diff options
| author | Andres Freund <andres@anarazel.de> | 2019-06-18 15:51:04 -0700 |
|---|---|---|
| committer | Andres Freund <andres@anarazel.de> | 2019-06-18 15:51:04 -0700 |
| commit | 23224563d97913aa824d04c498d59ad4d85fda38 (patch) | |
| tree | 9bec0b63d91c70997d72e1167cedec1ec8d91e3b /src | |
| parent | 8b21b416ed621501db3be38817c298c57470524f (diff) | |
| download | postgresql-23224563d97913aa824d04c498d59ad4d85fda38.tar.gz postgresql-23224563d97913aa824d04c498d59ad4d85fda38.zip | |
Fix memory corruption/crash in ANALYZE.
This fixes an embarrassing oversight I (Andres) made in 737a292b,
namely missing two place where liverows/deadrows were used when
converting those variables to pointers, leading to incrementing the
pointer, rather than the value.
It's not that actually that easy to trigger a crash: One needs tuples
deleted by the current transaction, followed by a tuple deleted in
another session, all in one page. Which is presumably why this hasn't
been noticed before.
Reported-By: Steve Singer
Author: Steve Singer
Discussion: https://postgr.es/m/c7988239-d42c-ddc4-41db-171b23b35e4f@ssinger.info
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/access/heap/heapam_handler.c | 4 | ||||
| -rw-r--r-- | src/test/regress/expected/vacuum.out | 12 | ||||
| -rw-r--r-- | src/test/regress/sql/vacuum.sql | 13 |
3 files changed, 27 insertions, 2 deletions
diff --git a/src/backend/access/heap/heapam_handler.c b/src/backend/access/heap/heapam_handler.c index b7d2ddbbdcf..fc19f40a2e3 100644 --- a/src/backend/access/heap/heapam_handler.c +++ b/src/backend/access/heap/heapam_handler.c @@ -1113,11 +1113,11 @@ heapam_scan_analyze_next_tuple(TableScanDesc scan, TransactionId OldestXmin, * concurrent transaction never commits. */ if (TransactionIdIsCurrentTransactionId(HeapTupleHeaderGetUpdateXid(targtuple->t_data))) - deadrows += 1; + *deadrows += 1; else { sample_it = true; - liverows += 1; + *liverows += 1; } break; diff --git a/src/test/regress/expected/vacuum.out b/src/test/regress/expected/vacuum.out index 21a167fc16f..f944b93fd6f 100644 --- a/src/test/regress/expected/vacuum.out +++ b/src/test/regress/expected/vacuum.out @@ -71,6 +71,18 @@ ANALYZE vaccluster; ERROR: ANALYZE cannot be executed from VACUUM or ANALYZE CONTEXT: SQL function "do_analyze" statement 1 SQL function "wrap_do_analyze" statement 1 +-- Test ANALYZE in transaction, where the transaction surrounding +-- analyze performed modifications. This tests for the bug at +-- https://postgr.es/m/c7988239-d42c-ddc4-41db-171b23b35e4f%40ssinger.info +-- (which hopefully is unlikely to be reintroduced), but also seems +-- independently worthwhile to cover. +INSERT INTO vactst SELECT generate_series(1, 300); +DELETE FROM vactst WHERE i % 7 = 0; -- delete a few rows outside +BEGIN; +INSERT INTO vactst SELECT generate_series(301, 400); +DELETE FROM vactst WHERE i % 5 <> 0; -- delete a few rows inside +ANALYZE vactst; +COMMIT; VACUUM FULL pg_am; VACUUM FULL pg_class; VACUUM FULL pg_database; diff --git a/src/test/regress/sql/vacuum.sql b/src/test/regress/sql/vacuum.sql index a558580feaf..16748e1823f 100644 --- a/src/test/regress/sql/vacuum.sql +++ b/src/test/regress/sql/vacuum.sql @@ -54,6 +54,19 @@ CREATE INDEX ON vaccluster(wrap_do_analyze(i)); INSERT INTO vaccluster VALUES (1), (2); ANALYZE vaccluster; +-- Test ANALYZE in transaction, where the transaction surrounding +-- analyze performed modifications. This tests for the bug at +-- https://postgr.es/m/c7988239-d42c-ddc4-41db-171b23b35e4f%40ssinger.info +-- (which hopefully is unlikely to be reintroduced), but also seems +-- independently worthwhile to cover. +INSERT INTO vactst SELECT generate_series(1, 300); +DELETE FROM vactst WHERE i % 7 = 0; -- delete a few rows outside +BEGIN; +INSERT INTO vactst SELECT generate_series(301, 400); +DELETE FROM vactst WHERE i % 5 <> 0; -- delete a few rows inside +ANALYZE vactst; +COMMIT; + VACUUM FULL pg_am; VACUUM FULL pg_class; VACUUM FULL pg_database; |