[fix](rpc) Fix AutoReleaseClosure data race with callback reuse

be/src/exec/exchange/vdata_stream_sender.h

@@ -164,6 +164,7 @@ class Channel {
 
     std::shared_ptr<ExchangeSendCallback<PTransmitDataResult>> get_send_callback(RpcInstance* ins,
                                                                                  bool eos) {
+        // here we reuse the callback because it's re-construction may be expensive due to many parameters' capture
         if (!_send_callback) {
             _send_callback = ExchangeSendCallback<PTransmitDataResult>::create_shared();
         } else {

be/src/exec/operator/exchange_sink_buffer.cpp

@@ -347,6 +347,7 @@ Status ExchangeSinkBuffer::_send_rpc(RpcInstance& instance_data) {
             }
             // The eos here only indicates that the current exchange sink has reached eos.
             // However, the queue still contains data from other exchange sinks, so RPCs need to continue being sent.
+            // `_send_rpc` must be the LAST operation in this function, because it may reuse the callback!
             s = _send_rpc(ins);
             if (!s) {
                 _failed(ins.id,
@@ -473,9 +474,9 @@ Status ExchangeSinkBuffer::_send_rpc(RpcInstance& instance_data) {
             } else if (eos) {
                 _ended(ins);
             }
-
             // The eos here only indicates that the current exchange sink has reached eos.
             // However, the queue still contains data from other exchange sinks, so RPCs need to continue being sent.
+            // `_send_rpc` must be the LAST operation in this function, because it may reuse the callback!
             s = _send_rpc(ins);
             if (!s) {
                 _failed(ins.id,

be/src/exec/runtime_filter/runtime_filter.cpp

@@ -39,10 +39,7 @@ Status RuntimeFilter::_push_to_remote(RuntimeState* state, const TNetworkAddress
     auto merge_filter_callback = DummyBrpcCallback<PMergeFilterResponse>::create_shared();
     auto merge_filter_closure =
             AutoReleaseClosure<PMergeFilterRequest, DummyBrpcCallback<PMergeFilterResponse>>::
-                    create_unique(merge_filter_request, merge_filter_callback,
-                                  state->query_options().ignore_runtime_filter_error
-                                          ? std::weak_ptr<QueryContext> {}
-                                          : state->get_query_ctx_weak());
+                    create_unique(merge_filter_request, merge_filter_callback);
     void* data = nullptr;
     int len = 0;
 

be/src/exec/runtime_filter/runtime_filter_mgr.cpp

@@ -259,8 +259,6 @@ Status RuntimeFilterMergeControllerEntity::send_filter_size(std::shared_ptr<Quer
     Status st = Status::OK();
     // After all runtime filters' size are collected, we should send response to all producers.
     if (cnt_val.merger->add_rf_size(request->filter_size())) {
-        auto ctx = query_ctx->ignore_runtime_filter_error() ? std::weak_ptr<QueryContext> {}
-                                                            : query_ctx;
         for (auto addr : cnt_val.source_addrs) {
             std::shared_ptr<PBackendService_Stub> stub(
                     ExecEnv::GetInstance()->brpc_internal_client_cache()->get_client(addr));
@@ -277,7 +275,7 @@ Status RuntimeFilterMergeControllerEntity::send_filter_size(std::shared_ptr<Quer
             auto closure = AutoReleaseClosure<PSyncFilterSizeRequest,
                                               DummyBrpcCallback<PSyncFilterSizeResponse>>::
                     create_unique(sync_request,
-                                  DummyBrpcCallback<PSyncFilterSizeResponse>::create_shared(), ctx);
+                                  DummyBrpcCallback<PSyncFilterSizeResponse>::create_shared());
 
             auto* pquery_id = closure->request_->mutable_query_id();
             pquery_id->set_hi(query_ctx->query_id().hi);
@@ -376,17 +374,13 @@ Status RuntimeFilterMergeControllerEntity::merge(std::shared_ptr<QueryContext> q
     }
 
     if (is_ready) {
-        return _send_rf_to_target(cnt_val,
-                                  query_ctx->ignore_runtime_filter_error()
-                                          ? std::weak_ptr<QueryContext> {}
-                                          : query_ctx,
-                                  merge_time, request->query_id(), query_ctx->execution_timeout());
+        return _send_rf_to_target(cnt_val, merge_time, request->query_id(),
+                                  query_ctx->execution_timeout());
     }
     return Status::OK();
 }
 
 Status RuntimeFilterMergeControllerEntity::_send_rf_to_target(GlobalMergeContext& cnt_val,
-                                                              std::weak_ptr<QueryContext> ctx,
                                                               int64_t merge_time,
                                                               PUniqueId query_id,
                                                               int execution_timeout) {
@@ -429,7 +423,7 @@ Status RuntimeFilterMergeControllerEntity::_send_rf_to_target(GlobalMergeContext
         auto closure = AutoReleaseClosure<PPublishFilterRequestV2,
                                           DummyBrpcCallback<PPublishFilterResponse>>::
                 create_unique(std::make_shared<PPublishFilterRequestV2>(apply_request),
-                              DummyBrpcCallback<PPublishFilterResponse>::create_shared(), ctx);
+                              DummyBrpcCallback<PPublishFilterResponse>::create_shared());
 
         closure->request_->set_merge_time(merge_time);
         *closure->request_->mutable_query_id() = query_id;

be/src/exec/runtime_filter/runtime_filter_mgr.h

@@ -182,8 +182,8 @@ class RuntimeFilterMergeControllerEntity {
                            const std::vector<TRuntimeFilterTargetParamsV2>&& target_info,
                            const int producer_size);
 
-    Status _send_rf_to_target(GlobalMergeContext& cnt_val, std::weak_ptr<QueryContext> ctx,
-                              int64_t merge_time, PUniqueId query_id, int execution_timeout);
+    Status _send_rf_to_target(GlobalMergeContext& cnt_val, int64_t merge_time, PUniqueId query_id,
+                              int execution_timeout);
 
     // protect _filter_map
     std::shared_mutex _filter_map_mutex;

be/src/exec/runtime_filter/runtime_filter_producer.cpp

@@ -98,51 +98,43 @@ Status RuntimeFilterProducer::publish(RuntimeState* state, bool build_hash_table
     return Status::OK();
 }
 
-class SyncSizeClosure : public AutoReleaseClosure<PSendFilterSizeRequest,
-                                                  DummyBrpcCallback<PSendFilterSizeResponse>> {
-    std::shared_ptr<Dependency> _dependency;
-    // Should use weak ptr here, because when query context deconstructs, should also delete runtime filter
-    // context, it not the memory is not released. And rpc is in another thread, it will hold rf context
-    // after query context because the rpc is not returned.
-    std::weak_ptr<RuntimeFilterWrapper> _wrapper;
-    using Base =
-            AutoReleaseClosure<PSendFilterSizeRequest, DummyBrpcCallback<PSendFilterSizeResponse>>;
-    friend class RuntimeFilterProducer;
-    ENABLE_FACTORY_CREATOR(SyncSizeClosure);
+// Callback for sync-size RPCs. Handles errors (disable wrapper + sub dependency) in call().
+class SyncSizeCallback : public DummyBrpcCallback<PSendFilterSizeResponse> {
+    ENABLE_FACTORY_CREATOR(SyncSizeCallback);
 
-    void _process_if_rpc_failed() override {
-        Defer defer {[&]() {
-            Base::_process_if_rpc_failed();
+public:
+    SyncSizeCallback(std::shared_ptr<Dependency> dependency,
+                     std::shared_ptr<RuntimeFilterWrapper> wrapper)
+            : _dependency(std::move(dependency)), _wrapper(wrapper) {}
+
+    void call() override {
+        // On error: disable the wrapper and sub the dependency here, because set_synced_size()
+        // will never be called (the merge node won't respond with a sync).
+        // On success: do NOT sub here. The merge node will respond with sync_filter_size,
+        // which calls set_synced_size() -> _dependency->sub().
+        if (cntl_->Failed()) {
+            if (auto w = _wrapper.lock()) {
+                w->set_state(RuntimeFilterWrapper::State::DISABLED, cntl_->ErrorText());
+            }
             ((CountedFinishDependency*)_dependency.get())->sub();
-        }};
-        auto wrapper = _wrapper.lock();
-        if (!wrapper) {
             return;
         }
 
-        wrapper->set_state(RuntimeFilterWrapper::State::DISABLED, cntl_->ErrorText());
-    }
-
-    void _process_if_meet_error_status(const Status& status) override {
-        Defer defer {[&]() {
-            Base::_process_if_meet_error_status(status);
+        Status status = Status::create(response_->status());
+        if (!status.ok()) {
+            if (auto w = _wrapper.lock()) {
+                w->set_state(RuntimeFilterWrapper::State::DISABLED, status.to_string());
+            }
             ((CountedFinishDependency*)_dependency.get())->sub();
-        }};
-        auto wrapper = _wrapper.lock();
-        if (!wrapper) {
-            return;
         }
-
-        wrapper->set_state(RuntimeFilterWrapper::State::DISABLED, status.to_string());
     }
 
-public:
-    SyncSizeClosure(std::shared_ptr<PSendFilterSizeRequest> req,
-                    std::shared_ptr<DummyBrpcCallback<PSendFilterSizeResponse>> callback,
-                    std::shared_ptr<Dependency> dependency,
-                    std::shared_ptr<RuntimeFilterWrapper> wrapper,
-                    std::weak_ptr<QueryContext> context)
-            : Base(req, callback, context), _dependency(std::move(dependency)), _wrapper(wrapper) {}
+private:
+    std::shared_ptr<Dependency> _dependency;
+    // Should use weak ptr here, because when query context deconstructs, should also delete runtime filter
+    // context, it not the memory is not released. And rpc is in another thread, it will hold rf context
+    // after query context because the rpc is not returned.
+    std::weak_ptr<RuntimeFilterWrapper> _wrapper;
 };
 
 void RuntimeFilterProducer::latch_dependency(
@@ -208,14 +200,15 @@ Status RuntimeFilterProducer::send_size(RuntimeState* state, uint64_t local_filt
 
     auto request = std::make_shared<PSendFilterSizeRequest>();
     request->set_stage(_stage);
-
-    auto callback = DummyBrpcCallback<PSendFilterSizeResponse>::create_shared();
+    auto callback = SyncSizeCallback::create_shared(_dependency, _wrapper);
+    // Store callback in the producer to keep it alive until the RPC completes.
+    // AutoReleaseClosure holds callbacks via weak_ptr, so without this the callback
+    // would be destroyed when this function returns and error-path sub() would never fire.
+    _sync_size_callback = callback;
     // RuntimeFilter maybe deconstructed before the rpc finished, so that could not use
     // a raw pointer in closure. Has to use the context's shared ptr.
-    auto closure = SyncSizeClosure::create_unique(request, callback, _dependency, _wrapper,
-                                                  state->query_options().ignore_runtime_filter_error
-                                                          ? std::weak_ptr<QueryContext> {}
-                                                          : state->get_query_ctx_weak());
+    auto closure = AutoReleaseClosure<PSendFilterSizeRequest, SyncSizeCallback>::create_unique(
+            request, callback);
     auto* pquery_id = request->mutable_query_id();
     pquery_id->set_hi(state->get_query_ctx()->query_id().hi);
     pquery_id->set_lo(state->get_query_ctx()->query_id().lo);

be/src/exec/runtime_filter/runtime_filter_producer.h

@@ -181,6 +181,11 @@ class RuntimeFilterProducer : public RuntimeFilter {
 
     int64_t _synced_size = -1;
     std::shared_ptr<CountedFinishDependency> _dependency;
+    // Holds the SyncSizeCallback alive until the send_filter_size RPC completes.
+    // AutoReleaseClosure stores callbacks via weak_ptr, so without this the callback
+    // would be destroyed when send_size() returns, and error-path sub() would never fire.
+    // Type-erased because the callback type is defined in the .cpp file.
+    std::shared_ptr<void> _sync_size_callback;
 
     std::atomic<State> _rf_state;
 };

be/src/util/brpc_closure.h

@@ -19,10 +19,8 @@
 
 #include <google/protobuf/stubs/common.h>
 
-#include <atomic>
 #include <utility>
 
-#include "runtime/query_context.h"
 #include "runtime/thread_context.h"
 #include "service/brpc.h"
 
@@ -84,9 +82,8 @@ class AutoReleaseClosure : public google::protobuf::Closure {
     ENABLE_FACTORY_CREATOR(AutoReleaseClosure);
 
 public:
-    AutoReleaseClosure(std::shared_ptr<Request> req, std::shared_ptr<Callback> callback,
-                       std::weak_ptr<QueryContext> context = {}, std::string_view error_msg = {})
-            : request_(req), callback_(callback), context_(std::move(context)) {
+    AutoReleaseClosure(std::shared_ptr<Request> req, std::shared_ptr<Callback> callback)
+            : request_(req), callback_(callback) {
         this->cntl_ = callback->cntl_;
         this->response_ = callback->response_;
     }
@@ -96,15 +93,15 @@ class AutoReleaseClosure : public google::protobuf::Closure {
     //  Will delete itself
     void Run() override {
         Defer defer {[&]() { delete this; }};
-        // If lock failed, it means the callback object is deconstructed, then no need
-        // to deal with the callback any more.
-        if (auto tmp = callback_.lock()) {
-            tmp->call();
-        }
+        // shouldn't do heavy work here. all heavy work should be done in callback's call() (which means in success/failure handlers)
         if (cntl_->Failed()) {
-            _process_if_rpc_failed();
+            LOG(WARNING) << "brpc failed: " << cntl_->ErrorText();
         } else {
-            _process_status<ResponseType>(response_.get());
+            _log_error_status<ResponseType>(response_.get());
+        }
+        // this must be the LAST operation in this function, because call() may reuse the callback! (response_ is in callback_)
+        if (auto tmp = callback_.lock()) {
+            tmp->call();
         }
     }
 
@@ -116,45 +113,24 @@ class AutoReleaseClosure : public google::protobuf::Closure {
     // at any stage.
     std::shared_ptr<Request> request_;
     std::shared_ptr<ResponseType> response_;
-    std::string error_msg_;
-
-protected:
-    virtual void _process_if_rpc_failed() {
-        std::string error_msg =
-                fmt::format("RPC meet failed: {} {}", cntl_->ErrorText(), error_msg_);
-        if (auto ctx = context_.lock(); ctx) {
-            ctx->cancel(Status::NetworkError(error_msg));
-        } else {
-            LOG(WARNING) << error_msg;
-        }
-    }
-
-    virtual void _process_if_meet_error_status(const Status& status) {
-        if (status.is<ErrorCode::END_OF_FILE>()) {
-            // no need to log END_OF_FILE, reduce the unlessful log
-            return;
-        }
-        if (auto ctx = context_.lock(); ctx) {
-            ctx->cancel(status);
-        } else {
-            LOG(WARNING) << "RPC meet error status: " << status;
-        }
-    }
 
 private:
-    template <typename Response>
-    void _process_status(Response* response) {}
-
     template <HasStatus Response>
-    void _process_status(Response* response) {
+    void _log_error_status(Response* response) {
         if (Status status = Status::create(response->status()); !status.ok()) {
-            _process_if_meet_error_status(status);
+            if (!status.is<ErrorCode::END_OF_FILE>()) {
+                LOG(WARNING) << "RPC meet error status: " << status;
+            }
         }
     }
-    // Use a weak ptr to keep the callback, so that the callback can be deleted if the main
-    // thread is freed.
+
+    template <typename Response>
+        requires(!HasStatus<Response>)
+    void _log_error_status(Response* /*response*/) {
+        // Response type has no status() method, nothing to log.
+    }
+    // Use a weak ptr to keep the callback, so that the callback can be deleted if the main thread is freed.
     Weak callback_;
-    std::weak_ptr<QueryContext> context_;
 };
 
 } // namespace doris