BUG #14245: Segfault on weird to_tsquery

From: david(at)gravitext(dot)com
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #14245: Segfault on weird to_tsquery
Date: 2016-07-12 17:58:55
Message-ID: 20160712175855.1414.10498@wrigleys.postgresql.org
Lists: pgsql-bugs pgsql-hackers

The following bug has been logged on the website:

Bug reference: 14245
Logged by: David Kellum
Email address: david(at)gravitext(dot)com
PostgreSQL version: 9.6beta2
Operating system: Linux
Description:

I am doing some (fuzz) testing of full text queries and managed to
generate the following case which causes a SEGFAULT on PostgreSQL 9.6
beta1 and beta2:

select to_tsquery('!(a & !b) & c') as tsquery

This weird query outputs the following on 9.5.2, instead of crashing:

"!( !'b' ) & 'c'"

Below is my log output, which includes a stack trace:

Jul 12 10:04:01 klein kernel: postgres[22191]: segfault at 10 ip 00000000007754cd sp 00007ffc64b4a950 error 4 in postgres[400000+5f8000]
Jul 12 10:04:01 klein systemd[1]: Started Process Core Dump (PID 22192/UID 0).
Jul 12 10:04:01 klein postgres[482]: LOG: server process (PID 22191) was terminated by signal 11: Segmentation fault
Jul 12 10:04:01 klein postgres[482]: DETAIL: Failed process was running: select to_tsquery('!(a & !b) & c') as tsquery
Jul 12 10:04:01 klein postgres[482]: LOG: terminating any other active server processes
Jul 12 10:04:01 klein postgres[482]: WARNING: terminating connection because of crash of another server process
Jul 12 10:04:01 klein postgres[482]: DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.
Jul 12 10:04:01 klein postgres[482]: HINT: In a moment you should be able to reconnect to the database and repeat your command.
Jul 12 10:04:01 klein postgres[482]: LOG: all server processes terminated; reinitializing
Jul 12 10:04:01 klein postgres[482]: LOG: database system was interrupted; last known up at 2016-07-12 10:03:47 PDT
Jul 12 10:04:01 klein systemd-coredump[22193]: Process 22191 (postgres) of user 88 dumped core.
Stack trace of thread 22191:
#0  0x00000000007754cd normalize_phrase_tree (postgres)
#1  0x00000000007756e1 normalize_phrase_tree (postgres)
#2  0x00000000007756d5 normalize_phrase_tree (postgres)
#3  0x00000000007759bb cleanup_fakeval_and_phrase (postgres)
#4  0x0000000000774613 parse_tsquery (postgres)
#5  0x00000000006ca21a to_tsquery_byid (postgres)
#6  0x00000000007ad5a7 DirectFunctionCall2Coll (postgres)
#7  0x00000000005b79c1 ExecMakeFunctionResultNoSets (postgres)
#8  0x00000000005bd285 ExecProject (postgres)
#9  0x00000000005d1722 ExecResult (postgres)
#10 0x00000000005b6a58 ExecProcNode (postgres)
#11 0x00000000005b2fef standard_ExecutorRun (postgres)
#12 0x00000000006bbaf8 PortalRunSelect (postgres)
#13 0x00000000006bcf1e PortalRun (postgres)
#14 0x00000000006ba979 PostgresMain (postgres)
#15 0x000000000046f35f ServerLoop (postgres)
#16 0x000000000066124c PostmasterMain (postgres)
#17 0x00000000004703ff main (postgres)
#18 0x00007fe114812741 __libc_start_main (libc.so.6)
#19 0x0000000000470499 _start (postgres)
Jul 12 10:04:02 klein postgres[482]: LOG: database system was not properly shut down; automatic recovery in progress
Jul 12 10:04:02 klein postgres[482]: LOG: invalid record length at 1/2FA3E1C8: wanted 24, got 0
Jul 12 10:04:02 klein postgres[482]: LOG: redo is not required
Jul 12 10:04:02 klein postgres[482]: LOG: MultiXact member wraparound protections are now enabled
Jul 12 10:04:02 klein postgres[482]: LOG: database system is ready to accept connections
Jul 12 10:04:02 klein postgres[482]: LOG: autovacuum launcher started
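As an added example (not part of this report and not PostgreSQL code), the following Python script triages postmaster log output of the kind shown above: it pairs each "terminated by signal N" LOG line with the DETAIL line that names the statement the crashed backend was running, so the reproducer can be pulled out of the log automatically and the crash surfaced to monitoring. The sample lines are copied from the log in this report; the regular expressions assume the syslog prefix format seen there (`Mon DD HH:MM:SS host postgres[pid]: ...`), and the `BackendCrash` record and `parse_crashes` function are names chosen for this example.

```python
"""Triage PostgreSQL postmaster log lines for backend crashes.

Added example, not part of the bug report. Pairs each
"server process (PID n) was terminated by signal N" LOG line with the
DETAIL line that follows it, so the statement that was running when the
backend died can be extracted for a reproducer or an alert.
"""
import re
import signal
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the log in the report above.
SAMPLE_LOG = """\
Jul 12 10:04:01 klein postgres[482]: LOG: server process (PID 22191) was terminated by signal 11: Segmentation fault
Jul 12 10:04:01 klein postgres[482]: DETAIL: Failed process was running: select to_tsquery('!(a & !b) & c') as tsquery
Jul 12 10:04:01 klein postgres[482]: LOG: terminating any other active server processes
Jul 12 10:04:02 klein postgres[482]: LOG: database system was not properly shut down; automatic recovery in progress
Jul 12 10:04:02 klein postgres[482]: LOG: database system is ready to accept connections
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host postgres[pid]: message"
SYSLOG_PREFIX_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ postgres\[(\d+)\]: (.*)$")
SIGNAL_RE = re.compile(r"server process \(PID (\d+)\) was terminated by signal (\d+): (.+)$")
DETAIL_RE = re.compile(r"DETAIL: Failed process was running: (.+)$")


@dataclass
class BackendCrash:
    timestamp: str
    pid: int
    signal: int
    reason: str
    statement: Optional[str]  # None when no DETAIL line followed the crash

    @property
    def signal_name(self) -> str:
        """Map the numeric signal to its name (platform dependent)."""
        try:
            return signal.Signals(self.signal).name
        except ValueError:
            return f"SIG{self.signal}"


def parse_crashes(log_text: str) -> List[BackendCrash]:
    """Return one BackendCrash per 'terminated by signal' line in log_text."""
    crashes: List[BackendCrash] = []
    pending: Optional[BackendCrash] = None  # crash awaiting its DETAIL line
    for raw in log_text.splitlines():
        m = SYSLOG_PREFIX_RE.match(raw)
        if not m:
            continue  # not a postgres line with the expected prefix
        ts, _postmaster_pid, msg = m.groups()
        sig = SIGNAL_RE.search(msg)
        if sig:
            if pending is not None:
                crashes.append(pending)  # previous crash had no DETAIL line
            pending = BackendCrash(ts, int(sig.group(1)), int(sig.group(2)),
                                   sig.group(3), None)
            continue
        det = DETAIL_RE.search(msg)
        if pending is not None:
            if det:
                pending.statement = det.group(1)
            # Either way, the crash record is complete after the next line.
            crashes.append(pending)
            pending = None
    if pending is not None:
        crashes.append(pending)
    return crashes


def crash_report(log_text: str) -> List[str]:
    """One human-readable line per crash, suitable for an alert body."""
    return [
        f"{c.timestamp} pid={c.pid} {c.signal_name} ({c.reason}): "
        f"{c.statement if c.statement else '<no statement logged>'}"
        for c in parse_crashes(log_text)
    ]


if __name__ == "__main__":
    for line in crash_report(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints one line naming PID 22191, signal 11 and the `to_tsquery` statement from the report. A backend killed without a following DETAIL line (for example by the OOM killer with statement logging disabled) still produces a record, with `statement` left as `None`, so the alert is not lost when the reproducer is.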
