From d1c6edd31d6c3e6d173d47a64a3b28660705def7 Mon Sep 17 00:00:00 2001 From: Alvaro Herrera Date: Sat, 27 Feb 2021 18:09:15 -0300 Subject: [PATCH] Fix use-after-free bug with AfterTriggersTableData.storeslot AfterTriggerSaveEvent() wrongly allocates the slot in execution-span memory context, whereas the correct thing is to allocate it in a transaction-span context, because that's where the enclosing AfterTriggersTableData instance belongs into. Backpatch to 12 (the test back to 11, where it works well with no code changes, and it's good to have to confirm that the case was previously well supported); this bug seems introduced by commit ff11e7f4b9ae. Reported-by: Bertrand Drouvot Author: Amit Langote Discussion: https://postgr.es/m/39a71864-b120-5a5c-8cc5-c632b6f16761@amazon.com
---
 src/test/regress/expected/triggers.out | 59 +++++++++++++++++++++++
 src/test/regress/sql/triggers.sql | 65 ++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
diff --git a/src/test/regress/expected/triggers.out b/src/test/regress/expected/triggers.out
index df6c2498e7..3fb0d3edd1 100644
--- a/src/test/regress/expected/triggers.out
+++ b/src/test/regress/expected/triggers.out
@@ -3027,3 +3027,62 @@ drop table self_ref;
 drop function dump_insert();
 drop function dump_update();
 drop function dump_delete();
+-- verify transition table conversion slot's lifetime
+-- https://postgr.es/m/39a71864-b120-5a5c-8cc5-c632b6f16761@amazon.com
+create table convslot_test_parent (col1 text primary key);
+create table convslot_test_child (col1 text primary key,
+ foreign key (col1) references convslot_test_parent(col1) on delete cascade on update cascade
+);
+alter table convslot_test_child add column col2 text not null default 'tutu';
+insert into convslot_test_parent(col1) values ('1');
+insert into convslot_test_child(col1) values ('1');
+insert into convslot_test_parent(col1) values ('3');
+insert into convslot_test_child(col1) values ('3');
+create or replace function trigger_function1()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, old_table = %',
+ TG_NAME,
+ (select string_agg(old_table::text, ', ' order by col1) from old_table);
+return null;
+end; $$;
+create or replace function trigger_function2()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, new table = %',
+ TG_NAME,
+ (select string_agg(new_table::text, ', ' order by col1) from new_table);
+return null;
+end; $$;
+create trigger but_trigger after update on convslot_test_child
+referencing new table as new_table
+for each statement execute function trigger_function2();
+update convslot_test_parent set col1 = col1 || '1';
+NOTICE: trigger = but_trigger, new table = (11,tutu), (31,tutu)
+create or replace function trigger_function3()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, old_table = %, new table = %',
+ TG_NAME,
+ (select string_agg(old_table::text, ', ' order by col1) from old_table),
+ (select string_agg(new_table::text, ', ' order by col1) from new_table);
+return null;
+end; $$;
+create trigger but_trigger2 after update on convslot_test_child
+referencing old table as old_table new table as new_table
+for each statement execute function trigger_function3();
+update convslot_test_parent set col1 = col1 || '1';
+NOTICE: trigger = but_trigger, new table = (111,tutu), (311,tutu)
+NOTICE: trigger = but_trigger2, old_table = (11,tutu), (31,tutu), new table = (111,tutu), (311,tutu)
+create trigger bdt_trigger after delete on convslot_test_child
+referencing old table as old_table
+for each statement execute function trigger_function1();
+delete from convslot_test_parent;
+NOTICE: trigger = bdt_trigger, old_table = (111,tutu), (311,tutu)
+drop table convslot_test_child, convslot_test_parent;
diff --git a/src/test/regress/sql/triggers.sql b/src/test/regress/sql/triggers.sql
index 06043b2020..ba0bd90548 100644
--- a/src/test/regress/sql/triggers.sql
+++ b/src/test/regress/sql/triggers.sql
@@ -2274,3 +2274,68 @@ drop table self_ref;
 drop function dump_insert();
 drop function dump_update();
 drop function dump_delete();
+
+-- verify transition table conversion slot's lifetime
+-- https://postgr.es/m/39a71864-b120-5a5c-8cc5-c632b6f16761@amazon.com
+create table convslot_test_parent (col1 text primary key);
+create table convslot_test_child (col1 text primary key,
+ foreign key (col1) references convslot_test_parent(col1) on delete cascade on update cascade
+);
+
+alter table convslot_test_child add column col2 text not null default 'tutu';
+insert into convslot_test_parent(col1) values ('1');
+insert into convslot_test_child(col1) values ('1');
+insert into convslot_test_parent(col1) values ('3');
+insert into convslot_test_child(col1) values ('3');
+
+create or replace function trigger_function1()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, old_table = %',
+ TG_NAME,
+ (select string_agg(old_table::text, ', ' order by col1) from old_table);
+return null;
+end; $$;
+
+create or replace function trigger_function2()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, new table = %',
+ TG_NAME,
+ (select string_agg(new_table::text, ', ' order by col1) from new_table);
+return null;
+end; $$;
+
+create trigger but_trigger after update on convslot_test_child
+referencing new table as new_table
+for each statement execute function trigger_function2();
+
+update convslot_test_parent set col1 = col1 || '1';
+
+create or replace function trigger_function3()
+returns trigger
+language plpgsql
+AS $$
+begin
+raise notice 'trigger = %, old_table = %, new table = %',
+ TG_NAME,
+ (select string_agg(old_table::text, ', ' order by col1) from old_table),
+ (select string_agg(new_table::text, ', ' order by col1) from new_table);
+return null;
+end; $$;
+
+create trigger but_trigger2 after update on convslot_test_child
+referencing old table as old_table new table as new_table
+for each statement execute function trigger_function3();
+update convslot_test_parent set col1 = col1 || '1';
+
+create trigger bdt_trigger after delete on convslot_test_child
+referencing old table as old_table
+for each statement execute function trigger_function1();
+delete from convslot_test_parent;
+
+drop table convslot_test_child, convslot_test_parent;
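Review bot: The new test ends with `drop table convslot_test_child, convslot_test_parent;` but never drops trigger_function1(), trigger_function2() or trigger_function3(), whereas the context lines at the top of the hunk show the preceding test dropping its own functions (`drop function dump_insert();` and so on). Because the three functions are created with `create or replace` under generic names, they would also silently overwrite any same-named function already present in the regression database. I would add `drop function trigger_function1(), trigger_function2(), trigger_function3();` after the final drop table, with the matching line in expected/triggers.out, or give the functions a `convslot_` prefix like the tables. The header comment could also say why the cascading foreign key and two parent rows are needed; the commit message describes a use-after-free, which presumably shows up reliably only on builds that clobber freed memory, so a one-line comment such as `-- most reliably caught on builds that clobber freed memory` would be worth adding once confirmed.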