Thread: BUG #15514: process fails on jsonb_populate_recordset query. seesimple example below

BUG #15514: process fails on jsonb_populate_recordset query. seesimple example below

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      15514
Logged by:          4321ip
Email address:      4321ip@gmail.com
PostgreSQL version: 11.1
Operating system:   WindiwsServer 2012 64bit
Description:

CREATE TYPE myrowtype AS
(
    field jsonb,
    rank double precision
);
SELECT * FROM jsonb_populate_recordset(NULL :: myrowtype, '[]');

.....
Connection to the server has been lost.



On Wed, Nov 21, 2018 at 7:50 AM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:

Bug reference:      15514
Logged by:          4321ip
Email address:      4321ip@gmail.com
PostgreSQL version: 11.1
Operating system:   WindiwsServer 2012 64bit
Description:       

CREATE TYPE myrowtype AS
(
        field jsonb,
        rank double precision
);
SELECT * FROM jsonb_populate_recordset(NULL :: myrowtype, '[]');

.....
Connection to the server has been lost.

Thanks for the report. I am able to reproduce the crash in HEAD.
Following is the back trace of the crash.

Program received signal SIGSEGV, Segmentation fault.
0x000000000048cc63 in CreateTupleDescCopy (tupdesc=0x0) at tupdesc.c:117
117 desc = CreateTemplateTupleDesc(tupdesc->natts, tupdesc->tdhasoid);
(gdb) bt
#0  0x000000000048cc63 in CreateTupleDescCopy (tupdesc=0x0) at tupdesc.c:117
#1  0x000000000094fd4c in populate_recordset_worker (fcinfo=0x7ffc5fba0ee0, funcname=0xc5afe1 "jsonb_populate_recordset", is_json=false, have_record_arg=true) at jsonfuncs.c:3742
#2  0x000000000094f534 in jsonb_populate_recordset (fcinfo=0x7ffc5fba0ee0) at jsonfuncs.c:3497
#3  0x00000000006e01c3 in ExecMakeTableFunctionResult (setexpr=0x10d2828, econtext=0x10d26d8, argContext=0x10d6270, expectedDesc=0x10d3b40, randomAccess=false) at execSRF.c:231
#4  0x00000000006f36b4 in FunctionNext (node=0x10d25c0) at nodeFunctionscan.c:94
#5  0x00000000006df9f4 in ExecScanFetch (node=0x10d25c0, accessMtd=0x6f35f7 <FunctionNext>, recheckMtd=0x6f39f3 <FunctionRecheck>) at execScan.c:95
#6  0x00000000006dfa69 in ExecScan (node=0x10d25c0, accessMtd=0x6f35f7 <FunctionNext>, recheckMtd=0x6f39f3 <FunctionRecheck>) at execScan.c:145
#7  0x00000000006f3a3d in ExecFunctionScan (pstate=0x10d25c0) at nodeFunctionscan.c:270
#8  0x00000000006ddd60 in ExecProcNodeFirst (node=0x10d25c0) at execProcnode.c:445
#9  0x00000000006d2ef6 in ExecProcNode (node=0x10d25c0) at ../../../src/include/executor/executor.h:237
#10 0x00000000006d5743 in ExecutePlan (estate=0x10d2368, planstate=0x10d25c0, use_parallel_mode=false, operation=CMD_SELECT, sendTuples=true, numberTuples=0, direction=ForwardScanDirection, dest=0x10cf788, 
    execute_once=true) at execMain.c:1707
#11 0x00000000006d3516 in standard_ExecutorRun (queryDesc=0x1031ff8, direction=ForwardScanDirection, count=0, execute_once=true) at execMain.c:364
#12 0x00007f4b2739f7bd in pgss_ExecutorRun (queryDesc=0x1031ff8, direction=ForwardScanDirection, count=0, execute_once=true) at pg_stat_statements.c:893
#13 0x00000000006d3325 in ExecutorRun (queryDesc=0x1031ff8, direction=ForwardScanDirection, count=0, execute_once=true) at execMain.c:305
#14 0x00000000008bca5c in PortalRunSelect (portal=0x1073fc8, forward=true, count=0, dest=0x10cf788) at pquery.c:932
#15 0x00000000008bc6fb in PortalRun (portal=0x1073fc8, count=9223372036854775807, isTopLevel=true, run_once=true, dest=0x10cf788, altdest=0x10cf788, completionTag=0x7ffc5fba1860 "") at pquery.c:773
#16 0x00000000008b6740 in exec_simple_query (query_string=0x100ddd8 "SELECT * FROM jsonb_populate_recordset(NULL :: myrowtype, '[]');") at postgres.c:1215
#17 0x00000000008ba9ed in PostgresMain (argc=1, argv=0x1038660, dbname=0x10384a0 "postgres", username=0x100a7f8 "Kommih") at postgres.c:4243
#18 0x0000000000818d32 in BackendRun (port=0x1030480) at postmaster.c:4377
#19 0x0000000000818510 in BackendStartup (port=0x1030480) at postmaster.c:4068
#20 0x00000000008149fa in ServerLoop () at postmaster.c:1700
#21 0x00000000008142b0 in PostmasterMain (argc=3, argv=0x1008760) at postmaster.c:1373
#22 0x000000000073d2b5 in main (argc=3, argv=0x1008760) at main.c:228
(gdb) q

when the data is NULL, there is no data to populate and the tupleDesc is not updated.
Accessing of NULL pointer leads to crash. Attached quick simple patch fixes the problem.

Regards,
Haribabu Kommi
Fujitsu Australia
Attachment
>>>>> "Haribabu" == Haribabu Kommi <kommi.haribabu@gmail.com> writes:

 Haribabu> when the data is NULL, there is no data to populate and the
 Haribabu> tupleDesc is not updated. Accessing of NULL pointer leads to
 Haribabu> crash. Attached quick simple patch fixes the problem.

Yes, that's an oversight in 4984784f836 (from Tom) which fixed a
_different_ crash here.

Tom: I can take this one if you want?

-- 
Andrew (irc:RhodiumToad)


Andrew Gierth <andrew@tao11.riddles.org.uk> writes:
> Yes, that's an oversight in 4984784f836 (from Tom) which fixed a
> _different_ crash here.

Bleah.

> Tom: I can take this one if you want?

It's my bug, I'll take care of it (but not before tomorrow).

            regards, tom lane


On Wed, Nov 21, 2018 at 12:03:48AM -0500, Tom Lane wrote:
> Andrew Gierth <andrew@tao11.riddles.org.uk> writes:
>> Tom: I can take this one if you want?
>
> It's my bug, I'll take care of it (but not before tomorrow).

Thanks Tom.  I was looking at that a bit today as I am also involved in
this story.  But as you plan to finish wrapping it, I'll just withdraw.
--
Michael

Attachment
Haribabu Kommi <kommi.haribabu@gmail.com> writes:
> Accessing of NULL pointer leads to crash. Attached quick simple patch fixes
> the problem.

While that stops the crash, it doesn't do what we want, which is to
return a valid tupdesc.  Without that you get "set-valued function called
in context that cannot accept a set" errors.  I think the right fix is
to force a call of update_cached_tupdesc so that there always is a
tupdesc to copy.

            regards, tom lane



On Fri, Nov 23, 2018 at 7:21 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Haribabu Kommi <kommi.haribabu@gmail.com> writes:
> Accessing of NULL pointer leads to crash. Attached quick simple patch fixes
> the problem.

While that stops the crash, it doesn't do what we want, which is to
return a valid tupdesc.  Without that you get "set-valued function called
in context that cannot accept a set" errors.  I think the right fix is
to force a call of update_cached_tupdesc so that there always is a
tupdesc to copy.

Thanks for checking, I thought of the same thing, but I wasn't sure.

Regards,
Haribabu Kommi
Fujitsu Australia