Peter Geoghegan <pg@heroku.com> writes:
> I see what the problem is. This use-after-free bug occurs because, for
> some reason, tuplesort_gettupleslot()'s contract was not updated by me
> alongside analogous routines like tuplesort_getindextuple() as part of
> the batch memory commit. This meant that at least one particular case
> (process_ordered_aggregate_multi() calls to tuplesort_gettupleslot(),
> with distinct columns) felt entitled to reuse some slot's tuple, a
> tuple located in memory managed by tuplesort.c as batch memory.
My immediate reaction to this is WTF. It seems like you have completely
broken the expected contract of tuplesort_gettupleslot, which is that
it copies the data into caller-owned memory. That cannot stand. Even
if you are willing to hack all the core callers so that they no longer
expect that, you've probably broken --- subtly --- callers in extensions.
regards, tom lane