BUG #17725: Segfault when seg_in() called with a large argument

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: tharakan(at)gmail(dot)com
Subject: BUG #17725: Segfault when seg_in() called with a large argument
Date: 2022-12-20 03:35:22
Message-ID: 17725-0a09313b67fbe86e@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 17725
Logged by: Robins Tharakan
Email address: tharakan(at)gmail(dot)com
PostgreSQL version: 15.1
Operating system: Ubuntu 20.04
Description:

Hi,

The following SQL segfaults on master (tested on b3bb7d12af).

SQL: SELECT seg_in(numeric_out(round(31, 10000)))

Backtrace on ea5ae4cae6(at)REL_14_STABLE:
=====================================
#0 __strcpy_avx2 () at ../sysdeps/x86_64/multiarch/strcpy-avx2.S:578
#1 0x00007f31c421f4aa in restore (
result=0x55009893ace0 <error: Cannot access memory at address
0x55009893ace0>, val=31, n=-46) at seg.c:1009
#2 0x00007f31c421dab9 in seg_out (fcinfo=0x7ffe3ddff6c0) at seg.c:135
#3 0x000055d296a40aa9 in FunctionCall1Coll (flinfo=0x55d298735478,
collation=0, arg1=94362989160448) at fmgr.c:1138
#4 0x000055d296a42004 in OutputFunctionCall (flinfo=0x55d298735478,
val=94362989160448) at fmgr.c:1575
#5 0x000055d29634a8b4 in printtup (slot=0x55d2987344b8, self=0x55d298936cc0)
at printtup.c:357
#6 0x000055d2966196c6 in ExecutePlan (estate=0x55d298733f80,
planstate=0x55d2987341b8, use_parallel_mode=false, operation=CMD_SELECT,
sendTuples=true, numberTuples=0, direction=ForwardScanDirection,
dest=0x55d298936cc0, execute_once=true) at execMain.c:1582
#7 0x000055d2966172fd in standard_ExecutorRun (queryDesc=0x55d2987289d0,
direction=ForwardScanDirection, count=0, execute_once=true)
at execMain.c:361
#8 0x00007f31dbea134d in pgss_ExecutorRun (queryDesc=0x55d2987289d0,
direction=ForwardScanDirection, count=0, execute_once=true)
at pg_stat_statements.c:1003
#9 0x000055d2966170f3 in ExecutorRun (queryDesc=0x55d2987289d0,
direction=ForwardScanDirection, count=0, execute_once=true)
at execMain.c:303

Backtrace Full excerpt:
======================
#0 __strcpy_avx2 () at ../sysdeps/x86_64/multiarch/strcpy-avx2.S:578
No locals.
#1 0x00007f31c421f4aa in restore (
result=0x55009893ace0 <error: Cannot access memory at address
0x55009893ace0>, val=31, n=-46) at seg.c:1009
buf = "00000000003e1\000\060\060\060\060\060\060\060\060\060\060"
p = 0x55d29893ace8 "e+01"
exp = 48
i = 17
dp = 11
sign = 0
#2 0x00007f31c421dab9 in seg_out (fcinfo=0x7ffe3ddff6c0) at seg.c:135
seg = 0x55d29872e800
result = 0x55d29893ace0 "3.100000e+01"
p = 0x55d29893ace0 "3.100000e+01"
#3 0x000055d296a40aa9 in FunctionCall1Coll (flinfo=0x55d298735478,
collation=0, arg1=94362989160448) at fmgr.c:1138
fcinfodata = {fcinfo = {flinfo = 0x55d298735478, context = 0x0,
resultinfo = 0x0, fncollation = 0, isnull = false, nargs = 1,
args = 0x7ffe3ddff6e0},
fcinfo_data = "xTs\230\322U", '\000' <repeats 23 times>,
"U\001\000\000\350r\230\322U\000\000\000m\223\230\322U\000"}
fcinfo = 0x7ffe3ddff6c0
result = 94362958816336
__func__ = "FunctionCall1Coll"
#4 0x000055d296a42004 in OutputFunctionCall (flinfo=0x55d298735478,
val=94362989160448) at fmgr.c:1575
No locals.
#5 0x000055d29634a8b4 in printtup (slot=0x55d2987344b8, self=0x55d298936cc0)
at printtup.c:357
outputstr = 0x55d296882235 <check_stack_depth+13> "\204\300td\276"
thisState = 0x55d298735468
attr = 94362989160448
typeinfo = 0x55d2987343a0
myState = 0x55d298936cc0
oldcontext = 0x55d298733e60
buf = 0x55d298936d10
natts = 1
i = 0

Error Log:
=========
2022-12-20 02:44:43.728 UTC [633388] LOG: server process (PID 783919) was
terminated by signal 11: Segmentation fault
2022-12-20 02:44:43.728 UTC [633388] DETAIL: Failed process was running:
SELECT seg_in(numeric_out(round(31,1000000)));
2022-12-20 02:44:43.728 UTC [633388] LOG: terminating any other active
server processes

Thanks to SQLSmith / SQLReduce for helping with the find.

-
Robins Tharakan
Amazon Web Services
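Editor's added example, not code from the report above and not contrib/seg's own code: it illustrates the check a reviewer would want around the failure mode visible in the backtrace, where a precision n that has gone negative (n=-46) reaches a 25-byte stack buffer and a strcpy in restore(). The example models a digit count narrowed into a signed 8-bit field (ex_wrap_to_char, an assumption for illustration only; the report does not show how n became -46), clamps the precision to a bound of its own (EX_MAX_PREC, a constant chosen here, not seg.c's SEG_MAX_PREC) and formats with snprintf into a fixed buffer, reporting truncation instead of overrunning. All ex_* names are hypothetical, and the "31." plus zeros literal is constructed in place rather than taken from a database.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on significant digits kept by this example. Chosen here for
 * illustration; it is not contrib/seg's SEG_MAX_PREC. */
#define EX_MAX_PREC 20

/* Count significant digits of a decimal literal such as "31.000" or
 * "0.0031": sign, decimal point and leading zeros are skipped, counting
 * stops at an exponent marker. Constructed helper, not seg.c's sig_digits(). */
int ex_count_sig_digits(const char *num)
{
    int count = 0;
    int seen_nonzero = 0;

    for (; *num != '\0'; num++)
    {
        if (*num == 'e' || *num == 'E')
            break;
        if (*num < '0' || *num > '9')
            continue;           /* '+', '-', '.' */
        if (*num == '0' && !seen_nonzero)
            continue;           /* leading zeros are not significant */
        seen_nonzero = 1;
        count++;
    }
    return count;
}

/* Model of storing a digit count in a signed 8-bit field: two's-complement
 * wrap computed explicitly, so the result does not depend on
 * implementation-defined narrowing. Assumption for illustration only. */
int ex_wrap_to_char(int ndigits)
{
    int m = ndigits % 256;

    if (m < 0)
        m += 256;
    return m >= 128 ? m - 256 : m;
}

/* The check: a precision derived from input is clamped before it drives any
 * buffer arithmetic. Negative or zero becomes 1; above EX_MAX_PREC is capped. */
int ex_clamp_precision(int ndigits)
{
    if (ndigits < 1)
        return 1;
    if (ndigits > EX_MAX_PREC)
        return EX_MAX_PREC;
    return ndigits;
}

/* Format val with ndigits significant digits (%e style) into out[outlen]
 * using the clamped precision. Returns the number of characters written, or
 * -1 (with out emptied) if the result would not fit, instead of overrunning. */
int ex_format_checked(float val, int ndigits, char *out, size_t outlen)
{
    int n = ex_clamp_precision(ndigits);
    int written = snprintf(out, outlen, "%.*e", n - 1, (double) val);

    if (written < 0 || (size_t) written >= outlen)
    {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return written;
}

/* Build the literal numeric_out(round(31, scale)) would produce ("31."
 * followed by scale zeros, constructed here), count its digits, and run the
 * checked formatter into a small fixed buffer. Returns the formatted length. */
int ex_demo(int scale)
{
    size_t len = 3 + (size_t) scale;
    char *num = malloc(len + 1);
    char out[32];
    int ndigits;
    int written;

    if (num == NULL)
        return -1;
    memcpy(num, "31.", 3);
    memset(num + 3, '0', (size_t) scale);
    num[len] = '\0';

    ndigits = ex_count_sig_digits(num);   /* 10002 for scale = 10000 */
    written = ex_format_checked(strtof(num, NULL), ndigits, out, sizeof out);
    free(num);
    return written;
}

int main(void)
{
    char out[32];
    int ndigits = ex_count_sig_digits("31.0000000000");

    printf("digits: %d, wrapped to 8 bits: %d, clamped: %d\n",
           ndigits, ex_wrap_to_char(ndigits), ex_clamp_precision(ndigits));
    if (ex_format_checked(31.0f, 10002, out, sizeof out) > 0)
        printf("formatted with clamped precision: %s\n", out);
    printf("demo(10000) wrote %d chars into a 32-byte buffer\n", ex_demo(10000));
    return 0;
}
```

The point of the pair ex_clamp_precision/ex_format_checked is that the bound is enforced at the place where the number is turned into bytes, so a precision that arrived negative or absurdly large from the input parser can no longer select a buffer index or a copy length.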
