Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#4190 closed defect (fixed)

Undefined behaviour in nd_box_overlap (ANALYZE)

Reported by: Algunenano Owned by: Algunenano
Priority: medium Milestone: PostGIS 2.4.6
Component: postgis Version: 2.4.x
Keywords: Cc:

Description

There is a division by zero in the code. Detected running regress_selectivity under gcc -fsanitize=undefined -fsanitize-undefined-trap-on-error.

Core was generated by `postgres: raul postgis_reg [local] ANALYZE '.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f1aebd4c355 in nd_box_overlap (nd_stats=0x55c488d68590, nd_box=0x55c488d60078, nd_ibox=0x7fffc06a86c0) at gserialized_estimate.c:689
689                     nd_ibox->min[d] = floor(size * (nd_box->min[d] - smin) / width);
(gdb) p width
$1 = 0
(gdb) bt
#0  0x00007f1aebd4c355 in nd_box_overlap (nd_stats=0x55c488d68590, nd_box=0x55c488d60078, nd_ibox=0x7fffc06a86c0) at gserialized_estimate.c:689
#1  0x00007f1aebd50e72 in compute_gserialized_stats_mode (stats=0x55c488d67ff0, fetchfunc=0x55c4875e5200 <std_fetch_func>, sample_rows=1, total_rows=1, mode=2)
    at gserialized_estimate.c:1726
#2  0x00007f1aebd44772 in compute_gserialized_stats (stats=0x55c488d67ff0, fetchfunc=0x55c4875e5200 <std_fetch_func>, sample_rows=1, total_rows=1)
    at gserialized_estimate.c:1858
#3  0x000055c4875e2578 in do_analyze_rel (onerel=<optimized out>, options=2, params=<optimized out>, va_cols=0x0, acquirefunc=0x55c4875e11f0 <acquire_sample_rows>, 
    relpages=1, inh=<optimized out>, in_outer_xact=240, elevel=13) at analyze.c:579
#4  0x000055c4875e0ffe in analyze_rel (relid=<optimized out>, relation=<optimized out>, options=2, params=<optimized out>, va_cols=0x0, in_outer_xact=<optimized out>, 
    bstrategy=0x55c488d63f70) at analyze.c:310
#5  0x000055c4876597c2 in vacuum (options=2, relations=<optimized out>, params=0x7fffc06a8d40, bstrategy=<optimized out>, isTopLevel=<optimized out>) at vacuum.c:357
(gdb) p *nd_stats
$5 = {ndims = 2, size = {1, 1, 0, 0}, extent = {min = {0, 0, 0, 0}, max = {0, 0, 0, 0}}, table_features = 1, sample_features = 1, not_null_features = 1, 
  histogram_features = 0, histogram_cells = 0, cells_covered = 0, value = {0}}
(gdb) p *nd_box
$6 = {min = {0, 0, 0, 0}, max = {0, 0, 0, 0}}
(gdb) p *nd_ibox
$7 = {min = {0, 0, 0, 0}, max = {0, 0, 0, 0}}

Previous releases might also be affected.

Change History (7)

comment:1 by Algunenano, 6 years ago

Another one during ANALYZE:

Core was generated by `postgres: raul postgis_reg [local] ANALYZE '.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f1aebd5446d in nd_box_expand (nd_box=0x7fffc06a8700, expansion_factor=0.01) at gserialized_estimate.c:660
660                     nd_box->min[d] -= size * expansion_factor / 2;
(gdb) p size
$1 = 3.3858941447373126e+38
(gdb) p expansion_factor
$2 = 0.01
(gdb) bt
#0  0x00007f1aebd5446d in nd_box_expand (nd_box=0x7fffc06a8700, expansion_factor=0.01) at gserialized_estimate.c:660
#1  0x00007f1aebd50021 in compute_gserialized_stats_mode (stats=0x55c488dc0228, fetchfunc=0x55c4875e5200 <std_fetch_func>, sample_rows=1, total_rows=1, mode=2)
    at gserialized_estimate.c:1583
#2  0x00007f1aebd44772 in compute_gserialized_stats (stats=0x55c488dc0228, fetchfunc=0x55c4875e5200 <std_fetch_func>, sample_rows=1, total_rows=1)
    at gserialized_estimate.c:1858
#3  0x000055c4875e2578 in do_analyze_rel (onerel=<optimized out>, options=2, params=<optimized out>, va_cols=0x0, acquirefunc=0x55c4875e11f0 <acquire_sample_rows>, 
    relpages=1, inh=<optimized out>, in_outer_xact=40, elevel=13) at analyze.c:579
#4  0x000055c4875e0ffe in analyze_rel (relid=<optimized out>, relation=<optimized out>, options=2, params=<optimized out>, va_cols=0x0, in_outer_xact=<optimized out>, 
    bstrategy=0x55c488e41cf0) at analyze.c:310
#5  0x000055c4876597c2 in vacuum (options=2, relations=<optimized out>, params=0x7fffc06a8d40, bstrategy=<optimized out>, isTopLevel=<optimized out>) at vacuum.c:357

comment:2 by robe, 5 years ago

Milestone: PostGIS 2.5.1 → PostGIS 3.0.0

Feel free to push back after 2.5.1 release.

comment:3 by Algunenano, 5 years ago

Version: 2.5.x → 2.4.x

The second backtrace is detected by the test added to #4144 as it tries to increase the bounds over the float limits.

comment:4 by Raul Marin, 5 years ago

In 17020:

Avoid undefined behaviour in gserialized_estimate

References #4190

comment:5 by Raul Marin, 5 years ago

In 17021:

Avoid undefined behaviour in gserialized_estimate

References #4190

comment:6 by Raul Marin, 5 years ago

Resolution: fixed
Status: assigned → closed

In 17022:

Avoid undefined behaviour in gserialized_estimate

Closes #4190
Closes https://github.com/postgis/postgis/pull/315

comment:7 by Algunenano, 5 years ago

Milestone: PostGIS 3.0.0 → PostGIS 2.4.6