Обсуждение: COPY FROM/TO losing a single byte of a multibyte UTF-8 sequence
Hello fine PostgreSQL bug-busters, I'm having a rather annoying problem - a particular string is causing the Postgres COPY functionality to lose a byte, causingdata corruption in backups and transferred data. First, the environment - PostgreSQL 8.4.4 on i386-apple-darwin10.3.0, compiled by GCC i686-apple-darwin10-gcc-4.2.1 (GCC) 4.2.1 (Apple Inc. build5646) (dot 1), 64-bit Mac OS X 10.6.4 [steven@xxx:~]% psql --version psql (PostgreSQL) 8.4.4 contains support for command-line editing Now, the setup: Name | Owner | Encoding | Collation | Ctype | Access privileges | Size |Tablespace | Description baddb | xxxxxxx_production | UTF8 | en_US.utf-8 | en_US.utf-8 | | 207 MB |pg_default | baddb=> create table badtable (a int, b int, c character varying, d character varying, e character varying, f character varying[],g text, h character varying[],i character varying[], j character varying[], k character varying[], l charactervarying[], m character varying[], n character varying[],o character varying, p character varying); baddb=> \copy badtable from '/tmp/data.copy' baddb=> \copy badtable to '/tmp/badness.copy' baddb=> \copy badtable from '/tmp/badness.copy' ERROR: invalid byte sequence for encoding "UTF8": 0xcf2c HINT: This error can also happen if the byte sequence does not match the encoding expected by the server, which is controlledby "client_encoding". CONTEXT: COPY badtable, line 1 Obviously, this wouldn't be too helpful without the datafile in question: 1 2377510 FOURSQUARE 1403504 Pizza Hut {} \N {} {} {} {Pizza} {πίτσα,hut,food,ζωγράφου,pizza,eat,zografou} {} \N \N \N Since this is likely to be eaten by various mail clients or lost in translation, please find attached a TGZ of the data filein question. The hexdump shows exactly what goes wrong: [steven@xxx:/tmp]% hexdump -C data.copy 00000000 31 09 32 33 37 37 35 31 30 09 46 4f 55 52 53 51 |1.2377510.FOURSQ| 00000010 55 41 52 45 09 31 34 30 33 35 30 34 09 50 69 7a |UARE.1403504.Piz| 00000020 7a 61 20 48 75 74 09 7b 7d 09 5c 4e 09 7b 7d 09 |za Hut.{}.\N.{}.| 00000030 7b 7d 09 7b 7d 09 7b 50 69 7a 7a 61 7d 09 7b cf |{}.{}.{Pizza}.{.| 00000040 80 ce af cf 84 cf 83 ce b1 2c 68 75 74 2c 66 6f |.........,hut,fo| 00000050 6f 64 2c ce b6 cf 89 ce b3 cf 81 ce ac cf 86 ce |od,.............| 00000060 bf cf 85 2c 70 69 7a 7a 61 2c 65 61 74 2c 7a 6f |...,pizza,eat,zo| 00000070 67 72 61 66 6f 75 7d 09 7b 7d 09 5c 4e 09 5c 4e |grafou}.{}.\N.\N| 00000080 09 5c 4e 0a |.\N.| 00000084 [steven@xxx:/tmp]% hexdump -C badness.out 00000000 31 09 32 33 37 37 35 31 30 09 46 4f 55 52 53 51 |1.2377510.FOURSQ| 00000010 55 41 52 45 09 31 34 30 33 35 30 34 09 50 69 7a |UARE.1403504.Piz| 00000020 7a 61 20 48 75 74 09 7b 7d 09 5c 4e 09 7b 7d 09 |za Hut.{}.\N.{}.| 00000030 7b 7d 09 7b 7d 09 7b 50 69 7a 7a 61 7d 09 7b cf |{}.{}.{Pizza}.{.| 00000040 80 ce af cf 84 cf 83 ce b1 2c 68 75 74 2c 66 6f |.........,hut,fo| 00000050 6f 64 2c ce b6 cf 89 ce b3 cf 81 ce ac cf 86 ce |od,.............| 00000060 bf cf 2c 70 69 7a 7a 61 2c 65 61 74 2c 7a 6f 67 |..,pizza,eat,zog| 00000070 72 61 66 6f 75 7d 09 7b 7d 09 5c 4e 09 5c 4e 09 |rafou}.{}.\N.\N.| 00000080 5c 4e 0a |\N.| Note offset 0x62: 00000060 bf cf 85 2c 70 69 7a 7a 61 2c 65 61 74 2c 7a 6f |...,pizza,eat,zo| 00000060 bf cf 2c 70 69 7a 7a 61 2c 65 61 74 2c 7a 6f 67 |..,pizza,eat,zog| The 0xCF85 multibyte UTF-8 character was truncated to 0xCF! When I try to reimport it, it goes in as CF2C (the 2C is thefollowing comma) which is not valid and matches the error printed by the client. I can reproduce this problem using the JDBC driver as well, so I do not think it is a PSQL bug but instead a PostgreSQL backendproblem. I could be wrong, of course. Interestingly enough, this problem *does not* happen on a different machine - PostgreSQL 8.4.4 on x86_64-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 64-bit (stock Ubuntu package) I can reliably reproduce it on two different Macs, though. As with all random email posters, I'm not actually subscribed to the list - please keep me on the CC for replies. I would very much appreciate help tracking this down! Thanks for your time :) Steven Schlansker
Вложения
Steven Schlansker <steven@trumpet.io> writes: > I'm having a rather annoying problem - a particular string is causing the Postgres COPY functionality to lose a byte, causingdata corruption in backups and transferred data. I was able to reproduce this on my own Mac. Some tracing shows that the problem is that isspace(0x85) returns true when in locale en_US.utf-8. This causes array_in to drop the final byte of the array element string, thinking that it's insignificant whitespace. I believe that you must not have produced the data file data.copy on a Mac, or at least not in that locale setting, because array_out should have double-quoted the array element given that behavior of isspace(). Now, it's probably less than sane for isspace() to be behaving that way, since in a UTF8-based locale 0x85 can't be regarded as a valid character code at all. But I'm not hopeful about the results of filing a bug with Apple, because their UTF8-based locales have a lot of other bu^H^Hdubious behaviors too, which they appear not to care much about. In any case, stepping back and taking a larger viewpoint, it seems unsafe for array_in/array_out to have any locale-sensitive behavior anyhow. As an example, in a LATINx locale it is entirely sane for isspace() to return true for 0xA0, while it should certainly not do so in C locale. This means we are at risk of data corruption, ie dropping a valid data character, when an array value starting or ending with 0xA0 is dumped from a C-locale database and loaded into a LATINx-locale one. So it seems like the safest answer is to modify array_in/array_out to use an ASCII-only definition of isspace(). I believe this is traditionally defined as space, tab, CR, LF, VT, FF. We could perhaps trim that further, like just space and tab, but there might be some risk of breaking client code that expects the other traditional whitespace to be ignored. I'm not sure if there are any other places with similar risks. hstore's I/O routines contain isspace calls, but I haven't analyzed the implications. There is an isspace call in record_out but it is just there for cosmetic purposes and doesn't protect any decisions in record_in, so I think it's okay if it makes platform/locale-dependent choices. Comments? regards, tom lane
Steven Schlansker <steven@trumpet.io> writes: > On Aug 19, 2010, at 2:35 PM, Tom Lane wrote: >> I was able to reproduce this on my own Mac. Some tracing shows that the >> problem is that isspace(0x85) returns true when in locale en_US.utf-8. >> This causes array_in to drop the final byte of the array element string, >> thinking that it's insignificant whitespace. > The 0x85 seems to be the second byte of a multibyte UTF-8 > sequence. Check. > I'm not at all experienced with character encodings so I could > be totally off base, but isn't it wrong to ever call isspace(0x85), > whatever the result may be, given that the actual character is 0xCF85? > (U+03C5, GREEK SMALL LETTER UPSILON) We generally assume that in server-safe encodings, the ctype.h functions will behave sanely on any single-byte value. You can argue the wisdom of that, but deciding to change that policy would be a rather massive code change; I'm not excited about going that direction. >> I believe that you must >> not have produced the data file data.copy on a Mac, or at least not in >> that locale setting, because array_out should have double-quoted the >> array element given that behavior of isspace(). > Correct, it was produced on a Linux machine. That said, the charset > there was also UTF-8. Right ... but you had an isspace function that meets our expectations. > I actually can't reproduce that behavior here: You need a setlocale() call, else the program acts as though it's in C locale regardless of environment. My test case looks like this: $ cat isspace.c #include <stdio.h> #include <ctype.h> #include <locale.h> int main() { int c; setlocale(LC_ALL, ""); for (c = 1; c < 256; c++) { if (isspace(c)) printf("%3o is space\n", c); } return 0; } $ gcc -O -Wall isspace.c $ LANG=C ./a.out11 is space12 is space13 is space14 is space15 is space40 is space $ LANG=en_US.utf-8 ./a.out11 is space12 is space13 is space14 is space15 is space40 is space 205 is space 240 is space $ regards, tom lane
> We generally assume that in server-safe encodings, the ctype.h functions > will behave sanely on any single-byte value. I think this "wisedom" is only true for C locale. I'm not surprised all that it does not work with non C locales. From array_funcs.c: while (isspace((unsigned char) *p)) p++; IMO this should be something like: while (isspace((unsigned char) *p)) p += pg_mblen(p); -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese: http://www.sraoss.co.jp
On Aug 19, 2010, at 2:35 PM, Tom Lane wrote: > Steven Schlansker <steven@trumpet.io> writes: >> I'm having a rather annoying problem - a particular string is causing the Postgres COPY functionality to lose a byte,causing data corruption in backups and transferred data. > > I was able to reproduce this on my own Mac. Some tracing shows that the > problem is that isspace(0x85) returns true when in locale en_US.utf-8. > This causes array_in to drop the final byte of the array element string, > thinking that it's insignificant whitespace. The 0x85 seems to be the second byte of a multibyte UTF-8 sequence. I'm not at all experienced with character encodings so I could be totally off base, but isn't it wrong to ever call isspace(0x85), whatever the result may be, given that the actual character is 0xCF85? (U+03C5, GREEK SMALL LETTER UPSILON) > I believe that you must > not have produced the data file data.copy on a Mac, or at least not in > that locale setting, because array_out should have double-quoted the > array element given that behavior of isspace(). Correct, it was produced on a Linux machine. That said, the charset there was also UTF-8. > > Now, it's probably less than sane for isspace() to be behaving that way, > since in a UTF8-based locale 0x85 can't be regarded as a valid character > code at all. But I'm not hopeful about the results of filing a bug with > Apple, because their UTF8-based locales have a lot of other bu^H^Hdubious > behaviors too, which they appear not to care much about. I actually can't reproduce that behavior here: #include <ctype.h> #include <stdio.h> int main() { printf("%d\n", isspace(0x85)); return 0; } [steven@xxx:~]% gcc -o test test.c [steven@xxx:~]% ./test 0 [steven@xxx:~]% locale LANG="en_US.utf-8" LC_COLLATE="en_US.utf-8" LC_CTYPE="en_US.utf-8" LC_MESSAGES="en_US.utf-8" LC_MONETARY="en_US.utf-8" LC_NUMERIC="en_US.utf-8" LC_TIME="en_US.utf-8" LC_ALL= [steven@xxx:~]% uname -a Darwin xxx.local 10.4.0 Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386 i386i386 Thanks much for your help, Steven Schlansker
On Aug 19, 2010, at 3:24 PM, Tom Lane wrote: > Steven Schlansker <steven@trumpet.io> writes: >> >> I'm not at all experienced with character encodings so I could >> be totally off base, but isn't it wrong to ever call isspace(0x85), >> whatever the result may be, given that the actual character is 0xCF85? >> (U+03C5, GREEK SMALL LETTER UPSILON) > > We generally assume that in server-safe encodings, the ctype.h functions > will behave sanely on any single-byte value. You can argue the wisdom > of that, but deciding to change that policy would be a rather massive > code change; I'm not excited about going that direction. Fair enough. I presume there are no "server-safe encodings" for which a multibyte sequence 0x XX20 would be valid - which would break anyway (as the second byte looks like a real space) > You need a setlocale() call, else the program acts as though it's in C > locale regardless of environment. Sigh. I hate C sometimes. :-p Anyway, it looks like this is actually a BSD bug which got copy + pasted into Apple's Darwin source - http://lists.freebsd.org/pipermail/freebsd-i18n/2007-September/000157.html I have a couple of contacts at Apple so I'll see if there's any interest in backporting a fix, but I wouldn't hope for it to happen quickly if at all... Thanks for taking a look into fixing this, I hope you guys can reach consensus on how to get it fixed :) Best, Steven Schlansker
Tatsuo Ishii <ishii@sraoss.co.jp> writes: >> We generally assume that in server-safe encodings, the ctype.h functions >> will behave sanely on any single-byte value. > I think this "wisedom" is only true for C locale. I'm not surprised > all that it does not work with non C locales. > From array_funcs.c: > while (isspace((unsigned char) *p)) > p++; > IMO this should be something like: > while (isspace((unsigned char) *p)) > p += pg_mblen(p); I don't think that's likely to help at all. The risk is that isspace will do something not-sane with a fragment of a character. If it's not coded to guard against that, it's just as likely to give wrong results for the leading byte as for non-leading bytes. (In the case at hand, I think the underlying problem is that it imagines what it's given is a Unicode code point, not a byte of a UTF8 string. There apparently aren't any code points in the range U+00C0 - U+00FF for which isspace is true, but that's not true for isalpha for example.) If we were going to try to code around this, we'd need to change all these loops to look something like while ((isascii((unsigned char) *p) || pg_database_encoding_max_length() == 1) && isspace((unsignedchar) *p)) p += pg_mblen(p); // or p++, it wouldn't matter However, given the limited number of platforms where this is an issue and the fact that it is an acknowledged bug on those platforms, I'm not eager to go there. In any case, no matter whether we changed that or not, we'd still have the problem that it's a bad idea to have any locale-dependent behavior in array_in; and the behavior *would* still be locale-dependent, at least in single-byte encodings. regards, tom lane
Steven Schlansker <steven@trumpet.io> writes: > On Aug 19, 2010, at 3:24 PM, Tom Lane wrote: >> We generally assume that in server-safe encodings, the ctype.h functions >> will behave sanely on any single-byte value. You can argue the wisdom >> of that, but deciding to change that policy would be a rather massive >> code change; I'm not excited about going that direction. > Fair enough. I presume there are no "server-safe encodings" for which > a multibyte sequence 0x XX20 would be valid - which would break anyway > (as the second byte looks like a real space) Right: our definition of a "server-safe encoding" is precisely that no byte of a multibyte character looks like ASCII, ie all bytes have their high bit set. We're essentially assuming that the <ctype.h> functions will all return false for any byte with the high bit set, if the selected encoding is multibyte. > Anyway, it looks like this is actually a BSD bug which got copy + > pasted into Apple's Darwin source - > http://lists.freebsd.org/pipermail/freebsd-i18n/2007-September/000157.html Interesting. So the BSD people did fix it upstream? regards, tom lane
Steven Schlansker <steven@trumpet.io> writes: > Anyway, it looks like this is actually a BSD bug which got copy + > pasted into Apple's Darwin source - > http://lists.freebsd.org/pipermail/freebsd-i18n/2007-September/000157.html I've applied a patch for this to HEAD & 9.0: http://archives.postgresql.org/pgsql-committers/2010-08/msg00273.php I'm reluctant to back-patch it into already-released branches, though. Given the lack of prior reports, the odds of breaking something for somebody in a minor release seem to outweigh the odds of doing good. But you could easily drop it into a local copy of 8.4 if you wish. regards, tom lane