Prevent access to no-longer-pinned buffer in heapam_tuple_lock().
heap_fetch() used to have a "keep_buf" parameter that told it to return ownership of the buffer pin to the caller after finding that the requested tuple TID exists but is invisible to the specified snapshot. This was thoughtlessly removed in commit5db6df0c0, which broke heapam_tuple_lock() (formerly EvalPlanQualFetch) because that function needs to do more accesses to the tuple even if it's invisible. The net effect is that we would continue to touch the page for a microsecond or two after releasing pin on the buffer. Usually no harm would result; but if a different session decided to defragment the page concurrently, we could see garbage data and mistakenly conclude that there's no newer tuple version to chain up to. (It's hard to say whether this has happened in the field. The bug was actually found thanks to a later change that allowed valgrind to detect accesses to non-pinned buffers.) The most reasonable way to fix this is to reintroduce keep_buf, although I made it behave slightly differently: buffer ownership is passed back only if there is a valid tuple at the requested TID. In HEAD, we can just add the parameter back to heap_fetch(). To avoid an API break in the back branches, introduce an additional function heap_fetch_extended() in those branches. In HEAD there is an additional, less obvious API change: tuple->t_data will be set to NULL in all cases where buffer ownership is not returned, in particular when the tuple exists but fails the time qual (and !keep_buf). This is to defend against any other callers attempting to access non-pinned buffers. We concluded that making that change in back branches would be more likely to introduce problems than cure any. In passing, remove a comment about heap_fetch that was obsoleted by9a8ee1dc6. Per bug #17462 from Daniil Anisimov. Back-patch to v12 where the bug was introduced. Discussion: https://postgr.es/m/17462-9c98a0f00df9bd36@postgresql.org
This commit is contained in:
Tom Lane
parent
ea669b8088
commit
c590e514a9
|
|
@ -1576,10 +1576,13 @@ heap_getnextslot_tidrange(TableScanDesc sscan, ScanDirection direction,
|
|||
* must unpin the buffer when done with the tuple.
|
||||
*
|
||||
* If the tuple is not found (ie, item number references a deleted slot),
|
||||
* then tuple->t_data is set to NULL and false is returned.
|
||||
* then tuple->t_data is set to NULL, *userbuf is set to InvalidBuffer,
|
||||
* and false is returned.
|
||||
*
|
||||
* If the tuple is found but fails the time qual check, then false is returned
|
||||
* but tuple->t_data is left pointing to the tuple.
|
||||
* and *userbuf is set to InvalidBuffer, but tuple->t_data is left pointing
|
||||
* to the tuple. (Note that it is unsafe to dereference tuple->t_data in
|
||||
* this case, but callers might choose to test it for NULL-ness.)
|
||||
*
|
||||
* heap_fetch does not follow HOT chains: only the exact TID requested will
|
||||
* be fetched.
|
||||
|
|
@ -1598,6 +1601,25 @@ heap_fetch(Relation relation,
|
|||
Snapshot snapshot,
|
||||
HeapTuple tuple,
|
||||
Buffer *userbuf)
|
||||
{
|
||||
return heap_fetch_extended(relation, snapshot, tuple, userbuf, false);
|
||||
}
|
||||
|
||||
/*
|
||||
* heap_fetch_extended - fetch tuple even if it fails snapshot test
|
||||
*
|
||||
* If keep_buf is true, then upon finding a tuple that is valid but fails
|
||||
* the snapshot check, we return the tuple pointer in tuple->t_data and the
|
||||
* buffer ID in *userbuf, keeping the buffer pin, just as if it had passed
|
||||
* the snapshot. (The function result is still "false" though.)
|
||||
* If keep_buf is false then this behaves identically to heap_fetch().
|
||||
*/
|
||||
bool
|
||||
heap_fetch_extended(Relation relation,
|
||||
Snapshot snapshot,
|
||||
HeapTuple tuple,
|
||||
Buffer *userbuf,
|
||||
bool keep_buf)
|
||||
{
|
||||
ItemPointer tid = &(tuple->t_self);
|
||||
ItemId lp;
|
||||
|
|
@ -1680,9 +1702,14 @@ heap_fetch(Relation relation,
|
|||
return true;
|
||||
}
|
||||
|
||||
/* Tuple failed time qual */
|
||||
ReleaseBuffer(buffer);
|
||||
*userbuf = InvalidBuffer;
|
||||
/* Tuple failed time qual, but maybe caller wants to see it anyway. */
|
||||
if (keep_buf)
|
||||
*userbuf = buffer;
|
||||
else
|
||||
{
|
||||
ReleaseBuffer(buffer);
|
||||
*userbuf = InvalidBuffer;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
|
@ -1705,8 +1732,7 @@ heap_fetch(Relation relation,
|
|||
* are vacuumable, false if not.
|
||||
*
|
||||
* Unlike heap_fetch, the caller must already have pin and (at least) share
|
||||
* lock on the buffer; it is still pinned/locked at exit. Also unlike
|
||||
* heap_fetch, we do not report any pgstats count; caller may do so if wanted.
|
||||
* lock on the buffer; it is still pinned/locked at exit.
|
||||
*/
|
||||
bool
|
||||
heap_hot_search_buffer(ItemPointer tid, Relation relation, Buffer buffer,
|
||||
|
|
|
|||
|
|
@ -401,7 +401,8 @@ tuple_lock_retry:
|
|||
errmsg("tuple to be locked was already moved to another partition due to concurrent update")));
|
||||
|
||||
tuple->t_self = *tid;
|
||||
if (heap_fetch(relation, &SnapshotDirty, tuple, &buffer))
|
||||
if (heap_fetch_extended(relation, &SnapshotDirty, tuple,
|
||||
&buffer, true))
|
||||
{
|
||||
/*
|
||||
* If xmin isn't what we're expecting, the slot must have
|
||||
|
|
@ -500,6 +501,7 @@ tuple_lock_retry:
|
|||
*/
|
||||
if (tuple->t_data == NULL)
|
||||
{
|
||||
Assert(!BufferIsValid(buffer));
|
||||
return TM_Deleted;
|
||||
}
|
||||
|
||||
|
|
@ -509,8 +511,7 @@ tuple_lock_retry:
|
|||
if (!TransactionIdEquals(HeapTupleHeaderGetXmin(tuple->t_data),
|
||||
priorXmax))
|
||||
{
|
||||
if (BufferIsValid(buffer))
|
||||
ReleaseBuffer(buffer);
|
||||
ReleaseBuffer(buffer);
|
||||
return TM_Deleted;
|
||||
}
|
||||
|
||||
|
|
@ -526,13 +527,12 @@ tuple_lock_retry:
|
|||
*
|
||||
* As above, it should be safe to examine xmax and t_ctid
|
||||
* without the buffer content lock, because they can't be
|
||||
* changing.
|
||||
* changing. We'd better hold a buffer pin though.
|
||||
*/
|
||||
if (ItemPointerEquals(&tuple->t_self, &tuple->t_data->t_ctid))
|
||||
{
|
||||
/* deleted, so forget about it */
|
||||
if (BufferIsValid(buffer))
|
||||
ReleaseBuffer(buffer);
|
||||
ReleaseBuffer(buffer);
|
||||
return TM_Deleted;
|
||||
}
|
||||
|
||||
|
|
@ -540,8 +540,7 @@ tuple_lock_retry:
|
|||
*tid = tuple->t_data->t_ctid;
|
||||
/* updated row should have xmin matching this xmax */
|
||||
priorXmax = HeapTupleHeaderGetUpdateXid(tuple->t_data);
|
||||
if (BufferIsValid(buffer))
|
||||
ReleaseBuffer(buffer);
|
||||
ReleaseBuffer(buffer);
|
||||
/* loop back to fetch next in chain */
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -134,6 +134,9 @@ extern bool heap_getnextslot_tidrange(TableScanDesc sscan,
|
|||
TupleTableSlot *slot);
|
||||
extern bool heap_fetch(Relation relation, Snapshot snapshot,
|
||||
HeapTuple tuple, Buffer *userbuf);
|
||||
extern bool heap_fetch_extended(Relation relation, Snapshot snapshot,
|
||||
HeapTuple tuple, Buffer *userbuf,
|
||||
bool keep_buf);
|
||||
extern bool heap_hot_search_buffer(ItemPointer tid, Relation relation,
|
||||
Buffer buffer, Snapshot snapshot, HeapTuple heapTuple,
|
||||
bool *all_dead, bool first_call);
|
||||
|
|
|
|||
Loading…
Reference in New Issue