BUG #17022: SQL causing engine crash - Mailing list pgsql-bugs
| From | PG Bug reporting form |
|---|---|
| Subject | BUG #17022: SQL causing engine crash |
| Date | |
| Msg-id | 17022-8e7e280c9b4baedb@postgresql.org Whole thread Raw |
| Responses |
Re: BUG #17022: SQL causing engine crash
|
| List | pgsql-bugs |
The following bug has been logged on the website: Bug reference: 17022 Logged by: Robins Tharakan Email address: tharakan@gmail.com PostgreSQL version: 13.3 Operating system: Amazon Linux 2 Description: Hi, SQLSmith is constantly crashing v13.3 with SQL(s) that appear linked to a PostGIS (v3.0.3) bug - see Error Report below. I decided to post this here (backtracking on an earlier thought), since #0 / #1 are postgres functions and I wasn't really sure if the arguments to these functions are sanitized. For e.g. whether pg_detoast_datum_slice() is expected to check input bounds (count=40 in this case). Sample SQL (I couldn't narrow this down further): ========== $ psql psql (13beta2, server 13.3) Type "help" for help. regression=> select 1 from public.spatial_ref_sys as sample_0 tablesample bernoulli (6.8) where case when ((cast(null as geometry) && cast(null as geometry)) and (NULL is NULL)) then case when sample_0.auth_srid is NULL then cast(null as geometry) else cast(null as geometry) end else case when sample_0.auth_srid is NULL then cast(null as geometry) else cast(null as geometry) end end &/& case when (pg_catalog.pg_current_snapshot() is not NULL) and (cast(null as timestamptz) >= (select backend_start from pg_catalog.pg_stat_activity limit 1 offset 4) ) then public.geometry( cast(cast(null as geography) as geography)) else public.geometry( cast(cast(null as geography) as geography)) end; server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request. The connection to the server was lost. Attempting reset: Failed. Another Example: ============== SELECT 1 FROM (SELECT NULL::int a LIMIT 0) AS ref_0 WHERE CASE WHEN CASE WHEN pg_catalog.jsonb_build_array() ? version() THEN cast(NULL AS point) ELSE cast(NULL AS point) END @(SELECT NULL::lseg LIMIT 0) THEN cast(NULL AS GEOGRAPHY) END && CASE WHEN ( CASE WHEN ref_0.a IS NULL THEN cast(NULL AS float4) ELSE cast(NULL AS float4) END <= ( SELECT NULL::real LIMIT 0 ) ) THEN NULL::GEOGRAPHY END limit 58; Backtrace (common to most such crashes): ======== #0 detoast_attr_slice (attr=attr@entry=0x0, sliceoffset=sliceoffset@entry=0, slicelength=slicelength@entry=40) at detoast.c:226 #1 0x00000000008a3b55 in pg_detoast_datum_slice (datum=datum@entry=0x0, first=first@entry=0, count=count@entry=40) at fmgr.c:1754 #2 0x000014e217f4f793 in gserialized_datum_get_gidx_p (gsdatum=gsdatum@entry=0, gidx=gidx@entry=0x7fffb1ba7730) at gserialized_gist.c:185 #3 0x000014e217f4faa9 in gserialized_datum_get_gbox_p (gsdatum=0, gbox=gbox@entry=0x7fffb1ba77d0) at gserialized_gist.c:157 #4 0x000014e217ef971b in gserialized_sel_internal (root=<optimized out>, args=<optimized out>, varRelid=<optimized out>, mode=0) at gserialized_estimate.c:2253 #5 0x000014e217ef9799 in gserialized_gist_sel (fcinfo=fcinfo@entry=0x7fffb1ba7850) at gserialized_estimate.c:2281 #6 0x00000000008a24f4 in DirectFunctionCall5Coll (func=func@entry=0x14e217ef9780 <gserialized_gist_sel>, collation=collation@entry=0, arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>, arg4=<optimized out>, arg5=0) at fmgr.c:908 #7 0x000014e217ef96a4 in gserialized_gist_sel_nd (fcinfo=<optimized out>) at gserialized_estimate.c:2204 #8 0x00000000008a2c6e in FunctionCall4Coll (flinfo=0x7fffb1ba7970, collation=<optimized out>, arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>, arg4=<optimized out>) at fmgr.c:1216 #9 0x00000000008a3247 in OidFunctionCall4Coll (functionId=<optimized out>, collation=collation@entry=0, arg1=arg1@entry=49189016, arg2=arg2@entry=1118028, arg3=arg3@entry=50164232, arg4=arg4@entry=0) at fmgr.c:1452 #10 0x000000000070b45d in restriction_selectivity (root=root@entry=0x2ee9098, operatorid=1118028, args=0x2fd7208, inputcollid=0, varRelid=varRelid@entry=0) at plancat.c:1785 Reference: a) PostGIS Bug report - https://trac.osgeo.org/postgis/ticket/4919 - Robins AWS Database Engineer
pgsql-bugs by date: