BUG #18334: Segfault when running a query with parallel workers

The following bug has been logged on the website:

Bug reference: 18334
Logged by: Marcin Barczyński
Email address: mba(dot)ogolny(at)gmail(dot)com
PostgreSQL version: 13.13
Operating system: Ubuntu 22.04.3 LTS
Description:

Obfuscated query:

WITH dt1 AS (
SELECT
right(d.p, -length('STR1') -1) || 'STR4' || f.n AS p1
FROM dc d
INNER JOIN fc f ON f.pid = d.id
AND f.vid = d.vid
WHERE f.vid = func1('STR2')
AND d.aids && ARRAY[(
SELECT id from dc
WHERE p = 'STR1' AND vid = func1('STR2')
)]
AND right(d.p, -length('STR1') -1) || 'STR4' || f.n != ''
), dt2 AS (
SELECT
d.p || 'STR4' || f.n AS p2
FROM dc d
INNER JOIN fc f ON f.pid = d.id
AND f.vid = d.vid
WHERE f.vid = func1('STR3')
AND d.aids && ARRAY[(
SELECT id from dc
WHERE p = '' AND vid = func1('STR3')
)]
AND d.p || 'STR4' || f.n != ''

)
SELECT dt2.p2
FROM dt1 RIGHT OUTER JOIN dt2 ON p1 = p2
WHERE p1 IS NULL;

Log messages:

2024-02-03 09:16:33.798 EST [3261686-102] app= LOG: background worker
"parallel worker" (PID 2387431) was terminated by signal 11: Segmentation
fault
2024-02-03 09:16:33.798 EST [3261686-103] app= DETAIL: Failed process was
running: set max_parallel_workers=8; set work_mem='20GB';

Backtrace:

#0 0x0000557ba04345ac in dsa_get_address (area=0x557ba22e9668,
dp=<optimized out>) at
utils/mmgr/./build/../src/backend/utils/mmgr/dsa.c:955
#1 0x0000557ba014ec21 in ExecParallelHashNextTuple (tuple=0x7fc42a891560,
hashtable=0x557ba233dcb8) at
executor/./build/../src/backend/executor/nodeHash.c:3272
#2 ExecParallelScanHashBucket (hjstate=0x557ba22fdf28,
econtext=0x557ba22fddf0) at
executor/./build/../src/backend/executor/nodeHash.c:2059
#3 0x0000557ba01514b5 in ExecHashJoinImpl (parallel=<optimized out>,
pstate=<optimized out>) at
executor/./build/../src/backend/executor/nodeHashjoin.c:455
#4 ExecParallelHashJoin (pstate=<optimized out>) at
executor/./build/../src/backend/executor/nodeHashjoin.c:637
#5 0x0000557ba013547d in ExecProcNodeInstr (node=0x557ba22fdf28) at
executor/./build/../src/backend/executor/execProcnode.c:467
#6 0x0000557ba012b03d in ExecProcNode (node=0x557ba22fdf28) at
executor/./build/../src/include/executor/executor.h:248
#7 ExecutePlan (execute_once=<optimized out>, dest=0x557ba2281a78,
direction=<optimized out>, numberTuples=0, sendTuples=<optimized out>,
operation=CMD_SELECT, use_parallel_mode=<optimized out>,
planstate=0x557ba22fdf28, estate=0x557ba22c1008)
at executor/./build/../src/backend/executor/execMain.c:1632
#8 standard_ExecutorRun (queryDesc=0x557ba22d17c0, direction=<optimized
out>, count=0, execute_once=<optimized out>) at
executor/./build/../src/backend/executor/execMain.c:350
#9 0x00007fc42a976f25 in pgss_ExecutorRun (queryDesc=0x557ba22d17c0,
direction=ForwardScanDirection, count=0, execute_once=<optimized out>) at
./build/../contrib/pg_stat_statements/pg_stat_statements.c:1045
#10 0x00007fc42e5d56d2 in explain_ExecutorRun (queryDesc=0x557ba22d17c0,
direction=ForwardScanDirection, count=0, execute_once=<optimized out>) at
./build/../contrib/auto_explain/auto_explain.c:334
#11 0x0000557ba0131ba9 in ExecutorRun (execute_once=true, count=<optimized
out>, direction=ForwardScanDirection, queryDesc=0x557ba22d17c0) at
executor/./build/../src/backend/executor/execMain.c:292
#12 ParallelQueryMain (seg=seg(at)entry=0x557ba2239b18,
toc=toc(at)entry=0x7fc42a890000) at
executor/./build/../src/backend/executor/execParallel.c:1448
#13 0x0000557b9fff010e in ParallelWorkerMain (main_arg=<optimized out>) at
access/transam/./build/../src/backend/access/transam/parallel.c:1494
#14 0x0000557ba0231ada in StartBackgroundWorker () at
postmaster/./build/../src/backend/postmaster/bgworker.c:890
#15 0x0000557ba0241ffe in do_start_bgworker (rw=<optimized out>) at
postmaster/./build/../src/backend/postmaster/postmaster.c:5896
#16 maybe_start_bgworkers () at
postmaster/./build/../src/backend/postmaster/postmaster.c:6121
#17 0x0000557ba024224d in sigusr1_handler (postgres_signal_arg=<optimized
out>) at postmaster/./build/../src/backend/postmaster/postmaster.c:5281
#18 <signal handler called>
#19 0x00007fc42d65959d in __GI___select (nfds=nfds(at)entry=8,
readfds=readfds(at)entry=0x7ffda2d1ba20, writefds=writefds(at)entry=0x0,
exceptfds=exceptfds(at)entry=0x0, timeout=timeout(at)entry=0x7ffda2d1b980) at
../sysdeps/unix/sysv/linux/select.c:69
#20 0x0000557ba02433d6 in ServerLoop () at
postmaster/./build/../src/backend/postmaster/postmaster.c:1706
#21 0x0000557ba02450e5 in PostmasterMain (argc=5, argv=<optimized out>) at
postmaster/./build/../src/backend/postmaster/postmaster.c:1415
#22 0x0000557b9ff5a017 in main (argc=5, argv=0x557ba2121300) at
main/./build/../src/backend/main/main.c:210

It happens non-deterministically but frequently in our environment.

I have a core dump and will gladly send additional info if needed.