From c7aeb775df895db240dcd6f47242f7e08899adfb Mon Sep 17 00:00:00 2001
From: Peter Geoghegan
Date: Wed, 22 Sep 2021 19:21:36 -0700
Subject: [PATCH] Document issue with heapam line pointer truncation.

Checking that an offset number isn't past the end of a heap page's line pointer array was just a defensive sanity check for HOT-chain traversal code before commit 3c3b8a4b. It's etrictly necessary now, though. Add comments that reference the issue to code in heapam that needs to get it right.

Per suggestion from Alexander Lakhin.

Discussion: https://postgr.es/m/f76a292c-9170-1aef-91a0-59d9443b99a3@gmail.com
---
 src/backend/access/heap/heapam.c | 11 +++++++++--
 src/backend/access/heap/pruneheap.c | 22 ++++++++++++++++++----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/src/backend/access/heap/heapam.c b/src/backend/access/heap/heapam.c
index 972fdbcb92f..2a264c6ac1f 100644
--- a/src/backend/access/heap/heapam.c
+++ b/src/backend/access/heap/heapam.c
@@ -7483,8 +7483,15 @@ heap_index_delete_tuples(Relation rel, TM_IndexDeleteOp *delstate)
 ItemId lp;
 HeapTupleHeader htup;

- /* Some sanity checks */
- if (offnum < FirstOffsetNumber || offnum > maxoff)
+ /* Sanity check (pure paranoia) */
+ if (offnum < FirstOffsetNumber)
+ break;
+
+ /*
+ * An offset past the end of page's line pointer array is possible
+ * when the array was truncated
+ */
+ if (offnum > maxoff)
 break;

 lp = PageGetItemId(page, offnum);
diff --git a/src/backend/access/heap/pruneheap.c b/src/backend/access/heap/pruneheap.c
index 15ca1b304a0..db6912e9fa5 100644
--- a/src/backend/access/heap/pruneheap.c
+++ b/src/backend/access/heap/pruneheap.c
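Review bot: The new comment above `if (offnum > maxoff)` in the heap_index_delete_tuples hunk of heapam.c says an out-of-range offset is possible, but not that the check is now required rather than defensive, which is the point the commit message makes. Without that, a later cleanup could fold it back into the "pure paranoia" test or turn it into an assertion, and `PageGetItemId(page, offnum)` would then index past the truncated line pointer array. I would add a closing comment line such as `* (required, not just defensive: must stay ahead of PageGetItemId() below)`. The same wording gap applies to the matching comments in the heap_prune_chain and heap_get_root_tuples hunks of pruneheap.c. The loop body continues outside the hunk.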
@@ -581,8 +581,15 @@ heap_prune_chain(Buffer buffer, OffsetNumber rootoffnum, PruneState *prstate)
 bool tupdead,
 recent_dead;

- /* Some sanity checks */
- if (offnum < FirstOffsetNumber || offnum > maxoff)
+ /* Sanity check (pure paranoia) */
+ if (offnum < FirstOffsetNumber)
+ break;
+
+ /*
+ * An offset past the end of page's line pointer array is possible
+ * when the array was truncated (original item must have been unused)
+ */
+ if (offnum > maxoff)
 break;

 /* If item is already processed, stop --- it must not be same chain */
@@ -962,8 +969,15 @@ heap_get_root_tuples(Page page, OffsetNumber *root_offsets)
 */
 for (;;)
 {
- /* Sanity check */
- if (nextoffnum < FirstOffsetNumber || nextoffnum > maxoff)
+ /* Sanity check (pure paranoia) */
+ if (offnum < FirstOffsetNumber)
+ break;
+
+ /*
+ * An offset past the end of page's line pointer array is possible
+ * when the array was truncated
+ */
+ if (offnum > maxoff)
 break;

 lp = PageGetItemId(page, nextoffnum);
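Review bot: In the heap_get_root_tuples hunk both new guards test `offnum`, while the removed check and the `PageGetItemId(page, nextoffnum)` call right after them use `nextoffnum`, so the offset that actually indexes the line pointer array is no longer bounds-checked. This drops the very check the commit message calls strictly necessary after truncation, so a chain link pointing past `maxoff` would be read as an item id from beyond the array. The guards should read `if (nextoffnum < FirstOffsetNumber)` and `if (nextoffnum > maxoff)`. If `offnum` is an enclosing loop variable (not visible in the hunk), the new tests would presumably never fire. The `for (;;)` body continues outside the hunk.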