On Fri, Oct 11, 2019 at 07:27:39PM +0200, Tomas Vondra wrote:
>On Fri, Oct 11, 2019 at 03:05:38PM +0000, PG Bug reporting form wrote:
>>The following bug has been logged on the website:
>>
>>Bug reference: 16050
>>Logged by: Alexander Lakhin
>>Email address: exclusion@gmail.com
>>PostgreSQL version: 12.0
>>Operating system: Ubuntu 18.04
>>Description:
>>
>>The following query:
>>CREATE TEXT SEARCH DICTIONARY hunspell_num (Template=ispell,
>>DictFile=hunspell_sample_num, AffFile=hunspell_sample_long);
>>
>>crashes postgres with the stack trace:
>>Core was generated by `postgres: law regression [local] CREATE TEXT SEARCH
>>DICTIONARY '.
>
>Yep, I can reproduce it quite easily. With extra debug symbols and
>memory randomization it produces a bit clearer backtrace:
>
>
>Program received signal SIGSEGV, Segmentation fault.
>0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory at address 0x7f7f7f7f7f7f7f7f>) at spell.c:1126
>1126 while (*flagcur)
>(gdb) bt
>#0 0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory at address 0x7f7f7f7f7f7f7f7f>) at spell.c:1126
>#1 0x00000000008fe627 in makeCompoundFlags (Conf=0x2d053c8, affix=303) at spell.c:1608
>#2 0x00000000008fe959 in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=3) at spell.c:1680
>#3 0x00000000008fea1e in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=2) at spell.c:1692
>#4 0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=4, level=1) at spell.c:1652
>#5 0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=9, level=0) at spell.c:1652
>...
>
>That is, makeCompoundFlags calls getCompoundAffixFlagValue with invalid
>pointer 's', likely after it got already pfreed.
>
FWIW this is a pre-existing bug; it's not new in 12. I've been able to
reproduce it on all releases since 9.6.

On 9.5 the example does not work, because it does not include the
hunspell dictionaries. After copying those from 9.6, the CREATE command
complains about long flags not being supported - I've removed the first
line 'FLAG long' from the affix file, and then it works without a crash.

Looking at the commit history of spell.c, there seems to be a bunch of
commits in 2016 (e.g. f4ceed6ceba3) touching exactly this part of the
code (hunspell), and it also correlates quite nicely with the affected
branches (9.6+). So I guess it's a bug in those changes.

regards
--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
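Editor's added example (not code from this thread, from spell.c, or from PostgreSQL): why the `s=0x7f7f7f7f7f7f7f7f` in the backtrace above points at a use-after-free. With CLOBBER_FREED_MEMORY, PostgreSQL overwrites freed chunks with the byte 0x7F, so a pointer field read from an already-pfreed struct comes back as all-0x7F bytes. The toy arena allocator, the `AffixEntry` struct and the `stale_flag_pointer` / `looks_clobbered` helpers below are assumptions made for the demonstration; the "free" only clobbers the block and keeps it mapped so the stale read stays defined behaviour in C.

```c
/* Added example: a dangling-pointer read after a clobbering free.
 * Toy arena stands in for a memory context; AffixEntry is a made-up
 * struct, not PostgreSQL's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 4096
#define CLOBBER_BYTE 0x7F   /* the byte PostgreSQL's wipe_mem writes over freed chunks */

typedef struct Arena {
    unsigned char buf[ARENA_SIZE];
    size_t used;
} Arena;

/* toy palloc: 8-byte aligned bump allocation inside the arena */
static void *arena_alloc(Arena *a, size_t n)
{
    n = (n + 7) & ~(size_t) 7;
    if (a->used + n > ARENA_SIZE)
        return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* toy pfree under CLOBBER_FREED_MEMORY: the block's bytes are overwritten
 * with 0x7F; in this toy the storage stays mapped so reading it is defined */
static void arena_free_clobber(void *p, size_t n)
{
    memset(p, CLOBBER_BYTE, n);
}

typedef struct AffixEntry {
    char *flag;     /* pointer into the same arena */
    int   value;
} AffixEntry;

/* Builds an entry, optionally frees it, then reads e->flag through the
 * stale pointer the way the crashing caller would. Returns the pointer
 * value that would be passed on to the next function. */
uintptr_t stale_flag_pointer(int clobber)
{
    Arena *a = calloc(1, sizeof *a);
    AffixEntry *e = arena_alloc(a, sizeof *e);
    e->flag = arena_alloc(a, 8);
    strcpy(e->flag, "ab");
    e->value = 1;

    if (clobber)
        arena_free_clobber(e, sizeof *e);   /* e is now dangling */

    uintptr_t v = (uintptr_t) e->flag;     /* stale read of the freed struct */
    free(a);
    return v;
}

/* True when every byte of the pointer value is the clobber pattern,
 * i.e. the value was read out of freed memory. */
int looks_clobbered(uintptr_t v)
{
    for (unsigned i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xFF) != CLOBBER_BYTE)
            return 0;
    return 1;
}

int main(void)
{
    uintptr_t bad = stale_flag_pointer(1);
    uintptr_t good = stale_flag_pointer(0);
    printf("after free:  %#lx clobbered=%d\n", (unsigned long) bad, looks_clobbered(bad));
    printf("before free: %#lx clobbered=%d\n", (unsigned long) good, looks_clobbered(good));
    return 0;
}
```

The check is the one to apply when reading a backtrace from a debug build: an argument that is all 0x7F bytes was loaded from memory that had already been pfreed, which is what turns a silent use-after-free on an optimised build into the reliable SIGSEGV reported here.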