Fix core dump in QTNodeCompare when tsquery_cmp() is applied to two empty

tglsfdc · tglsfdc · commit 57641a165ffa · 2010-08-03T00:10:39.000Z
tsqueries.  CompareTSQ has to have a guard for the case rather than blindly
applying QTNodeCompare to random data past the end of the datums.  Also,
change QTNodeCompare to be a little less trusting: use an actual test rather
than just Assert'ing that the input is sane.  Problem encountered while
investigating another issue (I saw a core dump in autoanalyze on a table
containing multiple empty tsquery values).

Back-patch to all branches with tsquery support.

In HEAD, also fix some bizarre (though not outright wrong) coding in
tsq_mcontains().
diff --git a/src/backend/utils/adt/tsquery_op.c b/src/backend/utils/adt/tsquery_op.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_op.c,v 1.8 2010/01/02 16:57:55 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_op.c,v 1.9 2010/08/03 00:10:39 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -149,7 +149,7 @@ CompareTSQ(TSQuery a, TSQuery b)
 	{
 		return (VARSIZE(a) < VARSIZE(b)) ? -1 : 1;
 	}
-	else
+	else if (a->size != 0)
 	{
 		QTNode	   *an = QT2QTN(GETQUERY(a), GETOPERAND(a));
 		QTNode	   *bn = QT2QTN(GETQUERY(b), GETOPERAND(b));
@@ -247,20 +247,20 @@ tsq_mcontains(PG_FUNCTION_ARGS)
 		PG_RETURN_BOOL(false);
 	}
 
+	iq = GETQUERY(query);
 	ie = GETQUERY(ex);
 
 	for (i = 0; i < ex->size; i++)
 	{
-		iq = GETQUERY(query);
 		if (ie[i].type != QI_VAL)
 			continue;
 		for (j = 0; j < query->size; j++)
-			if (iq[j].type == QI_VAL && ie[i].qoperand.valcrc == iq[j].qoperand.valcrc)
-			{
-				j = query->size + 1;
+		{
+			if (iq[j].type == QI_VAL &&
+				ie[i].qoperand.valcrc == iq[j].qoperand.valcrc)
 				break;
-			}
-		if (j == query->size)
+		}
+		if (j >= query->size)
 		{
 			PG_FREE_IF_COPY(query, 0);
 			PG_FREE_IF_COPY(ex, 1);
diff --git a/src/backend/utils/adt/tsquery_util.c b/src/backend/utils/adt/tsquery_util.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_util.c,v 1.13 2010/01/02 16:57:55 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_util.c,v 1.14 2010/08/03 00:10:39 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -113,20 +113,23 @@ QTNodeCompare(QTNode *an, QTNode *bn)
 		}
 		return 0;
 	}
-	else
+	else if (an->valnode->type == QI_VAL)
 	{
 		QueryOperand *ao = &an->valnode->qoperand;
 		QueryOperand *bo = &bn->valnode->qoperand;
 
-		Assert(an->valnode->type == QI_VAL);
-
 		if (ao->valcrc != bo->valcrc)
 		{
 			return (ao->valcrc > bo->valcrc) ? -1 : 1;
 		}
 
 		return tsCompareString(an->word, ao->length, bn->word, bo->length, false);
 	}
+	else
+	{
+		elog(ERROR, "unrecognized QueryItem type: %d", an->valnode->type);
+		return 0;				/* keep compiler quiet */
+	}
 }
 
 static int

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`*`
`8`	`8`	`*`
`9`	`9`	`* IDENTIFICATION`
`10`		`- * $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_op.c,v 1.8 2010/01/02 16:57:55 momjian Exp $`
	`10`	`+ * $PostgreSQL: pgsql/src/backend/utils/adt/tsquery_op.c,v 1.9 2010/08/03 00:10:39 tgl Exp $`
`11`	`11`	`*`
`12`	`12`	`*-------------------------------------------------------------------------`
`13`	`13`	`*/`
`@@ -149,7 +149,7 @@ CompareTSQ(TSQuery a, TSQuery b)`
`149`	`149`	`{`
`150`	`150`	`return (VARSIZE(a) < VARSIZE(b)) ? -1 : 1;`
`151`	`151`	`}`
`152`		`- else`
	`152`	`+ else if (a->size != 0)`
`153`	`153`	`{`
`154`	`154`	`QTNode *an = QT2QTN(GETQUERY(a), GETOPERAND(a));`
`155`	`155`	`QTNode *bn = QT2QTN(GETQUERY(b), GETOPERAND(b));`
`@@ -247,20 +247,20 @@ tsq_mcontains(PG_FUNCTION_ARGS)`
`247`	`247`	`PG_RETURN_BOOL(false);`
`248`	`248`	`}`
`249`	`249`
	`250`	`+ iq = GETQUERY(query);`
`250`	`251`	`ie = GETQUERY(ex);`
`251`	`252`
`252`	`253`	`for (i = 0; i < ex->size; i++)`
`253`	`254`	`{`
`254`		`- iq = GETQUERY(query);`
`255`	`255`	`if (ie[i].type != QI_VAL)`
`256`	`256`	`continue;`
`257`	`257`	`for (j = 0; j < query->size; j++)`
`258`		`- if (iq[j].type == QI_VAL && ie[i].qoperand.valcrc == iq[j].qoperand.valcrc)`
`259`		`- {`
`260`		`- j = query->size + 1;`
	`258`	`+ {`
	`259`	`+ if (iq[j].type == QI_VAL &&`
	`260`	`+ ie[i].qoperand.valcrc == iq[j].qoperand.valcrc)`
`261`	`261`	`break;`
`262`		`- }`
`263`		`- if (j == query->size)`
	`262`	`+ }`
	`263`	`+ if (j >= query->size)`
`264`	`264`	`{`
`265`	`265`	`PG_FREE_IF_COPY(query, 0);`
`266`	`266`	`PG_FREE_IF_COPY(ex, 1);`