code-review checklists that we can employ to more easily spot these potential overflows? This is a hard problem, but I think it's worth brainstorming on categorical solutions since this isn't the first time we've hit this class of problem (but hopefully it can be the last!).

I think we should definitely backport this fix, at least to 2.3 and possibly earlier.

[cloud-fan]

+1 on @JoshRosen 's ideas.

I've already seen several overflow fixes from @kiszk , it will be good if we have some tools to check it, even we need to run the tool manually. One idea may be to force to use java 8's safe math functions: https://docs.oracle.com/javase/8/docs/api/java/lang/Math.html#addExact-int-int-

[kiszk]

Good questions.

For 2, at first I found one of these issues when I looked at a file. Then, I ran grep command with long .*=.*\* and long .*=.*\+ in .java file. Then, I picked them up manually. It looks labor-intensive.

For 3, here is my thought.
SpotBugs may be a good candidate to check it.
SpotBug is a successor of findBugs. When I ran FindBugs before, I found some problems regarding possible overflow and then made a PR that was integrated. On the other hand, these issues may not be detected at that time.

I will look at SpotBugs after my presentation at SAIS will be finished :)

[kiszk]

@JoshRosen @cloud-fan
Here is an update.

I have just apply findBugs to OffHeapColumnVector.java and UnsafeArrayData.java.
In OffHeapColumnVector.java, most of possible overflows are detected. But, not all.
In UnsafeArrayData.java, two possible overflows are detected. Line 86 and 456. I overlooked Line 86.

[cloud-fan]

is findBugs available for scala code as well?

[kiszk]

Since it is Java bytecode analysis, it is available for Scala code, too.
In my quick test, findBugs overlooked a possible overflow. On the other hand, findBugs found another redundant null check.

[kiszk]

Since I found an plug-in for maven, I will also include a patch to add findBugs/SpotBugs into maven in this PR.

[JoshRosen]

Let's merge this as-is and do the build improvements in a separate PR. That's important because we may want to backport the overflow fix to maintenance branches and may want to do so independent of the build changes.

[kiszk]

Thank you for your comment. I will create another PR for integrating findBugs/SpotBugs into maven.

[cloud-fan]

do we need to cast everything to long? I think long + int + int + int is safe.

[kiszk]

You are right. It was too conservative. (2L * uaoSize) + klen + vlen + 8 can generate LMUL or LADD as follows:

    LDC 2
    ILOAD 9
    I2L
    LMUL
    ILOAD 4
    I2L
    LADD
    ILOAD 8
    I2L
    LADD
    LDC 8
    LADD
    LSTORE 10

[cloud-fan]

ditto

[cloud-fan]

@kiszk when you were running findBugs locally, did you find more overflow bugs that are not present in this PR? Let's put all discovered overflow bugs in this PR and have another PR to integrate findBugs with maven. Thanks!

[SparkQA]

Test build #91717 has finished for PR 21481 at commit 50a2585.

• This patch fails Java style tests.
• This patch merges cleanly.
• This patch adds no public classes.

[kiszk]

@cloud-fan addressed all of the possible integer overflows detected by SpotBugs.

[SparkQA]

Test build #91922 has finished for PR 21481 at commit a87c417.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[cloud-fan]

thanks, merging to master/2.3!