Thomas Munro <thomas.munro@enterprisedb.com> writes:
> When SH_INSERT tries to insert that final extra value, insertdist
> keeps exceeding SH_GROW_MAX_DIB (25) no matter how many times we
> double the size (at least until my computer gives up, somewhere around
> 11 doublings and 75GB of virtual memory). If you set SH_GROW_MAX_DIB
> to 26 then it succeeds, but I guess some other attack could be crafted
> for that. What is the theory behind this parameter?
You beat me to it --- after looking at simplehash.h I'd guessed that
either the SH_GROW_MAX_DIB or SH_GROW_MAX_MOVE code path was causing
an infinite loop, but I'd not gotten to determining which one yet.
I'd ask what's the theory behind SH_GROW_MAX_MOVE, as well. Neither
of them are obviously loop-proof.
Note that the sample data has a lot of collisions:
regression=# select hashint8(val), count(*) from reproducer group by 1 order by 2 desc; hashint8 | count
-------------+------- 441526644 | 2337-1117776826 | 1221-1202007016 | 935-2068831050 | 620 1156644653 | 538
553783815| 510 259780770 | 444 371047036 | 394 915722575 | 359... etc etc ...
It's evidently more complicated than just that the code fails with
more than SH_GROW_MAX_DIB duplicate hashcodes, but I suspect not
by a lot. There needs to be a safety valve that prevents letting
the hash fill factor approach zero, which is what's happening in
this test case.
(I wonder whether these loops oughtn't contain CHECK_FOR_INTERRUPTS,
btw.)
regards, tom lane