Postgres Pro
Downloads
Home   >   mailing lists

Thread: [sqlsmith] Crash in tsquery_rewrite/QTNBinary

[sqlsmith] Crash in tsquery_rewrite/QTNBinary

From
Andreas Seltenreich
Date:
Hi,

the following query crashes master as of 4212cb7.

select ts_rewrite(         tsquery_phrase(            tsquery $$'sanct' & 'peter'$$,            tsquery $$'5' <->
'6'$$,    42),         tsquery $$'5' <-> '6'$$,         plainto_tsquery('I') );
 

Backtrace below.

regards,
Andreas

Program terminated with signal SIGSEGV, Segmentation fault.
#0  QTNBinary (in=0x0) at tsquery_util.c:256
#1  0x0000559debd68643 in QTNBinary (in=0x559ded7cc998) at tsquery_util.c:260
#2  0x0000559debd68643 in QTNBinary (in=in@entry=0x559ded7cd068) at tsquery_util.c:260
#3  0x0000559debd67df5 in tsquery_rewrite (fcinfo=0x559ded72c040) at tsquery_rewrite.c:453
#4  0x0000559debb754f4 in ExecMakeFunctionResultNoSets (fcache=0x559ded72bfd0, econtext=0x559ded72bda8,
isNull=0x559ded72d350"", isDone=<optimized out>) at execQual.c:2046
 
#5  0x0000559debb7ba1e in ExecTargetList (tupdesc=<optimized out>, isDone=0x7ffce180da6c, itemIsDone=0x559ded72d490,
isnull=0x559ded72d350"", values=0x559ded72d330, econtext=0x559ded72bda8, targetlist=0x559ded72d458) at execQual.c:5486
 
#6  ExecProject (projInfo=<optimized out>, isDone=isDone@entry=0x7ffce180da6c) at execQual.c:5710
#7  0x0000559debb92c79 in ExecResult (node=node@entry=0x559ded72bc90) at nodeResult.c:155
#8  0x0000559debb74478 in ExecProcNode (node=node@entry=0x559ded72bc90) at execProcnode.c:392
#9  0x0000559debb702fe in ExecutePlan (dest=0x559ded7c8b98, direction=<optimized out>, numberTuples=0,
sendTuples=<optimizedout>, operation=CMD_SELECT, use_parallel_mode=<optimized out>, planstate=0x559ded72bc90,
estate=0x559ded72bb78)at execMain.c:1568
 
#10 standard_ExecutorRun (queryDesc=0x559ded727a18, direction=<optimized out>, count=0) at execMain.c:338
#11 0x0000559debc9c238 in PortalRunSelect (portal=portal@entry=0x559ded71f958, forward=forward@entry=1 '\001', count=0,
count@entry=9223372036854775807,dest=dest@entry=0x559ded7c8b98) at pquery.c:946
 
#12 0x0000559debc9d89e in PortalRun (portal=portal@entry=0x559ded71f958, count=count@entry=9223372036854775807,
isTopLevel=isTopLevel@entry=1'\001', dest=dest@entry=0x559ded7c8b98, altdest=altdest@entry=0x559ded7c8b98,
completionTag=completionTag@entry=0x7ffce180dee0"") at pquery.c:787
 
#13 0x0000559debc9af42 in exec_simple_query (query_string=0x559ded795048 "...") at postgres.c:1094
#14 PostgresMain (argc=<optimized out>, argv=argv@entry=0x559ded7390b0, dbname=<optimized out>, username=<optimized
out>)at postgres.c:4069
 
#15 0x0000559deb9ee2f8 in BackendRun (port=0x559ded726ef0) at postmaster.c:4274
#16 BackendStartup (port=0x559ded726ef0) at postmaster.c:3946
#17 ServerLoop () at postmaster.c:1704
#18 0x0000559debc2ebb4 in PostmasterMain (argc=3, argv=0x559ded7004a0) at postmaster.c:1312
#19 0x0000559deb9ef68d in main (argc=3, argv=0x559ded7004a0) at main.c:228

Re: [HACKERS] [sqlsmith] Crash in tsquery_rewrite/QTNBinary

From
Artur Zakirov
Date:
Hi,

2016-12-07 9:06 GMT+03:00 Andreas Seltenreich <seltenreich@gmx.de>:
> Hi,
>
> the following query crashes master as of 4212cb7.
>
> select ts_rewrite(
>           tsquery_phrase(
>              tsquery $$'sanct' & 'peter'$$,
>              tsquery $$'5' <-> '6'$$,
>              42),
>           tsquery $$'5' <-> '6'$$,
>           plainto_tsquery('I') );
>

This happens also for queries:

select ts_rewrite(
          to_tsquery('5 & (6 | 5)'),
          to_tsquery('5'),
          to_tsquery('I'));

select ts_rewrite(
          to_tsquery('5 & 6 <-> 5'),
          to_tsquery('5'),
          to_tsquery('I'));

It happens because 'I' is stop word and substitute query becomes
empty. And for queries above we need recursive dropvoidsubtree()
function. Without this patch this function cleans only first level of
tree. And query above becomes: '6 | void'.

Firstly I made recursive dropvoidsubtree(). But attached patch cleans
query tree in dofindsubquery() to avoid extra tree scan.

-- 
Artur Zakirov
Postgres Professional: http://www.postgrespro.com
Russian Postgres Company

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Attachment

Re: [HACKERS] [sqlsmith] Crash in tsquery_rewrite/QTNBinary

From
Tom Lane
Date:
Artur Zakirov <a.zakirov@postgrespro.ru> writes:
> 2016-12-07 9:06 GMT+03:00 Andreas Seltenreich <seltenreich@gmx.de>:
>> the following query crashes master as of 4212cb7.

> It happens because 'I' is stop word and substitute query becomes
> empty. And for queries above we need recursive dropvoidsubtree()
> function. Without this patch this function cleans only first level of
> tree. And query above becomes: '6 | void'.

> Firstly I made recursive dropvoidsubtree(). But attached patch cleans
> query tree in dofindsubquery() to avoid extra tree scan.

This patch looks good to me.  I have to admit that I'd been suspicious
of dropvoidsubtree() the last time I looked at this code, but I didn't
have adequate reason to touch it.  Pushed with some minor comment
adjustments.
        regards, tom lane