Postgres crash with ST_GeomFromGML

[mwjhartogs]

Hi,

Currently I have a quite large GMl which needs to be parsed to geometry. When I run the attached query the Postgres db will crash.

I've tested this in Linux (Centos), Windows 10 and Windows server. Everywhere the same crash. I've increased the work mem to 1 GB. increased the shared mem.

Error log Postgres: 2020-03-27 13:22:16 CET LOG: 00000: server process (PID 6704) was terminated by exception 0xC0000374 2020-03-27 13:22:16 CET DETAIL: Failed process was running: select ST_GeomFromGML('<gml:Curve id="id-69b216c9-2c07-434d-8664-e321b3697725-0" srsDimension="2" srsName="urn:x-ogc:def:crs:EPSG:28992"> <gml:segments> <gml:LineStringSegment>

<gml:posList>119675.91899999976 526436.1209999993 119676.54699999839 526439.4930000007 119676.44299999997 526439.5130000003 119676.03299999982 526439.6220000014 119675.38500000164 526439.868999999</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment> <gml:posList>119675.38500000164 526439.868999999 119675.15500452081 526439.9735735222 119674.92922525379 526440.0869634049 119674.70800000057 526440.2089999989</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment> <gml:posList>119674.70800000057 526440.2089999989 119674.01347910661 526440.6575801083 119673.38748824484 526441.1976901226 119672.84200000018 526441.8189999983</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment> <gml:posList>119672.84200000018 526441.8189999983 119671.85700000077 526442.8630000018 119670.99599999934 526443.2149999999 119660.08

2020-03-27 13:22:16 CET HINT: See C include file "ntstatus.h" for a description of the hexadecimal value. 2020-03-27 13:22:16 CET LOCATION: LogChildExit, postmaster.c:3492 2020-03-27 13:22:16 CET LOG: 00000: terminating any other active server processes 2020-03-27 13:22:16 CET LOCATION: HandleChildCrash, postmaster.c:3223 2020-03-27 13:22:16 CET WARNING: 57P02: terminating connection because of crash of another server process 2020-03-27 13:22:16 CET DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory. 2020-03-27 13:22:16 CET HINT: In a moment you should be able to reconnect to the database and repeat your command. 2020-03-27 13:22:16 CET LOCATION: quickdie, postgres.c:2601 2020-03-27 13:22:16 CET WARNING: 57P02: terminating connection because of crash of another server process 2020-03-27 13:22:16 CET DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory. 2020-03-27 13:22:16 CET HINT: In a moment you should be able to reconnect to the database and repeat your command. 2020-03-27 13:22:16 CET LOCATION: quickdie, postgres.c:2601 2020-03-27 13:22:16 CET WARNING: 57P02: terminating connection because of crash of another server process 2020-03-27 13:22:16 CET DETAIL: The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory. 2020-03-27 13:22:16 CET HINT: In a moment you should be able to reconnect to the database and repeat your command. 2020-03-27 13:22:16 CET LOCATION: quickdie, postgres.c:2601 2020-03-27 13:22:16 CET LOG: 00000: all server processes terminated; reinitializing 2020-03-27 13:22:16 CET LOCATION: PostmasterStateMachine, postmaster.c:3747 2020-03-27 13:22:16 CET LOG: 00000: database system was interrupted; last known up at 2020-03-27 13:21:58 CET 2020-03-27 13:22:16 CET LOCATION: StartupXLOG, xlog.c:6019

[mwjhartogs]

sql query

[mwjhartogs]

Error log Postgres

[Algunenano]

I can confirm the issue in there in current master:

(gdb) bt
#0  0x00007f140ca5cce5 in raise () from /usr/lib/libc.so.6
#1  0x00007f140ca46857 in abort () from /usr/lib/libc.so.6
#2  0x00007f140caa02b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f140caa774a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f140caaa6b4 in _int_malloc () from /usr/lib/libc.so.6
#5  0x00007f140caabe74 in malloc () from /usr/lib/libc.so.6
#6  0x000055b8dd4d51d4 in AllocSetAlloc (context=0x55b8deb04350, size=<optimized out>) at aset.c:914
#7  0x000055b8dd4dc6a7 in MemoryContextAllocZeroAligned (context=0x55b8deb04350, size=528) at mcxt.c:864
#8  0x000055b8dd27ff47 in subquery_planner (glob=0x55b8deb06000, parse=0x55b8deb05418, parent_root=0x0, hasRecursion=false, tuple_fraction=0) at planner.c:609
#9  0x000055b8dd27faaf in standard_planner (parse=0x55b8deb05418, cursorOptions=<optimized out>, boundParams=0x0) at planner.c:406
#10 0x000055b8dd358e60 in pg_plan_query (querytree=0x55b8deb05418, cursorOptions=256, boundParams=0x0) at postgres.c:878
#11 pg_plan_queries (querytrees=<optimized out>, cursorOptions=256, boundParams=0x0) at postgres.c:968
#12 0x000055b8dd498df3 in BuildCachedPlan (plansource=0x55b8deb051a8, qlist=0x55b8deb05fd0, boundParams=0x0, queryEnv=<optimized out>) at plancache.c:933
#13 0x000055b8dd498639 in GetCachedPlan (plansource=0x55b8deb051a8, boundParams=<optimized out>, useResOwner=<optimized out>, queryEnv=<optimized out>) at plancache.c:1214
#14 0x000055b8dd20a501 in _SPI_execute_plan (plan=0x7ffceb9a8080, paramLI=0x0, snapshot=<optimized out>, crosscheck_snapshot=0x0, read_only=false, fire_triggers=<optimized out>, tcount=1) at spi.c:2215
#15 0x000055b8dd20a2e8 in SPI_execute (src=0x7ffceb9a8160 "SELECT position('+units=m ' in proj4text)", ' ' <repeats 25 times>, "FROM spatial_ref_sys WHERE srid='28992'", read_only=false, tcount=1) at spi.c:514
#16 0x00007f11fc5d0ffb in gml_is_srid_planar (srid=28992) at lwgeom_in_gml.c:397
#17 parse_gml_srs (xnode=<optimized out>, srs=0x7ffceb9a82f8) at lwgeom_in_gml.c:487
#18 0x00007f11fc5cfdac in parse_gml_curve (xnode=0x55b8deaf5480, hasz=0x7ffceb9a834f, root_srid=<optimized out>) at lwgeom_in_gml.c:1138
#19 parse_gml (xnode=<optimized out>, hasz=0x7ffceb9a834f, root_srid=0x7ffceb9a8350) at lwgeom_in_gml.c:1933
#20 0x00007f11fc5ce65a in lwgeom_from_gml (xml=<optimized out>, xml_size=<optimized out>) at lwgeom_in_gml.c:1877
#21 geom_from_gml (fcinfo=<optimized out>) at lwgeom_in_gml.c:116
#22 0x000055b8dd1ca50d in ExecInterpExpr (state=0x55b8deabd740, econtext=0x55b8deabdc80, isnull=<optimized out>) at execExprInterp.c:649
#23 0x000055b8dd299a8e in ExecEvalExprSwitchContext (state=<optimized out>, econtext=0x7ffceb9a7850, isNull=0x7ffceb9a84bf) at ../../../../src/include/executor/executor.h:307
#24 evaluate_expr (expr=<optimized out>, result_type=72111, result_typmod=-1, result_collation=0) at clauses.c:4812
#25 0x000055b8dd29a664 in evaluate_function (funcid=72624, result_type=72111, result_typmod=-1, result_collid=0, input_collid=100, args=0x55b8de9f8a60, funcvariadic=<optimized out>, context=0x7ffceb9a8830, func_tuple=<optimized out>) at clauses.c:4354
#26 simplify_function (funcid=72624, result_type=72111, result_typmod=-1, result_collid=0, input_collid=100, args_p=<optimized out>, funcvariadic=<optimized out>, process_args=<optimized out>, allow_non_const=true, context=0x7ffceb9a8830)
    at clauses.c:3984
#27 0x000055b8dd298864 in eval_const_expressions_mutator (node=0x55b8de9f8648, context=0x7ffceb9a8830) at clauses.c:2477
#28 0x000055b8dd22d829 in expression_tree_mutator (node=0x55b8de9f8698, mutator=0x55b8dd297c30 <eval_const_expressions_mutator>, context=0x7ffceb9a8830) at nodeFuncs.c:2762
#29 0x000055b8dd297d4e in eval_const_expressions_mutator (node=0x55b8de9f8698, context=0x7ffceb9a8830) at clauses.c:3539
#30 0x000055b8dd22db06 in expression_tree_mutator (node=<optimized out>, mutator=0x55b8dd297c30 <eval_const_expressions_mutator>, context=0x7ffceb9a8830) at nodeFuncs.c:3012
#31 0x000055b8dd297d4e in eval_const_expressions_mutator (node=0x55b8de9f8708, context=0x7ffceb9a8830) at clauses.c:3539
#32 0x000055b8dd297c10 in eval_const_expressions (root=<optimized out>, node=0x0) at clauses.c:2269
#33 0x000055b8dd2804ab in preprocess_expression (root=<optimized out>, expr=0x7ffceb9a7850, kind=1) at planner.c:1087
#34 subquery_planner (glob=<optimized out>, parse=0x55b8de9f8388, parent_root=<optimized out>, hasRecursion=<optimized out>, tuple_fraction=0) at planner.c:769
#35 0x000055b8dd27faaf in standard_planner (parse=0x55b8de9f8388, cursorOptions=<optimized out>, boundParams=0x0) at planner.c:406
#36 0x000055b8dd358e60 in pg_plan_query (querytree=0x55b8de9f8388, cursorOptions=256, boundParams=0x0) at postgres.c:878
#37 pg_plan_queries (querytrees=<optimized out>, cursorOptions=256, boundParams=0x0) at postgres.c:968
#38 0x000055b8dd35d2b4 in exec_simple_query (
    query_string=0x55b8deaf6358 "select ST_GeomFromGML('<gml:Curve id=\"id-69b216c9-2c07-434d-8664-e321b3697725-0\" srsDimension=\"2\" srsName=\"urn:x-ogc:def:crs:EPSG:28992\"> <gml:segments> <gml:LineStringSegment> \n<gml:posList>119675.91"...)
    at postgres.c:1143
#39 0x000055b8dd35ad34 in PostgresMain (argc=<optimized out>, argv=<optimized out>, dbname=<optimized out>, username=<optimized out>) at postgres.c:4243
#40 0x000055b8dd2c9ef7 in BackendRun (port=0x55b8dea1d230) at postmaster.c:4437
#41 0x000055b8dd2c94df in BackendStartup (port=<optimized out>) at postmaster.c:4128
#42 ServerLoop () at postmaster.c:1704
#43 0x000055b8dd2c6036 in PostmasterMain (argc=3, argv=0x55b8de9f1230) at postmaster.c:1377
#44 0x000055b8dd22b7d5 in main (argc=3, argv=0x55b8de9f1230) at main.c:228

In PG (REL_12_STABLE) logs: ` malloc(): invalid size (unsorted) `

This might be a PG issue. I'll try to investigate further.

[mwjhartogs]

Ps. when you remove the last set of coords in the last segment (119658.85000000149 526442.6779999994) then it works.

It's not related ith this coordpair, any coord will crash the DB

[Algunenano]

Call stack without any optimizations (neither PG nor Postgis):

(gdb) bt
#0  0x00007fba0f042ce5 in raise () from /usr/lib/libc.so.6
#1  0x00007fba0f02c857 in abort () from /usr/lib/libc.so.6
#2  0x00007fba0f0862b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007fba0f08d74a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007fba0f0906b4 in _int_malloc () from /usr/lib/libc.so.6
#5  0x00007fba0f091e74 in malloc () from /usr/lib/libc.so.6
#6  0x0000559e4bc1d52e in AllocSetAlloc (context=0x559e4c58b6e0, size=128) at aset.c:914
#7  0x0000559e4bc29d71 in MemoryContextAllocZeroAligned (context=0x559e4c58b6e0, size=128) at mcxt.c:864
#8  0x0000559e4b8c2feb in standard_planner (parse=0x559e4c58c928, cursorOptions=256, boundParams=0x0) at planner.c:298
#9  0x0000559e4b8c2fae in planner (parse=0x559e4c58c928, cursorOptions=256, boundParams=0x0) at planner.c:275
#10 0x0000559e4ba0510c in pg_plan_query (querytree=0x559e4c58c928, cursorOptions=256, boundParams=0x0) at postgres.c:878
#11 0x0000559e4ba05270 in pg_plan_queries (querytrees=0x559e4c58d698, cursorOptions=256, boundParams=0x0) at postgres.c:968
#12 0x0000559e4bbc58b6 in BuildCachedPlan (plansource=0x559e4c58c698, qlist=0x559e4c58d698, boundParams=0x0, queryEnv=0x0) at plancache.c:933
#13 0x0000559e4bbc4db7 in GetCachedPlan (plansource=0x559e4c58c698, boundParams=0x0, useResOwner=false, queryEnv=0x0) at plancache.c:1214
#14 0x0000559e4b7ff3ad in _SPI_execute_plan (plan=0x7ffe8b63d5d0, paramLI=0x0, snapshot=0x0, crosscheck_snapshot=0x0, read_only=false, fire_triggers=true, tcount=1) at spi.c:2215
#15 0x0000559e4b7fef4b in SPI_execute (src=0x7ffe8b63d660 "SELECT position('+units=m ' in proj4text)", ' ' <repeats 25 times>, "FROM spatial_ref_sys WHERE srid='28992'", read_only=false, tcount=1) at spi.c:514
#16 0x0000559e4b7ffbd1 in SPI_exec (src=0x7ffe8b63d660 "SELECT position('+units=m ' in proj4text)", ' ' <repeats 25 times>, "FROM spatial_ref_sys WHERE srid='28992'", tcount=1) at spi.c:526
#17 0x00007fb7feb59274 in gml_is_srid_planar (srid=28992) at lwgeom_in_gml.c:397
#18 0x00007fb7feb56ccd in parse_gml_srs (xnode=0x559e4c558c30, srs=0x7ffe8b63d850) at lwgeom_in_gml.c:487
#19 0x00007fb7feb57455 in parse_gml_curve (xnode=0x559e4c558c30, hasz=0x7ffe8b63d917, root_srid=0x7ffe8b63d910) at lwgeom_in_gml.c:1138
#20 0x00007fb7feb565e4 in parse_gml (xnode=0x559e4c558c30, hasz=0x7ffe8b63d917, root_srid=0x7ffe8b63d910) at lwgeom_in_gml.c:1933
#21 0x00007fb7feb563a5 in lwgeom_from_gml (
    xml=0x559e4c55cdf0 "<gml:Curve id=\"id-69b216c9-2c07-434d-8664-e321b3697725-0\" srsDimension=\"2\" srsName=\"urn:x-ogc:def:crs:EPSG:28992\"> <gml:segments> <gml:LineStringSegment> \n<gml:posList>119675.91899999976 526436.120999"..., xml_size=13248)
    at lwgeom_in_gml.c:1877
#22 0x00007fb7feb56276 in geom_from_gml (fcinfo=0x559e4c5424d0) at lwgeom_in_gml.c:116
#23 0x0000559e4b798735 in ExecInterpExpr (state=0x559e4c5423e0, econtext=0x559e4c542620, isnull=0x7ffe8b63dc87) at execExprInterp.c:649
#24 0x0000559e4b7979d7 in ExecInterpExprStillValid (state=0x559e4c5423e0, econtext=0x559e4c542620, isNull=0x7ffe8b63dc87) at execExprInterp.c:1778
#25 0x0000559e4b8ec46b in ExecEvalExprSwitchContext (state=0x559e4c5423e0, econtext=0x559e4c542620, isNull=0x7ffe8b63dc87) at ../../../../src/include/executor/executor.h:307
#26 0x0000559e4b8ec31f in evaluate_expr (expr=0x559e4c4762b8, result_type=72111, result_typmod=-1, result_collation=0) at clauses.c:4812
#27 0x0000559e4b8ee0e9 in evaluate_function (funcid=72624, result_type=72111, result_typmod=-1, result_collid=0, input_collid=100, args=0x559e4c476200, funcvariadic=false, func_tuple=0x7fb7fecf1ed0, context=0x7ffe8b63fa80) at clauses.c:4354
#28 0x0000559e4b8ed388 in simplify_function (funcid=72624, result_type=72111, result_typmod=-1, result_collid=0, input_collid=100, args_p=0x7ffe8b63e328, funcvariadic=false, process_args=true, allow_non_const=true, context=0x7ffe8b63fa80)
    at clauses.c:3984
#29 0x0000559e4b8e939b in eval_const_expressions_mutator (node=0x559e4c475ed8, context=0x7ffe8b63fa80) at clauses.c:2477
#30 0x0000559e4b8352ff in expression_tree_mutator (node=0x559e4c475f30, mutator=0x559e4b8e8e70 <eval_const_expressions_mutator>, context=0x7ffe8b63fa80) at nodeFuncs.c:2963
#31 0x0000559e4b8eb86f in eval_const_expressions_mutator (node=0x559e4c475f30, context=0x7ffe8b63fa80) at clauses.c:3539
#32 0x0000559e4b835514 in expression_tree_mutator (node=0x559e4c475718, mutator=0x559e4b8e8e70 <eval_const_expressions_mutator>, context=0x7ffe8b63fa80) at nodeFuncs.c:3012
#33 0x0000559e4b8eb86f in eval_const_expressions_mutator (node=0x559e4c475718, context=0x7ffe8b63fa80) at clauses.c:3539
#34 0x0000559e4b8e8e3e in eval_const_expressions (root=0x559e4c474508, node=0x559e4c475718) at clauses.c:2269
#35 0x0000559e4b8c4ca8 in preprocess_expression (root=0x559e4c474508, expr=0x559e4c475718, kind=1) at planner.c:1087
#36 0x0000559e4b8c3e8a in subquery_planner (glob=0x559e4c475aa8, parse=0x559e4c475448, parent_root=0x0, hasRecursion=false, tuple_fraction=0) at planner.c:769
#37 0x0000559e4b8c3216 in standard_planner (parse=0x559e4c475448, cursorOptions=256, boundParams=0x0) at planner.c:406
#38 0x0000559e4b8c2fae in planner (parse=0x559e4c475448, cursorOptions=256, boundParams=0x0) at planner.c:275
#39 0x0000559e4ba0510c in pg_plan_query (querytree=0x559e4c475448, cursorOptions=256, boundParams=0x0) at postgres.c:878
#40 0x0000559e4ba05270 in pg_plan_queries (querytrees=0x559e4c476050, cursorOptions=256, boundParams=0x0) at postgres.c:968
#41 0x0000559e4ba07ddb in exec_simple_query (
    query_string=0x559e4c49dbd0 "select ST_GeomFromGML('<gml:Curve id=\"id-69b216c9-2c07-434d-8664-e321b3697725-0\" srsDimension=\"2\" srsName=\"urn:x-ogc:def:crs:EPSG:28992\"> <gml:segments> <gml:LineStringSegment> \n<gml:posList>119675.91"...)
    at postgres.c:1143
#42 0x0000559e4ba072ed in PostgresMain (argc=1, argv=0x559e4c4a5928, dbname=0x559e4c4a5778 "template_postgis", username=0x559e4c4a5750 "postgres") at postgres.c:4247
#43 0x0000559e4b9374bf in BackendRun (port=0x559e4c499e10) at postmaster.c:4437
#44 0x0000559e4b936884 in BackendStartup (port=0x559e4c499e10) at postmaster.c:4128
#45 0x0000559e4b935736 in ServerLoop () at postmaster.c:1704
#46 0x0000559e4b932f24 in PostmasterMain (argc=3, argv=0x559e4c46e230) at postmaster.c:1377
#47 0x0000559e4b82eee1 in main (argc=3, argv=0x559e4c46e230) at main.c:228

The fact that it is crashing in an internal allocation (inside pg_plan_query) points to a possible Postgresql bug, but it's not obvious to me why calling malloc(8192) might crash like this:

(gdb) f 6
#6  0x0000559e4bc1d52e in AllocSetAlloc (context=0x559e4c58b6e0, size=128) at aset.c:914
warning: Source file is more recent than executable.
914                     block = (AllocBlock) malloc(blksize);
(gdb) p blksize
$1 = 8192

[Algunenano]

I also get a crash with a Ubuntu (16.04) VM with PG 9.5 + Postgis 2.2, but in this case I get a different error from glibc: malloc(): memory corruption

[Algunenano]

Does not crash with PG 11.5 + Postgis 2.5 in OSX Mojave.

[Algunenano]

Running under valgrind (which was way easier than I thought, I don't know why I hadn't done it before) show multiple errors:

mar 27 17:19:32 Mordor postgres[305622]: ==305622== Invalid write of size 8
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    at 0x4842779: memmove (vg_replace_strmem.c:1271)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BD3FC: parse_gml_curve (lwgeom_in_gml.c:1128)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC5E3: parse_gml (lwgeom_in_gml.c:1933)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC3A4: lwgeom_from_gml (lwgeom_in_gml.c:1877)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC275: geom_from_gml (lwgeom_in_gml.c:116)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CE734: ExecInterpExpr (execExprInterp.c:649)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CD9D6: ExecInterpExprStillValid (execExprInterp.c:1778)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62246A: ExecEvalExprSwitchContext (executor.h:307)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62231E: evaluate_expr (clauses.c:4812)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x6240E8: evaluate_function (clauses.c:4354)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x623387: simplify_function (clauses.c:3984)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x61F39A: eval_const_expressions_mutator (clauses.c:2477)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==  Address 0x83a2cc0 is 0 bytes after a block of size 8,272 alloc'd
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    at 0x483B77F: malloc (vg_replace_malloc.c:309)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x9530B4: AllocSetAlloc (aset.c:733)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x9602B7: palloc (mcxt.c:938)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x855CC72: pg_alloc (lwgeom_pg.c:201)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x8595F2B: lwalloc (lwutil.c:229)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x856AC36: ptarray_construct_empty (ptarray.c:73)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x856AB97: ptarray_construct (ptarray.c:53)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BD2F0: parse_gml_curve (lwgeom_in_gml.c:1117)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC5E3: parse_gml (lwgeom_in_gml.c:1933)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC3A4: lwgeom_from_gml (lwgeom_in_gml.c:1877)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC275: geom_from_gml (lwgeom_in_gml.c:116)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CE734: ExecInterpExpr (execExprInterp.c:649)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==
mar 27 17:19:32 Mordor postgres[305622]: ==305622== Conditional jump or move depends on uninitialised value(s)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    at 0x85A459D: ptarray_calculate_gbox_cartesian_3d (gbox.c:571)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A4185: ptarray_calculate_gbox_cartesian (gbox.c:625)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A4AF7: lwline_calculate_gbox_cartesian (gbox.c:688)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A49BC: lwgeom_calculate_gbox_cartesian (gbox.c:750)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x8571FB9: lwgeom_calculate_gbox (lwgeom.c:743)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x8571F4E: lwgeom_add_bbox (lwgeom.c:685)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC3D6: lwgeom_from_gml (lwgeom_in_gml.c:1887)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC275: geom_from_gml (lwgeom_in_gml.c:116)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CE734: ExecInterpExpr (execExprInterp.c:649)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CD9D6: ExecInterpExprStillValid (execExprInterp.c:1778)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62246A: ExecEvalExprSwitchContext (executor.h:307)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62231E: evaluate_expr (clauses.c:4812)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==
mar 27 17:19:32 Mordor postgres[305622]: ==305622== Conditional jump or move depends on uninitialised value(s)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    at 0x85A45E4: ptarray_calculate_gbox_cartesian_3d (gbox.c:572)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A4185: ptarray_calculate_gbox_cartesian (gbox.c:625)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A4AF7: lwline_calculate_gbox_cartesian (gbox.c:688)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x85A49BC: lwgeom_calculate_gbox_cartesian (gbox.c:750)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x8571FB9: lwgeom_calculate_gbox (lwgeom.c:743)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x8571F4E: lwgeom_add_bbox (lwgeom.c:685)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC3D6: lwgeom_from_gml (lwgeom_in_gml.c:1887)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x84BC275: geom_from_gml (lwgeom_in_gml.c:116)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CE734: ExecInterpExpr (execExprInterp.c:649)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x4CD9D6: ExecInterpExprStillValid (execExprInterp.c:1778)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62246A: ExecEvalExprSwitchContext (executor.h:307)
mar 27 17:19:32 Mordor postgres[305622]: ==305622==    by 0x62231E: evaluate_expr (clauses.c:4812)

There are multiple issues there. One in the bbox calculation and one in the copy of the data.

[Algunenano]

Pr with multiple fixes ​https://trac.osgeo.org/postgis/ticket/4652

In the end it wasn't a Postgresql issue, just Postgis' code overwritting memory where it shouldn't.

[mwjhartogs]

thanks a lot. That's really fast.

Is there a way to quick fix it without an update of Postgis?

[Algunenano]

I see that I linked the ticket instead of the PR; it's here: ​https://github.com/postgis/postgis/pull/550 I'll try to push it today.

Is there a way to quick fix it without an update of Postgis?

The postgis-*.so library needs to be updated / replaced.

[Raúl Marín <git@…>]

In 697a9bd/git:

parse_gml_curve: Fix multiple bugs

• ppa was leaked when lss == 1
• When lss > 1, was trying to copy an extra point at the end.

Closes ​https://github.com/postgis/postgis/pull/550
References #4652

[Raúl Marín <git@…>]

In b5cba66/git:

parse_gml_curve: Fix multiple bugs

• ppa was leaked when lss == 1
• When lss > 1, was trying to copy an extra point at the end.

References #4652

[Raúl Marín <git@…>]

In 6a790d0/git:

parse_gml_curve: Fix multiple bugs

• ppa was leaked when lss == 1
• When lss > 1, was trying to copy an extra point at the end.

References #4652

[Raúl Marín <git@…>]

In 74d8244/git:

parse_gml_curve: Fix multiple bugs

• ppa was leaked when lss == 1
• When lss > 1, was trying to copy an extra point at the end.

References #4652

[Raúl Marín <git@…>]

In cb4666e7/git:

parse_gml_curve: Fix multiple bugs

• ppa was leaked when lss == 1
• When lss > 1, was trying to copy an extra point at the end.

Closes #4652

[pramsey]

Running the #4652 test under OSX I'm seeing a complaint from PgSQL. Have you build your PgSQL —with-cassert?

WARNING:  detected write past chunk end in ExprContext 0x7fe6b280af18

[Algunenano]

Running the #4652 test under OSX I'm seeing a complaint from PgSQL. Have you build your PgSQL —with-cassert?

Yes, I added --enable-cassert --enable-debug to my build and I was seeing a similar error before the patch. After the patch I was getting only xml warnings IIRC; I'll try again to confirm it's gone.

[Algunenano]

Yeah, with master/HEAD I don't get any alerts, just this:

Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 34d-8664-e321b3697725-0" srsDimension="2" srsName="urn:x-ogc:def:crs:EPSG:28992"
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 697725-0" srsDimension="2" srsName="urn:x-ogc:def:crs:EPSG:28992"> <gml:segments
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 2" srsName="urn:x-ogc:def:crs:EPSG:28992"> <gml:segments> <gml:LineStringSegment
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: n:x-ogc:def:crs:EPSG:28992"> <gml:segments> <gml:LineStringSegment> <gml:posList
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 4 526439.868999999</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 9999</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment> <gml:posList
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]:  526440.2089999989</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment
Mar 30 23:21:27 balar postgres[49401]:                                                                                ^
Mar 30 23:21:27 balar postgres[49401]: namespace warning : Namespace prefix gml is not defined
Mar 30 23:21:27 balar postgres[49401]: 9989</gml:posList> </gml:LineStringSegment> <gml:LineStringSegment> <gml:posList
Mar 30 23:21:27 balar postgres[49401]

This is running Postgresql/REL_12_STABLE under Linux, both Postgresql and Postgis built with -O3.

Paul, what PG and Postgis version are you using? Are you running all tests or just the query manually?

[pramsey]

I am not seeing this anymore, so closing out. Heisenbug.