Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitec96e88

Browse files
committed
Fix use-after-free with INSERT ON CONFLICT changes in reorderbuffer.c
In ReorderBufferProcessTXN(), used to send the data of a transaction toan output plugin, INSERT ON CONFLICT changes (INTERNAL_SPEC_INSERT) aredelayed until a confirmation record arrives (INTERNAL_SPEC_CONFIRM),updating the change being processed.8c58624 has added an extra step after processing a change to updatethe progress of the transaction, by calling the callbackupdate_progress_txn() based on the LSN stored in a change after athreshold of CHANGES_THRESHOLD (100) is reached. This logic has missedthe fact that for an INSERT ON CONFLICT change the data is freed onceprocessed, hence update_progress_txn() could be called pointing to a LSNvalue that's already been freed. This could result in random crashes,depending on the workload.Per discussion, this issue is fixed by reusing in update_progress_txn()the LSN from the change processed found at the beginning of the loop,meaning that for a INTERNAL_SPEC_CONFIRM change the progress is updatedusing the LSN of the INTERNAL_SPEC_CONFIRM change, and not the LSN fromits INTERNAL_SPEC_INSERT change. This is actually more correct, as wewant to update the progress to point to the INTERNAL_SPEC_CONFIRMchange.Masahiko Sawada has found a nice trick to reproduce the issue: hardcodeCHANGES_THRESHOLD at 1 and run test_decoding (test "ddl" being enough)on an instance running valgrind. The bug has been analyzed by EthanMertz, who also originally suggested the solution used in this patch.Issue introduced by8c58624, so backpatch down to v16.Author: Ethan Mertz <ethan.mertz@gmail.com>Co-authored-by: Michael Paquier <michael@paquier.xyz>Reviewed-by: Amit Kapila <amit.kapila16@gmail.com>Reviewed-by: Masahiko Sawada <sawada.mshk@gmail.com>Discussion:https://postgr.es/m/aIsQqDZ7x4LAQ6u1@paquier.xyzBackpatch-through: 16
1 parentb998ce3 commitec96e88

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

‎src/backend/replication/logical/reorderbuffer.c‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2480,7 +2480,7 @@ ReorderBufferProcessTXN(ReorderBuffer *rb, ReorderBufferTXN *txn,
24802480

24812481
if (++changes_count >=CHANGES_THRESHOLD)
24822482
{
2483-
rb->update_progress_txn(rb,txn,change->lsn);
2483+
rb->update_progress_txn(rb,txn,prev_lsn);
24842484
changes_count=0;
24852485
}
24862486
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp