[core/zip+lzma] Properly account for header size

[hahnjo]

The compression algorithms only see the buffers without the header, so the sizes have to be adjusted accordingly.

Fixes #14508

FYI @Dr15Jones

[phsft-bot]

Starting build on ROOT-performance-centos8-multicore/soversion, ROOT-ubuntu2204/nortcxxmod, ROOT-ubuntu2004/python3, mac12arm/cxx20, windows10/default
How to customize builds

[hahnjo]

IMHO this is quite bad - to how many ROOT versions should we backport this? This problem is basically hiding there all the way since commit 4b54256 in 2011!

[phsft-bot]

Build failed on windows10/default.
Running on null:C:\build\workspace\root-pullrequests-build
See console output.

Failing tests:

• projectroot.roottest.root.tree.cache.roottest_root_tree_cache_TooSmall
• projectroot.roottest.root.tree.cloning.roottest_root_tree_cloning_assertBranchCount
• projectroot.roottest.root.tree.cloning.roottest_root_tree_cloning_deepClass
• projectroot.roottest.root.tree.entrylist.gtesttest_root_tree_entrylist_test_tentrylist_regression_intoverflow
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runSplitMismatch
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runfilemergererror
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runcloneChain
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runabstract_copy
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runoutoforder
• projectroot.roottest.root.tree.fastcloning.roottest_root_tree_fastcloning_runPlot

And 5 more

[github-actions]

Test Results

    10 files      10 suites   1d 22h 34m 10s ⏱️
 2 497 tests  2 495 ✅   0 💤 2 ❌
23 869 runs  23 593 ✅ 272 💤 4 ❌

For more details on these failures, see this check.

Results for commit 45e09b2.

♻️ This comment has been updated with latest results.

[phsft-bot]

Starting build on ROOT-performance-centos8-multicore/soversion, ROOT-ubuntu2204/nortcxxmod, ROOT-ubuntu2004/python3, mac12arm/cxx20, windows10/default
How to customize builds

[hahnjo]

So @jblomer naively asked "what about ZLIB", and it turns out to be equally wrong... I also added a test that at least catches the compression side of things. For the decompression, it's a bit harder because it's not clear how to check if the library read more bytes than it should have (without it running into errors because of decompression errors).

[hahnjo]

After more investigation, it seems that all existing code paths in TKey.cxx, TBufferXML.cxx, TMessage.cxx, and TBasket.cxx allocate a buffer that is slightly larger, so it's probably not an as critical problem for the non-RNTuple case...

[phsft-bot]

Starting build on ROOT-performance-centos8-multicore/soversion, ROOT-ubuntu2204/nortcxxmod, ROOT-ubuntu2004/python3, mac12arm/cxx20, windows10/default
How to customize builds

[pcanal]

(pending review)

[hahnjo]

To reiterate on why we "only" need to fix gzip and lzma: The other compression algorithms already do this,

root/core/lz4/src/ZipLZ4.cxx

Lines 54 to 58 in e8545f7

	if (cxlevel >= 4) {
	returnStatus = LZ4_compress_HC(src, &tgt[kHeaderSize], *srcsize, *tgtsize - kHeaderSize, cxlevel);
	} else {
	returnStatus = LZ4_compress_default(src, &tgt[kHeaderSize], *srcsize, *tgtsize - kHeaderSize);
	}

root/core/zip/src/RZip.cxx

Lines 145 to 148 in e8545f7

	state.out_buf = tgt;
	state.out_size = (unsigned) (*tgtsize);
	state.out_offset = HDRSIZE;
	state.R__window_size = 0L;

(that's the very original code with the old compression algorithm; it uses an offset which is correct by construction)

root/core/zstd/src/ZipZSTD.cxx

Lines 32 to 35 in e8545f7

	size_t retval = ZSTD_compressCCtx(fCtx.get(),
	&tgt[kHeaderSize], static_cast<size_t>(*tgtsize - kHeaderSize),
	src, static_cast<size_t>(*srcsize),
	2*cxlevel);

[pcanal]

Note that the problem appears (and/or is uncovered) 'recently' and was "introduced" by e052b58: [ntuple] RPageSinkBuf: Always seal before CommitCluster (prior to this commit valgrind is silent).

[hahnjo]

Somewhat, that commit made it more likely for regular users to run into the problem: Essentially, the commit moved code around to always seal pages in CommitPage. Before it was only done when implicit MT was enabled, and the original reproducer code fails in ROOT 6.30 with a preceding call to ROOT::EnableImplicitMT(). In my understanding, that's also what CMSSW does, so for them it doesn't make a difference. (In fact, the problematic pattern of exactly allocating as many bytes as the uncompressed page holds can be traced back to commits 1ea8447 and 88bd1f0 at the very beginning of RPageSinkBuf's history)

[hahnjo]

ping @pcanal it would be really good to have the fix in, my understanding is that it blocks CMS RNTuple work...

[phsft-bot]

Starting build on ROOT-performance-centos8-multicore/soversion, ROOT-ubuntu2204/nortcxxmod, ROOT-ubuntu2004/python3, mac12arm/cxx20, windows10/default
How to customize builds

[pcanal]

To reiterate on why we "only" need to fix gzip and lzma: The other compression algorithms already do this,

Indeed. The diffs was made less obvious because:
ZLIB decompression is already doing the right thing.
ZLIB and LZMA use a struct to pass the configuration rather than function argument so the code pattern is slight different.

it seems that all existing code paths in TKey.cxx, TBufferXML.cxx, TMessage.cxx, and TBasket.cxx allocate a buffer that is slightly larger, so it's probably not an as critical problem

Right, the allocations is done:

      Int_t buflen = TMath::Max(512,fKeylen + fObjlen + 9*nbuffers + 28); //add 28 bytes in case object is placed in a deleted gap

and used via

          char *bufcur = &fBuffer[fKeylen];

so the only extra is 9*nbuffers + 28 which reduces the risk of writing the end since the size is larger than fObjlen + kHeaderSize but that leaves 2 additional question:

• why are those added?
• why doesn't RNTuple need it?

01bb696 hints that the compression engine were seen as writing past the end ... it is plausible since the prior delta was ``9*nbuffers + 8withnbuffers==0` is common case. (in hindsight, this commit was not investigated long enough and needed a test).

The 9*nbuffers is meant to be for the keys and is now inaccurate (most algorithms have a 9 bytes header but for lz4 we have seemingly 73. This part is missing from the RNTuple usage. The consequences is that on data set that is not compressible TTree might use a bit more space (header + barely compressed size) vs RNTuple (uncompressed size which might be less than header + barely compressed size).

This of course assume that the compression algorithm strictly respect the limit given (it would be a serious security risk if not).

The 8 is commented as "8 bytes in case object is placed in a deleted gap" (the 20 was seemingly added to work-around the bug fixed here) and is not clear to me (the 'delete gap' is most likely talking about a space 'freed' inside a ROOT file.

[pcanal]

LGTM. Thanks. This patch needs to be backported to as many older releases as possible as it can lead to a memory over-write even in the case of TTree (the compression is being given a memory area smaller than it is and unless the compression algorithm stops before it has over-inflated the object by 28+9 bytes, it might still happens)

A a side note, the extra size given by TKey and TBaskets probably should be removed (delta understanding why there was a +8 "in case object is placed in a deleted gap".

[pcanal]

(delta understanding why there was a +8 "in case object is placed in a deleted gap".

I am now guessing that this was a micro optimization to better manage the memory. We should also consider to remove it.

[hahnjo]

01bb696 hints that the compression engine were seen as writing past the end ... it is plausible since the prior delta was 9*nbuffers + 8 with nbuffers==0 is common case. (in hindsight, this commit was not investigated long enough and needed a test).

I think nbuffers >= 1 in all cases, so we should always have 9 additional bytes beyond what we tell R__zipMultipleAlgorithm.

This of course assume that the compression algorithm strictly respect the limit given (it would be a serious security risk if not).

Yes, we have to operate under that assumption.

This patch needs to be backported to as many older releases as possible as it can lead to a memory over-write even in the case of TTree (the compression is being given a memory area smaller than it is and unless the compression algorithm stops before it has over-inflated the object by 28+9 bytes, it might still happens)

Yes, I think the compression algorithms stop at the buffer sizes we give them. Unless I'm missing something, this means only RNTuple was affected by this and TTree was fine because of the slightly larger buffers? For now, I've opened backports for 6.30 (#14624), 6.28 (#14625), and 6.26 (#14626). If we find that TTree is also affected, we can (and have to) open more backports.

A a side note, the extra size given by TKey and TBaskets probably should be removed (delta understanding why there was a +8 "in case object is placed in a deleted gap".

Ok, we can try (in master). We have to be careful though, I don't want to introduce more memory errors for writing TTrees...