spgrescan would first reset traversalCxt, and then traverse a
potentially non-empty stack containing pointers to traversalValues
which had been allocated in those contexts, freeing them a second
time. This bug originates in commit
ccd6eb49a where traversalValue was
introduced.
Repair by traversing the stack before the context reset; this isn't
ideal, since it means doing retail pfree in a context that's about to
be reset, but the freeing of a stack entry is also done in other
places in the code during the scan so it's not worth trying to
refactor it further. Regression test added.
Backpatch to 9.6 where the problem was introduced.
Per bug #15378; analysis and patch by me, originally from a report on
IRC by user velix; see also PostGIS ticket #4174; review by Alexander
Korotkov.
Discussion: https://postgr.es/m/
153663176628.23136.
11901365223750051490@wrigleys.postgresql.org
freeScanStack(so);
+ /*
+ * clear traversal context before proceeding to the next scan; this must
+ * not happen before the freeScanStack above, else we get double-free
+ * crashes.
+ */
+ MemoryContextReset(so->traversalCxt);
+
if (so->searchNulls)
{
/* Stack a work item to scan the null index entries */
{
SpGistScanOpaque so = (SpGistScanOpaque) scan->opaque;
- /* clear traversal context before proceeding to the next scan */
- MemoryContextReset(so->traversalCxt);
-
/* copy scankeys into local storage */
if (scankey && scan->numberOfKeys > 0)
{
-- would exercise it)
delete from spgist_point_tbl where id < 10000;
vacuum spgist_point_tbl;
+-- Test rescan paths (cf. bug #15378)
+-- use box and && rather than point, so that rescan happens when the
+-- traverse stack is non-empty
+create table spgist_box_tbl(id serial, b box);
+insert into spgist_box_tbl(b)
+select box(point(i,j),point(i+s,j+s))
+ from generate_series(1,100,5) i,
+ generate_series(1,100,5) j,
+ generate_series(1,10) s;
+create index spgist_box_idx on spgist_box_tbl using spgist (b);
+select count(*)
+ from (values (point(5,5)),(point(8,8)),(point(12,12))) v(p)
+ where exists(select * from spgist_box_tbl b where b.b && box(v.p,v.p));
+ count
+-------
+ 3
+(1 row)
+
-- The point opclass's choose method only uses the spgMatchNode action,
-- so the other actions are not tested by the above. Create an index using
-- text opclass, which uses the others actions.
vacuum spgist_point_tbl;
+-- Test rescan paths (cf. bug #15378)
+-- use box and && rather than point, so that rescan happens when the
+-- traverse stack is non-empty
+
+create table spgist_box_tbl(id serial, b box);
+insert into spgist_box_tbl(b)
+select box(point(i,j),point(i+s,j+s))
+ from generate_series(1,100,5) i,
+ generate_series(1,100,5) j,
+ generate_series(1,10) s;
+create index spgist_box_idx on spgist_box_tbl using spgist (b);
+
+select count(*)
+ from (values (point(5,5)),(point(8,8)),(point(12,12))) v(p)
+ where exists(select * from spgist_box_tbl b where b.b && box(v.p,v.p));
-- The point opclass's choose method only uses the spgMatchNode action,
-- so the other actions are not tested by the above. Create an index using
projects / postgresql / commitdiff