Re: BUG #16129: Segfault in tts_virtual_materialize in logicalreplication worker

On Thu, Nov 21, 2019 at 07:33:35PM -0500, Tom Lane wrote:
>Tomas Vondra <tomas.vondra@2ndquadrant.com> writes:
>> On Thu, Nov 21, 2019 at 06:56:47PM -0500, Tom Lane wrote:
>>> "remoteslot" will contain its very own copy of the data, which
>>> is then summarily freed by ExecClearSlot.
>
>> But remoteslot is virtual, so it calls tts_virtual_copyslot, not the
>> heap one. And AFAIK tts_virtual_copyslot only copies contents of the
>> tts_values/tts_isnull arrays.
>
>Really?
>
>static void
>tts_virtual_copyslot(TupleTableSlot *dstslot, TupleTableSlot *srcslot)
>{
>    ...
>    /* make sure storage doesn't depend on external memory */
>    tts_virtual_materialize(dstslot);
>}
>

D'oh! I entirely missed that last call, for some reason. And yes, the
new test does show we're using freed memory, the \x7F\x7F\x7F\x7F...
pattern is pretty clear.

It's a interesting it happens only with mismatching descriptors, though.
(Which the OP does not have, AFAICS.) I wonder if this might be due to
upstream being 11.6 ...

>In any case, I sure hope that Andres hasn't made the different
>versions of ExecCopySlot have different semantics --- if he has,
>he's got some explaining to do.  But at least on this point,
>it looks to me like all three versions still satisfy the
>semantics that were clearly defined previously (v11 and before):
>
>/* --------------------------------
> *        ExecCopySlot
> *            Copy the source slot's contents into the destination slot.
> *
> *        The destination acquires a private copy that will not go away
> *        if the source is cleared.
> *
> *        The caller must ensure the slots have compatible tupdescs.
> * --------------------------------
> */
>
>I'm sad that we seem to have lost this specification comment, though.
>

True.


regards

-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services