fix(c/driver_manager): protect against uninitialized AdbcError

[cdaudt]

ADBC C API functions should initialize AdbcError struct passed into them instead of assuming that the caller did so. Given that these are "output-only" type parameters there is usually no expectation that they need to be zeroed coming into API calls.
This PR updates driver-manager. If all looks good and it gets merged, I'll follow up with equivalent PRs for the drivers.

[github-actions]

⚠️ Please follow the Conventional Commits format in CONTRIBUTING.md for PR titles.

[lidavidm]

Thanks!

I'll note, some drivers deliberately append to an existing error, which we can't do with this. (Also, this means that you need to check and release the error before making further calls: probably good practice, but will also trip people up)

[lidavidm]

Finally, I think all current implementations assume caller will zero things, for all structures - not just the error.

[cdaudt]

Hi - thanks for the feedback. The api defines this field as '[out]' and thus the caller should not expect that anything passed into the API will survive. e.g. here: AdbcConnectionRelease
But I do agree that while the driver manager is okay in that calls such as AdbcConnectionRelease are only called from the API clients, the same is not true in the actual drivers, where the same function is used both to provide the public API as well as the callback to the driver manager today. Will need to address that in equivalent changes to the drivers.

[lidavidm]

Fair enough.

I'm going to be out for the next couple weeks so I won't be able to review, but it's probably reasonable. (I'd still rather that people explicitly zero things like AdbcStatement before use, though.)

I'll also note individual drivers are both linked to directly and used via the driver manager so there's not a clear internal/external API boundary there. (Oh, you already noted that.)

[lidavidm]

Reset or something might be clearer? (Or is there a need for a function when it's only one line of code?)

[cdaudt]

It is small - I can replace with a direct call to memset.

[cdaudt]

After seeing @kou comments below I'll rename the fn to AdbcErrorReset and check for null as well.

[lidavidm]

Also, CC @zeroshade if you have any opinions?

[kou]

Our documentations says that the caller must initialize AdbcError:

arrow-adbc/adbc.h

Lines 169 to 171 in 639ca71

	/// optional out parameter, which can be inspected. If provided, it is
	/// the responsibility of the caller to zero-initialize the AdbcError
	/// value.

Should we update this too?

The suggested behavior may be convenience but may cause a memory leak unexpectedly:

struct AdbcError error = {};
AdbcDatabaseNew(..., &error); // error
// error->release(error); // forget to call release()
AdbcDatabaseNew(..., &error); // reuse same error.
                              // current behavior: message is appended
                              // suggested behavior: memory leak 

[kou]

We should add a NULL check because error is an optional out parameter.

[cdaudt]

yes, you're right. So maybe a reason to keep the AdbcErrorInit function, and add a null check. I missed that comment in adbc.h - if that is the defined behaviour then the docs should probably replicate it to the individual API calls (DatabaseNew/ConnectionNew/StatementNew already call out that the Database/Connection/Statement parameters must be zero initialized).
As a defensive mechanism on the API whoever I do think it should be explicit in zeroing it, as in the current implementation if it is not zeroed then you get erratic behaviour (which is how I came across this - I was getting a segmentation violation because "message" had junk in it going in because I didn't realize I needed to initialize to zero, and that caused SetError to incorrectly call error->release() which also contained junk and caused the segmentation violation).
the need for the "error->release()" call by the API caller is something I had planned to bring up separately - seems like a bad idea to pass allocation back in an optional error field that is then responsibility of the caller to free (and I don't even see that mentioned in the documentation btw).

[lidavidm]

The struggle is that we don't want to assume libc malloc/free (possibly we could/should have). You can see this pattern in the Arrow C Data Interface as well where all structs have an explicit release callback.

[lidavidm]

If it's documented in the header (thanks Kou for checking!) then we should stick to the existing behavior.

[cdaudt]

If it's documented in the header (thanks Kou for checking!) then we should stick to the existing behavior.

this patch doesn't require a change to the existing behaviour. If a caller does pass in a zero AdbcError then this patch doesn't harm that (just an added memset overhead which is a small price to pay for the protection to the API imo).
Do you mean you prefer I drop the patch?
The separate issue of driver-manager -> driver calls bypassing the zero'ed out AdbcError expectation on purpose seems like a bad way to get driver-manager & driver to collaborate on filling up an error structure. I can send a separate patch to try to address that.

[lidavidm]

Ah, you're right. Then checking for null should be enough.

[cdaudt]

Ah, you're right. Then checking for null should be enough.

okay - I've resubmitted the PR with the null check + rename AdbcErrorInit -> AdbcErrorReset (and added a testcase for nullptr being passed into AdbcError). I did mess up the amend and ended up with an extra merge commit (haven't done a PR in a little while). Let me know if it looks okay or I should resubmit.

[lidavidm]

LGTM. Thanks!

Kou or @zeroshade, any other opinions here?

[lidavidm]

Ah, though there's still leaks in the tests.

[lidavidm]

Probably because of the exact issue that Kou pointed out; it makes it easier to leak memory if you don't check the error (though of course, you should be checking the error).

[lidavidm]

So the real question is which footgun do we prefer

[kou]

So the real question is which footgun do we prefer

I prefer the current specification (the caller is responsible to initialize AdbcError) because it's not strange in general C API and the suggested API may cause memory leaks implicitly like the current tests.

(It's not a strong opinion.)

[kou]

We need to call invalid_err.release(&invalid_err) after this.

[cdaudt]

Yes, there are a few missing releases (in my patch and other tests). Updating the patchset to add these.

[kou]

Ditto.

[kou]

Ditto.

[cdaudt]

hi @kou @lidavidm just a ping on this - are you okay to proceed with this PR? If so I'll rebase to latest and resubmit.

[kou]

I think that we don't need this but I defer to @lidavidm.

[kou]

Do we need this if? I think that this must have ADBC_STATUS_INVALID_STATE error.

Suggested change

	if (invalid_err.release) invalid_err.release(&invalid_err);
	invalid_err.release(&invalid_err);

[kou]

Why do we need this if?

Suggested change

	if (error.release) error.release(&error);
	error.release(&error);

[kou]

Why do we need this instead of existing error?

[kou]

Is this correct?

Suggested change

	ASSERT_THAT(AdbcDatabaseNew(&database, &error), IsOkStatus(&invalid_err));
	ASSERT_THAT(AdbcDatabaseNew(&database, &invalid_err), IsOkStatus(&invalid_err));

[kou]

Suggested change

	if (invalid_err.release) invalid_err.release(&invalid_err);
	invalid_err.release(&invalid_err);

[kou]

Suggested change

[kou]

Suggested change

[kou]

Suggested change

[kou]

Suggested change

	if (error.release) error.release(&error);
	error.release(&error);

and others...

[lidavidm]

I think for self-consistency we should stick with requiring that the user zero out all structs before use. This is maybe less convenient but makes intent clearer.

[lidavidm]

In light of bugs like #729, effectively the implementation requires that all structs must be zero-initialized (Golang-based drivers require that all inputs must be initialized). #946/#954 will only exacerbate this, so I think we will have to keep things as-is. Thank you for raising this behavior with us!