Describe the bug
In LargeListVector.setValueCount(), the precondition check that validates childValueCount before casting from long to int uses || instead of &&, making the condition always evaluate to true:
Preconditions.checkArgument(
childValueCount <= Integer.MAX_VALUE || childValueCount >= Integer.MIN_VALUE,
"LargeListVector doesn't yet support 64-bit allocations: %s",
childValueCount);For any long value x, at least one of x <= Integer.MAX_VALUE or x >= Integer.MIN_VALUE is always true (their union covers the entire long range), so the check never rejects any value.
This means:
- A
childValueCount exceeding Integer.MAX_VALUE silently truncates when cast to (int), causing data corruption
- A negative
childValueCount (from corrupted offset data) is silently passed through
Expected behavior
The check should use && with a lower bound of 0 (since childValueCount represents element count and must be non-negative):
Preconditions.checkArgument(
childValueCount <= Integer.MAX_VALUE && childValueCount >= 0,
"LargeListVector doesn't yet support 64-bit allocations: %s",
childValueCount);This is consistent with the correct implementation in LargeListViewVector.setValueCount() (line 887-890).
Component(s)
Java
Describe the bug
In
LargeListVector.setValueCount(), the precondition check that validateschildValueCountbefore casting fromlongtointuses||instead of&&, making the condition always evaluate totrue:For any
longvaluex, at least one ofx <= Integer.MAX_VALUEorx >= Integer.MIN_VALUEis always true (their union covers the entirelongrange), so the check never rejects any value.This means:
childValueCountexceedingInteger.MAX_VALUEsilently truncates when cast to(int), causing data corruptionchildValueCount(from corrupted offset data) is silently passed throughExpected behavior
The check should use
&&with a lower bound of0(sincechildValueCountrepresents element count and must be non-negative):This is consistent with the correct implementation in
LargeListViewVector.setValueCount()(line 887-890).Component(s)
Java