
fix(parquet): Avoid panic on malformed thrift bool fields in parquet metadata#9840

Merged
etseidl merged 2 commits into apache:main from BoazC-MSFT:fix-parquet-thrift-field-types-error-handling
Apr 28, 2026

@BoazC-MSFT
Contributor

Return a Parquet error when a compact thrift field is expected to be a bool but the field header contains a non-bool wire type. This replaces the remaining bool_val unwraps in generated thrift readers and the hand-expanded DataPageHeaderV2 reader.

Add regression tests for malformed DictionaryPageHeader.is_sorted and DataPageHeaderV2.is_compressed headers to ensure corrupt input returns an error instead of panicking.

Which issue does this PR close?

Rationale for this change

See #9839

What changes are included in this PR?

Proper error handling instead of using unwrap.

Are these changes tested?

Yes. Added 2 UTs.

Are there any user-facing changes?

An error string that can find its way all the way to the end user.

@github-actions github-actions Bot added the parquet Changes to the parquet crate label Apr 27, 2026
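
The failure mode this PR removes, as an added example (not code from arrow-rs or from the PR): in the compact Thrift encoding a bool field's value is carried in the field header's type nibble, so a reader that unwraps the decoded bool panics when a corrupt header carries another wire type. `ThriftError`, `FieldHeader` and the three functions are hypothetical names, and the input bytes are constructed.

```rust
// Added example, not arrow-rs code: every name below is hypothetical.
#[derive(Debug, PartialEq)]
pub enum ThriftError {
    Eof,
    StopOrLongForm, // delta nibble 0 (stop byte, long-form id): out of scope here
    ExpectedBool { field_id: i16, wire_type: u8 },
}

/// Compact-protocol field header. A bool carries no payload byte: its value
/// is the type nibble itself (1 = true, 2 = false).
pub struct FieldHeader {
    pub id: i16,
    pub wire_type: u8,
    pub bool_val: Option<bool>,
}

/// Decode a short-form header byte: high nibble = id delta, low nibble = type.
pub fn read_field_header(buf: &[u8], last_id: i16) -> Result<FieldHeader, ThriftError> {
    let b = *buf.first().ok_or(ThriftError::Eof)?;
    let (delta, wire_type) = ((b >> 4) as i16, b & 0x0f);
    if delta == 0 {
        return Err(ThriftError::StopOrLongForm);
    }
    let bool_val = match wire_type {
        1 => Some(true),
        2 => Some(false),
        _ => None, // any other wire type: the header holds no bool
    };
    Ok(FieldHeader { id: last_id.wrapping_add(delta), wire_type, bool_val })
}

/// "Before" shape: trusts the schema, so a corrupt header panics the reader.
pub fn read_bool_unwrap(buf: &[u8], last_id: i16) -> Result<bool, ThriftError> {
    Ok(read_field_header(buf, last_id)?.bool_val.unwrap())
}

/// "After" shape: a non-bool wire type becomes an error the caller can handle.
pub fn read_bool_checked(buf: &[u8], last_id: i16) -> Result<bool, ThriftError> {
    let f = read_field_header(buf, last_id)?;
    f.bool_val.ok_or(ThriftError::ExpectedBool { field_id: f.id, wire_type: f.wire_type })
}

fn main() {
    // Constructed bytes: field id 3 as bool true (0x11), then as i32 (0x15).
    println!("{:?}", read_bool_checked(&[0x11], 2));
    println!("{:?}", read_bool_checked(&[0x15], 2));
}
```
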
@etseidl
Contributor

etseidl commented Apr 27, 2026

run benchmark metadata

@adriangbot

🤖 Arrow criterion benchmark running (GKE) | trigger
Instance: c4a-highmem-16 (12 vCPU / 65 GiB) | Linux bench-c4329628226-1851-d988g 6.12.55+ #1 SMP Sun Feb 1 08:59:41 UTC 2026 aarch64 GNU/Linux

CPU Details (lscpu)
Architecture:                            aarch64
CPU op-mode(s):                          64-bit
Byte Order:                              Little Endian
CPU(s):                                  16
On-line CPU(s) list:                     0-15
Vendor ID:                               ARM
Model name:                              Neoverse-V2
Model:                                   1
Thread(s) per core:                      1
Core(s) per cluster:                     16
Socket(s):                               -
Cluster(s):                              1
Stepping:                                r0p1
BogoMIPS:                                2000.00
Flags:                                   fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm sb paca pacg dcpodp sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm svebf16 i8mm bf16 dgh rng bti
L1d cache:                               1 MiB (16 instances)
L1i cache:                               1 MiB (16 instances)
L2 cache:                                32 MiB (16 instances)
L3 cache:                                80 MiB (1 instance)
NUMA node(s):                            1
NUMA node0 CPU(s):                       0-15
Vulnerability Gather data sampling:      Not affected
Vulnerability Indirect target selection: Not affected
Vulnerability Itlb multihit:             Not affected
Vulnerability L1tf:                      Not affected
Vulnerability Mds:                       Not affected
Vulnerability Meltdown:                  Not affected
Vulnerability Mmio stale data:           Not affected
Vulnerability Reg file data sampling:    Not affected
Vulnerability Retbleed:                  Not affected
Vulnerability Spec rstack overflow:      Not affected
Vulnerability Spec store bypass:         Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1:                Mitigation; __user pointer sanitization
Vulnerability Spectre v2:                Mitigation; CSV2, BHB
Vulnerability Srbds:                     Not affected
Vulnerability Tsa:                       Not affected
Vulnerability Tsx async abort:           Not affected
Vulnerability Vmscape:                   Not affected

Comparing fix-parquet-thrift-field-types-error-handling (d134340) to 4fa8d2f (merge-base) diff
BENCH_NAME=metadata
BENCH_COMMAND=cargo bench --features=arrow,async,test_common,experimental,object_store --bench metadata
BENCH_FILTER=
Results will be posted here when complete



@adriangbot

🤖 Arrow criterion benchmark completed (GKE) | trigger

Instance: c4a-highmem-16 (12 vCPU / 65 GiB)


group                                            fix-parquet-thrift-field-types-error-handling    main
-----                                            ---------------------------------------------    ----
decode metadata (wide) with schema               1.00     27.2±0.32ms        ? ?/sec              1.02     27.7±0.41ms        ? ?/sec
decode metadata (wide) with skip PES             1.00     26.0±0.43ms        ? ?/sec              1.04     26.9±0.49ms        ? ?/sec
decode metadata (wide) with skip all stats       1.00     28.6±0.39ms        ? ?/sec              1.04     29.8±2.74ms        ? ?/sec
decode metadata (wide) with skip column stats    1.00     27.7±0.25ms        ? ?/sec              1.03     28.5±0.40ms        ? ?/sec
decode metadata (wide) with skip size stats      1.00     30.1±0.23ms        ? ?/sec              1.02     30.6±0.41ms        ? ?/sec
decode metadata (wide) with stats mask           1.00     26.1±0.28ms        ? ?/sec              1.03     26.7±0.47ms        ? ?/sec
decode metadata with schema                      1.00      3.9±0.02µs        ? ?/sec              1.03      4.0±0.03µs        ? ?/sec
decode metadata with skip PES                    1.00      6.8±0.06µs        ? ?/sec              1.02      6.9±0.05µs        ? ?/sec
decode metadata with skip column stats           1.00      6.6±0.06µs        ? ?/sec              1.02      6.8±0.04µs        ? ?/sec
decode metadata with stats mask                  1.00      6.7±0.07µs        ? ?/sec              1.02      6.9±0.05µs        ? ?/sec
decode parquet metadata                          1.00      6.9±0.05µs        ? ?/sec              1.03      7.2±0.05µs        ? ?/sec
decode parquet metadata (wide)                   1.00     29.1±0.26ms        ? ?/sec              1.03     29.9±0.46ms        ? ?/sec
decode parquet metadata w/ size stats (wide)     1.00     34.9±0.42ms        ? ?/sec              1.02     35.6±0.44ms        ? ?/sec
open(default)                                    1.00      7.7±0.09µs        ? ?/sec              1.00      7.7±0.05µs        ? ?/sec
open(page index)                                 1.01     87.1±0.08µs        ? ?/sec              1.00     86.2±0.11µs        ? ?/sec

Resource Usage

base (merge-base)

Metric         Value
------         -----
Wall time      150.0s
Peak memory    4.3 GiB
Avg memory     4.2 GiB
CPU user       144.9s
CPU sys        0.7s
Peak spill     0 B

branch

Metric         Value
------         -----
Wall time      145.0s
Peak memory    4.3 GiB
Avg memory     4.2 GiB
CPU user       142.7s
CPU sys        0.2s
Peak spill     0 B

Contributor

@etseidl etseidl left a comment


Looks like an improvement to me. Thanks @BoazC-MSFT

Comment thread parquet/src/file/metadata/thrift/mod.rs Outdated
@etseidl
Contributor

etseidl commented Apr 28, 2026

I plan to merge this after the 58.2.0 RC is tagged. Thanks again @BoazC-MSFT.

@etseidl etseidl merged commit fe3c0c9 into apache:main Apr 28, 2026
16 checks passed
Rich-T-kid pushed a commit to Rich-T-kid/arrow-rs that referenced this pull request Jun 2, 2026
…metadata (apache#9840)

Return a Parquet error when a compact thrift field is expected to be a
`bool` but the field header contains a non-bool wire type. This replaces
the remaining `bool_val` unwraps in generated thrift readers and the
hand-expanded `DataPageHeaderV2` reader.

Add regression tests for malformed `DictionaryPageHeader.is_sorted` and
`DataPageHeaderV2.is_compressed` headers to ensure corrupt input returns
an error instead of panicking.

# Which issue does this PR close?

- Closes apache#9839.

# Rationale for this change
See apache#9839

# What changes are included in this PR?
Proper error handling instead of using `unwrap`.

# Are these changes tested?
Yes. Added 2 UTs.

# Are there any user-facing changes?
An error string that can find its way all the way to the end user.

Successfully merging this pull request may close these issues.

Panic when reading malformed compact-Thrift bool fields in Parquet page metadata
