From: | Teodor Sigaev <teodor(at)sigaev(dot)ru> |
---|---|
To: | Pgsql Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | aggregate crash |
Date: | 2019-12-27 17:13:26 |
Message-ID: | bd34e930-cfec-ea9b-3827-a8bc50891393@sigaev.ru |
Lists: | pgsql-hackers |
Hi!

Found a crash on a production instance; an assert-enabled build crashes in the
pfree() call with the default config. v11, v12 and head are affected, but it
seems you need to be a bit lucky.

The bug is that old and new aggregate pass-by-ref values are compared only by
the pointer value itself, regardless of the null flag. Any function which
returns null doesn't worry about the actual returned Datum value, so that
comparison isn't enough. The test case shows the bug with ExecInterpExpr(), but
there are several similar places (thanks to Nikita Glukhov for help).

The attached patch adds a check of the null flag.

How to reproduce:
http://sigaev.ru/misc/xdump.sql.bz2
bzcat xdump.sql.bz2 | psql postgres && psql postgres < x.sql

Backtrace from v12 (note, newValue and oldValue differ on the current call, but
oldValue points into pfreed memory):
#0 0x0000000000c8405a in GetMemoryChunkContext (pointer=0x80a808250) at
../../../../src/include/utils/memutils.h:130
130 AssertArg(MemoryContextIsValid(context));
(gdb) bt
#0 0x0000000000c8405a in GetMemoryChunkContext (pointer=0x80a808250) at
../../../../src/include/utils/memutils.h:130
#1 0x0000000000c85ae5 in pfree (pointer=0x80a808250) at mcxt.c:1058
#2 0x000000000080475e in ExecAggTransReparent (aggstate=0x80a806370,
pertrans=0x80a87e830, newValue=34535940744, newValueIsNull=false,
oldValue=34535932496, oldValueIsNull=false)
at execExprInterp.c:4209
#3 0x00000000007ff51f in ExecInterpExpr (state=0x80a87f4d8,
econtext=0x80a8065a8, isnull=0x7fffffffd7b7) at execExprInterp.c:1747
#4 0x000000000082c12b in ExecEvalExprSwitchContext (state=0x80a87f4d8,
econtext=0x80a8065a8, isNull=0x7fffffffd7b7) at
../../../src/include/executor/executor.h:308
#5 0x000000000082bc0f in advance_aggregates (aggstate=0x80a806370) at nodeAgg.c:679
#6 0x000000000082b8a6 in agg_retrieve_direct (aggstate=0x80a806370) at
nodeAgg.c:1847
#7 0x0000000000828782 in ExecAgg (pstate=0x80a806370) at nodeAgg.c:1572
#8 0x000000000080e712 in ExecProcNode (node=0x80a806370) at
../../../src/include/executor/executor.h:240
#9 0x000000000080a4a1 in ExecutePlan (estate=0x80a806120,
planstate=0x80a806370, use_parallel_mode=false, operation=CMD_SELECT,
sendTuples=true, numberTuples=0,
direction=ForwardScanDirection, dest=0x80a851cc0, execute_once=true) at
execMain.c:1646
#10 0x000000000080a362 in standard_ExecutorRun (queryDesc=0x80a853120,
direction=ForwardScanDirection, count=0, execute_once=true) at execMain.c:364
#11 0x000000000080a114 in ExecutorRun (queryDesc=0x80a853120,
direction=ForwardScanDirection, count=0, execute_once=true) at execMain.c:308
#12 0x0000000000a79d6f in PortalRunSelect (portal=0x80a70d120, forward=true,
count=0, dest=0x80a851cc0) at pquery.c:929
#13 0x0000000000a79807 in PortalRun (portal=0x80a70d120,
count=9223372036854775807, isTopLevel=true, run_once=true, dest=0x80a851cc0,
altdest=0x80a851cc0, completionTag=0x7fffffffdc30 "")
at pquery.c:770
#14 0x0000000000a74e49 in exec_simple_query (
query_string=0x800d02950
"SELECT\nT1._Q_001_F_000,\nT1._Q_001_F_001,\nT1._Q_001_F_002RRef,\nT1._Q_001_F_003RRef,\nT1._Q_001_F_004RRef,\nT1._Q_001_F_005RRef,\nMAX(CASE
WHEN (T1._Q_001_F_010 > CAST(0 AS NUMERIC)) THEN T2._Q_001_F_009RR"...) at
postgres.c:1227
#15 0x0000000000a74123 in PostgresMain (argc=1, argv=0x80a6ef8f0,
dbname=0x80a6ef850 "postgres", username=0x80a6ef830 "teodor") at postgres.c:4291
#16 0x00000000009a4c3b in BackendRun (port=0x80a6e6000) at postmaster.c:4498
#17 0x00000000009a403a in BackendStartup (port=0x80a6e6000) at postmaster.c:4189
#18 0x00000000009a2f63 in ServerLoop () at postmaster.c:1727
#19 0x00000000009a0a0a in PostmasterMain (argc=3, argv=0x7fffffffe3c8) at
postmaster.c:1400
#20 0x000000000088deef in main (argc=3, argv=0x7fffffffe3c8) at main.c:210
--
Teodor Sigaev E-mail: teodor(at)sigaev(dot)ru
WWW: http://www.sigaev.ru/
Attachment | Content-Type | Size |
---|---|---|
x.sql | application/sql | 1.6 KB |
aggfix.patch | text/x-patch | 2.9 KB |
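
A minimal model of the comparison described in the message above, added here as an illustration; it is not PostgreSQL source and not the attached patch. The chunk tracker, all names and the three-row sequence are constructed assumptions, chosen so that the pointer-only test ends by freeing memory that was already released, while a test that also looks at the null flags does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model, not PostgreSQL code: a chunk is owned by the long-lived
 * aggregate state (AGG), by per-row scratch memory (ROW), or is FREED. */
enum owner { FREED, ROW, AGG };
typedef struct { enum owner owner; } Chunk;
typedef struct { Chunk *value; bool isnull; } TransState;

static Chunk pool[8];
static int used, bad_frees;

static Chunk *toy_alloc(enum owner o) { pool[used].owner = o; return &pool[used++]; }

/* Releasing a chunk that is already FREED is counted as an invalid free. */
static void toy_free(Chunk *c)
{
    if (c->owner == FREED) bad_frees++;
    c->owner = FREED;
}

/* Store one transition result; check_flags=false compares pointers only. */
static void store_result(TransState *st, Chunk *nv, bool nvnull, bool check_flags)
{
    bool differs = check_flags
        ? (nvnull != st->isnull || (!nvnull && nv != st->value))
        : (nv != st->value);
    if (differs) {
        if (!nvnull) nv = toy_alloc(AGG);      /* stands in for copying into long-lived memory */
        if (!st->isnull) toy_free(st->value);  /* release the previous state value */
    }
    st->value = nv;
    st->isnull = nvnull;
}

/* Replays three constructed rows and returns the number of invalid frees. */
int replay(bool check_flags)
{
    used = bad_frees = 0;
    TransState st = { toy_alloc(AGG), false };
    Chunk *scratch = toy_alloc(ROW);
    store_result(&st, scratch, true, check_flags);   /* row 1: NULL result, leftover pointer */
    store_result(&st, scratch, false, check_flags);  /* row 2: non-NULL result, same address */
    scratch->owner = FREED;                          /* per-row memory is reset */
    store_result(&st, toy_alloc(ROW), false, check_flags); /* row 3: a different pointer */
    return bad_frees;
}

int main(void) { printf("pointer-only: %d, flag-aware: %d invalid frees\n", replay(false), replay(true)); return 0; }
```

In the pointer-only run, row 2 leaves the state pointing at per-row memory because the addresses match, so row 3 frees a chunk that is no longer live.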