Skip to content

Tie vector lifetimes to DataChunkHandle#737

Merged
mlafeldt merged 6 commits into
mainfrom
fix-673-via-lifetimes
Apr 9, 2026
Merged

Tie vector lifetimes to DataChunkHandle#737
mlafeldt merged 6 commits into
mainfrom
fix-673-via-lifetimes

Conversation

@mlafeldt

@mlafeldt mlafeldt commented Apr 9, 2026
edited
Loading

Copy link
Copy Markdown
Member

Problem: FlatVector / ListVector / ArrayVector / StructVector could outlive their parent DataChunkHandle and read freed memory.

This PR:

  • adds 'a plus PhantomData<&'a ()> to all four vector wrappers
  • ties DataChunkHandle accessors to &self so returned vectors cannot outlive the chunk
  • propagates the same lifetime through child-vector accessors
  • adds a compile_fail doctest for the ListVector reproducer from Unsoundness: ListVector is missing a lifetime specifier, allowing use-after-free #673
  • removes the public raw vector constructors by making from_raw crate-private

Breaking:

  • downstream code that names these types now needs FlatVector<'_>, ListVector<'_>, etc.
  • direct raw construction from duckdb_vector is no longer part of the public API, raw callback code should go through WritableVector

Fixes #673

@mlafeldt mlafeldt self-assigned this Apr 9, 2026
mlafeldt added 5 commits April 9, 2026 11:40
@mlafeldt
Drop Vector trait and Any-based downcast in arrow helpers
da827f0 
The Vector trait existed solely to enable an Any downcast back to
FlatVector inside the arrow conversion helpers, and only FlatVector
ever implemented it. Replace `&mut dyn Vector` with `&mut FlatVector`
directly so the helpers no longer pretend to be polymorphic.
@mlafeldt
Tie vector lifetimes to DataChunkHandle to fix #673
c78c0e7 
- Flat/List/Array/StructVector could outlive their DataChunkHandle and
  read freed memory
- Add 'a + PhantomData<&'a ()> to all four vector types. DataChunkHandle
  accessors return FlatVector<'_> tied to &self, child accessors
  propagate
- Replace From<duckdb_vector> with unsafe fn from_raw<'a>
- Add compile_fail doctest on ListVector with the issue's reproducer
- Breaking change: downstream needs FlatVector<'_> + unsafe from_raw
  instead of From<duckdb_vector>
@mlafeldt
Tighten docs and flag aliasing follow-up
15d7e2e
@mlafeldt
More doc tweaks
b8867f3
@mlafeldt
Restrict raw vector constructors
99a7cad
@mlafeldt mlafeldt force-pushed the fix-673-via-lifetimes branch 2 times, most recently from 5938c22 to c8ed32c Compare April 9, 2026 10:24
@mlafeldt mlafeldt force-pushed the fix-673-via-lifetimes branch from c8ed32c to f6ea4a4 Compare April 9, 2026 10:29
@mlafeldt mlafeldt merged commit 6a00611 into main Apr 9, 2026
4 checks passed
@mlafeldt mlafeldt deleted the fix-673-via-lifetimes branch April 9, 2026 10:39
This was referenced Apr 9, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mlafeldt mlafeldt

Labels

Breaking Change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unsoundness: ListVector is missing a lifetime specifier, allowing use-after-free

1 participant

@mlafeldt