Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vrCRc-008dDO-2H for pgsql-bugs@arkaria.postgresql.org; Sat, 14 Feb 2026 10:00:08 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vrCRb-00HNYc-12 for pgsql-bugs@arkaria.postgresql.org; Sat, 14 Feb 2026 10:00:07 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vrCRa-00HNYU-30 for pgsql-bugs@lists.postgresql.org; Sat, 14 Feb 2026 10:00:07 +0000 Received: from mail-wm1-x341.google.com ([2a00:1450:4864:20::341]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1vrCRX-00000000a9i-3rfd for pgsql-bugs@lists.postgresql.org; Sat, 14 Feb 2026 10:00:05 +0000 Received: by mail-wm1-x341.google.com with SMTP id 5b1f17b1804b1-48375f10628so7853625e9.1 for ; Sat, 14 Feb 2026 02:00:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771063202; x=1771668002; darn=lists.postgresql.org; h=in-reply-to:from:content-language:references:to:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=XeoST94EwojPqzP2+p2Nek52O2J/YpPe1bbh4n7xiXQ=; b=dGau2Z2TOt6eqp5O9YIoZuhRTaWuMD5YWDCWZ5IrndIRkfL821PcH+eB1CbfO/JmSo ZdmUvXnjQ3+q4yZ+Y5MTgY9Em03xBdAPsbnnnsKGPmSxFHZ0Rs6bwvTvKckBPuCR19Fw yMgdUekjMaxHvyrbCpJcEwoMVF7GjpZe39H2xoaq5/jhslFFpFxySjfGB2nwMaskXO1M OGfNLunSXcPB9p2rKyFi7Mi5TvUCnimymccgrT+e6KEK8BtCs+2mMfV/kmRzwRevppzs TtJUYyFW2SX7d5HxgUDRNdMDL2PilsU+LfwuFJULyKcxHPXcL/8xm3YqJs2Wi3yyyWjC tFpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771063202; x=1771668002; h=in-reply-to:from:content-language:references:to:subject:user-agent :mime-version:date:message-id:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XeoST94EwojPqzP2+p2Nek52O2J/YpPe1bbh4n7xiXQ=; b=L20ycWStKXBJKL2UqXSRlHKugb982rm6/wW7E8mvQ9yZDlkx+E/k82UPRLd2SRev26 3Spu0Rn7pcA68USBlG8hrKm7JWywgLbjt/nO38IS1S5sOZtXgQnQMJmv8yUkxEW/Djxu 0lq2hiY1dDub+w9EbaYyYAP7kptI2kdTBMKXglcJtb+NqdLS09LUyl/ZA4ENYO2s5sxb CPKhAuxS4zWbRou7GyUBfJkpyMi7xOqC3mCF5F2VfMiHGPcAwb2LDQHq18k5BH/u2mVk 4HPYGYKBzpONmOmmcQKQsKH7ydpWbLgBw7ux6bj9+isMcQHQ05f5/KSsxPcA2WlnuAqm nqCg== X-Forwarded-Encrypted: i=1; AJvYcCUR0AFupksy666Vd8SGKAWNkHdy5ZbsTqbPmxOjONcHx9sM5w7E5A5s5/+4DdDiIVSU3a/a1EgVrk2p@lists.postgresql.org X-Gm-Message-State: AOJu0YwwRjR1XB9OZdtqALYTt+FpLkgJEUHWX+7FPD0QDaN4gahz2Uxb H1q3H+/ngiVowE+de2e+kqzyqIKm2PjbzHMRXrO8xM2ZJd20ThDnWJZzm4QzAj7RUKA= X-Gm-Gg: AZuq6aKRjeHaq6qBuVpcN9bAylfz76wvpSQ9/dCRxWsAcQwV3ZQ+32WM7d2+6tibvHO GFfOytCR5XoqIxSHSH5d5XA/4zNuKfSNZuRGi2HYBlPW+PXCrSylqojJyICL2UBcDJZwCAya2Zh yYvYhwzETXjoGRa6u/mU3pBhV0/Frlp0XeaaNLlfx40KkrIUvpC9eYBelAlZk6MwMc30EZ3V4fd ZLtVxBfdtfX4CSZKo1V3EC8LxqKbcj4hIQ4DBJfJXYmKKWRFRJCGm/rxb/pw/fip+JX4WyVVgG4 EnS542lmEAfgRo99q0fQi0dGwXx6jcej3V/5mEi/9uzYYAOFl/9wGlNBJsYkAB+uHVS8arZvDZP zGJiLp8hMoht3fWUalWAgE63/Zif4KdLyrKFf7Z6fZ7HrfGoXseM50tMnxgzcr/nPoIs9BuzftY OZV7tN3xLeGQlC5vA/n6IEiwsGluabISP/MaU= X-Received: by 2002:a05:600c:c108:b0:483:78c7:e1c1 with SMTP id 5b1f17b1804b1-48378c7e1d3mr40972355e9.12.1771063201733; Sat, 14 Feb 2026 02:00:01 -0800 (PST) Received: from [192.168.0.50] ([89.149.93.164]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4836cd7af87sm165071395e9.1.2026.02.14.02.00.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 14 Feb 2026 02:00:01 -0800 (PST) Content-Type: multipart/alternative; boundary="------------afVkH0QrvP4HmyIQKoCC3xpj" Message-ID: Date: Sat, 14 Feb 2026 12:00:00 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: BUG #19405: Assertion in eval_windowaggregates() fails due to integer overflow To: Richard Guo , pgsql-bugs@lists.postgresql.org References: <19405-1ecf025dda171555@postgresql.org> Content-Language: en-US From: Alexander Lakhin In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------afVkH0QrvP4HmyIQKoCC3xpj Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hello Richard, 14.02.2026 11:41, Richard Guo wrote: > On Fri, Feb 13, 2026 at 7:09 PM PG Bug reporting form > wrote: >> The following script: >> CREATE TABLE t (i integer); >> INSERT INTO t SELECT g FROM generate_series(1, 2) g; >> SELECT SUM(i) OVER (ROWS BETWEEN 1 PRECEDING AND 0x7fffffffffffffff >> FOLLOWING EXCLUDE CURRENT ROW) FROM t; > Thanks for the report. Reproduced here. > > It seems to be caused by a signed integer overflow in row_is_in_frame > when calculating the frame's end position: > > if (pos > winstate->currentpos + offset) > return -1; > > When offset is very large (close to INT64_MAX, as in the reported > case), the addition can overflow, in which case the result would wrap > to a negative number (with -fwrapv), causing the comparison to > incorrectly return true. In release builds, this causes valid rows to > be excluded from the window frame. In debug builds, it leads to an > assertion failure. > > I think we can fix this by leveraging the overflow-aware integer > operation (ie, pg_add_s64_overflow) to perform the addition here. If > an overflow is detected, we can assume the frame boundary extends to > the end of the partition, meaning the current row is within the frame. Thank you for looking at this! The patch works for me, but I've just discovered one more similar anomaly: SELECT SUM(i) OVER (ROWS BETWEEN 0x7fffffffffffffff FOLLOWING AND 1 FOLLOWING), i FROM t; ERROR:  XX000: window frame head moved backward LOCATION:  eval_windowaggregates, nodeWindowAgg.c:782 Best regards, Alexander --------------afVkH0QrvP4HmyIQKoCC3xpj Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit
Hello Richard,

14.02.2026 11:41, Richard Guo wrote:
On Fri, Feb 13, 2026 at 7:09 PM PG Bug reporting form
<noreply@postgresql.org> wrote:

The following script:
CREATE TABLE t (i integer);
INSERT INTO t SELECT g FROM generate_series(1, 2) g;
SELECT SUM(i) OVER (ROWS BETWEEN 1 PRECEDING AND 0x7fffffffffffffff
FOLLOWING EXCLUDE CURRENT ROW) FROM t;

Thanks for the report.  Reproduced here.

It seems to be caused by a signed integer overflow in row_is_in_frame
when calculating the frame's end position:

            if (pos > winstate->currentpos + offset)
                return -1;

When offset is very large (close to INT64_MAX, as in the reported
case), the addition can overflow, in which case the result would wrap
to a negative number (with -fwrapv), causing the comparison to
incorrectly return true.  In release builds, this causes valid rows to
be excluded from the window frame.  In debug builds, it leads to an
assertion failure.

I think we can fix this by leveraging the overflow-aware integer
operation (ie, pg_add_s64_overflow) to perform the addition here.  If
an overflow is detected, we can assume the frame boundary extends to
the end of the partition, meaning the current row is within the frame.

Thank you for looking at this!

The patch works for me, but I've just discovered one more similar anomaly:
SELECT SUM(i) OVER (ROWS BETWEEN 0x7fffffffffffffff FOLLOWING AND 1 FOLLOWING), i FROM t;

ERROR:  XX000: window frame head moved backward
LOCATION:  eval_windowaggregates, nodeWindowAgg.c:782

Best regards,
Alexander
--------------afVkH0QrvP4HmyIQKoCC3xpj--