| From: | Tender Wang <tndrwang(at)gmail(dot)com> |
|---|---|
| To: | Richard Guo <guofenglinux(at)gmail(dot)com> |
| Cc: | exclusion(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #19405: Assertion in eval_windowaggregates() fails due to integer overflow |
| Date: | 2026-02-15 08:48:04 |
| Message-ID: | CAHewXNnpM95Zg8ARhZwO87_6+4+ag5iBYhoaOJ0TAD_-ygm9tg@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Richard Guo <guofenglinux(at)gmail(dot)com> 于2026年2月14日周六 17:41写道:
>
> On Fri, Feb 13, 2026 at 7:09 PM PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> > The following script:
> > CREATE TABLE t (i integer);
> > INSERT INTO t SELECT g FROM generate_series(1, 2) g;
> > SELECT SUM(i) OVER (ROWS BETWEEN 1 PRECEDING AND 0x7fffffffffffffff
> > FOLLOWING EXCLUDE CURRENT ROW) FROM t;
>
> Thanks for the report. Reproduced here.
>
> It seems to be caused by a signed integer overflow in row_is_in_frame
> when calculating the frame's end position:
>
> if (pos > winstate->currentpos + offset)
> return -1;
>
> When offset is very large (close to INT64_MAX, as in the reported
> case), the addition can overflow, in which case the result would wrap
> to a negative number (with -fwrapv), causing the comparison to
> incorrectly return true. In release builds, this causes valid rows to
> be excluded from the window frame. In debug builds, it leads to an
> assertion failure.
Yes, the code above may overflow; in debug builds, the assertion would fail.
>
> I think we can fix this by leveraging the overflow-aware integer
> operation (ie, pg_add_s64_overflow) to perform the addition here. If
> an overflow is detected, we can assume the frame boundary extends to
> the end of the partition, meaning the current row is within the frame.
>
I've also considered similar solutions. But I'm not very familiar
with the window function
internal codes, so not sure it's the right fix.
> Right, I noticed this one too. Basically, nodeWindowAgg.c doesn't
> check for overflow when adding startOffsetValue or endOffsetValue.
> Since these values are provided by the user and can be arbitrarily
> large, simple addition does not seem safe. I think we may need to
> switch to overflow-aware integer operations in all relevant code.
>Here is an updated patch to fix all relevant code in nodeWindowAgg.c.
v2 seems to cover all cases. WFM.
In window.sql, we don't have a test case for this issue. I think we
should add it to the window.sql
--
Thanks,
Tender Wang
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2026-02-15 14:55:27 | BUG #19410: Cannot ser client_encoding |
| Previous Message | PG Bug reporting form | 2026-02-15 01:53:30 | BUG #19410: Cannot ser client_encoding |