Fix incorrect sentinel byte logic in GenerationRealloc()

david-rowley · david-rowley · commit 97651b0139cf · 2024-07-06T13:59:34.000+12:00
This only affects MEMORY_CONTEXT_CHECKING builds. This fixes an off-by-one issue in GenerationRealloc() where the fast-path code which tries to reuse the existing allocation if the existing chunk is >= the new requested size. The code there thought it was always ok to use the existing chunk, but when oldsize == size there isn't enough space to store the sentinel byte. If both sizes matched exactly set_sentinel() would overwrite the first byte beyond the chunk and then subsequent GenerationRealloc() calls could then fail the Assert(chunk->requested_size < oldsize) check which is trying to ensure the chunk is large enough to store the sentinel. The same issue does not exist in aset.c as the sentinel checking code only adds a sentinel byte if there's enough space in the chunk. Reported-by: Alexander Lakhin <exclusion@gmail.com> Discussion: https://postgr.es/m/49275921-7b39-41af-5eb8-97b50ce3312e@gmail.com Backpatch-through: 16, where the problem was introduced by 0e48038
diff --git a/src/backend/utils/mmgr/generation.c b/src/backend/utils/mmgr/generation.c
@@ -846,16 +846,21 @@ GenerationRealloc(void *pointer, Size size, int flags)
 #endif
 
 	/*
-	 * Maybe the allocated area already is >= the new size.  (In particular,
-	 * we always fall out here if the requested size is a decrease.)
+	 * Maybe the allocated area already big enough.  (In particular, we always
+	 * fall out here if the requested size is a decrease.)
 	 *
 	 * This memory context does not use power-of-2 chunk sizing and instead
 	 * carves the chunks to be as small as possible, so most repalloc() calls
 	 * will end up in the palloc/memcpy/pfree branch.
 	 *
 	 * XXX Perhaps we should annotate this condition with unlikely()?
 	 */
+#ifdef MEMORY_CONTEXT_CHECKING
+	/* With MEMORY_CONTEXT_CHECKING, we need an extra byte for the sentinel */
+	if (oldsize > size)
+#else
 	if (oldsize >= size)
+#endif
 	{
 #ifdef MEMORY_CONTEXT_CHECKING
 		Size		oldrequest = chunk->requested_size;
