[HACKERS] Two division by 0 errors in optimizer/plan/planner.c and optimizer/path/costsize.c

[Piotr Stefaniak]

Hi,

using sqlsmith and UBSan I have found these two division by zero errors:
src/backend/optimizer/plan/planner.c:4846
        /* Convert absolute # of tuples to a fraction; no need to clamp */
        if (tuple_fraction >= 1.0)
        {
                tuple_fraction /= best_path->rows;
        }

and

src/backend/optimizer/path/costsize.c:3029
                if (subplan->subLinkType == EXISTS_SUBLINK)
                {
                        /* we only need to fetch 1 tuple */
                        sp_cost.per_tuple += plan_run_cost / plan->plan_rows;
                }

The first is triggered by this query (reduced by me from the original 
query string generated by sqlsmith):

select 1
from (
  select ref_0.location as c0
  from public.city as ref_0
) as subq_0
where EXISTS (
  select 1
  from (
    select sample_0.collname as c0
    from pg_catalog.pg_collation as sample_0
  ) as subq_1
  right join public.tt5 as ref_2
    inner join pg_catalog.pg_constraint as ref_4
    on (ref_2.z = ref_4.coninhcount )
  on (subq_1.c0 = ref_4.conname ),
  lateral (
    select 1
    from public.shoelace_candelete as ref_5
    where false
  ) as subq_2
);

#0  get_cheapest_fractional_path (rel=0x7ffff7ec32a8, tuple_fraction=1) 
at src/backend/optimizer/plan/planner.c:4846
#1  0x00000000007422a1 in make_subplan (root=0xf49778, 
orig_subquery=0x7ffff7f593c8, subLinkType=EXISTS_SUBLINK, subLinkId=0, 
testexpr=0x0, isTopQual=1 '\001') at 
src/backend/optimizer/plan/subselect.c:546
#2  0x000000000074470d in process_sublinks_mutator (node=0x7ffff7f610b0, 
context=0x7fffffffd900) at src/backend/optimizer/plan/subselect.c:1974
#3  0x0000000000744670 in SS_process_sublinks (root=0xf49778, 
expr=0x7ffff7f610b0, isQual=1 '\001') at 
src/backend/optimizer/plan/subselect.c:1947
#4  0x0000000000736621 in preprocess_expression (root=0xf49778, 
expr=0x7ffff7f610b0, kind=0) at src/backend/optimizer/plan/planner.c:848
#5  0x0000000000736700 in preprocess_qual_conditions (root=0xf49778, 
jtnode=0xf5f790) at src/backend/optimizer/plan/planner.c:893
#6  0x0000000000735ff3 in subquery_planner (glob=0xf3ef70, 
parse=0xf3e9a0, parent_root=0x0, hasRecursion=0 '\000', 
tuple_fraction=0) at src/backend/optimizer/plan/planner.c:600
#7  0x000000000073566b in standard_planner (parse=0xf3e9a0, 
cursorOptions=256, boundParams=0x0) at 
src/backend/optimizer/plan/planner.c:307
#8  0x00000000007353ad in planner (parse=0xf3e9a0, cursorOptions=256, 
boundParams=0x0) at src/backend/optimizer/plan/planner.c:177
#9  0x0000000000800d3b in pg_plan_query (querytree=0xf3e9a0, 
cursorOptions=256, boundParams=0x0) at src/backend/tcop/postgres.c:798
#10 0x0000000000800dee in pg_plan_queries (querytrees=0xf53648, 
cursorOptions=256, boundParams=0x0) at src/backend/tcop/postgres.c:857
#11 0x0000000000801093 in exec_simple_query (query_string=0xf07dd8 
"select 1\nfrom (\n  select ref_0.location as c0\n  from public.city as 
ref_0\n) as subq_0\nwhere EXISTS (\n  select 1\n  from (\n    select 
sample_0.collname as c0\n    from pg_catalog.pg_collation as sample_0\n 
 ) as subq_1\n  right join public.tt5 as ref_2\n    inner join 
pg_catalog.pg_constraint as ref_4\n    on (ref_2.z = ref_4.coninhcount 
)\n  on (subq_1.c0 = ref_4.conname ),\n  lateral (\n    select 1\n 
from public.shoelace_candelete as ref_5\n    where false\n  ) as 
subq_2\n);") at src/backend/tcop/postgres.c:1022
#12 0x0000000000805355 in PostgresMain (argc=1, argv=0xe95ee0, 
dbname=0xe95d40 "regression", username=0xe95d20 "me") at 
src/backend/tcop/postgres.c:4059
#13 0x000000000077ed44 in BackendRun (port=0xeb2f80) at 
src/backend/postmaster/postmaster.c:4258
#14 0x000000000077e4a8 in BackendStartup (port=0xeb2f80) at 
src/backend/postmaster/postmaster.c:3932
#15 0x000000000077ac2c in ServerLoop () at 
src/backend/postmaster/postmaster.c:1690
#16 0x000000000077a261 in PostmasterMain (argc=5, argv=0xe94e10) at 
src/backend/postmaster/postmaster.c:1298
#17 0x00000000006c623c in main (argc=5, argv=0xe94e10) at 
src/backend/main/main.c:228

The second one is triggered by this (again, reduced from the original):

select 1
from public.tt5 as subq_0
where EXISTS (
  select 1
  from public.b_star as ref_0
  where false
);

#0  cost_subplan (root=0xf3e718, subplan=0xf42780, plan=0xf3fcd8) at 
src/backend/optimizer/path/costsize.c:3029
#1  0x0000000000742eb9 in build_subplan (root=0xf3e718, plan=0xf3fcd8, 
subroot=0xf3f6a8, plan_params=0x0, subLinkType=EXISTS_SUBLINK, 
subLinkId=0, testexpr=0x0, adjust_testexpr=1 '\001', unknownEqFalse=1 
'\001') at src/backend/optimizer/plan/subselect.c:887
#2  0x00000000007422c0 in make_subplan (root=0xf3e718, 
orig_subquery=0xf09628, subLinkType=EXISTS_SUBLINK, subLinkId=0, 
testexpr=0x0, isTopQual=1 '\001') at 
src/backend/optimizer/plan/subselect.c:551
#3  0x00000000007446d7 in process_sublinks_mutator (node=0xf3f100, 
context=0x7fffffffd900) at src/backend/optimizer/plan/subselect.c:1974
#4  0x000000000074463a in SS_process_sublinks (root=0xf3e718, 
expr=0xf3f100, isQual=1 '\001') at 
src/backend/optimizer/plan/subselect.c:1947
#5  0x0000000000736621 in preprocess_expression (root=0xf3e718, 
expr=0xf3f100, kind=0) at src/backend/optimizer/plan/planner.c:848
#6  0x0000000000736700 in preprocess_qual_conditions (root=0xf3e718, 
jtnode=0xf3e9b0) at src/backend/optimizer/plan/planner.c:893
#7  0x0000000000735ff3 in subquery_planner (glob=0xf09740, 
parse=0xf093a0, parent_root=0x0, hasRecursion=0 '\000', 
tuple_fraction=0) at src/backend/optimizer/plan/planner.c:600
#8  0x000000000073566b in standard_planner (parse=0xf093a0, 
cursorOptions=256, boundParams=0x0) at 
src/backend/optimizer/plan/planner.c:307
#9  0x00000000007353ad in planner (parse=0xf093a0, cursorOptions=256, 
boundParams=0x0) at src/backend/optimizer/plan/planner.c:177
#10 0x0000000000800d05 in pg_plan_query (querytree=0xf093a0, 
cursorOptions=256, boundParams=0x0) at src/backend/tcop/postgres.c:798
#11 0x0000000000800db8 in pg_plan_queries (querytrees=0xf3e6b8, 
cursorOptions=256, boundParams=0x0) at src/backend/tcop/postgres.c:857
#12 0x000000000080105d in exec_simple_query (query_string=0xf07dd8 
"select 1\nfrom public.tt5 as subq_0\nwhere EXISTS (\n  select 1\n  from 
public.b_star as ref_0\n  where false\n);") at 
src/backend/tcop/postgres.c:1022
#13 0x000000000080531f in PostgresMain (argc=1, argv=0xe95ee0, 
dbname=0xe95d40 "regression", username=0xe95d20 "me") at 
src/backend/tcop/postgres.c:4059
#14 0x000000000077ed0e in BackendRun (port=0xeb2f80) at 
src/backend/postmaster/postmaster.c:4258
#15 0x000000000077e472 in BackendStartup (port=0xeb2f80) at 
src/backend/postmaster/postmaster.c:3932
#16 0x000000000077abf6 in ServerLoop () at 
src/backend/postmaster/postmaster.c:1690
#17 0x000000000077a22b in PostmasterMain (argc=5, argv=0xe94e10) at 
src/backend/postmaster/postmaster.c:1298
#18 0x00000000006c623c in main (argc=5, argv=0xe94e10) at 
src/backend/main/main.c:228


(the back-traces are slightly redacted for readability).


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers