BUG #17725: Segfault when seg_in() called with a large argument

From: PG Bug reporting form
Subject: BUG #17725: Segfault when seg_in() called with a large argument
Date:
Msg-id: 17725-0a09313b67fbe86e@postgresql.org
Replies: Re: BUG #17725: Segfault when seg_in() called with a large argument
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      17725
Logged by:          Robins Tharakan
Email address:      tharakan@gmail.com
PostgreSQL version: 15.1
Operating system:   Ubuntu 20.04
Description:

Hi,

The following SQL Segfaults on master (tested on b3bb7d12af).

SQL: SELECT seg_in(numeric_out(round(31, 10000)))


Backtrace on ea5ae4cae6@REL_14_STABLE:
=====================================
#0  __strcpy_avx2 () at ../sysdeps/x86_64/multiarch/strcpy-avx2.S:578
#1  0x00007f31c421f4aa in restore (
    result=0x55009893ace0 <error: Cannot access memory at address 0x55009893ace0>, val=31, n=-46) at seg.c:1009
#2  0x00007f31c421dab9 in seg_out (fcinfo=0x7ffe3ddff6c0) at seg.c:135
#3  0x000055d296a40aa9 in FunctionCall1Coll (flinfo=0x55d298735478, 
    collation=0, arg1=94362989160448) at fmgr.c:1138
#4  0x000055d296a42004 in OutputFunctionCall (flinfo=0x55d298735478, 
    val=94362989160448) at fmgr.c:1575
#5  0x000055d29634a8b4 in printtup (slot=0x55d2987344b8, self=0x55d298936cc0)
    at printtup.c:357
#6  0x000055d2966196c6 in ExecutePlan (estate=0x55d298733f80, 
    planstate=0x55d2987341b8, use_parallel_mode=false, operation=CMD_SELECT,
    sendTuples=true, numberTuples=0, direction=ForwardScanDirection, 
    dest=0x55d298936cc0, execute_once=true) at execMain.c:1582
#7  0x000055d2966172fd in standard_ExecutorRun (queryDesc=0x55d2987289d0, 
    direction=ForwardScanDirection, count=0, execute_once=true)
    at execMain.c:361
#8  0x00007f31dbea134d in pgss_ExecutorRun (queryDesc=0x55d2987289d0, 
    direction=ForwardScanDirection, count=0, execute_once=true)
    at pg_stat_statements.c:1003
#9  0x000055d2966170f3 in ExecutorRun (queryDesc=0x55d2987289d0, 
    direction=ForwardScanDirection, count=0, execute_once=true)
    at execMain.c:303


Backtrace Full excerpt:
======================
#0  __strcpy_avx2 () at ../sysdeps/x86_64/multiarch/strcpy-avx2.S:578
No locals.
#1  0x00007f31c421f4aa in restore (
    result=0x55009893ace0 <error: Cannot access memory at address 0x55009893ace0>, val=31, n=-46) at seg.c:1009
        buf = "00000000003e1\000\060\060\060\060\060\060\060\060\060\060"
        p = 0x55d29893ace8 "e+01"
        exp = 48
        i = 17
        dp = 11
        sign = 0
#2  0x00007f31c421dab9 in seg_out (fcinfo=0x7ffe3ddff6c0) at seg.c:135
        seg = 0x55d29872e800
        result = 0x55d29893ace0 "3.100000e+01"
        p = 0x55d29893ace0 "3.100000e+01"
#3  0x000055d296a40aa9 in FunctionCall1Coll (flinfo=0x55d298735478, 
    collation=0, arg1=94362989160448) at fmgr.c:1138
        fcinfodata = {fcinfo = {flinfo = 0x55d298735478, context = 0x0, 
            resultinfo = 0x0, fncollation = 0, isnull = false, nargs = 1, 
            args = 0x7ffe3ddff6e0}, 
          fcinfo_data = "xTs\230\322U", '\000' <repeats 23 times>, "U\001\000\000\350r\230\322U\000\000\000m\223\230\322U\000"}
        fcinfo = 0x7ffe3ddff6c0
        result = 94362958816336
        __func__ = "FunctionCall1Coll"
#4  0x000055d296a42004 in OutputFunctionCall (flinfo=0x55d298735478, 
    val=94362989160448) at fmgr.c:1575
No locals.
#5  0x000055d29634a8b4 in printtup (slot=0x55d2987344b8, self=0x55d298936cc0)
    at printtup.c:357
        outputstr = 0x55d296882235 <check_stack_depth+13> "\204\300td\276"
        thisState = 0x55d298735468
        attr = 94362989160448
        typeinfo = 0x55d2987343a0
        myState = 0x55d298936cc0
        oldcontext = 0x55d298733e60
        buf = 0x55d298936d10
        natts = 1
        i = 0


Error Log:
=========
2022-12-20 02:44:43.728 UTC [633388] LOG:  server process (PID 783919) was terminated by signal 11: Segmentation fault
2022-12-20 02:44:43.728 UTC [633388] DETAIL:  Failed process was running: SELECT seg_in(numeric_out(round(31,1000000)));
2022-12-20 02:44:43.728 UTC [633388] LOG:  terminating any other active server processes

Thanks to SQLSmith / SQLReduce for helping with the find.

-
Robins Tharakan
Amazon Web Services
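
Frame #1 above shows restore() being called with n=-46. The following is an added example, not part of the original report and not PostgreSQL source: it shows how a significant-digit count of 2002 becomes -46 when narrowed into a one-byte signed field, and how clamping to FLT_DIG before storing keeps the value in range. The one-byte field, the constructed input ("31." followed by 2000 zeros, chosen because it reproduces n=-46) and all function names are assumptions.

```c
#include <ctype.h>
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical digit counter (not contrib/seg's own): skips the
 * sign and leading zeros, then counts digits, ignoring the decimal point. */
static int count_sig_digits(const char *s)
{
    int n = 0;
    while (*s == '+' || *s == '-' || *s == '0')
        s++;
    for (; isdigit((unsigned char) *s) || *s == '.'; s++)
        if (*s != '.')
            n++;
    return n > 0 ? n : 1;
}

/* Assumed storage: a one-byte signed field. Narrowing keeps only the low
 * 8 bits on common compilers, so large counts can come back negative. */
static int store_unchecked(int n) { return (signed char) n; }

/* Hardened: clamp to the digits a float can hold before narrowing. */
static int store_clamped(int n) { return (signed char) (n > FLT_DIG ? FLT_DIG : n); }

enum mode { RAW_COUNT, UNCHECKED, CLAMPED };

/* Build the constructed input "31." + `zeros` zeros and report one value. */
static int run_case(size_t zeros, enum mode m)
{
    char *s = malloc(zeros + 4);
    int n;
    if (s == NULL)
        return 0;
    memcpy(s, "31.", 3);
    memset(s + 3, '0', zeros);
    s[zeros + 3] = '\0';
    n = count_sig_digits(s);
    free(s);
    return m == RAW_COUNT ? n : m == UNCHECKED ? store_unchecked(n) : store_clamped(n);
}

int main(void)
{
    printf("digits=%d unchecked=%d clamped=%d\n", run_case(2000, RAW_COUNT),
           run_case(2000, UNCHECKED), run_case(2000, CLAMPED));
    return 0;
}
```

A negative count passed on as a precision or buffer offset is what makes the later string handling unsafe, so the range check belongs at the point where the count is stored.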

