Обсуждение: TupleDescAttr bounds checks
Hi, Scrutiny of a recent test_plan_advice failure in the buildfarm revealed a bug that had nothing to do with test_plan_advice or pg_plan_advice; rather, it was a bug introduced by the virtual generated columns feature, and specifically of that feature indexing off of the beginning of a TupleDesc when whole-row attributes are present. The first patch attached to this email fixes this issue, and should be committed and back-patched to v18. I plan to do that soon unless there are objections. But that got me wondering why we don't have an assertion in TupleDescAttr to catch this sort of thing, and it seems like that is indeed something we can do, so patch #2 adds that and then cleans up the resulting damage. By "damage" I mean correcting places where the new Assert() either actually fails or could theoretically fail, because we use TupleDescAttr() on a value that we don't know to be within range. None of these seem to be actual bugs, because as the commit message says, all TupleDescAttr() does is compute a pointer, and we don't actually dereference that pointer in any of these code paths until after we know that it's OK to do so. Nonetheless, these all seem like good cleanups, so I do not see any of these changes as arguments against adding the assertion. I propose to put this in master. Patch #3 adds a test case that would have caught the bug fixed by patch #1 if we had already had the asserts added by patch #2. To my surprise, we seem to have zero existing test coverage of creating an index on a whole-row expression, so I think this is worth adding mostly for that reason. One could also argue that it's worth adding as a follow-up to #1 and #2, but we're unlikely to reintroduce that specific bug. We might, however, add other bugs that this would also catch. Comments? -- Robert Haas EDB: http://www.enterprisedb.com
Вложения
Robert Haas <robertmhaas@gmail.com> writes:
> Scrutiny of a recent test_plan_advice failure in the buildfarm
> revealed a bug that had nothing to do with test_plan_advice or
> pg_plan_advice; rather, it was a bug introduced by the virtual
> generated columns feature, and specifically of that feature indexing
> off of the beginning of a TupleDesc when whole-row attributes are
> present. The first patch attached to this email fixes this issue, and
> should be committed and back-patched to v18. I plan to do that soon
> unless there are objections.
I had just come to the same conclusion about why grison is failing.
+1 to all three of these patches. (I did not look to see if 0002
fixes every case that the Assert could trigger on, but as long as
you're only putting it in HEAD I'm not too concerned that we might
have missed some.)
regards, tom lane
On Fri, Mar 20, 2026 at 12:22 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: > > Scrutiny of a recent test_plan_advice failure in the buildfarm > > revealed a bug that had nothing to do with test_plan_advice or > > pg_plan_advice; rather, it was a bug introduced by the virtual > > generated columns feature, and specifically of that feature indexing > > off of the beginning of a TupleDesc when whole-row attributes are > > present. The first patch attached to this email fixes this issue, and > > should be committed and back-patched to v18. I plan to do that soon > > unless there are objections. > > I had just come to the same conclusion about why grison is failing. > +1 to all three of these patches. (I did not look to see if 0002 > fixes every case that the Assert could trigger on, but as long as > you're only putting it in HEAD I'm not too concerned that we might > have missed some.) Hmm, I had a rougher version of this analysis (and an analysis of some the other failures) on an email I sent yesterday on the pg_plan_advice thread. Based on this email and another one you sent, I'm guessing you either didn't see that email or maybe even didn't get a copy of it for some reason. Or maybe you just mean that you were checking over my analysis, but just in case: https://www.postgresql.org/message-id/CA%2BTgmoZUN8FT1Ah%3Dm6Uis5bHa4FUa%2B_hMDWtcABG17toEfpiUg%40mail.gmail.com -- Robert Haas EDB: http://www.enterprisedb.com
Robert Haas <robertmhaas@gmail.com> writes:
> On Fri, Mar 20, 2026 at 12:22 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I had just come to the same conclusion about why grison is failing.
> Hmm, I had a rougher version of this analysis (and an analysis of some
> the other failures) on an email I sent yesterday on the pg_plan_advice
> thread. Based on this email and another one you sent, I'm guessing you
> either didn't see that email or maybe even didn't get a copy of it for
> some reason.
I did see that, but it read to me that you were just guessing at that
time. This morning I put Asserts into indexcmds.c that verified that
it was trying to access the tupledesc for attno zero, and that proves
there is a bug there. It also seems like a plausible explanation for
why only one machine has exhibited the failure. (Your 0002 is a
better version of said Asserts.)
regards, tom lane
On Fri, Mar 20, 2026 at 12:46 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > I did see that, but it read to me that you were just guessing at that > time. This morning I put Asserts into indexcmds.c that verified that > it was trying to access the tupledesc for attno zero, and that proves > there is a bug there. It also seems like a plausible explanation for > why only one machine has exhibited the failure. (Your 0002 is a > better version of said Asserts.) Ah, OK. Yeah, I wasn't completely sure at the time whether there was some kind of TupleDesc out there that would allow zero or negative indexes safely. It seems like there is not. -- Robert Haas EDB: http://www.enterprisedb.com
Oddly enough, "adder" just showed this same failure [1]:
@@ -66,11 +66,9 @@
CREATE FUNCTION wrap_do_analyze(c INT) RETURNS INT IMMUTABLE LANGUAGE SQL
AS 'SELECT $1 FROM public.do_analyze()';
CREATE INDEX ON vaccluster(wrap_do_analyze(i));
+ERROR: indexes on virtual generated columns are not supported
INSERT INTO vaccluster VALUES (1), (2);
ANALYZE vaccluster;
and that's not in the test_plan_advice run at all, but pg_upgrade's
run of the core regression tests. I wonder if we recently made some
seemingly-unrelated change that has increased the probability of
having a 'v' in the right byte. Anyway, you should get this fix
pushed.
regards, tom lane
[1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=adder&dt=2026-03-23%2002%3A23%3A13
On Sun, Mar 22, 2026 at 11:54 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Anyway, you should get this fix pushed. Done, and I'll plan to commit the other patches later today. Also, if on any occasion you happen to feel that I'm not being aggressive enough in committing something I've previously posted, feel free to take matters into your own hands. I often wait a bit to see if anybody will object to things or comment on them, and in this case there were compounding factors like (1) the weekend and (2) being very busy looking into other problems that test_plan_advice turned up. Since this was such a simple fix and you'd +1'd it, I would have felt comfortable putting it in right away, but I simply haven't had a moment to spare until now, and I use that term loosely given that I do not normally use the time between 6am and 7am for to commit patches. Anyway, the point is: I'm virtually always happy when someone else decides to commit one of my patches; it saves me a non-trivial amount of time and I'm not offended. Thanks, -- Robert Haas EDB: http://www.enterprisedb.com