Re: BUG #16176: NULL value returned by category_sql argument to crosstab() causes segmentation fault

From: Joe Conway <mail(at)joeconway(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, ipluta(at)wp(dot)pl
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #16176: NULL value returned by category_sql argument to crosstab() causes segmentation fault
Date: 2019-12-21 14:14:41
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-bugs

On 12/20/19 1:00 PM, Tom Lane wrote:
> PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
>> -- this will crash pg12, but not version() < 12 - note NULL value in
>> categories query:
>> select * from crosstab ('values (1, 2, 12), (1, 3, 13), (2, 2, 22), (2,
>> 3, 23), (3, 2, 32), (3, 3, 33) order by 1, 2, 3', 'values (2), (null)') as
>> rr (a int, "2" int, "3" int);
> Yeah, duplicated here. It seems tablefunc is passing a NULL string
> pointer to sprintf(). Previously, that would work on some platforms
> and crash on others --- as of v12, it crashes everywhere.
> What we need here is to figure out what the hashtab string key ought
> to be for a NULL category. I suspect what was happening before
> (on non-crashing platforms) was that you implicitly got "(nil)"
> or some spelling like that, which is not great because it could
> conflict with a valid user key. Alternatively, we could refuse
> NULL category values ... not sure if that's desirable.
> Anyway, this is *not* a new bug, it's just possible to hit it on
> more platforms now.

It appears that in pg11 (and presumably prior) when snprintf() is called
it is resolved (here at least )to __GI___snprintf() which comes directly
from libc. On my desktop machine the system snprintf() deals with a null
pointer argument without crashing. I guess this is why the crash was
platform dependent.

In pg12 (and presumably master), it is resolved to our own port function
pg_snprintf(), which in turn works its way to dopr(), where strlen() is
called on a null pointer and "<boom>". Undoubtedly strlen() is a bit
more consistent than snprintf() across platforms in this regard.

From what I can see, even on pg11 and prior, having a null category
never did anything useful. And in the 16 years or so since this has been
around, no one in my memory ever asked for that functionality, so I am
inclined to refuse NULL category values unless someone wants to make a
good case otherwise.


Crunchy Data -
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

In response to


Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2019-12-21 15:02:05 Re: BUG #16104: Invalid DSA Memory Alloc Request in Parallel Hash
Previous Message Tomas Vondra 2019-12-21 11:40:03 Re: Indexing on JSONB field not working