UBSAN crash in EventTriggerCollectAlterTSConfig (memcpy with NULL src) - Mailing list pgsql-hackers

From Florin Irion
Subject UBSAN crash in EventTriggerCollectAlterTSConfig (memcpy with NULL src)
Date
Msg-id c6fff161-9aee-4290-9ada-71e21e4d84de@gmail.com
List pgsql-hackers
Hi,

While working on the pg_get_domain_ddl() patch [1], I installed an
event trigger on ddl_command_end in test_setup.sql to automatically
round-trip DDL.  This triggered a UBSAN crash on CI [2] that turns out
to be a pre-existing bug since b488c580aef(?).


The DROP MAPPING code path in tsearchcmds.c unconditionally calls:

```
EventTriggerCollectAlterTSConfig(stmt, cfgId, NULL, 0);
```

Inside EventTriggerCollectAlterTSConfig(), this reaches:

```
command->d.atscfg.dictIds = palloc_array(Oid, ndicts);   /* ndicts=0 */
memcpy(command->d.atscfg.dictIds, dictIds, sizeof(Oid) * ndicts);
                                    ^^^^^^^ NULL
```

Under -fsanitize=undefined this triggers SIGABRT and crashes the server.

The bug has been latent for 11 years because without an active event
trigger, currentEventTriggerState is NULL and the function returns early
at the top, never reaching the memcpy.  The standard regression suite
never had an event trigger installed during the tsdicts test — until now.

Reproducer (crashes only under UBSAN) and patch attached:


This affects all branches back to 9.5 where b488c580aef landed.

[1] https://www.postgresql.org/message-id/CAPgqM1V4LW2qiDLPsusb7s0kYbSDJjH5Tt%2B-ZzVmPU7xV0TJNQ%40mail.gmail.com
[2] https://cirrus-ci.com/task/6170470552174592

--

Cheers,
Florin

EDB -- www.enterprisedb.com
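The fix pattern the report implies, as an added stand-alone example that is not the attached patch or PostgreSQL code: `memcpy` must not be handed a NULL source even for a zero-length copy, because the C standard requires a valid pointer and glibc declares the parameters `nonnull`, which is what `-fsanitize=undefined` checks. The function below mirrors the shape of the call in `EventTriggerCollectAlterTSConfig()` but guards the copy on `ndicts > 0`, so the DROP MAPPING case (`NULL, 0`) no longer reaches `memcpy`. `Oid`, `copy_dict_ids()` and the use of `malloc` in place of `palloc_array` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PostgreSQL's Oid type (assumption for this example). */
typedef uint32_t Oid;

/*
 * Copy ndicts dictionary OIDs into a freshly allocated array, the way the
 * ALTER TEXT SEARCH CONFIGURATION collection code does.  The allocation is
 * always made (a zero-length list still gets a valid, non-NULL pointer so
 * callers can treat it uniformly), but the memcpy is only performed when
 * there is something to copy.  That guard is what keeps the DROP MAPPING
 * case (dictIds == NULL, ndicts == 0) away from memcpy's nonnull contract.
 *
 * Returns the number of OIDs copied and stores the array in *out, or
 * returns -1 on allocation failure.  The caller frees *out.
 */
static int copy_dict_ids(const Oid *dictIds, int ndicts, Oid **out)
{
    Oid *dst;

    if (ndicts < 0 || (ndicts > 0 && dictIds == NULL))
        return -1;                      /* inconsistent arguments */

    /* malloc(0) may legally return NULL; allocate at least one element. */
    dst = malloc(sizeof(Oid) * (size_t) (ndicts > 0 ? ndicts : 1));
    if (dst == NULL)
        return -1;

    if (ndicts > 0)                     /* the guard the unpatched code lacks */
        memcpy(dst, dictIds, sizeof(Oid) * (size_t) ndicts);

    *out = dst;
    return ndicts;
}

int main(void)
{
    Oid *copy = NULL;
    Oid src[3] = {11, 22, 33};          /* constructed sample OIDs */
    int n;

    /* DROP MAPPING shape: no dictionaries, NULL source pointer. */
    n = copy_dict_ids(NULL, 0, &copy);
    printf("empty list: copied %d, pointer %s\n", n, copy ? "valid" : "NULL");
    free(copy);

    /* ALTER MAPPING shape: a real list of dictionary OIDs. */
    n = copy_dict_ids(src, 3, &copy);
    printf("three dicts: copied %d, first=%u last=%u\n", n, copy[0], copy[2]);
    free(copy);
    return 0;
}
```

Build with `-fsanitize=undefined` to confirm the guarded version stays silent on the `(NULL, 0)` call; dropping the `if (ndicts > 0)` reproduces the `nonnull-attribute` report the CI run hit.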

