Re: BUG #17950: Incorrect memory access in gtsvector_picksplit()

From: Alexander Lakhin <exclusion(at)gmail(dot)com>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #17950: Incorrect memory access in gtsvector_picksplit()
Date: 2023-06-17 14:00:00
Message-ID: da453149-fa9e-67fc-fbce-80cca399bce5@gmail.com
Lists: pgsql-bugs

29.05.2023 23:00, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 17950

I managed to reduce the reproducer to the following:
CREATE TABLE tst(t tsvector);
INSERT INTO tst SELECT array_to_string(array(SELECT 'a' || x::text FROM generate_series(1, 125) x), ' ')::tsvector FROM
generate_series(1, 3000);
INSERT INTO tst SELECT '' FROM generate_series(1, 100);
CREATE INDEX gistidx ON tst USING gist (t tsvector_ops(siglen=1));

(Sorry for the previous messy script.)

A trivial fix for the issue is attached.

BTW, when looking at the index contents (page 0) using pageinspect, I saw:
 itemoffset |    ctid     | itemlen | dead | keys
------------+-------------+---------+------+-----------------------------------
          1 | (367,65535) |      16 | f    | (a)=("0 true bits, 0 false bits")
          2 | (368,65535) |      16 | f    | (a)=("0 true bits, 0 false bits")
The text describing keys looks confusing, just as if siglen were 0, but that's
not the case.
This is explained by the code:
        int            siglen = GETSIGLEN(key);
        int            cnttrue = (ISALLTRUE(key)) ? SIGLENBIT(siglen) : sizebitvec(GETSIGN(key), siglen);

        sprintf(outbuf, SINGOUTSTR, cnttrue, (int) SIGLENBIT(siglen) - cnttrue);

When ISALLTRUE, the code tries to calculate bit count from siglen, but
siglen is 0 in this case.
So maybe fix it in passing too...

Best regards,
Alexander
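As an added illustration (not part of the mail, its attached patches, or PostgreSQL's source), a small C model of the quoted gtsvectorout() logic: an all-true key is stored as header only, so GETSIGLEN() on it is 0 and the output reads "0 true bits, 0 false bits". The struct layout, the macro bodies, sizebitvec() and the "all true bits" wording in the use_fixed branch are assumptions made here to keep the model self-contained; the real definitions live in tsgistidx.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
/* Model of the SignTSVector key header from tsgistidx.c (vl_len stands in for
 * the varlena length VARSIZE() returns); signature bytes follow the header. */
typedef struct { unsigned int vl_len; int flag; char data[]; } SignTSVector;

#define ALLISTRUE         0x04
#define GTHDRSIZE         offsetof(SignTSVector, data)
#define ISALLTRUE(x)      ((x)->flag & ALLISTRUE)
#define GETSIGLEN(x)      ((int) ((x)->vl_len - GTHDRSIZE))
#define SIGLENBIT(siglen) ((siglen) * 8)
#define GETSIGN(x)        ((x)->data)
#define SINGOUTSTR        "%d true bits, %d false bits"

/* Popcount of the signature bytes (PostgreSQL uses pg_popcount here). */
static int sizebitvec(const char *sign, int siglen)
{
    int cnt = 0;
    while (siglen-- > 0)
        for (unsigned char b = (unsigned char) sign[siglen]; b; b &= b - 1) cnt++;
    return cnt;
}

/* The logic quoted in the mail. With use_fixed set, an all-true key is
 * reported as such instead (an assumed correction, not the attached patch). */
static void describe_key(const SignTSVector *key, int use_fixed, char *outbuf)
{
    int siglen = GETSIGLEN(key);   /* 0 for an all-true key: no signature bytes */
    int cnttrue = ISALLTRUE(key) ? SIGLENBIT(siglen) : sizebitvec(GETSIGN(key), siglen);
    if (use_fixed && ISALLTRUE(key)) strcpy(outbuf, "all true bits");
    else sprintf(outbuf, SINGOUTSTR, cnttrue, (int) SIGLENBIT(siglen) - cnttrue);
}

/* Build a constructed key sized as CALCGTSIZE sizes it: siglen bytes of `fill`
 * after the header, or the header alone when alltrue. Returns a static string. */
static const char *describe_constructed(int use_fixed, int siglen, int alltrue, unsigned char fill)
{
    static char buf[64];
    size_t size = GTHDRSIZE + (alltrue ? 0 : (size_t) siglen);
    SignTSVector *key = calloc(1, size);
    key->vl_len = (unsigned int) size;
    key->flag = alltrue ? ALLISTRUE : 0;
    if (!alltrue) memset(key->data, fill, (size_t) siglen);
    describe_key(key, use_fixed, buf);
    free(key);
    return buf;
}
```

describe_constructed(0, 1, 1, 0) reproduces the confusing pageinspect text for a siglen=1 index, while the same key with use_fixed set reports "all true bits".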

Attachment Content-Type Size
v1-01-fix-gtsvector_picksplit.patch text/x-patch 718 bytes
v1-02-fix-gtsvectorout.patch text/x-patch 836 bytes
