| From: | Peter Geoghegan <pg(at)heroku(dot)com> |
|---|---|
| To: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Bug in batch tuplesort memory CLUSTER case (9.6 only) |
| Date: | 2016-06-27 04:14:05 |
| Message-ID: | CAM3SWZR8x=e=o3o+tH6Y1Eae3kpdK4dyod8D6MYT=yC4+O7U7Q@mail.gmail.com |
| Lists: | pgsql-hackers |
In general, moving tuplesort.c batch memory caller tuples around
happens when batch memory needs to be recycled, or freed outright with
pfree().
I failed to take into account that CLUSTER tuplesorts need an extra
step when moving caller tuples to a new location (i.e. when moving
HeapTuple caller tuples using memmove()), because their particular
variety of caller tuple happens to itself contain a pointer to
palloc()'d memory. Attached patch fixes this use-after-free bug.
--
Peter Geoghegan
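The failure mode the message describes, as an added illustration (not PostgreSQL's code and not part of the original thread): a caller tuple that carries an interior pointer to its own trailing payload, the same layout that makes a bare memmove() leave the copy's pointer dangling into the old, soon-to-be-freed block, next to the relocation that re-points it. ModelTuple and its helpers are constructed stand-ins for HeapTupleData/t_data.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a CLUSTER-style caller tuple: a header whose 'data'
 * member points at a payload stored in the same allocation, right after the
 * header. Simplified stand-in for HeapTupleData/t_data, not PostgreSQL code. */
typedef struct ModelTuple {
    size_t len;   /* payload length in bytes */
    char *data;   /* interior pointer: normally points just past this header */
} ModelTuple;

#define MODEL_TUPLE_HDR_SIZE (sizeof(ModelTuple))

/* Allocate header + payload as one block and set the interior pointer. */
ModelTuple *model_tuple_create(const char *payload, size_t len) {
    ModelTuple *t = malloc(MODEL_TUPLE_HDR_SIZE + len);
    if (!t) return NULL;
    t->len = len;
    t->data = (char *) t + MODEL_TUPLE_HDR_SIZE;
    memcpy(t->data, payload, len);
    return t;
}

/* Buggy relocation: a plain memmove, adequate for tuple kinds without
 * interior pointers. Here the copy's 'data' still points into the old block,
 * so once that block is recycled or freed the copy reads freed memory. */
void model_tuple_move_naive(ModelTuple *dst, const ModelTuple *src) {
    memmove(dst, src, MODEL_TUPLE_HDR_SIZE + src->len);
}

/* Fixed relocation: move the bytes, then re-point 'data' at the copy's own
 * payload so the source block can be released safely afterwards. */
void model_tuple_move_fixed(ModelTuple *dst, const ModelTuple *src) {
    memmove(dst, src, MODEL_TUPLE_HDR_SIZE + src->len);
    dst->data = (char *) dst + MODEL_TUPLE_HDR_SIZE;
}

/* Sanity check a defender would add: does the interior pointer lie inside
 * the tuple's own block? Returns 1 if so, 0 if it points elsewhere. */
int model_tuple_is_self_contained(const ModelTuple *t) {
    return t->data == (char *) t + MODEL_TUPLE_HDR_SIZE;
}
```

Running the naive and fixed moves side by side shows the naive copy sharing its payload pointer with the source, which is exactly the state that turns into a use-after-free once the source block goes away.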
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Fix-bug-in-batch-tuplesort-memory-with-CLUSTER.patch | text/x-patch | 8.6 KB |