Describe the bug
substring() may crash Apache AGE when its start-offset argument is null.
In the minimized repro below, evaluating substring('abc', null, 1) terminates the backend connection instead of producing a normal query result or a normal query-level error.
How are you accessing AGE (Command line, driver, etc.)?
- PostgreSQL
cypher(...) wrapper through the local Python differential-testing harness
- Reproducible directly in
psql inside the Docker container
What data setup do we need to do?
SELECT create_graph('expr_substring_bug');No graph data is required beyond creating an empty graph.
What is the necessary configuration info needed?
- Plain Apache AGE Docker image was enough
- Docker image in local repro:
apache/age
- AGE extension version:
1.7.0
- PostgreSQL version:
18.1
- Graph name used in repro:
expr_substring_bug
- No extra extensions or special configuration were required
What is the command that caused the error?
SELECT * FROM cypher('expr_substring_bug', $$
RETURN substring('abc', null, 1) AS v
$$) AS (v agtype);Returned result on AGE:
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
Expected behavior
The query should not crash the server.
For comparison:
- Neo4j returns
null for the equivalent Cypher query
- Memgraph reports a normal query error for the invalid null numeric argument
Either behavior would be far safer than terminating the backend process.
Environment (please complete the following information):
- Version: Apache AGE
1.7.0
- PostgreSQL:
18.1
- Host OS: Windows
- Architecture: x86_64
- Deployment: Docker
Additional context
Two nearby control cases behave normally on the same AGE instance:
- A fully non-null call succeeds:
SELECT * FROM cypher('expr_substring_bug', $$
RETURN substring('abc', 1, 1) AS v
$$) AS (v agtype);Observed result:
- A null input string is handled without crashing:
SELECT * FROM cypher('expr_substring_bug', $$
RETURN substring(null, 1, 1) AS v
$$) AS (v agtype);Observed result:
There is also an adjacent non-crashing null case:
SELECT * FROM cypher('expr_substring_bug', $$
RETURN substring('abc', 1, null) AS v
$$) AS (v agtype);Observed AGE behavior:
ERROR: substring() offset or length cannot be null
So this appears narrower than a generic substring(..., null, ...) validation problem: a null length is rejected normally, but a null start offset crashes the server.
Describe the bug
substring()may crash Apache AGE when its start-offset argument isnull.In the minimized repro below, evaluating
substring('abc', null, 1)terminates the backend connection instead of producing a normal query result or a normal query-level error.How are you accessing AGE (Command line, driver, etc.)?
cypher(...)wrapper through the local Python differential-testing harnesspsqlinside the Docker containerWhat data setup do we need to do?
No graph data is required beyond creating an empty graph.
What is the necessary configuration info needed?
apache/age1.7.018.1expr_substring_bugWhat is the command that caused the error?
Returned result on AGE:
Expected behavior
The query should not crash the server.
For comparison:
nullfor the equivalent Cypher queryEither behavior would be far safer than terminating the backend process.
Environment (please complete the following information):
1.7.018.1Additional context
Two nearby control cases behave normally on the same AGE instance:
Observed result:
Observed result:
There is also an adjacent non-crashing null case:
Observed AGE behavior:
So this appears narrower than a generic
substring(..., null, ...)validation problem: anulllength is rejected normally, but anullstart offset crashes the server.