On Fri, Oct 11, 2019 at 03:05:38PM +0000, PG Bug reporting form wrote:
>The following bug has been logged on the website:
>
>Bug reference: 16050
>Logged by: Alexander Lakhin
>Email address: exclusion@gmail.com
>PostgreSQL version: 12.0
>Operating system: Ubuntu 18.04
>Description:
>
>The following query:
>CREATE TEXT SEARCH DICTIONARY hunspell_num (Template=ispell,
>DictFile=hunspell_sample_num, AffFile=hunspell_sample_long);
>
>crashes postgres with the stack trace:
>Core was generated by `postgres: law regression [local] CREATE TEXT SEARCH
>DICTIONARY '.
Yep, I can reproduce it quite easily. With extra debug symbols and
memory randomization it produces a bit clearer backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory at
address0x7f7f7f7f7f7f7f7f>) at spell.c:1126
1126 while (*flagcur)
(gdb) bt
#0 0x00000000008fd31b in getCompoundAffixFlagValue (Conf=0x2d053c8, s=0x7f7f7f7f7f7f7f7f <error: Cannot access memory
ataddress 0x7f7f7f7f7f7f7f7f>) at spell.c:1126
#1 0x00000000008fe627 in makeCompoundFlags (Conf=0x2d053c8, affix=303) at spell.c:1608
#2 0x00000000008fe959 in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=3) at spell.c:1680
#3 0x00000000008fea1e in mkSPNode (Conf=0x2d053c8, low=0, high=1, level=2) at spell.c:1692
#4 0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=4, level=1) at spell.c:1652
#5 0x00000000008fe794 in mkSPNode (Conf=0x2d053c8, low=0, high=9, level=0) at spell.c:1652
...
That is, makeCompontFlags calls getCompoundAffixFlagValue with invalid
pointer 's', likely after it got already pfreed.
cheers
--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services