
Bug in backend/lib/stringinfo.c:enlargeStringInfo()

From: Nick Wellnhofer <wellnhofer(at)aevum(dot)de>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Bug in backend/lib/stringinfo.c:enlargeStringInfo()
Date: 2004-05-11 15:12:14
Lists: pgsql-bugs

For some time, a postgres process on one of our web servers has repeatedly 
gotten into an infinite loop. This happens very rarely, about once a 
week. Today I installed gdb on the server to trace down the problem.

I found out that the process was looping in enlargeStringInfo() in 
backend/lib/stringinfo.c. The call trace was

#0  0x0810e490 in enlargeStringInfo ()
#1  0x081138e4 in pq_getmessage ()
#2  0x0816561b in SocketBackend ()
#3  0x081657bb in ReadCommand ()
#4  0x08167a5e in PostgresMain ()
#5  0x08144353 in BackendFork ()
#6  0x08143d33 in BackendStartup ()
#7  0x08142516 in ServerLoop ()
#8  0x08142057 in PostmasterMain ()
#9  0x08114a4d in main ()
#10 0x400e8857 in __libc_start_main () from /lib/

The "needed" argument to enlargeStringInfo was 0x5454502b, apparently 
caused by another bug, which I have yet to find.

So the following loop never stops

	while (needed > newlen)
		newlen = 2 * newlen;

because needed and newlen are compared as signed integers. (If "newlen" 
has grown to 0x40000000 it's still smaller than "needed". Multiplying by 
2 overflows and yields 0x80000000, which is negative, thus still smaller 
than "needed". Multiplying by 2 again yields 0, ...)

The numbers should be compared as unsigned ints. Or the maximum string 
length should be restricted.

On the other hand, I wonder if it's desired to even try the following 
memory allocation of at least a GB of RAM. The pq_getmessage() that 
called enlargeStringInfo() has a "maxlen" argument of 0, which seems to 
mean unlimited.

The real cause of the problem seems to be a frontend/backend 
communication problem. The "needed" argument 0x5454502b comes from a 
4-byte length field whose string content is 'TTP/'. Looks like part of 
an HTTP request to me.

I'm using Apache/mod_perl/DBI to access Postgres. Can I log the 
frontend/backend communication somehow?

Nick Wellnhofer

aevum gmbh
leopoldstr. 87
80802 münchen

fon: +4989 38380653
fax: +4989 38799384
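The doubling loop from the report, modelled beside a bounded version, as an added illustration that is not code from the report or from PostgreSQL. grow_buggy, grow_safe, the 1024 starting length and the 0x3fffffff cap are constructed; the unsigned multiply-then-cast stands in for the original's signed `2 * newlen` so the wraparound is reproduced without relying on undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the original doubling loop (constructed example). The real
 * enlargeStringInfo() does a plain signed `2 * newlen`; the unsigned
 * multiply and cast here reproduce two's-complement wraparound
 * deterministically. Returns the final length, or -1 if the loop did
 * not converge within max_iter rounds, i.e. it would spin forever. */
int grow_buggy(int needed, int newlen, int max_iter)
{
    int i;
    for (i = 0; i < max_iter && needed > newlen; i++)
        newlen = (int)(2u * (unsigned)newlen);   /* 0x40000000 -> INT_MIN -> 0 -> 0 ... */
    return (needed > newlen) ? -1 : newlen;
}

/* Hardened version: sizes are unsigned, the request is checked against an
 * explicit maximum before any doubling, and the doubling is clamped to
 * that maximum so it cannot wrap. Returns 0 when the request is refused. */
size_t grow_safe(size_t needed, size_t newlen, size_t maxlen)
{
    if (needed > maxlen)
        return 0;              /* refuse instead of looping or allocating GBs */
    while (needed > newlen) {
        if (newlen > maxlen / 2)
            return maxlen;     /* one more doubling would exceed the cap */
        newlen *= 2;
    }
    return newlen;
}

int main(void)
{
    /* 0x5454502b is the bogus length from the report; 1024 is a
     * constructed initial buffer size. */
    int r = grow_buggy(0x5454502b, 1024, 100);
    printf("buggy loop: %s\n", r < 0 ? "never terminates" : "terminated");
    size_t s = grow_safe(0x5454502b, 1024, 0x3fffffff);
    printf("safe loop:  %s\n", s == 0 ? "request refused" : "buffer grown");
    return 0;
}
```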

