Do not read a persistent tuple after it is freed

This bug was found in a production environment where vacuum on gp_persistent_relation was concurrently running with a backend performing end-of-xact filesystem operations. And the GUC debug_persistent_print was enabled. The *_ReadTuple() function was called on a persistent TID after the corresponding tuple was deleted with frozen transaction ID. The concurrent vacuum recycled the tuple and it led to a SIGSEGV when the backend tried to access values from the tuple. Fix it by avoiding the debug log message in case when the persistent tuple is freed (transitioning to FREE state). All other state transitions are logged. In absence of concurrent vacuum, things worked just fine because the *_ReadTuple() interface reads tuples from persistent tables directly using TID.

Do not read a persistent tuple after it is freed
This bug was found in a production environment where vacuum on gp_persistent_relation was concurrently running with a backend performing end-of-xact filesystem operations. And the GUC debug_persistent_print was enabled. The *_ReadTuple() function was called on a persistent TID after the corresponding tuple was deleted with frozen transaction ID. The concurrent vacuum recycled the tuple and it led to a SIGSEGV when the backend tried to access values from the tuple. Fix it by avoiding the debug log message in case when the persistent tuple is freed (transitioning to FREE state). All other state transitions are logged. In absence of concurrent vacuum, things worked just fine because the *_ReadTuple() interface reads tuples from persistent tables directly using TID.
5f765a8e · Asim R P · b50c134b · 5f765a8e
隐藏空白更改
内联并排

Showing with 18 addition and 19 deletion

src/backend/cdb/cdbpersistentfilesysobj.c src/backend/cdb/cdbpersistentfilesysobj.c +18 -19

未找到文件。
--- a/src/backend/cdb/cdbpersistentfilesysobj.c
+++ b/src/backend/cdb/cdbpersistentfilesysobj.c
@@ -1567,11 +1567,26 @@ PersistentFileSysObjStateChangeResult PersistentFileSysObj_StateChange(

 		pfree(newValues);
 		pfree(replaces);
+
+		if (Debug_persistent_print)
+		{
+			heap_freetuple(tupleCopy);
+
+			PersistentFileSysObj_ReadTuple(
+				fsObjType,
+				persistentTid,
+				values,
+				&tupleCopy);
+
+			(*fileSysObjData->storeData.printTupleCallback)(
+				Persistent_DebugPrintLevel(),
+				"STATE CHANGE",
+				persistentTid,
+				values);
+		}
 	}
 	else
 	{
-		heap_freetuple(tupleCopy);
-
 		PersistentFileSysObj_FreeTuple(
 									fileSysObjData,
 									fileSysObjSharedData,
@@ -1580,23 +1595,7 @@ PersistentFileSysObjStateChangeResult PersistentFileSysObj_StateChange(
 									flushToXLog);
 	}

-	if (Debug_persistent_print)
-	{
-		PersistentFileSysObj_ReadTuple(
-								fsObjType,
-								persistentTid,
-								values,
-								&tupleCopy);
-
-		(*fileSysObjData->storeData.printTupleCallback)(
-									Persistent_DebugPrintLevel(),
-									"STATE CHANGE",
-									persistentTid,
-									values);
-
-		heap_freetuple(tupleCopy);
-	}
-
+	heap_freetuple(tupleCopy);
 	pfree(values);

 	return PersistentFileSysObjStateChangeResult_StateChangeOk;