Discussion: UBSAN crash in EventTriggerCollectAlterTSConfig (memcpy with NULL src)
Hi,
While working on the pg_get_domain_ddl() patch [1], I installed an
event trigger on ddl_command_end in test_setup.sql to automatically
round-trip DDL. This triggered a UBSAN crash on CI [2] that turns out
to be a pre-existing bug since b488c580aef(?).
The DROP MAPPING code path in tsearchcmds.c unconditionally calls:
```c
EventTriggerCollectAlterTSConfig(stmt, cfgId, NULL, 0);
```
Inside EventTriggerCollectAlterTSConfig(), this reaches:
```c
command->d.atscfg.dictIds = palloc_array(Oid, ndicts); /* ndicts=0 */
memcpy(command->d.atscfg.dictIds, dictIds, sizeof(Oid) * ndicts);
                                  ^^^^^^^ NULL
```
Under -fsanitize=undefined this triggers SIGABRT and crashes the server.
The bug has been latent for 11 years because without an active event
trigger, currentEventTriggerState is NULL and the function returns early
at the top, never reaching the memcpy. The standard regression suite
never had an event trigger installed during the tsdicts test — until now.
Reproducer (crashes only under UBSAN) and patch attached:
This affects all branches back to 9.5 where b488c580aef landed.
[1] https://www.postgresql.org/message-id/CAPgqM1V4LW2qiDLPsusb7s0kYbSDJjH5Tt%2B-ZzVmPU7xV0TJNQ%40mail.gmail.com
[2] https://cirrus-ci.com/task/6170470552174592
--
Cheers,
Florin
EDB -- www.enterprisedb.com
Attachments
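Added example, not code from the thread or from PostgreSQL: a stand-in for the collector described above, showing the early return that kept the bug latent, the NULL-source memcpy that UBSAN aborts on, and a guarded version. All names (Oid, TSConfigCmd, collect_*) are assumed.

```c
/* Added example, not PostgreSQL source: models the collector described in
 * the thread so the NULL-source memcpy and its guard can be seen in
 * isolation. All names (Oid, TSConfigCmd, collect_*) are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int Oid;

typedef struct TSConfigCmd
{
	Oid		   *dictIds;
	int			ndicts;
} TSConfigCmd;

/* Mirrors the buggy shape: memcpy's pointer operands must be valid even
 * when the byte count is 0, so a (NULL, 0) pair is undefined behaviour and
 * -fsanitize=undefined aborts on it. With no event trigger active
 * (state == NULL) the early return never reaches memcpy, which is why the
 * DROP MAPPING path could stay latent in the regression suite. */
bool
collect_unsafe(const void *state, TSConfigCmd *cmd, const Oid *dictIds, int ndicts)
{
	if (state == NULL)
		return false;			/* no event trigger active: early exit */
	cmd->ndicts = ndicts;
	cmd->dictIds = malloc(sizeof(Oid) * ndicts);
	memcpy(cmd->dictIds, dictIds, sizeof(Oid) * ndicts);	/* UB if dictIds == NULL */
	return true;
}

/* Hardened shape: only call memcpy when there is something to copy, so the
 * (NULL, 0) call made by the DROP MAPPING path is well defined. */
bool
collect_safe(const void *state, TSConfigCmd *cmd, const Oid *dictIds, int ndicts)
{
	if (state == NULL)
		return false;
	cmd->ndicts = ndicts;
	cmd->dictIds = NULL;
	if (ndicts > 0)
	{
		cmd->dictIds = malloc(sizeof(Oid) * ndicts);
		memcpy(cmd->dictIds, dictIds, sizeof(Oid) * ndicts);
	}
	return true;
}
```

Compile both with `-fsanitize=undefined` and only `collect_unsafe(&state, &cmd, NULL, 0)` reports a runtime error; the guarded version is silent for the same call.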
On 2026-Mar-03, Florin Irion wrote:
> While working on the pg_get_domain_ddl() patch [1], I installed an
> event trigger on ddl_command_end in test_setup.sql to automatically
> round-trip DDL. This triggered a UBSAN crash on CI [2] that turns out
> to be a pre-existing bug since b488c580aef(?).

Cool, yeah, this is broken. I propose to add the corresponding test in
src/test/modules/test_ddl_deparse though -- that way we don't need
another event trigger. So how about like this?

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
"It is not good to walk with a dead man"
Attachments
On 03/03/26 20:48, Álvaro Herrera wrote:
> Cool, yeah, this is broken. I propose to add the corresponding test in
> src/test/modules/test_ddl_deparse though -- that way we don't need
> another event trigger. So how about like this?

LGTM, I had to look up the CREATE TEXT SEARCH CONFIGURATION the
first time I saw it.

Cheers,
Florin
--
EDB -- www.enterprisedb.com
On 2026-Mar-03, Florin Irion wrote:
> On 03/03/26 20:48, Álvaro Herrera wrote:
>
> > Cool, yeah, this is broken. I propose to add the corresponding test in
> > src/test/modules/test_ddl_deparse though -- that way we don't need
> > another event trigger. So how about like this?
>
> LGTM, I had to look up the CREATE TEXT SEARCH CONFIGURATION
> first time I saw it.

Okay, thanks, pushed to all branches.

--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
"But static content is just dynamic content that isn't moving!"
http://smylers.hates-software.com/2007/08/15/fe244d0c.html
Thank you!
On Wed, 4 Mar 2026 at 15:10, Álvaro Herrera <alvherre@kurilemu.de> wrote:
> On 2026-Mar-03, Florin Irion wrote:
> > On 03/03/26 20:48, Álvaro Herrera wrote:
> >
> > > Cool, yeah, this is broken. I propose to add the corresponding test in
> > > src/test/modules/test_ddl_deparse though -- that way we don't need
> > > another event trigger. So how about like this?
> >
> > LGTM, I had to look up the CREATE TEXT SEARCH CONFIGURATION
> > first time I saw it.
>
> Okay, thanks, pushed to all branches.
>
> --
> Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
> "But static content is just dynamic content that isn't moving!"
> http://smylers.hates-software.com/2007/08/15/fe244d0c.html
Florin Irion