segmentation fault when cassert enabled

Hi list,

When investigating for the bug reported in thread "logical replication -
negative bitmapset member not allowed", I found a way to seg fault postgresql
only when cassert is enabled.

See the scenario in attachment.

When executed against binaries compiled with --enable-cassert, I have the
following error in logs:

LOG: 00000: background worker "logical replication worker" (PID 761) was
terminated by signal 11: Segmentation fault

Here is the stack trace:

#0 in slot_store_cstrings (slot=0x55a3c6973b48, rel=0x55a3c6989468,
values=0x7ffe08ae67b0) at worker.c:330
#1 in apply_handle_update (s=0x7ffe08aeddb0) at worker.c:712
#2 in apply_dispatch (s=0x7ffe08aeddb0) at worker.c:968
#3 in LogicalRepApplyLoop (last_received=87957952) at worker.c:1175
#4 in ApplyWorkerMain (main_arg=0) at worker.c:1733
#5 in StartBackgroundWorker () at bgworker.c:834
#6 in do_start_bgworker (rw=0x55a3c68c16d0) at postmaster.c:5763
#7 in maybe_start_bgworkers () at postmaster.c:5976
#8 in sigusr1_handler (postgres_signal_arg=10) at postmaster.c:5161
#9 <signal handler called>
#10 in __GI___select (nfds=6, readfds=0x7ffe08aee680, writefds=0x0,
exceptfds=0x0, timeout=0x7ffe08aee700)
at ../sysdeps/unix/sysv/linux/select.c:41
#11 in ServerLoop () at postmaster.c:1668
#12 in PostmasterMain (argc=3, argv=0x55a3c6899820) at postmaster.c:1377
#13 in main (argc=3, argv=0x55a3c6899820) at main.c:228

It leads to this conditional test in worker.c:slot_store_cstrings

for (i = 0; i < natts; i++)
{ [...]
if (!att->attisdropped && remoteattnum >= 0 &&
values[remoteattnum] != NULL)

In gdb, I found remoteattnum seems to be not correctly initialized for the
latest column the scenario adds in pgbench_branches:

(gdb) p remoteattnum
$1 = 32639
(gdb) p i
$2 = 3

I hadn't time to digg further yet. However, I don't understand why this crash
is triggered when cassert is enabled.

Regards,