Thread: BUG #17474: Segmentation fault from INSERT ( JumbleExpr )
The following bug has been logged on the website:
Bug reference: 17474
Logged by: Victor Yegorov
Email address: vyegorov@gmail.com
PostgreSQL version: 14.2
Operating system: Ubuntu 20.04.4 LTS (focal)
Description:
Quite simple setup, that works on 13 version, is causing SEGFAULTs on 14.2.
Reproducible.
*** Table definition ***
Table "public.outputs"
Column | Type | Collation | Nullable | Default
----------------+-----------+-----------+----------+-------------------------------------
id | integer | | not null |
nextval('outputs_id_seq'::regclass)
transaction_id | integer | | |
address | bigint | | |
position | integer | | |
amount | bigint | | |
type | integer | | |
req_sigs | integer | | |
multisig_type | integer[] | | |
Indexes:
"outputs_pkey" PRIMARY KEY, btree (id)
"address" btree (address)
"outputs_amount_idx" btree (amount)
"transaction_id" btree (transaction_id)
"trx_pos" btree (transaction_id, "position")
Foreign-key constraints:
"outputs_transaction_id_fkey" FOREIGN KEY (transaction_id) REFERENCES
transactions(id) ON DELETE CASCADE
Referenced by:
TABLE "inputs" CONSTRAINT "inputs_output_id_fkey" FOREIGN KEY
(output_id) REFERENCES outputs(id) ON DELETE CASCADE
TABLE "output_datas" CONSTRAINT "output_datas_output_id_fkey" FOREIGN
KEY (output_id) REFERENCES outputs(id) ON DELETE CASCADE
*** INSERT statement ***
LOG: server process (PID 2585336) was terminated by signal 11: Segmentation
fault
DETAIL: Failed process was running: INSERT INTO outputs (transaction_id,
address, position, amount, type, req_sigs) VALUES (254800, 163252, 0, 1, 1,
1), (254800, 61860, 1, 1, 1, 1), (254800, 99617, 2, 1, 1, 1), (254800,
163255, 3, 1, 1, 1), (254800, 12098, 4, 1, 1, 1), (254800, 97997, 5, 1, 1,
1), (254800, 13404, 6, 1, 1, 1), (254800, 80413, 7, 1, 1, 1), (254800, 8319,
8, 1, 1, 1), (254800, 163261, 9, 1, 1, 1), (254800, 163262, 10, 1, 1, 1),
(254800, 163263, 11, 1, 1, 1), (254800, 163264, 12, 1, 1, 1), (254800,
163265, 13, 1, 1, 1), (254800, 163266, 14, 1, 1, 1), (254800, 163267, 15, 1,
1, 1), (254800, 163197, 16, 1, 1, 1), (254800, 163269, 17, 1, 1, 1),
(254800, 163270, 18, 1, 1, 1), (254800, 1238, 19, 1, 1, 1), (254800, 12093,
20, 1, 1, 1), (254800, 24167, 21, 1, 1, 1), (254800, 39000, 22, 1, 1, 1),
(254800, 163255, 23, 1, 1, 1), (254800, 163275, 24, 1, 1, 1), (254800,
93813, 25, 1, 1, 1), (254800, 163277, 26, 1, 1, 1), (254800, 163278, 27, 1,
1, 1), (254800, 8285, 28, 1, 1, 1), (254800, 9111, 29, 1, 1, 1), (254800,
54795, 30, 1, 1, 1), (254
Total length of the INSERT statement is round 100Kb.
*** Backtrace ***
Core was generated by `postgres: 14/main: parser litecoin 10.1.1.20(43434)
PARSE '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000056397d94c297 in memcpy (__len=1016, __src=<optimized out>,
__dest=<optimized out>) at
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
34 /usr/include/x86_64-linux-gnu/bits/string_fortified.h: No such file
or directory.
(gdb) bt
#0 0x000056397d94c297 in memcpy (__len=1016, __src=<optimized out>,
__dest=<optimized out>) at
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#1 AppendJumble (item=<optimized out>, item@entry=0x7f403929afd8 "u",
size=30595144541, size@entry=4, jstate=<optimized out>, jstate=<optimized
out>) at ./build/../src/backend/utils/misc/queryjumble.c:213
#2 0x000056397d94c6c4 in JumbleExpr (jstate=0x7f4038f652e0, node=<optimized
out>) at ./build/../src/backend/utils/misc/queryjumble.c:373
#3 0x000056397d94c8c1 in JumbleExpr (jstate=0x7f4038f652e0, node=<optimized
out>) at ./build/../src/backend/utils/misc/queryjumble.c:743
#4 0x000056397d94c8c1 in JumbleExpr (jstate=0x7f4038f652e0, node=<optimized
out>) at ./build/../src/backend/utils/misc/queryjumble.c:743
#5 0x000056397d94c5dc in JumbleRangeTable (rtable=0x7f403966a020,
jstate=0x7f4038f652e0) at
./build/../src/backend/utils/misc/queryjumble.c:300
#6 JumbleQueryInternal (jstate=0x7f4038f652e0, query=0x7f4039669b28) at
./build/../src/backend/utils/misc/queryjumble.c:248
#7 0x000056397d94cfec in JumbleQuery (query=query@entry=0x7f4039669b28,
querytext=querytext@entry=0x56397fdb9b59 "") at
./build/../src/backend/utils/misc/queryjumble.c:127
#8 0x000056397d5e26b3 in parse_analyze_varparams
(parseTree=parseTree@entry=0x7f4039669aa8,
sourceText=sourceText@entry=0x56397fdb9b59 "",
paramTypes=paramTypes@entry=0x7fff3a4f6748,
numParams=numParams@entry=0x7fff3a4f6734)
at ./build/../src/backend/parser/analyze.c:169
#9 0x000056397d80cc1e in exec_parse_message (numParams=<optimized out>,
paramTypes=<optimized out>, stmt_name=0x56397fdb9b58 "",
query_string=0x56397fdb9b59 "") at
./build/../src/backend/tcop/postgres.c:1458
#10 PostgresMain (argc=argc@entry=1, argv=argv@entry=0x7fff3a4f6a20,
dbname=<optimized out>, username=<optimized out>) at
./build/../src/backend/tcop/postgres.c:4515
#11 0x000056397d78cb6b in BackendRun (port=<optimized out>, port=<optimized
out>) at ./build/../src/backend/postmaster/postmaster.c:4530
#12 BackendStartup (port=<optimized out>) at
./build/../src/backend/postmaster/postmaster.c:4252
#13 ServerLoop () at ./build/../src/backend/postmaster/postmaster.c:1745
#14 0x000056397d78d9ec in PostmasterMain (argc=<optimized out>,
argv=0x56397fbacf10) at
./build/../src/backend/postmaster/postmaster.c:1417
#15 0x000056397d506c8d in main (argc=5, argv=0x56397fbacf10) at
./build/../src/backend/main/main.c:209
PG Bug reporting form <noreply@postgresql.org> writes:
> Quite simple setup, that works on 13 version, is causing SEGFAULTs on 14.2.
> Reproducible.
Can you provide a reproducer SQL script? The stack trace looks like
some element of the VALUES list is not in the format that JumbleExpr
is expecting, but there's nothing odd-looking about the fragment
you showed.
regards, tom lane
чт, 5 мая 2022 г. в 16:44, Tom Lane <tgl@sss.pgh.pa.us>:
PG Bug reporting form <noreply@postgresql.org> writes:
> Quite simple setup, that works on 13 version, is causing SEGFAULTs on 14.2.
> Reproducible.
Can you provide a reproducer SQL script? The stack trace looks like
some element of the VALUES list is not in the format that JumbleExpr
is expecting, but there's nothing odd-looking about the fragment
you showed.
I will try to find such a case, though it might not be straightforward.
Same query after the restart of Postgres succeeds. So it feels like we're accumulating smth here.
Victor Yegorov
PG Bug reporting form <noreply@postgresql.org> writes:
> (gdb) bt
> #0 0x000056397d94c297 in memcpy (__len=1016, __src=<optimized out>,
> __dest=<optimized out>) at
> /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
> #1 AppendJumble (item=<optimized out>, item@entry=0x7f403929afd8 "u",
> size=30595144541, size@entry=4, jstate=<optimized out>, jstate=<optimized
> out>) at ./build/../src/backend/utils/misc/queryjumble.c:213
If we take that at face value --- which isn't a very safe assumption when
dealing with optimized code --- it suggests that the loop in AppendJumble
has gone crazy and allowed "size" to wrap around to some large value.
If that happened then it'd iterate until "item" advances off the end of
memory and you get SIGSEGV.
I don't see how that could possibly happen though, short of a compiler
bug:
while (size > 0)
{
Size part_size;
...
part_size = Min(size, JUMBLE_SIZE - jumble_len);
...
size -= part_size;
}
How could the value of part_size exceed size?
I've spent time staring at that code before, because Coverity regularly
whines about queryjumble.c in terms suggesting that it sees a potential
for exactly this kind of bug. But I sure don't see it.
regards, tom lane