BUG #17912: Invalid memory access when converting plpython' array containing empty array

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: exclusion(at)gmail(dot)com
Subject: BUG #17912: Invalid memory access when converting plpython' array containing empty array
Date: 2023-04-28 11:00:01
Message-ID: 17912-82ceed78731d9cdc@postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 17912
Logged by: Alexander Lakhin
Email address: exclusion(at)gmail(dot)com
PostgreSQL version: 15.2
Operating system: Ubuntu 22.04

When the following query executed:
return [[], "a"]
$$ LANGUAGE plpython3u;
SELECT test();

valgrind detects an incorrect memory access:
==00:00:00:05.073 1489859== Invalid write of size 1
==00:00:00:05.073 1489859== at 0x4878C38: PLyObject_ToScalar
==00:00:00:05.073 1489859== by 0x4877267: PLySequence_ToArray_recurse
==00:00:00:05.073 1489859== by 0x48776AF: PLySequence_ToArray
==00:00:00:05.073 1489859== by 0x4877E9C: PLy_output_convert
==00:00:00:05.073 1489859== by 0x487101E: PLy_exec_function
==00:00:00:05.073 1489859== by 0x487201B: plpython3_call_handler
==00:00:00:05.073 1489859== by 0x401A95: ExecInterpExpr
==00:00:00:05.073 1489859== by 0x3FE2A6: ExecInterpExprStillValid
==00:00:00:05.073 1489859== by 0x440563: ExecEvalExprSwitchContext
==00:00:00:05.073 1489859== by 0x440563: ExecProject (executor.h:375)
==00:00:00:05.073 1489859== by 0x440563: ExecResult (nodeResult.c:136)
==00:00:00:05.073 1489859== by 0x40EBA2: ExecProcNodeFirst
==00:00:00:05.073 1489859== by 0x407196: ExecProcNode (executor.h:259)
==00:00:00:05.073 1489859== by 0x407196: ExecutePlan (execMain.c:1636)
==00:00:00:05.073 1489859== by 0x407376: standard_ExecutorRun
==00:00:00:05.073 1489859== Address 0x112e9340 is 320 bytes inside a block
of size 8,192 alloc'd
==00:00:00:05.073 1489859== at 0x4848899: malloc
==00:00:00:05.073 1489859== by 0x73ACFA: AllocSetContextCreateInternal
==00:00:00:05.073 1489859== by 0x415DFF: CreateExprContextInternal
==00:00:00:05.073 1489859== by 0x41623E: CreateExprContext
==00:00:00:05.073 1489859== by 0x41648A: ExecAssignExprContext
==00:00:00:05.073 1489859== by 0x44075F: ExecInitResult
==00:00:00:05.073 1489859== by 0x40ED32: ExecInitNode
==00:00:00:05.073 1489859== by 0x407AA9: InitPlan (execMain.c:938)
==00:00:00:05.073 1489859== by 0x407C85: standard_ExecutorStart
==00:00:00:05.073 1489859== by 0x407DDD: ExecutorStart (execMain.c:144)
==00:00:00:05.073 1489859== by 0x5C6723: PortalStart (pquery.c:517)
==00:00:00:05.073 1489859== by 0x5C32DF: exec_simple_query

Without valgrind, but with asserts enabled, I get:
WARNING: problem in alloc set ExprContext: detected write past chunk end in
block 0x562777dfbeb0, chunk 0x562777dfbed8
WARNING: problem in alloc set ExprContext: req size > alloc size for chunk
0x562777dfbef0 in block 0x562777dfbeb0
(1 row)

When the function returns '["a", []]', I see no anomalies.

As I can see, for the first case we get len = 0 in PLySequence_ToArray();
elems, nulls palloc'ed with zero elements, but PLyObject_ToScalar() tries
write a value into nulls[0]...

Reproduced on REL_11_STABLE..master.


Browse pgsql-bugs by date

  From Date Subject
Next Message Daniel Gustafsson 2023-04-28 12:01:47 Re: pg_basebackup: errors on macOS on directories with ".DS_Store" files
Previous Message Kyotaro Horiguchi 2023-04-28 07:07:52 Re: BUG #17804: Assertion failed in pg_stat after fetching from pg_stat_database and switching cache->snapshot