Assert lack of hazardous buffer locks before possible catalog read.

Commit 0bada39c83 fixed a bug of this kind, which existed in all branches for six days before detection. While the probability of reaching the trouble was low, the disruption was extreme. No new backends could start, and service restoration needed an immediate shutdown. Hence, add this to catch the next bug like it. The new check in RelationIdGetRelation() suffices to make autovacuum detect the bug in commit 243e9b40f1 that led to commit 0bada39. This also checks in a number of similar places. It replaces each Assert(IsTransactionState()) that pertained to a conditional catalog read. No back-patch for now, but a back-patch of commit 243e9b4 should back-patch this, too. A back-patch could omit the src/test/regress changes, since back branches won't gain new index columns. Reported-by: Alexander Lakhin <exclusion@gmail.com> Discussion: https://postgr.es/m/20250410191830.0e.nmisch@google.com Discussion: https://postgr.es/m/10ec0bc3-5933-1189-6bb8-5dec4114558e@gmail.com
2025-11-18 02:02:55 +03:00 · 2025-04-17 05:00:30 -07:00
parent b669293e34
commit f4ece891fc
15 changed files with 248 additions and 24 deletions
--- a/src/backend/utils/cache/relcache.c
+++ b/src/backend/utils/cache/relcache.c
@@ -2056,6 +2056,23 @@ formrdesc(const char *relationName, Oid relationReltype,
 	relation->rd_isvalid = true;
 }

+#ifdef USE_ASSERT_CHECKING
+/*
+ *		AssertCouldGetRelation
+ *
+ *		Check safety of calling RelationIdGetRelation().
+ *
+ *		In code that reads catalogs in the event of a cache miss, call this
+ *		before checking the cache.
+ */
+void
+AssertCouldGetRelation(void)
+{
+	Assert(IsTransactionState());
+	AssertBufferLocksPermitCatalogRead();
+}
+#endif
+

 /* ----------------------------------------------------------------
 *				 Relation Descriptor Lookup Interface
@@ -2083,8 +2100,7 @@ RelationIdGetRelation(Oid relationId)
 {
 	Relation	rd;

-	/* Make sure we're in an xact, even if this ends up being a cache hit */
-	Assert(IsTransactionState());
+	AssertCouldGetRelation();

 	/*
 	 * first try to find reldesc in the cache
@@ -2373,8 +2389,7 @@ RelationReloadNailed(Relation relation)
 	Assert(relation->rd_isnailed);
 	/* nailed indexes are handled by RelationReloadIndexInfo() */
 	Assert(relation->rd_rel->relkind == RELKIND_RELATION);
-	/* can only reread catalog contents in a transaction */
-	Assert(IsTransactionState());
+	AssertCouldGetRelation();

 	/*
 	 * Redo RelationInitPhysicalAddr in case it is a mapped relation whose
@@ -2570,8 +2585,7 @@ static void
 RelationRebuildRelation(Relation relation)
 {
 	Assert(!RelationHasReferenceCountZero(relation));
-	/* rebuilding requires access to the catalogs */
-	Assert(IsTransactionState());
+	AssertCouldGetRelation();
 	/* there is no reason to ever rebuild a dropped relation */
 	Assert(relation->rd_droppedSubid == InvalidSubTransactionId);