input_thread: use flb_pipe_r in handle_input_event to fix crash on re…

[zshuang0316]

Issue

In handle_input_event(), the raw POSIX read() syscall was used to read from the pipe file descriptor:

bytes = read(fd, &val, sizeof(val));
if (bytes == -1) {
    flb_errno();
    return -1;
}

On Windows, read() is not compatible with pipe file descriptors created by Fluent Bit's flb_pipe abstraction layer, which can cause a crash or undefined behavior. Even on Linux, bypassing the abstraction is inconsistent with the rest of the codebase.

Solution

Replace the raw read() call with the cross-platform flb_pipe_r() abstraction, and replace flb_errno() with flb_pipe_error() for consistent error reporting — matching the pattern already used in handle_input_thread_event() and elsewhere in the same file:

bytes = flb_pipe_r(fd, &val, sizeof(val));
if (bytes == -1) {
    flb_pipe_error();
    return -1;
}

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• [N/A] Example configuration file for the change
• [N/A] Debug log output from testing the change
  Crashes disappeared after this change when enabled threaded in my test environment.

• [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• [N/A] Run local packaging test showing all targets (including any new ones) build.
• [N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• [N/A] Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced error reporting accuracy in input thread event processing for improved diagnostics.

[coderabbitai]

📝 Walkthrough

Walkthrough

The input-thread event handler in src/flb_input_thread.c was updated to use the library-specific flb_pipe_r() function instead of the raw read() system call when reading pipe payloads. Correspondingly, error handling was adjusted to use flb_pipe_error() instead of flb_errno() for consistency.

Changes

Cohort / File(s)	Summary
Pipe Reading Function Alignment src/flb_input_thread.c	Replaced read(fd, ...) with flb_pipe_r(fd, ...) for reading uint64_t payload; updated error reporting from flb_errno() to flb_pipe_error() on failed reads.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A pipe reads cleaner now, I say,
With functions fit in just the right way,
No more raw calls, no more mistakes,
The library path that clarity makes! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately identifies the main change: replacing raw read() with flb_pipe_r() in handle_input_event to fix a crash issue. It directly relates to the primary modification in the changeset.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/flb_input_thread.c`:
- Around line 62-65: The handlers currently call flb_pipe_r(fd, &val,
sizeof(val)) and only treat bytes == -1 (or <= 0) as errors, which allows 0
(peer closed) or short reads to proceed and corrupt the decoded bit-field; in
handle_input_event and handle_input_thread_event update the read handling to
verify that the returned bytes == sizeof(val) and treat any other return (0 or
short read or -1) as an error/closed peer path (call flb_pipe_error() or the
existing cleanup flow), and apply the same full-length validation to the other
occurrences of flb_pipe_r reading fixed-size protocol messages so you never
decode a partially-populated val.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 882dbc71-0f0a-447c-888c-df5325b8d159

📥 Commits

Reviewing files that changed from the base of the PR and between 32a3cbb and c59f654.

📒 Files selected for processing (1)

• src/flb_input_thread.c

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate mk_event_channel_create implementation/usages =="
rg -n -C3 'mk_event_channel_create|socketpair|pipe\(|recv\(|send\('

echo
echo "== Locate fixed-size flb_pipe_r reads and their guards =="
rg -n -C4 'flb_pipe_r\([^;]*sizeof\((val|uint64_t)\)\)' src include

echo
echo "== Inspect guards around handle_input_event and handle_input_thread_event =="
rg -n -C6 'handle_input_event|handle_input_thread_event|bytes == -1|bytes <= 0|bytes != sizeof' src/flb_input_thread.c

Repository: fluent/fluent-bit

Length of output: 50374

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Reading src/flb_input_thread.c lines 50-80 ==="
sed -n '50,80p' src/flb_input_thread.c

echo ""
echo "=== Checking flb_pipe.h for flb_pipe_r definition ==="
rg -n "^[^/]*flb_pipe_r" include/fluent-bit/flb_pipe.h -A 5

echo ""
echo "=== Looking for all guard patterns after flb_pipe_r calls ==="
rg -n -A 2 'flb_pipe_r.*sizeof' src/flb_input_thread.c

echo ""
echo "=== Checking both handler functions in detail ==="
rg -n -B 5 -A 8 'handle_input_event|handle_input_thread_event' src/flb_input_thread.c | head -80

Repository: fluent/fluent-bit

Length of output: 3962

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for all fixed-size flb_pipe_r reads ==="
rg -n 'flb_pipe_r.*sizeof.*uint64_t|flb_pipe_r.*sizeof.*output_flush' src/ -A 3 | head -60

echo ""
echo "=== Check if short-read validation exists anywhere for fixed-size protocol messages ==="
rg -n 'bytes != sizeof|ret != sizeof' src/flb_input_thread.c src/flb_output_thread.c

echo ""
echo "=== Verify the exact bit-field macros being used ==="
rg -n 'FLB_BITS_U64_HIGH|FLB_BITS_U64_LOW' include/fluent-bit/ -B 1 -A 1 | head -30

Repository: fluent/fluent-bit

Length of output: 1303

---

🏁 Script executed:

#!/bin/bash
set -euo pusedo pipefail

echo "=== Check mk_event_channel_create to understand channel semantics ==="
rg -n 'mk_event_channel_create' lib/monkey/include/monkey/ -A 15 2>/dev/null | head -50

echo ""
echo "=== Search for short-read handling in flb_pipe_write_all and flb_pipe_read_all ==="
cat src/flb_pipe.c 2>/dev/null || echo "File may not exist or other error"

Repository: fluent/fluent-bit

Length of output: 112

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for flb_pipe_read_all and flb_pipe_write_all implementations ==="
cat src/flb_pipe.c

echo ""
echo "=== Check if there's any documentation on atomicity ==="
rg -n 'socketpair|mk_event_channel' include/fluent-bit/ -B 2 -A 5 | head -60

Repository: fluent/fluent-bit

Length of output: 5485

---

Check guards before decoding fixed-size protocol messages in event handlers.

Lines 63 and 107 only reject -1. With flb_pipe_r() (wrapping recv/read), returning 0 (closed peer) or short positive reads is possible. Without validating full message reception, partial val data will corrupt bit-field extraction and misroute events.

Proposed fix

     bytes = flb_pipe_r(fd, &val, sizeof(val));
-    if (bytes == -1) {
+    if (bytes <= 0) {
         flb_pipe_error();
         return -1;
     }
+    if (bytes != sizeof(val)) {
+        flb_error("[thread event loop] short read on fd=%i, got=%i expected=%zu",
+                  fd, bytes, sizeof(val));
+        return -1;
+    }

Similar patterns exist at lines 437–438 and 774–775 in the same file, though they use only <= 0 checks without validating message completeness. Both handle_input_event and handle_input_thread_event need this fix.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/flb_input_thread.c` around lines 62 - 65, The handlers currently call
flb_pipe_r(fd, &val, sizeof(val)) and only treat bytes == -1 (or <= 0) as
errors, which allows 0 (peer closed) or short reads to proceed and corrupt the
decoded bit-field; in handle_input_event and handle_input_thread_event update
the read handling to verify that the returned bytes == sizeof(val) and treat any
other return (0 or short read or -1) as an error/closed peer path (call
flb_pipe_error() or the existing cleanup flow), and apply the same full-length
validation to the other occurrences of flb_pipe_r reading fixed-size protocol
messages so you never decode a partially-populated val.