Thread: [BUGS] BUG #14641: Segfault on searching KNN using btree_gist

[BUGS] BUG #14641: Segfault on searching KNN using btree_gist

From
darthunix@gmail.com
Date:
The following bug has been logged on the website:

Bug reference:      14641
Logged by:          Denis Smirnov
Email address:      darthunix@gmail.com
PostgreSQL version: 9.6.2
Operating system:   Ubuntu 14.04.5 LTS, Trusty Tahr x86_64
Description:

Hi,

I face a segmentation fault in postgresql when searching KNN using a
multicolumn btree_gist index. The problem was reproduced on three equivalent
ubuntu servers. The problem reproduces only with the btree_gist index (if I
drop it, everything is OK).
Steps to reproduce:


create table t (id serial, amount money);

insert into t (amount)
select (random() * 1000)::integer from generate_series(1, 1000);

create extension btree_gist;

create index t_gist_idx on t using gist(id, amount);

select p.id, p.amount, s.nearest
from t as p
left join lateral (
    select p.id, array_agg(l.id) as nearest
    from (
        select id from t
        where amount < p.amount
        order by amount <-> p.amount
        limit 10
    ) l
) s using (id)
where p.id <= 500;
---------------------------------------------------------
WARNING:  57P02: terminating connection because of crash of another server
process
DETAIL:  The postmaster has commanded this server process to roll back
the current transaction and exit, because another server process exited
abnormally and possibly corrupted shared memory.
HINT:  In a moment you should be able to reconnect to the database and
repeat your command.
LOCATION:  quickdie, postgres.c:2601
SSL SYSCALL error: EOF detected
The connection to the server was lost. Attempting reset: Succeeded.


On some sandbox servers I could reproduce it with p.id <= 15, on others only
with <= 500. PostgreSQL log:

2017-05-04 06:33:13 UTC [3682-24] DETAIL:  Failed process was running: select p.id, p.amount, s.nearest from t as p left join lateral ( select p.id, array_agg(l.id) as nearest from ( select id from t where amount < p.amount order by amount <-> p.amount limit 10 ) l ) s using(id) where p.id <= 500;

2017-05-04 06:33:13 UTC [3682-25] LOG:  terminating any other active server
processes
2017-05-04 06:33:13 UTC [32302-2] WARNING:  terminating connection because
of crash of another server process
2017-05-04 06:33:13 UTC [32302-3] DETAIL:  The postmaster has commanded this
server process to roll back the current transaction and exit, because
another server process exited abnormally and possibly corrupted shared
memory.
2017-05-04 06:33:13 UTC [32302-4] HINT:  In a moment you should be able to
reconnect to the database and repeat your command.
2017-05-04 06:33:13 UTC [3682-26] LOG:  all server processes terminated;
reinitializing
2017-05-04 06:33:13 UTC [32309-1] LOG:  database system was interrupted;
last known up at 2017-05-04 06:32:48 UTC
2017-05-04 06:33:13 UTC [32309-2] LOG:  database system was not properly
shut down; automatic recovery in progress
2017-05-04 06:33:13 UTC [32309-3] LOG:  invalid record length at 5/8E02F678:
wanted 24, got 0
2017-05-04 06:33:13 UTC [32309-4] LOG:  redo is not required
2017-05-04 06:33:14 UTC [32309-5] LOG:  MultiXact member wraparound
protections are now enabled
2017-05-04 06:33:14 UTC [3682-27] LOG:  database system is ready to accept
connections
2017-05-04 06:33:14 UTC [32314-1] LOG:  autovacuum launcher started


--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

Re: [BUGS] BUG #14641: Segfault on searching KNN using btree_gist

From
Tom Lane
Date:
darthunix@gmail.com writes:
> I face a segmentation fault in postgresql when searching KNN using
> multicolumn btree_gist index.

Reproduced here, will look.  Thanks for the report!

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000881052 in GetMemoryChunkContext (pointer=0x14d46e8) at ../../../../src/include/utils/memutils.h:124
124             AssertArg(MemoryContextIsValid(context));
(gdb) bt
#0  0x0000000000881052 in GetMemoryChunkContext (pointer=0x14d46e8) at ../../../../src/include/utils/memutils.h:124
#1  pfree (pointer=0x14d46e8) at mcxt.c:952
#2  0x00000000004a0492 in getNextNearest (scan=0x14709e0, dir=<value optimized out>) at gistget.c:547
#3  gistgettuple (scan=0x14709e0, dir=<value optimized out>) at gistget.c:656
#4  0x00000000004cee63 in index_getnext_tid (scan=0x14709e0, direction=<value optimized out>) at indexam.c:541
#5  0x000000000062ffab in IndexOnlyNext (node=0x15abcd0) at nodeIndexonlyscan.c:116
#6  0x000000000061cc67 in ExecScanFetch (node=0x15abcd0, accessMtd=0x62ff30 <IndexOnlyNext>, recheckMtd=0x62ff00 <IndexOnlyRecheck>) at execScan.c:95
#7  ExecScan (node=0x15abcd0, accessMtd=0x62ff30 <IndexOnlyNext>, recheckMtd=0x62ff00 <IndexOnlyRecheck>) at execScan.c:162
#8  0x000000000061b858 in ExecProcNode (node=0x15abcd0) at execProcnode.c:459
...
(gdb) f 0
#0  0x0000000000881052 in GetMemoryChunkContext (pointer=0x14d46e8) at ../../../../src/include/utils/memutils.h:124
124             AssertArg(MemoryContextIsValid(context));
(gdb) p context
$1 = (MemoryContext) 0x7f7f7f7f7f7f7f7f
(gdb) x/8x 0x14d46e8
0x14d46e8:      0x7f7f7f7f      0x7f7f7f7f      0x7f7f7f7f      0x7f7f7f7f
0x14d46f8:      0x7f7f7f7f      0x7f7f7f7f      0x7f7f7f7f      0x7f7f7f7f
(gdb) f 2
#2  0x00000000004a0492 in getNextNearest (scan=0x14709e0, dir=<value optimized out>) at gistget.c:547
547                     pfree(scan->xs_hitup);

Looks like getNextNearest is trying to pfree an already-pfreed tuple.
        regards, tom lane


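Editor's added example (not code from PostgreSQL or from either poster). The gdb session above is readable because assert-enabled PostgreSQL builds overwrite freed memory with 0x7F (CLOBBER_FREED_MEMORY), so a chunk header whose context pointer reads 0x7f7f7f7f7f7f7f7f is the fingerprint of memory that was already freed. The miniature chunk allocator below reproduces that debugging aid in isolation: every chunk carries a header with its owning context, a free clobbers header and payload with 0x7F, and a second free of the same pointer is reported instead of silently corrupting the heap. The names (Context, ChunkHeader, chunk_alloc, chunk_free, double_free_demo, CLOBBER_BYTE) are this example's own, and the backing memory is deliberately never returned to malloc so the clobbered header stays readable; a real allocator that recycles the chunk only keeps the fingerprint until the memory is reused.

```c
/*
 * Toy clobber-on-free allocator (example code, not PostgreSQL's).
 * Demonstrates why a context pointer of 0x7f7f7f7f7f7f7f7f in a chunk
 * header means "this chunk was freed before".
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLOBBER_BYTE 0x7F   /* same fill byte PostgreSQL uses under CLOBBER_FREED_MEMORY */

typedef struct Context {
    const char *name;
    size_t      live_chunks;   /* chunks allocated and not yet freed */
} Context;

typedef struct ChunkHeader {
    Context *context;          /* owning context; clobbered on free */
    size_t   size;             /* payload size in bytes */
} ChunkHeader;

static ChunkHeader *header_of(void *ptr)
{
    return (ChunkHeader *) ((char *) ptr - sizeof(ChunkHeader));
}

/* Allocate a payload of `size` bytes owned by `ctx`; returns NULL on OOM. */
void *chunk_alloc(Context *ctx, size_t size)
{
    ChunkHeader *hdr = malloc(sizeof(ChunkHeader) + size);
    if (hdr == NULL)
        return NULL;
    hdr->context = ctx;
    hdr->size = size;
    ctx->live_chunks++;
    return (char *) hdr + sizeof(ChunkHeader);
}

/*
 * Free a chunk.  Returns 0 on a valid free and 1 when the header already
 * carries the clobber pattern, i.e. the chunk was freed earlier.  The memory
 * is intentionally leaked (never handed back to malloc) so the clobbered
 * header remains mapped and readable for the check.
 */
int chunk_free(void *ptr)
{
    ChunkHeader *hdr = header_of(ptr);
    uintptr_t    raw = (uintptr_t) hdr->context;
    uintptr_t    clobbered = 0;

    /* Build 0x7f7f...7f of pointer width, e.g. 0x7f7f7f7f7f7f7f7f on 64-bit. */
    for (size_t i = 0; i < sizeof(uintptr_t); i++)
        clobbered = (clobbered << 8) | CLOBBER_BYTE;

    if (raw == clobbered) {
        fprintf(stderr, "double free of chunk %p detected\n", ptr);
        return 1;
    }

    hdr->context->live_chunks--;
    /* Clobber header and payload so any later use is obvious in a debugger. */
    memset(hdr, CLOBBER_BYTE, sizeof(ChunkHeader) + hdr->size);
    return 0;
}

/*
 * Mirrors the thread's failure: the first pfree of a tuple is fine, the
 * second one trips over the clobbered header.  Returns 1 if the second free
 * was caught and bookkeeping is consistent, 0 otherwise.
 */
int double_free_demo(void)
{
    Context ctx = { "ExecutorState", 0 };   /* constructed sample context */
    void *tup = chunk_alloc(&ctx, 64);      /* stands in for scan->xs_hitup */
    int first = chunk_free(tup);            /* expected 0: valid */
    int second = chunk_free(tup);           /* expected 1: detected */

    return first == 0 && second == 1 && ctx.live_chunks == 0;
}

int main(void)
{
    printf("double free %s\n", double_free_demo() ? "detected" : "missed");
    return 0;
}
```

Build with `cc -Wall -o clobber clobber.c` and run it; the second chunk_free reports the double free on stderr, which is the same signal the gdb output carries when pfree inspects a header full of 0x7F bytes.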