Skip to content

Commit c7aeb77

Browse files
petergeogheganpetergeoghegan
committed
Document issue with heapam line pointer truncation.
Checking that an offset number isn't past the end of a heap page's line pointer array was just a defensive sanity check for HOT-chain traversal code before commit 3c3b8a4. It's etrictly necessary now, though. Add comments that reference the issue to code in heapam that needs to get it right. Per suggestion from Alexander Lakhin. Discussion: https://postgr.es/m/f76a292c-9170-1aef-91a0-59d9443b99a3@gmail.com
1 parent 85c6961 commit c7aeb77

File tree

2 files changed

+27
-6
lines changed

2 files changed

+27
-6
lines changed

src/backend/access/heap/heapam.c

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7483,8 +7483,15 @@ heap_index_delete_tuples(Relation rel, TM_IndexDeleteOp *delstate)
74837483
ItemId lp;
74847484
HeapTupleHeader htup;
74857485

7486-
/* Some sanity checks */
7487-
if (offnum < FirstOffsetNumber || offnum > maxoff)
7486+
/* Sanity check (pure paranoia) */
7487+
if (offnum < FirstOffsetNumber)
7488+
break;
7489+
7490+
/*
7491+
* An offset past the end of page's line pointer array is possible
7492+
* when the array was truncated
7493+
*/
7494+
if (offnum > maxoff)
74887495
break;
74897496

74907497
lp = PageGetItemId(page, offnum);

src/backend/access/heap/pruneheap.c

Lines changed: 18 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -581,8 +581,15 @@ heap_prune_chain(Buffer buffer, OffsetNumber rootoffnum, PruneState *prstate)
581581
bool tupdead,
582582
recent_dead;
583583

584-
/* Some sanity checks */
585-
if (offnum < FirstOffsetNumber || offnum > maxoff)
584+
/* Sanity check (pure paranoia) */
585+
if (offnum < FirstOffsetNumber)
586+
break;
587+
588+
/*
589+
* An offset past the end of page's line pointer array is possible
590+
* when the array was truncated (original item must have been unused)
591+
*/
592+
if (offnum > maxoff)
586593
break;
587594

588595
/* If item is already processed, stop --- it must not be same chain */
@@ -962,8 +969,15 @@ heap_get_root_tuples(Page page, OffsetNumber *root_offsets)
962969
*/
963970
for (;;)
964971
{
965-
/* Sanity check */
966-
if (nextoffnum < FirstOffsetNumber || nextoffnum > maxoff)
972+
/* Sanity check (pure paranoia) */
973+
if (offnum < FirstOffsetNumber)
974+
break;
975+
976+
/*
977+
* An offset past the end of page's line pointer array is possible
978+
* when the array was truncated
979+
*/
980+
if (offnum > maxoff)
967981
break;
968982

969983
lp = PageGetItemId(page, nextoffnum);

0 commit comments

Comments
 (0)