pgsql: Improve sanity checks on multixid members length

Improve sanity checks on multixid members length

In the server, check explicitly for multixids with zero members. We
used to have an assertion for it, but commit d4b7bde418 replaced it
with more extensive runtime checks, but it missed the original case of
zero members.

In the upgrade code, a negative length never makes sense, so better
check for it explicitly. Commit d4b7bde418 added a similar sanity
check to the corresponding server code on master, and in backbranches,
the 'length' is passed to palloc which would fail with "invalid memory
alloc request size" error. Clarify the comments on what kind of
invalid entries are tolerated by the upgrade code and which ones are
reported as fatal errors.

Coverity complained about 'length' in the upgrade code being
tainted. That's bogus because we trust the data on disk at least to
some extent, but hopefully this will silence the complaint. If not,
I'll dismiss it manually.

Discussion: https://www.postgresql.org/message-id/7b505284-c6e9-4c80-a7ee-816493170abc@iki.fi

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/ecb553ae8211e3d135e0c9d42b90cc22be51d27c

Modified Files
--------------
src/backend/access/transam/multixact.c | 5 ++++
src/bin/pg_upgrade/multixact_read_v18.c | 44 ++++++++++++++++++++++++---------
2 files changed, 38 insertions(+), 11 deletions(-)