BUG #15703: Segfault in cancelled CALL-Statements

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: julian(dot)schauder(at)gmx(dot)de
Subject: BUG #15703: Segfault in cancelled CALL-Statements
Date: 2019-03-19 10:04:55
Message-ID: 15703-c12c5bc0ea34ba26@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 15703
Logged by: Julian Schauder
Email address: julian(dot)schauder(at)gmx(dot)de
PostgreSQL version: 11.2
Operating system: Ubuntu 18.04 / Linux 4.18.0-16
Description:

Hi,

there seems to be a SEGFAULT issue with CALL-Procedures once they get
SIGINT'ed. While currently able to reproduce with non-disclosed functions
and data, I am working on a minimal report for public reproduction.

The Segfault occurs within ResourceArrayFree(&(owner->bufferarr)) once the
portal gets cleaned up.

Initially this was caused by a single SIGINT to a rarely called Procedure.
Reproduction currently requires non-disclosed data and functions, alongside
a rather desperate instrumentation, but it causes a segfault within a few
seconds.

> while [ true ]; do for x in `seq 1 20`; do bash killer.sh & done ; wait ; done ;
> $ cat killer.sh
> echo "Starting..."
> ID="$RANDOM"
> psql -c "CALL procedure ( now()::date ) ;-- $ID " &>/dev/null &
> sleep $[ ( $RANDOM % 3 ) + 1 ]s
> psql -c "SELECT pg_cancel_backend( pid ) FROM pg_stat_activity where query ilike '%$ID%'; "
> echo "Killed"

> CREATE OR REPLACE PROCEDURE aggregate_inner(key text, minimumAge date)
> LANGUAGE plpgsql
> AS $function$
> $function$
>
> CREATE OR REPLACE PROCEDURE aggregate_outer(minimumAge date)
> LANGUAGE plpgsql
> AS $function$
> DECLARE
>   key text;
> BEGIN
>   for key in select distinct KEY from TABLE where date <= minimumAge LOOP
>     raise notice 'Aggregating key %', key;
>     perform aggregate_inner( key, minimumAge );
>     COMMIT;
>   end loop;
> END;
> $function$

> CALL procedure ( date );

> postgres[25608]: segfault at 557a3572c928 ip 0000557a3572c928 sp 00007ffd4e79cd08 error 15
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <80> 00 00 00 00 00 00 00 d8 d0 72 35 7a 55 00 00 58 bb 72 35 7a 55

> (gdb) bt full
> #0 0x0000557a3572be78 in ?? ()
> No symbol table info available.
> #1 0x0000557a34c6a3f2 in ResourceArrayFree (resarr=0x557a3572bf38) at ./build/../src/backend/utils/resowner/resowner.c:401
> No locals.
> #2 ResourceOwnerDelete (owner=0x557a3572bf18) at ./build/../src/backend/utils/resowner/resowner.c:717
> No locals.
> #3 0x0000557a34c682b0 in PortalDrop (portal=0x557a35760040, isTopCommit=<optimized out>) at ./build/../src/backend/utils/mmgr/portalmem.c:565
> isCommit = <optimized out>
> __func__ = "PortalDrop"
> #4 0x0000557a34c68adb in PortalErrorCleanup () at ./build/../src/backend/utils/mmgr/portalmem.c:922
> portal = <optimized out>
> status = {hashp = 0x557a35761f40, curBucket = 8, curEntry = 0x0}
> hentry = <optimized out>
> #5 0x0000557a34b21dfd in PostgresMain (argc=1, argv=argv@entry=0x557a357244d8, dbname=<optimized out>, username=0x557a35724418 "postgres")
> at ./build/../src/backend/tcop/postgres.c:3973
> firstchar = <optimized out>
> input_message = {data = 0x557a356da3c0 "CALL documentation.ib_logbuch_aggregieren_jsc ( now()::date ) ;-- 15227 ", len = 73, maxlen = 1024, cursor = 73}
> local_sigjmp_buf = {{__jmpbuf = {140725920059072, -8205351387769757095, 1, 93983371052056, 93983371052248, 140725920059936, -8205351388738641319, -2653101812051762599},
> __mask_was_saved = 1, __saved_mask = {__val = {0, 0, 8818781457506372608, 140725920059968, 93983361064142, 140725920059568, 309, 140725920061008, 0, 140725920059936,
> 139880161943701, 206158430256, 140725920059544, 140725920059328, 8818781457506372608, 16}}}}
> send_ready_for_query = false
> disable_idle_in_transaction_timeout = false
> __func__ = "PostgresMain"
> #6 0x0000557a34aada7d in BackendRun (port=0x557a3571d880) at ./build/../src/backend/postmaster/postmaster.c:4361
> ac = 1
> secs = 606241460
> usecs = 285617
> i = 1
> av = 0x557a357244d8
> maxac = <optimized out>
> av = <optimized out>
> maxac = <optimized out>
> ac = <optimized out>
> secs = <optimized out>
> usecs = <optimized out>
> i = <optimized out>
> #7 BackendStartup (port=0x557a3571d880) at ./build/../src/backend/postmaster/postmaster.c:4033
> bn = <optimized out>
> pid = <optimized out>
> bn = <optimized out>
> pid = <optimized out>
> save_errno = <optimized out>
> #8 ServerLoop () at ./build/../src/backend/postmaster/postmaster.c:1706
> port = <optimized out>
> i = <optimized out>
> rmask = {fds_bits = {128, 0 <repeats 15 times>}}
> selres = <optimized out>
> now = <optimized out>
> readmask = {fds_bits = {200, 0 <repeats 15 times>}}
> nSockets = <optimized out>
> last_lockfile_recheck_time = 1552926214
> last_touch_time = 1552926094
> __func__ = "ServerLoop"
> #9 0x0000557a34aaeabf in PostmasterMain (argc=5, argv=0x557a356d4060) at ./build/../src/backend/postmaster/postmaster.c:1379
> opt = <optimized out>
> status = <optimized out>
> userDoption = <optimized out>
> listen_addr_saved = <optimized out>
> i = <optimized out>
> output_config_variable = <optimized out>
> __func__ = "PostmasterMain"
> #10 0x0000557a3483b4c2 in main (argc=5, argv=0x557a356d4060) at ./build/../src/backend/main/main.c:228
