Prevent access to no-longer-pinned buffer in heapam_tuple_lock().

tglsfdc · tglsfdc · commit 7b7ed046cb2a · 2022-04-13T13:35:07.000-04:00
heap_fetch() used to have a "keep_buf" parameter that told it to return ownership of the buffer pin to the caller after finding that the requested tuple TID exists but is invisible to the specified snapshot. This was thoughtlessly removed in commit 5db6df0, which broke heapam_tuple_lock() (formerly EvalPlanQualFetch) because that function needs to do more accesses to the tuple even if it's invisible. The net effect is that we would continue to touch the page for a microsecond or two after releasing pin on the buffer. Usually no harm would result; but if a different session decided to defragment the page concurrently, we could see garbage data and mistakenly conclude that there's no newer tuple version to chain up to. (It's hard to say whether this has happened in the field. The bug was actually found thanks to a later change that allowed valgrind to detect accesses to non-pinned buffers.) The most reasonable way to fix this is to reintroduce keep_buf, although I made it behave slightly differently: buffer ownership is passed back only if there is a valid tuple at the requested TID. In HEAD, we can just add the parameter back to heap_fetch(). To avoid an API break in the back branches, introduce an additional function heap_fetch_extended() in those branches. In HEAD there is an additional, less obvious API change: tuple->t_data will be set to NULL in all cases where buffer ownership is not returned, in particular when the tuple exists but fails the time qual (and !keep_buf). This is to defend against any other callers attempting to access non-pinned buffers. We concluded that making that change in back branches would be more likely to introduce problems than cure any. In passing, remove a comment about heap_fetch that was obsoleted by 9a8ee1d. Per bug #17462 from Daniil Anisimov. Back-patch to v12 where the bug was introduced. Discussion: https://postgr.es/m/17462-9c98a0f00df9bd36@postgresql.org
diff --git a/src/backend/access/heap/heapam.c b/src/backend/access/heap/heapam.c
@@ -1530,10 +1530,14 @@ heap_getnextslot_tidrange(TableScanDesc sscan, ScanDirection direction,
  * must unpin the buffer when done with the tuple.
  *
  * If the tuple is not found (ie, item number references a deleted slot),
- * then tuple->t_data is set to NULL and false is returned.
+ * then tuple->t_data is set to NULL, *userbuf is set to InvalidBuffer,
+ * and false is returned.
  *
- * If the tuple is found but fails the time qual check, then false is returned
- * but tuple->t_data is left pointing to the tuple.
+ * If the tuple is found but fails the time qual check, then the behavior
+ * depends on the keep_buf parameter.  If keep_buf is false, the results
+ * are the same as for the tuple-not-found case.  If keep_buf is true,
+ * then tuple->t_data and *userbuf are returned as for the success case,
+ * and again the caller must unpin the buffer; but false is returned.
  *
  * heap_fetch does not follow HOT chains: only the exact TID requested will
  * be fetched.
@@ -1551,7 +1555,8 @@ bool
 heap_fetch(Relation relation,
 		   Snapshot snapshot,
 		   HeapTuple tuple,
-		   Buffer *userbuf)
+		   Buffer *userbuf,
+		   bool keep_buf)
 {
 	ItemPointer tid = &(tuple->t_self);
 	ItemId		lp;
@@ -1634,9 +1639,15 @@ heap_fetch(Relation relation,
 		return true;
 	}
 
-	/* Tuple failed time qual */
-	ReleaseBuffer(buffer);
-	*userbuf = InvalidBuffer;
+	/* Tuple failed time qual, but maybe caller wants to see it anyway. */
+	if (keep_buf)
+		*userbuf = buffer;
+	else
+	{
+		ReleaseBuffer(buffer);
+		*userbuf = InvalidBuffer;
+		tuple->t_data = NULL;
+	}
 
 	return false;
 }
@@ -1659,8 +1670,7 @@ heap_fetch(Relation relation,
  * are vacuumable, false if not.
  *
  * Unlike heap_fetch, the caller must already have pin and (at least) share
- * lock on the buffer; it is still pinned/locked at exit.  Also unlike
- * heap_fetch, we do not report any pgstats count; caller may do so if wanted.
+ * lock on the buffer; it is still pinned/locked at exit.
  */
 bool
 heap_hot_search_buffer(ItemPointer tid, Relation relation, Buffer buffer,
@@ -5379,7 +5389,7 @@ heap_lock_updated_tuple_rec(Relation rel, ItemPointer tid, TransactionId xid,
 		block = ItemPointerGetBlockNumber(&tupid);
 		ItemPointerCopy(&tupid, &(mytup.t_self));
 
-		if (!heap_fetch(rel, SnapshotAny, &mytup, &buf))
+		if (!heap_fetch(rel, SnapshotAny, &mytup, &buf, false))
 		{
 			/*
 			 * if we fail to find the updated version of the tuple, it's
diff --git a/src/backend/access/heap/heapam_handler.c b/src/backend/access/heap/heapam_handler.c
@@ -188,7 +188,7 @@ heapam_fetch_row_version(Relation relation,
 	Assert(TTS_IS_BUFFERTUPLE(slot));
 
 	bslot->base.tupdata.t_self = *tid;
-	if (heap_fetch(relation, snapshot, &bslot->base.tupdata, &buffer))
+	if (heap_fetch(relation, snapshot, &bslot->base.tupdata, &buffer, false))
 	{
 		/* store in slot, transferring existing pin */
 		ExecStorePinnedBufferHeapTuple(&bslot->base.tupdata, slot, buffer);
@@ -401,7 +401,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,
 							 errmsg("tuple to be locked was already moved to another partition due to concurrent update")));
 
 				tuple->t_self = *tid;
-				if (heap_fetch(relation, &SnapshotDirty, tuple, &buffer))
+				if (heap_fetch(relation, &SnapshotDirty, tuple, &buffer, true))
 				{
 					/*
 					 * If xmin isn't what we're expecting, the slot must have
@@ -500,6 +500,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,
 				 */
 				if (tuple->t_data == NULL)
 				{
+					Assert(!BufferIsValid(buffer));
 					return TM_Deleted;
 				}
 
@@ -509,8 +510,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,
 				if (!TransactionIdEquals(HeapTupleHeaderGetXmin(tuple->t_data),
 										 priorXmax))
 				{
-					if (BufferIsValid(buffer))
-						ReleaseBuffer(buffer);
+					ReleaseBuffer(buffer);
 					return TM_Deleted;
 				}
 
@@ -526,22 +526,20 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,
 				 *
 				 * As above, it should be safe to examine xmax and t_ctid
 				 * without the buffer content lock, because they can't be
-				 * changing.
+				 * changing.  We'd better hold a buffer pin though.
 				 */
 				if (ItemPointerEquals(&tuple->t_self, &tuple->t_data->t_ctid))
 				{
 					/* deleted, so forget about it */
-					if (BufferIsValid(buffer))
-						ReleaseBuffer(buffer);
+					ReleaseBuffer(buffer);
 					return TM_Deleted;
 				}
 
 				/* updated, so look at the updated row */
 				*tid = tuple->t_data->t_ctid;
 				/* updated row should have xmin matching this xmax */
 				priorXmax = HeapTupleHeaderGetUpdateXid(tuple->t_data);
-				if (BufferIsValid(buffer))
-					ReleaseBuffer(buffer);
+				ReleaseBuffer(buffer);
 				/* loop back to fetch next in chain */
 			}
 		}
diff --git a/src/include/access/heapam.h b/src/include/access/heapam.h
@@ -133,7 +133,7 @@ extern bool heap_getnextslot_tidrange(TableScanDesc sscan,
 									  ScanDirection direction,
 									  TupleTableSlot *slot);
 extern bool heap_fetch(Relation relation, Snapshot snapshot,
-					   HeapTuple tuple, Buffer *userbuf);
+					   HeapTuple tuple, Buffer *userbuf, bool keep_buf);
 extern bool heap_hot_search_buffer(ItemPointer tid, Relation relation,
 								   Buffer buffer, Snapshot snapshot, HeapTuple heapTuple,
 								   bool *all_dead, bool first_call);

Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ heapam_fetch_row_version(Relation relation,`
`188`	`188`	`Assert(TTS_IS_BUFFERTUPLE(slot));`
`189`	`189`
`190`	`190`	`bslot->base.tupdata.t_self = *tid;`
`191`		`- if (heap_fetch(relation, snapshot, &bslot->base.tupdata, &buffer))`
	`191`	`+ if (heap_fetch(relation, snapshot, &bslot->base.tupdata, &buffer, false))`
`192`	`192`	`{`
`193`	`193`	`/* store in slot, transferring existing pin */`
`194`	`194`	`ExecStorePinnedBufferHeapTuple(&bslot->base.tupdata, slot, buffer);`
`@@ -401,7 +401,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,`
`401`	`401`	`errmsg("tuple to be locked was already moved to another partition due to concurrent update")));`
`402`	`402`
`403`	`403`	`tuple->t_self = *tid;`
`404`		`- if (heap_fetch(relation, &SnapshotDirty, tuple, &buffer))`
	`404`	`+ if (heap_fetch(relation, &SnapshotDirty, tuple, &buffer, true))`
`405`	`405`	`{`
`406`	`406`	`/*`
`407`	`407`	`* If xmin isn't what we're expecting, the slot must have`
`@@ -500,6 +500,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,`
`500`	`500`	`*/`
`501`	`501`	`if (tuple->t_data == NULL)`
`502`	`502`	`{`
	`503`	`+ Assert(!BufferIsValid(buffer));`
`503`	`504`	`return TM_Deleted;`
`504`	`505`	`}`
`505`	`506`
`@@ -509,8 +510,7 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,`
`509`	`510`	`if (!TransactionIdEquals(HeapTupleHeaderGetXmin(tuple->t_data),`
`510`	`511`	`priorXmax))`
`511`	`512`	`{`
`512`		`- if (BufferIsValid(buffer))`
`513`		`- ReleaseBuffer(buffer);`
	`513`	`+ ReleaseBuffer(buffer);`
`514`	`514`	`return TM_Deleted;`
`515`	`515`	`}`
`516`	`516`
`@@ -526,22 +526,20 @@ heapam_tuple_lock(Relation relation, ItemPointer tid, Snapshot snapshot,`
`526`	`526`	`*`
`527`	`527`	`* As above, it should be safe to examine xmax and t_ctid`
`528`	`528`	`* without the buffer content lock, because they can't be`
`529`		`- * changing.`
	`529`	`+ * changing. We'd better hold a buffer pin though.`
`530`	`530`	`*/`
`531`	`531`	`if (ItemPointerEquals(&tuple->t_self, &tuple->t_data->t_ctid))`
`532`	`532`	`{`
`533`	`533`	`/* deleted, so forget about it */`
`534`		`- if (BufferIsValid(buffer))`
`535`		`- ReleaseBuffer(buffer);`
	`534`	`+ ReleaseBuffer(buffer);`
`536`	`535`	`return TM_Deleted;`
`537`	`536`	`}`
`538`	`537`
`539`	`538`	`/* updated, so look at the updated row */`
`540`	`539`	`*tid = tuple->t_data->t_ctid;`
`541`	`540`	`/* updated row should have xmin matching this xmax */`
`542`	`541`	`priorXmax = HeapTupleHeaderGetUpdateXid(tuple->t_data);`
`543`		`- if (BufferIsValid(buffer))`
`544`		`- ReleaseBuffer(buffer);`
	`542`	`+ ReleaseBuffer(buffer);`
`545`	`543`	`/* loop back to fetch next in chain */`
`546`	`544`	`}`
`547`	`545`	`}`