Fix cache flush hazard in cache_record_field_properties().

We need to increment the refcount on the composite type's cached tuple
descriptor while we do lookups of its column types.  Otherwise a cache
flush could occur and release the tuple descriptor before we're done with
it.  This fails reliably with -DCLOBBER_CACHE_ALWAYS, but the odds of a
failure in a production build seem rather low (since the pfree'd descriptor
typically wouldn't get scribbled on immediately).  That may explain the
lack of any previous reports.  Buildfarm issue noted by Christian Ullrich.

Back-patch to 9.1 where the bogus code was added.

diff --git a/src/backend/utils/cache/typcache.c b/src/backend/utils/cache/typcache.c
index e6f66df9a139d4693083e1dfd84bc70e8b0a2d61..f0bfae661229fcbcee135ae80b5cf85c8f56da26 100644 (file)
--- a/src/backend/utils/cache/typcache.c
+++ b/src/backend/utils/cache/typcache.c
@@ -646,6 +646,9 @@ cache_record_field_properties(TypeCacheEntry *typentry)
                        load_typcache_tupdesc(typentry);
                tupdesc = typentry->tupDesc;
 
+               /* Must bump the refcount while we do additional catalog lookups */
+               IncrTupleDescRefCount(tupdesc);
+
                /* Have each property if all non-dropped fields have the property */
                newflags = (TCFLAGS_HAVE_FIELD_EQUALITY |
                                        TCFLAGS_HAVE_FIELD_COMPARE);
@@ -669,6 +672,8 @@ cache_record_field_properties(TypeCacheEntry *typentry)
                                break;
                }
                typentry->flags |= newflags;
+
+               DecrTupleDescRefCount(tupdesc);
        }
        typentry->flags |= TCFLAGS_CHECKED_FIELD_PROPERTIES;
 }