Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates.

Prior to v14, if we have a MULTIEXPR SubPlan (that is, use of the syntax
UPDATE ... SET (c1, ...) = (SELECT ...)) in an UPDATE with an inherited
or partitioned target table, inheritance_planner() will clone the
targetlist and therefore also the MULTIEXPR SubPlan and the Param nodes
referencing it for each child target table.  Up to now, we've allowed
all the clones to share the underlying subplan as well as the output
parameter IDs -- that is, the runtime ParamExecData slots.  That
technique is borrowed from the far older code that supports initplans,
and it works okay in that case because the cloned SubPlan nodes are
essentially identical.  So it doesn't matter which one of the clones
the shared ParamExecData.execPlan field might point to.

However, this fails to hold for MULTIEXPR SubPlans, because they can
have nonempty "args" lists (values to be passed into the subplan), and
those lists could get mutated to different states in the various clones.
In the submitted reproducer, as well as the test case added here, one
clone contains Vars with varno OUTER_VAR where another has INNER_VAR,
because the child tables are respectively on the outer or inner side of
the join.  Sharing the execPlan pointer can result in trying to evaluate
an args list that doesn't match the local execution state, with mayhem
ensuing.  The result often is to trigger consistency checks in the
executor, but I believe this could end in a crash or incorrect updates.

To fix, assign new Param IDs to each of the cloned SubPlans, so that
they don't share ParamExecData slots at runtime.  It still seems fine
for the clones to share the underlying subplan, and extra ParamExecData
slots are cheap enough that this fix shouldn't cost much.

This has been busted since we invented MULTIEXPR SubPlans in 9.5.
Probably the lack of previous reports is because query plans in which
the different clones of a MULTIEXPR mutate to effectively-different
states are pretty rare.  There's no issue in v14 and later, because
without inheritance_planner() there's never a reason to clone
MULTIEXPR SubPlans.

Per bug #17596 from Andre Lin.  Patch v10-v13 only.

Discussion: https://postgr.es/m/17596-c5357f61427a81dc@postgresql.org

1 files changed, 15 insertions, 0 deletions

diff --git a/src/backend/executor/nodeSubplan.c b/src/backend/executor/nodeSubplan.c
index 62ef1385710..ede4e4bbfae 100644
--- a/src/backend/executor/nodeSubplan.c
+++ b/src/backend/executor/nodeSubplan.c
@@ -246,6 +246,21 @@ ExecScanSubPlan(SubPlanState *node,
 	 * ones, so this should be safe.)  Unlike ExecReScanSetParamPlan, we do
 	 * *not* set bits in the parent plan node's chgParam, because we don't
 	 * want to cause a rescan of the parent.
+	 *
+	 * Note: we are also relying on MULTIEXPR SubPlans not sharing any output
+	 * parameters with other SubPlans, because if one does then it is unclear
+	 * which SubPlanState node the parameter's execPlan field will be pointing
+	 * to when we come to evaluate the parameter.  We can allow plain initplan
+	 * SubPlans to share output parameters, because it doesn't actually matter
+	 * which initplan SubPlan we reference as long as they all point to the
+	 * same underlying subplan.  However, that fails to hold for MULTIEXPRs
+	 * because they can have non-empty args lists, and the "same" args might
+	 * have mutated into different forms in different parts of a plan tree.
+	 * There is not a problem in ordinary queries because MULTIEXPR will
+	 * appear only in an UPDATE's top-level target list, so it won't get
+	 * duplicated anyplace.  However, when inheritance_planner clones a
+	 * partially-planned targetlist it must take care to assign non-duplicate
+	 * param IDs to the cloned copy.
 	 */
 	if (subLinkType == MULTIEXPR_SUBLINK)
 	{