Fix dangling reference in CartesianProductJoin (#2684)

hannahbast · Hannah Bast · commit cca37689eb8b · 2026-02-02T07:37:13.000+01:00
A `CartesianProductJoin` materializes its inputs, except for the one with the largest size estimate, which is consumed lazily if possible. The materialized inputs are stored in the cache when there is enough space available. Because of a regression introduced in #2307, it could happen that the materialized input was evicted from the cache while the `CartesianProductJoin` still held a reference to it, leading to a dangling reference and undefined behavior. This is now fixed by keeping the materialized inputs alive for the duration of the `CartesianProductJoin`. Also add a corresponding regression test. In particular, fixes #2683 NOTE: Results being kept alive while already evicted from the cache means that we use more memory than intended. However, that is a more general problem that is not specific to this case and should be addressed separately.
diff --git a/src/engine/CartesianProductJoin.cpp b/src/engine/CartesianProductJoin.cpp
@@ -1,6 +1,12 @@
-//  Copyright 2023, University of Freiburg,
-//                  Chair of Algorithms and Data Structures.
-//  Author: Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>
+// Copyright 2024 - 2026 The QLever Authors, in particular:
+//
+// 2023 - 2025 Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>, UFR
+// 2026        Hannah Bast <bast@cs.uni-freiburg.de>, UFR
+//
+// UFR = University of Freiburg, Chair of Algorithms and Data Structures
+
+// You may not use this file except in compliance with the Apache 2.0 License,
+// which can be found in the `LICENSE` file at the root of the QLever project.
 
 #include "engine/CartesianProductJoin.h"
 
@@ -360,7 +366,7 @@ CPP_template_def(typename R)(requires ql::ranges::range<R>) Result::LazyResult
 // _____________________________________________________________________________
 Result::LazyResult CartesianProductJoin::createLazyConsumer(
     LocalVocab staticMergedVocab,
-    ql::span<const std::shared_ptr<const Result>> subresults,
+    std::vector<std::shared_ptr<const Result>> subresults,
     std::shared_ptr<const Result> lazyResult) const {
   AD_CONTRACT_CHECK(lazyResult);
   std::vector<std::reference_wrapper<const IdTable>> idTables;
@@ -371,7 +377,8 @@ Result::LazyResult CartesianProductJoin::createLazyConsumer(
   auto get = [self = this, staticMergedVocab = std::move(staticMergedVocab),
               limit = getLimitOffset().limitOrDefault(),
               offset = getLimitOffset()._offset, idTables = std::move(idTables),
-              lastTableOffset = size_t{0}, producedTableSize = size_t{0},
+              subresults = std::move(subresults), lastTableOffset = size_t{0},
+              producedTableSize = size_t{0},
               idTableOpt = std::optional<Result::IdTableVocabPair>{}](
                  auto& idTableVocabPair) mutable {
     // These things have to be done after handling a single input, so we do them
diff --git a/src/engine/CartesianProductJoin.h b/src/engine/CartesianProductJoin.h
@@ -1,6 +1,12 @@
-//  Copyright 2023, University of Freiburg,
-//                  Chair of Algorithms and Data Structures.
-//  Author: Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>
+// Copyright 2024 - 2026 The QLever Authors, in particular:
+//
+// 2023 - 2025 Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>, UFR
+// 2026        Hannah Bast <bast@cs.uni-freiburg.de>, UFR
+//
+// UFR = University of Freiburg, Chair of Algorithms and Data Structures
+
+// You may not use this file except in compliance with the Apache 2.0 License,
+// which can be found in the `LICENSE` file at the root of the QLever project.
 
 #ifndef QLEVER_SRC_ENGINE_CARTESIANPRODUCTJOIN_H
 #define QLEVER_SRC_ENGINE_CARTESIANPRODUCTJOIN_H
@@ -132,7 +138,7 @@ class CartesianProductJoin : public Operation {
   // Similar to `produceTablesLazily` but can handle a single lazy result.
   Result::LazyResult createLazyConsumer(
       LocalVocab staticMergedVocab,
-      ql::span<const std::shared_ptr<const Result>> subresults,
+      std::vector<std::shared_ptr<const Result>> subresults,
       std::shared_ptr<const Result> lazyResult) const;
 };
 
diff --git a/test/engine/CartesianProductJoinTest.cpp b/test/engine/CartesianProductJoinTest.cpp
@@ -1,6 +1,12 @@
-//  Copyright 2024, University of Freiburg,
-//                  Chair of Algorithms and Data Structures.
-//  Author: Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>
+// Copyright 2024 - 2026 The QLever Authors, in particular:
+//
+// 2024 Johannes Kalmbach <kalmbach@cs.uni-freiburg.de>, UFR
+// 2025 Hannah Bast <bast@cs.uni-freiburg.de>, UFR
+//
+// UFR = University of Freiburg, Chair of Algorithms and Data Structures
+
+// You may not use this file except in compliance with the Apache 2.0 License,
+// which can be found in the `LICENSE` file at the root of the QLever project.
 
 #include <gmock/gmock.h>
 
@@ -647,6 +653,64 @@ INSTANTIATE_TEST_SUITE_P(
       return std::move(stream).str();
     });
 
+// Test that `CartesianProductJoin::createLazyConsumer` keeps the materialized
+// child results alive even after the cache evicts them.
+//
+// NOTE: This is part of https://github.com/ad-freiburg/qlever/pull/2684, which
+// fixes the regression from https://github.com/ad-freiburg/qlever/issues/2307,
+// where `createLazyConsumer` stored `reference_wrapper<const IdTable>` without
+// capturing the owning `shared_ptr<const Result>`, leading to use-after-free
+// when the cache evicted the child results under concurrent load.
+TEST(CartesianProductJoin, createLazyConsumerKeepsChildResultsAlive) {
+  auto* qec = ad_utility::testing::getQec();
+  using Vars = std::vector<std::optional<Variable>>;
+
+  // Clear the cache to avoid interference from other tests.
+  qec->getQueryTreeCache().clearAll();
+
+  // Create two inputs for a `CartesianProductJoin`, a materialized input with
+  // small size estimate, and a lazy input with larger size estimate.
+  //
+  // NOTE: The `CartesianProductJoin` sorts its children by size estimate,
+  // and consumes only the child with the largest size estimate lazily.
+  CartesianProductJoin::Children children;
+  IdTable materializedInput = makeIdTableFromVector({{1}, {2}, {3}});
+  children.push_back(ad_utility::makeExecutionTree<ValuesForTesting>(
+      qec, materializedInput.clone(), Vars{Variable{"?a"}}));
+  std::dynamic_pointer_cast<ValuesForTesting>(
+      children.back()->getRootOperation())
+      ->sizeEstimate() = 1;
+  std::vector<IdTable> lazyInput;
+  lazyInput.push_back(makeIdTableFromVector({{10}, {11}}));
+  lazyInput.push_back(makeIdTableFromVector({{12}, {13}}));
+  children.push_back(ad_utility::makeExecutionTree<ValuesForTesting>(
+      qec, std::move(lazyInput), Vars{Variable{"?b"}}));
+  std::dynamic_pointer_cast<ValuesForTesting>(
+      children.back()->getRootOperation())
+      ->sizeEstimate() = 100;
+
+  // Pre-populate the cache with the materialized input and keep a `weak_ptr`
+  // to track its lifetime.
+  auto childResult = children[0]->getRootOperation()->getResult(
+      false, ComputationMode::FULLY_MATERIALIZED);
+  std::weak_ptr<const Result> weakChildResult = childResult;
+  childResult.reset();
+
+  // Now perform the Cartesian product join and get the lazy result.
+  // Internally, `calculateSubResults` finds the materialized input in the
+  // cache, and `createLazyConsumer` stores a `reference_wrapper` to the
+  // `IdTable` of the materialized input.
+  CartesianProductJoin join{qec, std::move(children)};
+  auto result = join.computeResultOnlyForTesting(true);
+  ASSERT_FALSE(result.isFullyMaterialized());
+
+  // Clear the cache and check that the materialized input has been
+  // kept alive by the lazy consumer. In an earlier version of the code, any
+  // reference to it would have been dangling at this point.
+  qec->getQueryTreeCache().clearAll();
+  ASSERT_FALSE(weakChildResult.expired());
+}
+
 // _____________________________________________________________________________
 TEST(CartesianProductJoin, clone) {
   auto qec = getQec();
