(stupid) bug in agg_select_candidate

From: David Sauer <davids(at)iol(dot)cz>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: (stupid) bug in agg_select_candidate
Date: 1998-12-23 00:05:23
Message-ID: m2soe7u3i4.fsf@iol.cz
Lists: pgsql-hackers

Hallo,

I'm trying postgres 6.4.1 and I have a problem with the select command:

> create table t( text_column text );
> select sum( text_column ) from t;

This command makes no sense, but causes a crash in the backend:

pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally before or while processing the request.
We have lost the connection to the backend, so further processing is impossible. Terminating.

See backtrace:

(gdb) bt
#0 agg_select_candidate (typeid=25, candidates=0x81e7838) at parse_func.c:230
#1 0x80bd5be in ParseFuncOrColumn (pstate=0x81ded30, funcname=0x81deb40 "sum", fargs=0x81deba0, curr_resno=0x81ded30, precedence=1) at parse_func.c:391
#2 0x80bc7b9 in transformExpr (pstate=0x81ded30, expr=0x81debc0, precedence=1) at parse_expr.c:267
#3 0x80c12fa in MakeTargetEntryComplex (pstate=0x81ded30, res=0x81debe0) at parse_target.c:363
#4 0x80c1754 in transformTargetList (pstate=0x81ded30, targetlist=0x81dec08) at parse_target.c:569
#5 0x80b45f1 in transformSelectStmt (pstate=0x81ded30, stmt=0x81deca0) at analyze.c:912
#6 0x80b382d in transformStmt (pstate=0x81ded30, parseTree=0x81deca0) at analyze.c:200
... more ....

The problem is in the function 'agg_select_candidate' itself; a simple debugging
session follows (comments start with '!'):

Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libdl.so.2...done.
Reading symbols from /lib/libm.so.6...done.
Reading symbols from /usr/lib/libreadline.so.3...done.
Reading symbols from /usr/lib/libhistory.so.3...done.
Reading symbols from /lib/libtermcap.so.2...done.
Reading symbols from /usr/lib/libncurses.so.4...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
0x401356f4 in __read ()
(gdb) break agg_select_candidate Quit
(gdb) break agg_select_candidate
Breakpoint 1 at 0x80bd2f9: file parse_func.c, line 198.
(gdb) cont
Continuing.

Breakpoint 1, agg_select_candidate (typeid=25, candidates=0x81e7838)
at parse_func.c:198
198 category = TypeCategory(typeid);
(gdb) next
199 ncandidates = 0;
(gdb)
200 last_candidate = NULL;

!!!!! setting to NULL (0)

(gdb)
201 for (current_candidate = candidates;
(gdb) print last_candidate
$1 = (struct _CandidateList *) 0x0
(gdb) next
202 current_candidate != NULL;
(gdb)
205 current_typeid = current_candidate->args[0];
(gdb)
206 current_category = TypeCategory(current_typeid);
(gdb)
208 if ((current_category == category)

!!!!! condition isn't true

(gdb) print current_category
$2 = TIMESPAN_TYPE
(gdb) print category
$3 = STRING_TYPE
(gdb) next
230 last_candidate->next = NULL;

!!!! NULL is dereferenced ... this will crash backend

(gdb) next

Program received signal SIGSEGV, Segmentation fault.
agg_select_candidate (typeid=25, candidates=0x81e7838) at parse_func.c:230

Machine is x86, compiled with egcs-1.1.1.

thanks for any fix and happy Xmas,
David

--
* David Sauer, student of Czech Technical University
* electronic mail: davids(at)iol(dot)cz (mime compatible)
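
The failure mode traced in the message above, as a stand-alone C example added here (not code from the post or from PostgreSQL): a list filter whose tail pointer stays NULL when no candidate matches, with the guard that keeps the final unlink from dereferencing it. The Candidate type, the category constants and filter_candidates are hypothetical stand-ins for the parser's structures.

```c
/* Added illustration: simplified stand-in types, not PostgreSQL source. */
#include <stddef.h>
#include <stdio.h>

enum { STRING_CAT, TIMESPAN_CAT, NUMERIC_CAT };  /* constructed categories */

typedef struct Candidate {
    int category;             /* stands in for TypeCategory(args[0]) */
    struct Candidate *next;
} Candidate;

/* Keep only nodes whose category matches, relinking them in place.
 * Returns the number kept; *head becomes NULL when nothing matched. */
static int filter_candidates(Candidate **head, int category)
{
    Candidate *cur, *first = NULL, *last = NULL;
    int kept = 0;

    for (cur = *head; cur != NULL; cur = cur->next) {
        if (cur->category != category)
            continue;
        if (last == NULL)
            first = cur;      /* first match becomes the new head */
        else
            last->next = cur; /* append to the chain of kept nodes */
        last = cur;
        kept++;
    }
    /* Unguarded, `last->next = NULL;` faults when kept == 0: the state
     * the gdb session shows at parse_func.c:230. */
    if (last != NULL)
        last->next = NULL;
    *head = first;
    return kept;
}

int main(void)
{
    Candidate c = {TIMESPAN_CAT, NULL}, b = {NUMERIC_CAT, &c};
    Candidate a = {TIMESPAN_CAT, &b}, *list = &a;

    printf("timespan matches: %d\n", filter_candidates(&list, TIMESPAN_CAT));
    list = &a;                /* a -> c after the first pass */
    printf("string matches: %d\n", filter_candidates(&list, STRING_CAT));
    printf("list is %s\n", list == NULL ? "empty" : "non-empty");
    return 0;
}
```

With zero matches the caller gets a count of 0 and an empty list, which it can turn into an ordinary "no such aggregate for this type" error instead of a backend crash.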
