Re: BUG #18840: Segmentation fault in executing select unnest(array(oidvector)) - Mailing list pgsql-bugs
| From | Tom Lane |
|---|---|
| Subject | Re: BUG #18840: Segmentation fault in executing select unnest(array(oidvector)) |
| Date | |
| Msg-id | 2557612.1741822653@sss.pgh.pa.us Whole thread Raw |
| In response to | BUG #18840: Segmentation fault in executing select unnest(array(oidvector)) (PG Bug reporting form <noreply@postgresql.org>) |
| Responses |
Re: BUG #18840: Segmentation fault in executing select unnest(array(oidvector))
|
| List | pgsql-bugs |
PG Bug reporting form <noreply@postgresql.org> writes:
> I encountered a segmentation fault when using 'select
> unnest(array(oidvector))'.
Thanks for the report! The cause of this bug is confusion about
whether oidvector is an array type or scalar type. It is an array
type, because get_element_type says that its element type is "oid",
but it is also a scalar type, because get_array_type says that its
array type is "oidvector[]". The parser and planner think that the
result of the ARRAY() construct should be of type oidvector[], but
arrayfuncs.c's initArrayResultAny() comes to the opposite conclusion.
Before initArrayResultAny() was invented in 9.5, we correctly executed
the construct and produced oidvector[]. So I'm inclined to think that
that's the right answer, and 0001 attached makes it that way again.
While poking at this I found a related problem, which is that
ARRAY[oidvector] also thinks the result type is oidvector. This seems
wrong to me, because there's not supposed to be any such thing as a
multidimensional oidvector. I couldn't find any case that crashed as
a result, but I may just not have tried hard enough. It's certainly
possible to exhibit clearly-wrong results, for example
regression=# select array['11 22 33'::int2vector];
array
-------
1
(1 row)
0002 attached fixes that part.
The crash you found is sufficient reason to back-patch 0001, even
though it changes results in some non-crash cases. I'm less sure
about whether to back-patch 0002. If anyone can find a crash
case involving ARRAY[], I think we should do so.
regards, tom lane
From 33c9e4ea3aa8fca50a45ea075fd35af85c9b4e77 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed, 12 Mar 2025 18:04:11 -0400
Subject: [PATCH v1 1/2] Fix initArrayResultAny for int2vector and oidvector.
If the given input_type yields valid results from both
get_element_type and get_array_type, initArrayResultAny believed the
former and treated the input as an array type. However this is
inconsistent with what get_promoted_array_type does, leading to
situations where the output of an ARRAY() subquery is labeled with
the wrong type. That at least results in strange output, and can
result in crashes if further processing such as unnest() is applied.
AFAIK this is only possible with the int2vector and oidvector
types, which are special-cased to be treated mostly as true arrays
even though they aren't quite.
Fix by switching the logic to match get_promoted_array_type by
testing get_array_type not get_element_type, and remove an Assert
thereby made pointless. (We need not introduce a symmetrical
check for get_element_type in the other if-branch, because
initArrayResultArr will check it.) This restores the behavior
that existed before bac27394a introduced initArrayResultAny.
There is an equivalent problem with ARRAY[] constructs, but at
least for those I've failed to demonstrate a crash. So it might
be better not to back-patch a change for those. This patch just
adds some test cases to document that issue.
Bug: #18840
Reported-by: yang lei <ylshiyu@126.com>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/18840-fbc9505f066e50d6@postgresql.org
Backpatch-through: 13
---
src/backend/utils/adt/arrayfuncs.c | 12 ++-
src/test/regress/expected/arrays.out | 134 +++++++++++++++++++++++++++
src/test/regress/sql/arrays.sql | 22 +++++
3 files changed, 163 insertions(+), 5 deletions(-)
diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
index d777f38ed99..c8f53c6fbe7 100644
--- a/src/backend/utils/adt/arrayfuncs.c
+++ b/src/backend/utils/adt/arrayfuncs.c
@@ -5782,9 +5782,14 @@ ArrayBuildStateAny *
initArrayResultAny(Oid input_type, MemoryContext rcontext, bool subcontext)
{
ArrayBuildStateAny *astate;
- Oid element_type = get_element_type(input_type);
- if (OidIsValid(element_type))
+ /*
+ * int2vector and oidvector will satisfy both get_element_type and
+ * get_array_type. We prefer to treat them as scalars, to be consistent
+ * with get_promoted_array_type. Hence, check get_array_type not
+ * get_element_type.
+ */
+ if (!OidIsValid(get_array_type(input_type)))
{
/* Array case */
ArrayBuildStateArr *arraystate;
@@ -5801,9 +5806,6 @@ initArrayResultAny(Oid input_type, MemoryContext rcontext, bool subcontext)
/* Scalar case */
ArrayBuildState *scalarstate;
- /* Let's just check that we have a type that can be put into arrays */
- Assert(OidIsValid(get_array_type(input_type)));
-
scalarstate = initArrayResult(input_type, rcontext, subcontext);
astate = (ArrayBuildStateAny *)
MemoryContextAlloc(scalarstate->mcontext,
diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
index 0b61fb5bb78..5b8889cd013 100644
--- a/src/test/regress/expected/arrays.out
+++ b/src/test/regress/expected/arrays.out
@@ -2457,6 +2457,140 @@ select array(select array['Hello', i::text] from generate_series(9,11) i);
{{Hello,9},{Hello,10},{Hello,11}}
(1 row)
+-- int2vector and oidvector should be treated as scalar types for this purpose
+select pg_typeof(array(select '11 22 33'::int2vector from generate_series(1,5)));
+ pg_typeof
+--------------
+ int2vector[]
+(1 row)
+
+select array(select '11 22 33'::int2vector from generate_series(1,5));
+ array
+----------------------------------------------------------
+ {"11 22 33","11 22 33","11 22 33","11 22 33","11 22 33"}
+(1 row)
+
+select unnest(array(select '11 22 33'::int2vector from generate_series(1,5)));
+ unnest
+----------
+ 11 22 33
+ 11 22 33
+ 11 22 33
+ 11 22 33
+ 11 22 33
+(5 rows)
+
+select pg_typeof(array(select '11 22 33'::oidvector from generate_series(1,5)));
+ pg_typeof
+-------------
+ oidvector[]
+(1 row)
+
+select array(select '11 22 33'::oidvector from generate_series(1,5));
+ array
+----------------------------------------------------------
+ {"11 22 33","11 22 33","11 22 33","11 22 33","11 22 33"}
+(1 row)
+
+select unnest(array(select '11 22 33'::oidvector from generate_series(1,5)));
+ unnest
+----------
+ 11 22 33
+ 11 22 33
+ 11 22 33
+ 11 22 33
+ 11 22 33
+(5 rows)
+
+-- array[] really ought to do the same, but historically hasn't
+select pg_typeof(array['11 22 33'::int2vector]);
+ pg_typeof
+------------
+ int2vector
+(1 row)
+
+select array['11 22 33'::int2vector];
+ array
+-------
+ 1
+(1 row)
+
+select pg_typeof(unnest(array['11 22 33'::int2vector]));
+ pg_typeof
+-----------
+ smallint
+ smallint
+ smallint
+(3 rows)
+
+select unnest(array['11 22 33'::int2vector]);
+ unnest
+--------
+ 11
+ 22
+ 33
+(3 rows)
+
+select pg_typeof(unnest('11 22 33'::int2vector));
+ pg_typeof
+-----------
+ smallint
+ smallint
+ smallint
+(3 rows)
+
+select unnest('11 22 33'::int2vector);
+ unnest
+--------
+ 11
+ 22
+ 33
+(3 rows)
+
+select pg_typeof(array['11 22 33'::oidvector]);
+ pg_typeof
+-----------
+ oidvector
+(1 row)
+
+select array['11 22 33'::oidvector];
+ array
+-------
+ 1
+(1 row)
+
+select pg_typeof(unnest(array['11 22 33'::oidvector]));
+ pg_typeof
+-----------
+ oid
+ oid
+ oid
+(3 rows)
+
+select unnest(array['11 22 33'::oidvector]);
+ unnest
+--------
+ 11
+ 22
+ 33
+(3 rows)
+
+select pg_typeof(unnest('11 22 33'::oidvector));
+ pg_typeof
+-----------
+ oid
+ oid
+ oid
+(3 rows)
+
+select unnest('11 22 33'::oidvector);
+ unnest
+--------
+ 11
+ 22
+ 33
+(3 rows)
+
-- Insert/update on a column that is array of composite
create temp table t1 (f1 int8_tbl[]);
insert into t1 (f1[5].q1) values(42);
diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
index 03cc8cfcd91..41a360dc18f 100644
--- a/src/test/regress/sql/arrays.sql
+++ b/src/test/regress/sql/arrays.sql
@@ -713,6 +713,28 @@ select array_replace(array['AB',NULL,'CDE'],NULL,'12');
select array(select array[i,i/2] from generate_series(1,5) i);
select array(select array['Hello', i::text] from generate_series(9,11) i);
+-- int2vector and oidvector should be treated as scalar types for this purpose
+select pg_typeof(array(select '11 22 33'::int2vector from generate_series(1,5)));
+select array(select '11 22 33'::int2vector from generate_series(1,5));
+select unnest(array(select '11 22 33'::int2vector from generate_series(1,5)));
+select pg_typeof(array(select '11 22 33'::oidvector from generate_series(1,5)));
+select array(select '11 22 33'::oidvector from generate_series(1,5));
+select unnest(array(select '11 22 33'::oidvector from generate_series(1,5)));
+
+-- array[] really ought to do the same, but historically hasn't
+select pg_typeof(array['11 22 33'::int2vector]);
+select array['11 22 33'::int2vector];
+select pg_typeof(unnest(array['11 22 33'::int2vector]));
+select unnest(array['11 22 33'::int2vector]);
+select pg_typeof(unnest('11 22 33'::int2vector));
+select unnest('11 22 33'::int2vector);
+select pg_typeof(array['11 22 33'::oidvector]);
+select array['11 22 33'::oidvector];
+select pg_typeof(unnest(array['11 22 33'::oidvector]));
+select unnest(array['11 22 33'::oidvector]);
+select pg_typeof(unnest('11 22 33'::oidvector));
+select unnest('11 22 33'::oidvector);
+
-- Insert/update on a column that is array of composite
create temp table t1 (f1 int8_tbl[]);
--
2.43.5
From 126a317976b95ccf4f76c6bbd9e70708282df95a Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed, 12 Mar 2025 19:18:39 -0400
Subject: [PATCH v1 2/2] Make ARRAY[] treat int2vector and oidvector like
ARRAY_SUBLINK does.
Historically ARRAY[oidvector] has decided that the result type
is also oidvector, which it is not really. This causes visibly
bogus answers in some cases but gives seemingly-sane results
in others; I have not found a case where it'd crash. Nonetheless,
it's surely very bogus that ARRAY[] and ARRAY_SUBLINK come to
different conclusions. Make ARRAY[] act like ARRAY_SUBLINK, that
is decide that the result type is oidvector[]. The test cases
created by the previous patch show the change in behavior;
but we have no pre-existing tests that notice, suggesting
strongly that nobody thought about this case.
I looked at other callers of type_is_array and didn't find any
that I wanted to change, so I just hacked up this one test
rather than trying to invent some nicer solution.
This should be applied to master, but I'm unsure whether to
back-patch.
Bug: #18840
Reported-by: yang lei <ylshiyu@126.com>
Author: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/18840-fbc9505f066e50d6@postgresql.org
---
src/backend/parser/parse_expr.c | 14 +++++--
src/test/regress/expected/arrays.out | 62 ++++++++++++----------------
src/test/regress/sql/arrays.sql | 2 +-
3 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/src/backend/parser/parse_expr.c b/src/backend/parser/parse_expr.c
index bad1df732ea..9caf1e481a2 100644
--- a/src/backend/parser/parse_expr.c
+++ b/src/backend/parser/parse_expr.c
@@ -2053,10 +2053,18 @@ transformArrayExpr(ParseState *pstate, A_ArrayExpr *a,
/*
* Check for sub-array expressions, if we haven't already found
- * one.
+ * one. Note we don't accept domain-over-array as a sub-array,
+ * nor int2vector nor oidvector; those have constraints that don't
+ * map well to being treated as a sub-array.
*/
- if (!newa->multidims && type_is_array(exprType(newe)))
- newa->multidims = true;
+ if (!newa->multidims)
+ {
+ Oid newetype = exprType(newe);
+
+ if (newetype != INT2VECTOROID && newetype != OIDVECTOROID &&
+ type_is_array(newetype))
+ newa->multidims = true;
+ }
}
newelems = lappend(newelems, newe);
diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
index 5b8889cd013..7afd7356bbe 100644
--- a/src/test/regress/expected/arrays.out
+++ b/src/test/regress/expected/arrays.out
@@ -2502,34 +2502,30 @@ select unnest(array(select '11 22 33'::oidvector from generate_series(1,5)));
11 22 33
(5 rows)
--- array[] really ought to do the same, but historically hasn't
+-- array[] should do the same
select pg_typeof(array['11 22 33'::int2vector]);
- pg_typeof
-------------
- int2vector
+ pg_typeof
+--------------
+ int2vector[]
(1 row)
select array['11 22 33'::int2vector];
- array
--------
- 1
+ array
+--------------
+ {"11 22 33"}
(1 row)
select pg_typeof(unnest(array['11 22 33'::int2vector]));
- pg_typeof
------------
- smallint
- smallint
- smallint
-(3 rows)
+ pg_typeof
+------------
+ int2vector
+(1 row)
select unnest(array['11 22 33'::int2vector]);
- unnest
---------
- 11
- 22
- 33
-(3 rows)
+ unnest
+----------
+ 11 22 33
+(1 row)
select pg_typeof(unnest('11 22 33'::int2vector));
pg_typeof
@@ -2548,32 +2544,28 @@ select unnest('11 22 33'::int2vector);
(3 rows)
select pg_typeof(array['11 22 33'::oidvector]);
- pg_typeof
------------
- oidvector
+ pg_typeof
+-------------
+ oidvector[]
(1 row)
select array['11 22 33'::oidvector];
- array
--------
- 1
+ array
+--------------
+ {"11 22 33"}
(1 row)
select pg_typeof(unnest(array['11 22 33'::oidvector]));
pg_typeof
-----------
- oid
- oid
- oid
-(3 rows)
+ oidvector
+(1 row)
select unnest(array['11 22 33'::oidvector]);
- unnest
---------
- 11
- 22
- 33
-(3 rows)
+ unnest
+----------
+ 11 22 33
+(1 row)
select pg_typeof(unnest('11 22 33'::oidvector));
pg_typeof
diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
index 41a360dc18f..399a0797f3b 100644
--- a/src/test/regress/sql/arrays.sql
+++ b/src/test/regress/sql/arrays.sql
@@ -721,7 +721,7 @@ select pg_typeof(array(select '11 22 33'::oidvector from generate_series(1,5)));
select array(select '11 22 33'::oidvector from generate_series(1,5));
select unnest(array(select '11 22 33'::oidvector from generate_series(1,5)));
--- array[] really ought to do the same, but historically hasn't
+-- array[] should do the same
select pg_typeof(array['11 22 33'::int2vector]);
select array['11 22 33'::int2vector];
select pg_typeof(unnest(array['11 22 33'::int2vector]));
--
2.43.5
pgsql-bugs by date: