Discussion: BUG #3675: Crash on xpath function with 2 parameters


BUG #3675: Crash on xpath function with 2 parameters

From:
"Jeremy Palmer"
Date:
The following bug has been logged online:

Bug reference:      3675
Logged by:          Jeremy Palmer
Email address:      jpalmer@linz.govt.nz
PostgreSQL version: 8.3b1
Operating system:   WinXP SP2
Description:        Crash on xpath function with 2 parameters
Details:

The following query crashes the backend:

SELECT xpath('/my:a/text()', '<my:a
xmlns:my="http://example.com">test</my:a>');

Server log:

2007-10-13 22:45:38 NZDT LOG:  database system was interrupted; last known
up at 2007-10-13 22:43:54 NZDT
2007-10-13 22:45:38 NZDT LOG:  database system was not properly shut down;
automatic recovery in progress
2007-10-13 22:45:38 NZDT LOG:  record with zero length at 0/871688
2007-10-13 22:45:38 NZDT LOG:  redo is not required
2007-10-13 22:45:38 NZDT LOG:  database system is ready to accept
connections
2007-10-13 22:45:38 NZDT LOG:  autovacuum launcher started
2007-10-13 22:45:38 NZDT LOG:  loaded library
"$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:44 NZDT LOG:  loaded library
"$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:47 NZDT LOG:  loaded library
"$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:45:48 NZDT LOG:  loaded library
"$libdir/plugins/plugin_debugger.dll"
2007-10-13 22:46:29 NZDT LOG:  server process (PID 2984) was terminated by
exception 0xC0000005
2007-10-13 22:46:29 NZDT HINT:  See C include file "ntstatus.h" for a
description of the hex value.
2007-10-13 22:46:29 NZDT LOG:  terminating any other active server
processes
2007-10-13 22:46:29 NZDT WARNING:  terminating connection because of crash
of another server process
2007-10-13 22:46:29 NZDT DETAIL:  The postmaster has commanded this server
process to roll back the current transaction and exit, because another
server process exited abnormally and possibly corrupted shared memory.
2007-10-13 22:46:29 NZDT HINT:  In a moment you should be able to reconnect
to the database and repeat your command.
2007-10-13 22:46:29 NZDT WARNING:  terminating connection because of crash
of another server process
2007-10-13 22:46:29 NZDT DETAIL:  The postmaster has commanded this server
process to roll back the current transaction and exit, because another
server process exited abnormally and possibly corrupted shared memory.
2007-10-13 22:46:29 NZDT HINT:  In a moment you should be able to reconnect
to the database and repeat your command.
2007-10-13 22:46:29 NZDT LOG:  all server processes terminated;
reinitializing
2007-10-13 22:46:30 NZDT FATAL:  pre-existing shared memory block is still
in use
2007-10-13 22:46:30 NZDT HINT:  Check if there are any old server processes
still running, and terminate them.

I'm using the default configuration as set up by the win32 pginstaller.

Thanks
Jeremy

Re: BUG #3675: Crash on xpath function with 2 parameters

From:
Kris Jurka
Date:
On Sat, 13 Oct 2007, Jeremy Palmer wrote:

> The following bug has been logged online:
>
> Bug reference:      3675
> PostgreSQL version: 8.3b1
> Operating system:   WinXP SP2
> Description:        Crash on xpath function with 2 parameters
> Details:
>
> The following query crashes the backend:
>
> SELECT xpath('/my:a/text()', '<my:a
> xmlns:my="http://example.com">test</my:a>');
>

This patch avoids the double free of xpathcomp and fixes things for me.

Kris Jurka

Re: BUG #3675: Crash on xpath function with 2 parameters

From:
Tom Lane
Date:
Kris Jurka <books@ejurka.com> writes:
> On Sat, 13 Oct 2007, Jeremy Palmer wrote:
>> The following query crashes the backend:
>>
>> SELECT xpath('/my:a/text()', '<my:a
>> xmlns:my="http://example.com">test</my:a>');
>>
> This patch avoids the double free of xpathcomp and fixes things for me.

Hmm, I wonder why that doesn't crash here?  It certainly looks pretty
broken --- maybe some versions of libxml have internal defenses against
this.

Patch applied, and I also cleaned up some other places where an error
escape might possibly lead to double free.  (The other ones are probably
not real risks, since libxml presumably doesn't elog, but we might as
well try to make the code bulletproof in case more PG-aware code gets
inserted in these paths.)

            regards, tom lane
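
The failure mode discussed in this thread, as an added illustration that is not the PostgreSQL patch or any participant's code: an object released on the normal path gets released a second time by error cleanup unless the pointer is cleared first. `Resource`, `release`, `run`, `releases` and the setjmp/longjmp error escape are constructed stand-ins, and releases are counted rather than freed so the double release can be observed safely.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a library-owned object. Releases are counted
 * instead of calling free(), so a double release is observable without
 * undefined behaviour. */
typedef struct { int release_calls; } Resource;
enum fail_point { NO_ERROR, ERROR_BEFORE_RELEASE, ERROR_AFTER_RELEASE };

static jmp_buf error_escape;   /* plays the role of an error longjmp */

static void release(Resource *r) { r->release_calls++; }

static void maybe_fail(enum fail_point at, enum fail_point here)
{
    if (at == here) longjmp(error_escape, 1);
}

/* "Use, release, continue" with an error-cleanup branch.
 * null_after_release selects the hardened variant. */
static int run(Resource *r, enum fail_point at, int null_after_release)
{
    /* volatile: modified after setjmp() and read again after longjmp() */
    Resource *volatile comp = r;

    if (setjmp(error_escape) == 0) {
        maybe_fail(at, ERROR_BEFORE_RELEASE);
        release(comp);                 /* normal-path release */
        if (null_after_release)
            comp = NULL;               /* cleanup branch will now skip it */
        maybe_fail(at, ERROR_AFTER_RELEASE);
    } else if (comp != NULL) {
        release(comp);                 /* error-path cleanup */
    }
    return r->release_calls;
}

/* Number of times the object was released in one scenario. */
int releases(enum fail_point at, int null_after_release)
{
    Resource r = {0};
    return run(&r, at, null_after_release);
}

int main(void)
{
    printf("unguarded, late error: %d\n", releases(ERROR_AFTER_RELEASE, 0));
    printf("guarded, late error:   %d\n", releases(ERROR_AFTER_RELEASE, 1));
    return 0;
}
```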