Thread: BUG #3675: Crash on xpath function with 2 parameters
The following bug has been logged online:

Bug reference: 3675
Logged by: Jeremy Palmer
Email address: jpalmer@linz.govt.nz
PostgreSQL version: 8.3b1
Operating system: WinXP SP2
Description: Crash on xpath function with 2 parameters
Details:

The following query crashes the backend:

SELECT xpath('/my:a/text()', '<my:a xmlns:my="http://example.com">test</my:a>');

Server log:

2007-10-13 22:45:38 NZDT LOG: database system was interrupted; last known up at 2007-10-13 22:43:54 NZDT
2007-10-13 22:45:38 NZDT LOG: database system was not properly shut down; automatic recovery in progress
2007-10-13 22:45:38 NZDT LOG: record with zero length at 0/871688
2007-10-13 22:45:38 NZDT LOG: redo is not required
2007-10-13 22:45:38 NZDT LOG: database system is ready to accept connections
2007-10-13 22:45:38 NZDT LOG: autovacuum launcher started
2007-10-13 22:45:38 NZDT LOG: loaded library "$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:44 NZDT LOG: loaded library "$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:47 NZDT LOG: loaded library "$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:48 NZDT LOG: loaded library "$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:46:29 NZDT LOG: server process (PID 2984) was terminated by exception 0xC0000005
2007-10-13 22:46:29 NZDT HINT: See C include file "ntstatus.h" for a description of the hex value.
2007-10-13 22:46:29 NZDT LOG: terminating any other active server processes
2007-10-13 22:46:29 NZDT WARNING: terminating connection because of crash of another server process
2007-10-13 22:46:29 NZDT DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.
2007-10-13 22:46:29 NZDT HINT: In a moment you should be able to reconnect to the database and repeat your command.
2007-10-13 22:46:29 NZDT WARNING: terminating connection because of crash of another server process
2007-10-13 22:46:29 NZDT DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.
2007-10-13 22:46:29 NZDT HINT: In a moment you should be able to reconnect to the database and repeat your command.
2007-10-13 22:46:29 NZDT LOG: all server processes terminated; reinitializing
2007-10-13 22:46:30 NZDT FATAL: pre-existing shared memory block is still in use
2007-10-13 22:46:30 NZDT HINT: Check if there are any old server processes still running, and terminate them.

I'm using the default configuration as set up by the win32 pginstaller.

Thanks
Jeremy

On Sat, 13 Oct 2007, Jeremy Palmer wrote:

> The following bug has been logged online:
>
> Bug reference: 3675
> PostgreSQL version: 8.3b1
> Operating system: WinXP SP2
> Description: Crash on xpath function with 2 parameters
> Details:
>
> The following query crashes the backend:
>
> SELECT xpath('/my:a/text()', '<my:a
> xmlns:my="http://example.com">test</my:a>');
>

This patch avoids the double free of xpathcomp and fixes things for me.

Kris Jurka

Kris Jurka <books@ejurka.com> writes:
> On Sat, 13 Oct 2007, Jeremy Palmer wrote:
>> The following query crashes the backend:
>>
>> SELECT xpath('/my:a/text()', '<my:a
>> xmlns:my="http://example.com">test</my:a>');
>>
> This patch avoids the double free of xpathcomp and fixes things for me.

Hmm, I wonder why that doesn't crash here? It certainly looks pretty broken --- maybe some versions of libxml have internal defenses against this.

Patch applied, and I also cleaned up some other places where an error escape might possibly lead to double free. (The other ones are probably not real risks, since libxml presumably doesn't elog, but we might as well try to make the code bulletproof in case more PG-aware code gets inserted in these paths.)

regards, tom lane
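
The double free on an error escape discussed in this thread, modelled as an added example; this is not PostgreSQL's code or the applied patch. All names (comp_expr, comp_release, eval_expr) are hypothetical, setjmp/longjmp stands in for the error escape, and a counter replaces the real free() so the second release can be observed safely.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a compiled XPath expression (not libxml's type). */
typedef struct { int releases; } comp_expr;

static jmp_buf err_jmp;   /* target of the simulated error escape */

/* Counts release calls instead of calling free(), so a double release
 * is observable without triggering undefined behaviour. */
static void comp_release(comp_expr *c) { if (c != NULL) c->releases++; }

static void raise_error(void) { longjmp(err_jmp, 1); }

/* Evaluate, release the expression early, then optionally hit an error.
 * Returns the number of release calls made on the one expression:
 * 1 is correct, 2 is a double free, -1 means allocation failed. */
int eval_expr(int fail, int null_after_release)
{
    comp_expr *const obj = calloc(1, sizeof *obj);
    /* volatile: changed after setjmp() and read again after longjmp() */
    comp_expr *volatile comp = obj;
    int releases;

    if (obj == NULL)
        return -1;

    if (setjmp(err_jmp) == 0) {
        /* ... evaluation would happen here ... */
        comp_release(comp);          /* early release on the normal path */
        if (null_after_release)
            comp = NULL;             /* hardened: forget the released pointer */
        if (fail)
            raise_error();           /* error raised after the early release */
    } else {
        comp_release(comp);          /* error cleanup releases what it still sees */
    }

    releases = obj->releases;
    free(obj);
    return releases;
}

int main(void)
{
    printf("unguarded, error path: %d release(s)\n", eval_expr(1, 0));
    printf("hardened,  error path: %d release(s)\n", eval_expr(1, 1));
    return 0;
}
```

With a real allocator the second release is undefined behaviour, so whether it crashes depends on the allocator and platform.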