public inbox for [email protected]
help / color / mirror / Atom feedFrom: Richard Guo <[email protected]>
To: [email protected]
To: [email protected]
Subject: Re: BUG #19405: Assertion in eval_windowaggregates() fails due to integer overflow
Date: Sat, 14 Feb 2026 18:41:00 +0900
Message-ID: <CAMbWs4_GnG0NYnsBZJpHG-BLo28euD6VUx0WhFd4Ur6RaLr5WQ@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
On Fri, Feb 13, 2026 at 7:09 PM PG Bug reporting form
<[email protected]> wrote:
> The following script:
> CREATE TABLE t (i integer);
> INSERT INTO t SELECT g FROM generate_series(1, 2) g;
> SELECT SUM(i) OVER (ROWS BETWEEN 1 PRECEDING AND 0x7fffffffffffffff
> FOLLOWING EXCLUDE CURRENT ROW) FROM t;
Thanks for the report. Reproduced here.
It seems to be caused by a signed integer overflow in row_is_in_frame
when calculating the frame's end position:
if (pos > winstate->currentpos + offset)
return -1;
When offset is very large (close to INT64_MAX, as in the reported
case), the addition can overflow, in which case the result would wrap
to a negative number (with -fwrapv), causing the comparison to
incorrectly return true. In release builds, this causes valid rows to
be excluded from the window frame. In debug builds, it leads to an
assertion failure.
I think we can fix this by leveraging the overflow-aware integer
operation (ie, pg_add_s64_overflow) to perform the addition here. If
an overflow is detected, we can assume the frame boundary extends to
the end of the partition, meaning the current row is within the frame.
- Richard
Attachments:
[application/octet-stream] v1-0001-Fix-signed-integer-overflow-in-nodeWindowAgg.c.patch (1.4K, 2-v1-0001-Fix-signed-integer-overflow-in-nodeWindowAgg.c.patch)
download | inline diff:
From 7f31ab39795afa496899cef62d16852d12e2ec31 Mon Sep 17 00:00:00 2001
From: Richard Guo <[email protected]>
Date: Sat, 14 Feb 2026 18:16:27 +0900
Subject: [PATCH v1] Fix signed integer overflow in nodeWindowAgg.c
---
src/backend/executor/nodeWindowAgg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/backend/executor/nodeWindowAgg.c b/src/backend/executor/nodeWindowAgg.c
index d9b64b0f465..06519d4df70 100644
--- a/src/backend/executor/nodeWindowAgg.c
+++ b/src/backend/executor/nodeWindowAgg.c
@@ -37,6 +37,7 @@
#include "catalog/objectaccess.h"
#include "catalog/pg_aggregate.h"
#include "catalog/pg_proc.h"
+#include "common/int.h"
#include "executor/executor.h"
#include "executor/nodeWindowAgg.h"
#include "miscadmin.h"
@@ -1532,12 +1533,17 @@ row_is_in_frame(WindowObject winobj, int64 pos, TupleTableSlot *slot,
if (frameOptions & FRAMEOPTION_ROWS)
{
int64 offset = DatumGetInt64(winstate->endOffsetValue);
+ int64 target_pos;
/* rows after current row + offset are out of frame */
if (frameOptions & FRAMEOPTION_END_OFFSET_PRECEDING)
offset = -offset;
- if (pos > winstate->currentpos + offset)
+ if (pg_add_s64_overflow(winstate->currentpos, offset, &target_pos))
+ {
+ /* overflow: frame extends to end of partition */
+ }
+ else if (pos > target_pos)
return -1;
}
else if (frameOptions & (FRAMEOPTION_RANGE | FRAMEOPTION_GROUPS))
--
2.39.5 (Apple Git-154)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: BUG #19405: Assertion in eval_windowaggregates() fails due to integer overflow
In-Reply-To: <CAMbWs4_GnG0NYnsBZJpHG-BLo28euD6VUx0WhFd4Ur6RaLr5WQ@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox