pgsql: Fix failure to detoast fields in composite elements of structure

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Fix failure to detoast fields in composite elements of structure
Date: 2014-05-01 19:19:52
Message-ID: E1WfwWO-0005lf-3V@gemulon.postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers

Fix failure to detoast fields in composite elements of structured types.

If we have an array of records stored on disk, the individual record fields
cannot contain out-of-line TOAST pointers: the tuptoaster.c mechanisms are
only prepared to deal with TOAST pointers appearing in top-level fields of
a stored row. The same applies for ranges over composite types, nested
composites, etc. However, the existing code only took care of expanding
sub-field TOAST pointers for the case of nested composites, not for other
structured types containing composites. For example, given a command such
as

UPDATE tab SET arraycol = ARRAY[(ROW(x,42)::mycompositetype] ...

where x is a direct reference to a field of an on-disk tuple, if that field
is long enough to be toasted out-of-line then the TOAST pointer would be
inserted as-is into the array column. If the source record for x is later
deleted, the array field value would become a dangling pointer, leading
to errors along the line of "missing chunk number 0 for toast value ..."
when the value is referenced. A reproducible test case for this was
provided by Jan Pecek, but it seems likely that some of the "missing chunk
number" reports we've heard in the past were caused by similar issues.

Code-wise, the problem is that PG_DETOAST_DATUM() is not adequate to
produce a self-contained Datum value if the Datum is of composite type.
Seen in this light, the problem is not just confined to arrays and ranges,
but could also affect some other places where detoasting is done in that
way, for example form_index_tuple().

I tried teaching the array code to apply toast_flatten_tuple_attribute()
along with PG_DETOAST_DATUM() when the array element type is composite,
but this was messy and imposed extra cache lookup costs whether or not any
TOAST pointers were present, indeed sometimes when the array element type
isn't even composite (since sometimes it takes a typcache lookup to find
that out). The idea of extending that approach to all the places that
currently use PG_DETOAST_DATUM() wasn't attractive at all.

This patch instead solves the problem by decreeing that composite Datum
values must not contain any out-of-line TOAST pointers in the first place;
that is, we expand out-of-line fields at the point of constructing a
composite Datum, not at the point where we're about to insert it into a
larger tuple. This rule is applied only to true composite Datums, not
to tuples that are being passed around the system as tuples, so it's not
as invasive as it might sound at first. With this approach, the amount
of code that has to be touched for a full solution is greatly reduced,
and added cache lookup costs are avoided except when there actually is
a TOAST pointer that needs to be inlined.

The main drawback of this approach is that we might sometimes dereference
a TOAST pointer that will never actually be used by the query, imposing a
rather large cost that wasn't there before. On the other side of the coin,
if the field value is used multiple times then we'll come out ahead by
avoiding repeat detoastings. Experimentation suggests that common SQL
coding patterns are unaffected either way, though. Applications that are
very negatively affected could be advised to modify their code to not fetch
columns they won't be using.

In future, we might consider reverting this solution in favor of detoasting
only at the point where data is about to be stored to disk, using some
method that can drill down into multiple levels of nested structured types.
That will require defining new APIs for structured types, though, so it
doesn't seem feasible as a back-patchable fix.

Note that this patch changes HeapTupleGetDatum() from a macro to a function
call; this means that any third-party code using that macro will not get
protection against creating TOAST-pointer-containing Datums until it's
recompiled. The same applies to any uses of PG_RETURN_HEAPTUPLEHEADER().
It seems likely that this is not a big problem in practice: most of the
tuple-returning functions in core and contrib produce outputs that could
not possibly be toasted anyway, and the same probably holds for third-party
extensions.

This bug has existed since TOAST was invented, so back-patch to all
supported branches.

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/3f8c8e3c61cef5729980ee4372ec159862a979f1

Modified Files
--------------
src/backend/access/common/heaptuple.c | 80 ++++++++++++++-------------
src/backend/access/common/indextuple.c | 5 ++
src/backend/access/heap/tuptoaster.c | 92 +++++++++++++++-----------------
src/backend/executor/execQual.c | 32 ++++-------
src/backend/executor/execTuples.c | 79 ++++++++++++++++++++++-----
src/backend/executor/functions.c | 1 -
src/backend/executor/spi.c | 7 +--
src/backend/utils/adt/rowtypes.c | 1 +
src/include/access/htup_details.h | 4 ++
src/include/access/tuptoaster.h | 12 ++---
src/include/fmgr.h | 2 +-
src/include/funcapi.h | 7 ++-
src/pl/plpgsql/src/pl_exec.c | 16 ++----
src/test/regress/expected/arrays.out | 30 +++++++++++
src/test/regress/regress.c | 11 +++-
src/test/regress/sql/arrays.sql | 17 ++++++
16 files changed, 245 insertions(+), 151 deletions(-)

Browse pgsql-committers by date

  From Date Subject
Next Message Tom Lane 2014-05-01 20:16:48 pgsql: Fix "quiet inline" configure test for newer clang compilers.
Previous Message Robert Haas 2014-05-01 02:56:50 pgsql: Documentation corrections for pg_replication_slots.