| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Geoghegan <pg(at)heroku(dot)com> |
| Cc: | David Rowley <david(dot)rowley(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Regina Obe <lr(at)pcorp(dot)us>, PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #14344: string_agg(DISTINCT ..) crash |
| Date: | 2016-09-29 15:40:46 |
| Message-ID: | 22270.1475163646@sss.pgh.pa.us |
| Lists: | pgsql-bugs |
Peter Geoghegan <pg(at)heroku(dot)com> writes:
> I see what the problem is. This use-after-free bug occurs because, for
> some reason, tuplesort_gettupleslot()'s contract was not updated by me
> alongside analogous routines like tuplesort_getindextuple() as part of
> the batch memory commit. This meant that at least one particular case
> (process_ordered_aggregate_multi() calls to tuplesort_gettupleslot(),
> with distinct columns) felt entitled to reuse some slot's tuple, a
> tuple located in memory managed by tuplesort.c as batch memory.
My immediate reaction to this is WTF. It seems like you have completely
broken the expected contract of tuplesort_gettupleslot, which is that
it copies the data into caller-owned memory. That cannot stand. Even
if you are willing to hack all the core callers so that they no longer
expect that, you've probably broken --- subtly --- callers in extensions.
regards, tom lane
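The contract Tom describes (the sorter copies the tuple into caller-owned memory, so the caller may hold on to it across further calls) versus the batch-memory behaviour Peter describes (the returned tuple aliases sorter-owned memory that the sorter reuses) can be shown with a toy model. This is an added example, not PostgreSQL's tuplesort.c and not code from anyone on this thread; `ToySorter`, `next_borrowed`, `next_copied` and the sample input are all constructed here. The consumer mirrors a DISTINCT pass that compares each tuple with the previous one; written against the borrowing contract it silently miscounts because its "previous" pointer now aliases memory the sorter has already overwritten, which is the same class of defect as the use-after-free in the report, shown here as stale data rather than a crash.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a memory-ownership contract (added example; NOT
 * PostgreSQL's tuplesort.c). A "sorter" hands out tuples either by
 * pointing into batch memory it owns and reuses on the next call, or
 * by copying into storage the caller owns. */

#define TUPLE_LEN 16

typedef struct {
    const char **input;     /* already-sorted input, constructed below */
    int n;
    int next;
    char batch[TUPLE_LEN];  /* sorter-owned batch memory, reused every call */
} ToySorter;

static void sorter_init(ToySorter *s, const char **input, int n) {
    s->input = input;
    s->n = n;
    s->next = 0;
    s->batch[0] = '\0';
}

/* Borrowing contract: the returned pointer aliases sorter-owned batch
 * memory and is invalidated by the next call. */
static const char *next_borrowed(ToySorter *s) {
    if (s->next >= s->n) return NULL;
    snprintf(s->batch, sizeof s->batch, "%s", s->input[s->next++]);
    return s->batch;
}

/* Copying contract: the tuple is copied into caller-owned memory, so
 * the caller may keep it across further calls. Returns 0 at end of input. */
static int next_copied(ToySorter *s, char *out, size_t outlen) {
    const char *t = next_borrowed(s);
    if (t == NULL) return 0;
    snprintf(out, outlen, "%s", t);
    return 1;
}

/* DISTINCT-style consumer: compares each tuple with the previous one.
 * Written against the borrowing contract, it keeps a pointer to the
 * previous tuple across calls, but that pointer aliases the one batch
 * buffer, which the sorter overwrites on every call. */
static int count_distinct_borrowed(const char **input, int n) {
    ToySorter s;
    const char *prev = NULL, *cur;
    int count = 0;
    sorter_init(&s, input, n);
    while ((cur = next_borrowed(&s)) != NULL) {
        if (prev == NULL || strcmp(prev, cur) != 0) count++;
        prev = cur;   /* stale after the next call: same batch buffer */
    }
    return count;
}

/* Same consumer written against the copying contract: two caller-owned
 * buffers, swapped each iteration, so the previous tuple survives. */
static int count_distinct_copied(const char **input, int n) {
    ToySorter s;
    char bufs[2][TUPLE_LEN];
    char *prev = NULL, *cur = bufs[0];
    int count = 0;
    sorter_init(&s, input, n);
    while (next_copied(&s, cur, TUPLE_LEN)) {
        if (prev == NULL || strcmp(prev, cur) != 0) count++;
        prev = cur;
        cur = (cur == bufs[0]) ? bufs[1] : bufs[0];
    }
    return count;
}

/* Constructed sample input: five sorted values, three of them distinct. */
static const char *sample[] = { "a", "a", "b", "c", "c" };
static const int sample_n = 5;

int demo_borrowed(void) { return count_distinct_borrowed(sample, sample_n); }
int demo_copied(void)   { return count_distinct_copied(sample, sample_n); }

int main(void) {
    printf("borrowing contract: %d distinct (wrong)\n", demo_borrowed());
    printf("copying contract:   %d distinct\n", demo_copied());
    return 0;
}
```

The borrowing consumer reports a single distinct value because every `strcmp` compares the batch buffer with itself; the copying consumer reports three. The point for reviewers of an API change like the one discussed above is that the callers compile and run either way, so a contract change from "copied into caller-owned memory" to "valid until the next call" is not caught by the compiler, only by callers that happen to hold a tuple across calls.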