
`SET` of property to `true OR true` causes crash

Open CelineWuest opened this issue 2 years ago • 5 comments

I found a bug using my cypher fuzzer.

When running the following query against an empty database:

CREATE (x) SET x.n0 = (true OR true)

The postgres instance crashes and goes into recovery mode.

I encountered this issue when testing queries against the apache/age:PG13_latest docker image.

Steps to reproduce

Spin up a local instance of apache/age:PG13_latest: docker run -e POSTGRES_PASSWORD=123 --rm --name age apache/age:PG13_latest

Get a shell in the docker container: docker exec -it age /bin/bash

Connect to postgres: su postgres -c psql

Run the following queries:

LOAD 'age';
SET search_path = ag_catalog, "$user", public;
SELECT create_graph('graph');
SELECT * FROM cypher('graph',$$
    CREATE (x) SET x.n0 = (true OR true)
$$) as (v agtype);

Expected behavior

The query should run successfully

Actual behavior

The database crashes

CelineWuest avatar May 05 '23 09:05 CelineWuest

gdb stacktrace:

#0  0x000055766192b3d8 in datumTransfer ()
#1  0x00005576617bdef4 in SPI_datumTransfer ()
#2  0x00007f1581ec5610 in plpgsql_exec_function ()
   from /usr/lib/postgresql/13/lib/plpgsql.so
#3  0x00007f1581ed0dd3 in plpgsql_call_handler ()
   from /usr/lib/postgresql/13/lib/plpgsql.so
#4  0x00005576617832e2 in ?? ()
#5  0x00007f158ae35644 in ExecEvalExprSwitchContext (isNull=0x7ffe97658227, 
    econtext=0x557662aa4360, state=0x557662aa4518)
    at /usr/include/postgresql/13/server/executor/executor.h:322
#6  ExecProject (projInfo=0x557662aa4510)
    at /usr/include/postgresql/13/server/executor/executor.h:356
#7  exec_cypher_create (node=<optimized out>)
    at src/backend/executor/cypher_create.c:248
#8  0x00005576617904e0 in ExecScan ()
#9  0x00007f158ae36efb in ExecProcNode (node=0x557662a607f8)
    at /usr/include/postgresql/13/server/executor/executor.h:248
#10 exec_cypher_set (node=0x557662a5ffc8)
    at src/backend/executor/cypher_set.c:627
#11 0x000055766178742d in standard_ExecutorRun ()
#12 0x00005576618f332b in ?? ()
#13 0x00005576618f48a8 in PortalRun ()
#14 0x00005576618f0301 in ?? ()
#15 0x00005576618f2454 in PostgresMain ()
#16 0x00005576618794a5 in ?? ()
#17 0x000055766187a3f4 in PostmasterMain ()
#18 0x00005576615fc046 in main ()

CelineWuest avatar May 05 '23 14:05 CelineWuest

@DominicWuest Working on it.

jrgemignani avatar May 08 '23 21:05 jrgemignani

This is due to the improper usage of a function. The function requires AGTYPE input but is given something else. In this specific case, it is given a boolean, which is passed by value. However, the function is expecting AGTYPE, which is passed by reference.

jrgemignani avatar May 08 '23 21:05 jrgemignani
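The comment above describes the root cause as a Datum that is passed by value (a bool, whose Datum is literally 0 or 1) being handed to a function that expects a pass-by-reference agtype (whose Datum is a pointer). The following stand-alone C program, added here as an illustration and not Apache AGE's or PostgreSQL's own code, models that mix-up: it mirrors PostgreSQL's Datum macros, but the `agtype` struct layout, the `AGTYPEOID` value and all function names are assumptions made for the example. `unchecked_to_agtype` shows the faulty pattern (the "pointer" it returns for `true` is address 0x1), and `checked_to_agtype` shows the defensive pattern of dispatching on the type OID before dereferencing anything.

```c
/* Added illustration of the by-value vs by-reference Datum mix-up. This is a
 * stand-alone model, not Apache AGE's or PostgreSQL's own code: the macros
 * mirror PostgreSQL's Datum conventions, but the agtype struct, the AGTYPEOID
 * value and the function names are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uintptr_t Datum;   /* every SQL value crosses a function boundary as one of these */
typedef uint32_t  Oid;

#define BOOLOID   16       /* PostgreSQL's real OID for bool */
#define AGTYPEOID 99001    /* assumed: agtype's OID is assigned when the extension is created */

/* pass-by-value types: the Datum *is* the value */
#define BoolGetDatum(b)    ((Datum)((b) ? 1 : 0))
#define DatumGetBool(d)    ((d) != 0)
/* pass-by-reference types: the Datum is a pointer to the object */
#define PointerGetDatum(p) ((Datum)(p))
#define DatumGetPointer(d) ((void *)(d))

/* Stand-in for agtype: a varlena-style length header plus one scalar. */
typedef struct {
    uint32_t vl_len;
    int      is_bool;
    int      bool_val;
} agtype;

agtype *agtype_from_bool(int b)
{
    agtype *a = malloc(sizeof *a);
    if (a == NULL) abort();
    a->vl_len   = (uint32_t) sizeof *a;
    a->is_bool  = 1;
    a->bool_val = b ? 1 : 0;
    return a;
}

/* The faulty pattern: treat whatever Datum arrives as a pointer to agtype.
 * For BoolGetDatum(true) this yields the address 0x1; the first read through
 * it is the SIGSEGV that puts the backend into recovery. It is defined here
 * only to show the returned "pointer" and is never dereferenced. */
agtype *unchecked_to_agtype(Datum d)
{
    return (agtype *) DatumGetPointer(d);
}

/* The defensive pattern: consult the type OID before interpreting the Datum.
 * A by-value bool is wrapped into a fresh agtype; an unknown type yields NULL
 * so the caller can raise an error instead of crashing the backend. */
agtype *checked_to_agtype(Datum d, Oid type_oid)
{
    switch (type_oid) {
    case AGTYPEOID:
        return (agtype *) DatumGetPointer(d);
    case BOOLOID:
        return agtype_from_bool(DatumGetBool(d));
    default:
        return NULL;
    }
}

/* In this model, the value that reaches SET for `x.n0 = (true OR true)` is a
 * plain bool Datum tagged BOOLOID rather than an agtype (assumed here). */
Datum evaluate_true_or_true(Oid *type_oid_out)
{
    int result = 1 || 1;
    *type_oid_out = BOOLOID;
    return BoolGetDatum(result);
}

/* A reference Datum must come back as the same pointer it was built from. */
int reference_datum_roundtrips(void)
{
    agtype *a = agtype_from_bool(0);
    agtype *back = checked_to_agtype(PointerGetDatum(a), AGTYPEOID);
    int ok = (back == a);
    free(a);
    return ok;
}

int main(void)
{
    Oid type_oid;
    Datum d = evaluate_true_or_true(&type_oid);

    printf("unchecked: would dereference %p\n", (void *) unchecked_to_agtype(d));

    agtype *a = checked_to_agtype(d, type_oid);
    printf("checked:   agtype{is_bool=%d, bool_val=%d}\n", a->is_bool, a->bool_val);
    free(a);
    return 0;
}
```

The check that matters is the `switch` on the type OID: a function that accepts a Datum of more than one possible type must know which one it got before choosing between `DatumGetBool` and `DatumGetPointer`, because nothing in the Datum itself distinguishes the integer 1 from a pointer.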

Created a PR for the master to correct this https://github.com/apache/age/pull/904

jrgemignani avatar May 09 '23 00:05 jrgemignani

@DominicWuest This issue is resolved in the master branch. The other branches will be updated in the near future.

jrgemignani avatar May 09 '23 15:05 jrgemignani