BUG #16176: NULL value returned by category_sql argument to crosstab() causes segmentation fault

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: ipluta(at)wp(dot)pl
Subject: BUG #16176: NULL value returned by category_sql argument to crosstab() causes segmentation fault
Date: 2019-12-20 17:25:56
Message-ID: 16176-7489719b05e4303c@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 16176
Logged by: Ireneusz Pluta
Email address: ipluta(at)wp(dot)pl
PostgreSQL version: 12.1
Operating system: FreeBSD 12.1
Description:

The testcase:

$ psql -Xa service=test < testcase.sql
\pset null <NULL>
Null display is "<NULL>".
select version();

version
------------------------------------------------------------------------------------------------------------------------------------------------------
PostgreSQL 12.1 on x86_64-unknown-freebsd12.1, compiled by FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on LLVM 8.0.1), 64-bit
(1 row)

create extension if not exists tablefunc;
NOTICE: extension "tablefunc" already exists, skipping
CREATE EXTENSION
-- this will not fail or crash:
select * from crosstab ('values (1, 2, 12), (1, 3, 13), (2, 2, 22), (2, 3, 23), (3, 2, 32), (3, 3, 33) order by 1, 2, 3', 'values (2), (3)') as rr (a int, "2" int, "3" int);
a | 2 | 3
---+----+----
1 | 12 | 13
2 | 22 | 23
3 | 32 | 33
(3 rows)

-- this will crash pg12, but not version() < 12 - note NULL value in categories query:
select * from crosstab ('values (1, 2, 12), (1, 3, 13), (2, 2, 22), (2, 3, 23), (3, 2, 32), (3, 3, 33) order by 1, 2, 3', 'values (2), (null)') as rr (a int, "2" int, "3" int);
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
connection to server was lost

Backtrace:

Attaching to process 64160
Reading symbols from /usr/local/pgsql121/bin/postgres...
Reading symbols from /usr/local/lib/libxml2.so.2...
(No debugging symbols found in /usr/local/lib/libxml2.so.2)
Reading symbols from /usr/lib/libssl.so.111...
Reading symbols from /usr/lib/debug//usr/lib/libssl.so.111.debug...
Reading symbols from /lib/libcrypto.so.111...
Reading symbols from /usr/lib/debug//lib/libcrypto.so.111.debug...
Reading symbols from /lib/libm.so.5...
Reading symbols from /usr/lib/debug//lib/libm.so.5.debug...
Reading symbols from /lib/libc.so.7...
Reading symbols from /usr/lib/debug//lib/libc.so.7.debug...
Reading symbols from /lib/libz.so.6...
Reading symbols from /usr/lib/debug//lib/libz.so.6.debug...
Reading symbols from /usr/lib/liblzma.so.5...
Reading symbols from /usr/lib/debug//usr/lib/liblzma.so.5.debug...
Reading symbols from /lib/libthr.so.3...
Reading symbols from /usr/lib/debug//lib/libthr.so.3.debug...
Reading symbols from /usr/local/pgsql121/lib/pg_stat_statements.so...
Reading symbols from /libexec/ld-elf.so.1...
Reading symbols from /usr/lib/debug//libexec/ld-elf.so.1.debug...
[Switching to LWP 103151 of process 64160]
_poll () at _poll.S:3
3 _poll.S: No such file or directory.
(gdb) set pagination off
(gdb) set logging file crosstab.txt
(gdb) set logging on
Copying output to crosstab.txt.
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:101
warning: Source file is more recent than executable.
101 va = (*lp - mask01);
(gdb) bt
#0 strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:101
#1 0x0000000000932f2c in dopr (target=0x7fffffffd5a0,
format=0x9115975fc "%s", args=0x7fffffffd580) at snprintf.c:443
#2 0x00000000009355f1 in pg_vsnprintf (str=<optimized out>,
count=<optimized out>, fmt=0x9115975fc "%s", args=0x3000000020) at
snprintf.c:195
#3 pg_snprintf (str=<optimized out>, count=<optimized out>,
fmt=0x9115975fc "%s") at snprintf.c:208
#4 0x0000000911598bca in load_categories_hash (cats_sql=<optimized
out>, per_query_ctx=<optimized out>) at tablefunc.c:774
#5 crosstab_hash (fcinfo=<optimized out>) at tablefunc.c:677
#6 0x00000000006603d7 in ExecMakeTableFunctionResult
(setexpr=<optimized out>, econtext=0x91151e460, argContext=<optimized out>,
expectedDesc=0x91151f020, randomAccess=<optimized out>) at execSRF.c:233
#7 0x000000000066f795 in FunctionNext (node=0x91151e350) at
nodeFunctionscan.c:95
#8 0x000000000065834d in ExecProcNode (node=<optimized out>) at
../../../src/include/executor/executor.h:239
#9 ExecutePlan (estate=<optimized out>, planstate=0x91151e350,
operation=<optimized out>, numberTuples=<optimized out>,
direction=<optimized out>, dest=0x911591ae8, use_parallel_mode=<optimized
out>, sendTuples=<optimized out>, execute_once=<optimized out>) at
execMain.c:1646
#10 standard_ExecutorRun (queryDesc=0x801aa1910, direction=<optimized
out>, count=0, execute_once=<optimized out>) at execMain.c:364
#11 0x0000000801aea9e0 in pgss_ExecutorRun (queryDesc=0x801aa1910,
direction=ForwardScanDirection, count=0, execute_once=<optimized out>) at
pg_stat_statements.c:893
#12 0x00000000007bf8f8 in PortalRunSelect (portal=0x911441110,
forward=<optimized out>, count=0, dest=<optimized out>) at pquery.c:929
#13 0x00000000007bf52d in PortalRun (portal=0x911441110,
count=9223372036854775807, isTopLevel=<optimized out>, run_once=<optimized
out>, dest=0x911591ae8, altdest=0x911591ae8, completionTag=0x7fffffffdb30
"") at pquery.c:770
#14 0x00000000007be607 in exec_simple_query (query_string=0x8013dc110
"select * from crosstab ('values (1, 2, 12), (1, 3, 13), (2, 2, 22), (2, 3,
23), (3, 2, 32), (3, 3, 33) order by 1, 2, 3', 'values (2), (null)') as rr
(a int, \"2\" int, \"3\" int);") at postgres.c:1215
#15 0x00000000007bc2fa in PostgresMain (argc=<optimized out>,
argv=<optimized out>, dbname=<optimized out>, username=<optimized out>) at
postgres.c:4232
#16 0x00000000007381a2 in BackendRun (port=0x91140c000) at
postmaster.c:4437
#17 0x00000000007378ba in BackendStartup (port=0x91140c000) at
postmaster.c:4128
#18 ServerLoop () at postmaster.c:1704
#19 0x0000000000734b42 in PostmasterMain (argc=3, argv=0x7fffffffe8b0)
at postmaster.c:1377
#20 0x00000000006a57ee in main (argc=3, argv=0x7fffffffe8b0) at
main.c:228
(gdb)
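
Added example, not part of the original report and not PostgreSQL's code: frames #0 to #4 of the backtrace show load_categories_hash handing a null pointer to a "%s" format, which ends in strlen(0x0). The sketch below models such a category loader with hypothetical names (cat_table, load_categories, the CAT_* codes and the size limits are all assumptions) and rejects a NULL category row before it is ever formatted.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CATS     16   /* assumption: small fixed table for the sketch */
#define MAX_NAME_LEN 64   /* assumption: fixed key buffer size */

enum { CAT_OK = 0, CAT_ERR_NULL = -1, CAT_ERR_TOO_LONG = -2, CAT_ERR_FULL = -3 };

typedef struct {
    char keys[MAX_CATS][MAX_NAME_LEN];
    int  count;
} cat_table;

/*
 * rows[i] is the text of one category-query row; NULL models a SQL NULL.
 * On failure *bad_row holds the offending row index; on success it is -1.
 */
static int load_categories(cat_table *t, const char *const *rows,
                           int nrows, int *bad_row)
{
    t->count = 0;
    for (int i = 0; i < nrows; i++) {
        int n;

        *bad_row = i;
        if (rows[i] == NULL)              /* check before any "%s" formatting */
            return CAT_ERR_NULL;
        if (t->count == MAX_CATS)
            return CAT_ERR_FULL;
        n = snprintf(t->keys[t->count], MAX_NAME_LEN, "%s", rows[i]);
        if (n < 0 || n >= MAX_NAME_LEN)   /* a truncated key could collide */
            return CAT_ERR_TOO_LONG;
        t->count++;
    }
    *bad_row = -1;
    return CAT_OK;
}

int main(void)
{
    /* constructed input mirroring 'values (2), (null)' from the report */
    const char *const rows[] = { "2", NULL };
    cat_table t;
    int bad;
    int rc = load_categories(&t, rows, 2, &bad);

    printf("rc=%d bad_row=%d loaded=%d\n", rc, bad, t.count);
    return rc == CAT_ERR_NULL ? 0 : 1;
}
```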
