Thread: BUG #17300: Server crashes on deserializing text multirange

BUG #17300: Server crashes on deserializing text multirange

From: PG Bug reporting form
The following bug has been logged on the website:

Bug reference:      17300
Logged by:          Alexander Lakhin
Email address:      exclusion@gmail.com
PostgreSQL version: 14.1
Operating system:   Ubuntu 20.04
Description:

The following query:
select ('[\"\\\\\",\"\\\\' || repeat('a', 200) ||
'\"]')::textrange::textmultirange

leads to the server crash with the following stacktrace:
Core was generated by `postgres: law regression [local] SELECT
                        '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such
file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x000055d4175fb385 in multirange_get_range (rangetyp=0x55d4195096c0,
multirange=0x55d419513fc8, i=0)
    at multirangetypes.c:723
#2  0x000055d4175fba26 in multirange_deserialize (rangetyp=0x55d4195096c0,
multirange=0x55d419513fc8, 
    range_count=0x7ffec30cb3bc, ranges=0x7ffec30cb3c8) at
multirangetypes.c:830
#3  0x000055d4175fa03c in multirange_out (fcinfo=0x7ffec30cb450) at
multirangetypes.c:311
#4  0x000055d4176fb1de in FunctionCall1Coll (flinfo=0x55d419512a20,
collation=0, arg1=94369446182856) at fmgr.c:1138
#5  0x000055d4176fc79c in OutputFunctionCall (flinfo=0x55d419512a20,
val=94369446182856) at fmgr.c:1575
#6  0x000055d416fd2bff in printtup (slot=0x55d419511978,
self=0x55d41951ff18) at printtup.c:357
#7  0x000055d4172b8ac9 in ExecutePlan (estate=0x55d419511420,
planstate=0x55d419511658, use_parallel_mode=false, 
    operation=CMD_SELECT, sendTuples=true, numberTuples=0,
direction=ForwardScanDirection, dest=0x55d41951ff18, 
    execute_once=true) at execMain.c:1582
#8  0x000055d4172b6578 in standard_ExecutorRun (queryDesc=0x55d4194677d0,
direction=ForwardScanDirection, count=0, 
    execute_once=true) at execMain.c:361
#9  0x000055d4172b6363 in ExecutorRun (queryDesc=0x55d4194677d0,
direction=ForwardScanDirection, count=0, 
    execute_once=true) at execMain.c:305
#10 0x000055d417533510 in PortalRunSelect (portal=0x55d4194a9110,
forward=true, count=0, dest=0x55d41951ff18)
    at pquery.c:921
#11 0x000055d417533134 in PortalRun (portal=0x55d4194a9110,
count=9223372036854775807, isTopLevel=true, run_once=true, 
    dest=0x55d41951ff18, altdest=0x55d41951ff18, qc=0x7ffec30cb870) at
pquery.c:765
#12 0x000055d41752c01e in exec_simple_query (
    query_string=0x55d4194453b0 "select ('[\\\"\\\\\\\\\\\",\\\"\\\\\\\\' ||
repeat('a', 200) || '\\\"]')::textrange::textmultirange;") at
postgres.c:1214
#13 0x000055d417530f0d in PostgresMain (argc=1, argv=0x7ffec30cba90,
dbname=0x55d419470ff8 "regression", 
    username=0x55d419470fd8 "law") at postgres.c:4486
#14 0x000055d41745579c in BackendRun (port=0x55d419469f10) at
postmaster.c:4530
#15 0x000055d417454ff7 in BackendStartup (port=0x55d419469f10) at
postmaster.c:4252
#16 0x000055d417450dec in ServerLoop () at postmaster.c:1745
#17 0x000055d417450549 in PostmasterMain (argc=8, argv=0x55d41943f620) at
postmaster.c:1417
#18 0x000055d41733fd34 in main (argc=8, argv=0x55d41943f620) at main.c:209

The query without casting to the multirange type:
select ('[\"\\\\\",\"\\\\' || repeat('a', 200) || '\"]')::textrange
doesn't fail.


Re: BUG #17300: Server crashes on deserializing text multirange

From: Tom Lane
PG Bug reporting form <noreply@postgresql.org> writes:
> The following query:

> select ('[\"\\\\\",\"\\\\' || repeat('a', 200) ||
> '\"]')::textrange::textmultirange

> leads to the server crash with the following stacktrace:

I think the problem here is that the range bound values inside the
multirange are supposed to be aligned (at least, write_multirange_data
thinks so) but multirange_get_range isn't accounting for the alignment
padding between the two values it extracts.  In this example that
causes it to extract an insane length for the second value.

If so, this would indicate extremely slipshod testing of the multirange
stuff, because the breakage is necessarily reached by multirange_out.

            regards, tom lane
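Tom Lane's diagnosis above (a reader that ignores the alignment padding the writer inserted, so it picks up a length field from the wrong offset) modelled as an added example; this is not PostgreSQL's code and not its varlena or multirange layout. The buffer format, the 8-byte alignment rule, the native-endian 4-byte length prefix and every function name (put_value, read_second_len_unaligned, read_second_len_aligned, demo_wrong, demo_right) are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not PostgreSQL's layout: each value is a 4-byte
 * native-endian length followed by its bytes, and the writer pads with
 * zeros so that every value starts on an 8-byte boundary. */
#define ALIGN8(x) (((x) + 7) & ~(size_t)7)
#define BUF_CAP 512
static unsigned char buf[BUF_CAP];

static size_t put_value(size_t pos, const char *s)
{
    uint32_t len = (uint32_t)strlen(s);
    pos = ALIGN8(pos);                      /* writer inserts padding here */
    memcpy(buf + pos, &len, sizeof len);
    memcpy(buf + pos + sizeof len, s, len);
    return pos + sizeof len + len;
}

/* Buggy reader: assumes the second value starts right after the first one's
 * bytes, so its length field is read from inside the zero padding. */
uint32_t read_second_len_unaligned(void)
{
    uint32_t len1, len2;
    memcpy(&len1, buf, sizeof len1);
    memcpy(&len2, buf + sizeof len1 + len1, sizeof len2); /* no ALIGN8: bug */
    return len2;
}

/* Fixed reader: applies the writer's alignment rule and refuses a length
 * that would run past the serialized data (returns 0 instead of overreading). */
uint32_t read_second_len_aligned(size_t total)
{
    uint32_t len1, len2;
    memcpy(&len1, buf, sizeof len1);
    size_t pos = ALIGN8(sizeof len1 + len1);
    if (pos + sizeof len2 > total) return 0;
    memcpy(&len2, buf + pos, sizeof len2);
    return (pos + sizeof len2 + len2 <= total) ? len2 : 0;
}

/* Input shaped like the report: a 2-byte first value, a 200-byte second one. */
static size_t build_demo(void)
{
    char second[201];
    memset(second, 'a', 200); second[200] = '\0';
    memset(buf, 0, sizeof buf);
    return put_value(put_value(0, "ab"), second);
}
uint32_t demo_wrong(void) { build_demo(); return read_second_len_unaligned(); }
uint32_t demo_right(void) { size_t t = build_demo(); return read_second_len_aligned(t); }
```

With the report's shape the buggy reader's length starts two bytes early, inside the padding, so the value it returns is not 200 and a copy of that many bytes would run far past the buffer; the aligned reader returns 200.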



Re: BUG #17300: Server crashes on deserializing text multirange

From: Alexander Korotkov
On Thu, Dec 2, 2021 at 1:39 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> PG Bug reporting form <noreply@postgresql.org> writes:
> > The following query:
>
> > select ('[\"\\\\\",\"\\\\' || repeat('a', 200) ||
> > '\"]')::textrange::textmultirange
>
> > leads to the server crash with the following stacktrace:
>
> I think the problem here is that the range bound values inside the
> multirange are supposed to be aligned (at least, write_multirange_data
> thinks so) but multirange_get_range isn't accounting for the alignment
> padding between the two values it extracts.  In this example that
> causes it to extract an insane length for the second value.
>
> If so, this would indicate extremely slipshod testing of the multirange
> stuff, because the breakage is necessarily reached by multirange_out.

Sorry for the delay.  I'm going to fix this in the next couple of days.

------
Regards,
Alexander Korotkov



Re: BUG #17300: Server crashes on deserializing text multirange

From: Alexander Korotkov
On Mon, Dec 6, 2021 at 10:39 PM Alexander Korotkov <aekorotkov@gmail.com> wrote:
> On Thu, Dec 2, 2021 at 1:39 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > PG Bug reporting form <noreply@postgresql.org> writes:
> > > The following query:
> >
> > > select ('[\"\\\\\",\"\\\\' || repeat('a', 200) ||
> > > '\"]')::textrange::textmultirange
> >
> > > leads to the server crash with the following stacktrace:
> >
> > I think the problem here is that the range bound values inside the
> > multirange are supposed to be aligned (at least, write_multirange_data
> > thinks so) but multirange_get_range isn't accounting for the alignment
> > padding between the two values it extracts.  In this example that
> > causes it to extract an insane length for the second value.
> >
> > If so, this would indicate extremely slipshod testing of the multirange
> > stuff, because the breakage is necessarily reached by multirange_out.
>
> Sorry for the delay.  I'm going to fix this in the next couple of days.

The proposed patch fixes the patch (and adds some minimal testing for
it).  I'm going to push it if no objections (backpatch to v14).

------
Regards,
Alexander Korotkov

Re: BUG #17300: Server crashes on deserializing text multirange

From: Alexander Korotkov
On Sat, Dec 11, 2021 at 4:48 AM Alexander Korotkov <aekorotkov@gmail.com> wrote:
> On Mon, Dec 6, 2021 at 10:39 PM Alexander Korotkov <aekorotkov@gmail.com> wrote:
> > On Thu, Dec 2, 2021 at 1:39 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > > PG Bug reporting form <noreply@postgresql.org> writes:
> > > > The following query:
> > >
> > > > select ('[\"\\\\\",\"\\\\' || repeat('a', 200) ||
> > > > '\"]')::textrange::textmultirange
> > >
> > > > leads to the server crash with the following stacktrace:
> > >
> > > I think the problem here is that the range bound values inside the
> > > multirange are supposed to be aligned (at least, write_multirange_data
> > > thinks so) but multirange_get_range isn't accounting for the alignment
> > > padding between the two values it extracts.  In this example that
> > > causes it to extract an insane length for the second value.
> > >
> > > If so, this would indicate extremely slipshod testing of the multirange
> > > stuff, because the breakage is necessarily reached by multirange_out.
> >
> > Sorry for the delay.  I'm going to fix this in the next couple of days.
>
> The proposed patch fixes the patch (and adds some minimal testing for
> it).  I'm going to push it if no objections (backpatch to v14).

Pushed!

------
Regards,
Alexander Korotkov