Fix reference-after-free in the new btree page split code, as reported by

the buildfarm via Stefan Kaltenbrunner.

Patch from Heikki Linnakangas.

diff --git a/src/backend/access/nbtree/nbtinsert.c b/src/backend/access/nbtree/nbtinsert.c
index 7320e7cdbc02e4ef6dd9ac505eae4c1ecc9631a6..98a46ab585791ecd579de55396834955553424a3 100644 (file)
--- a/src/backend/access/nbtree/nbtinsert.c
+++ b/src/backend/access/nbtree/nbtinsert.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/access/nbtree/nbtinsert.c,v 1.150 2007/02/08 05:05:53 momjian Exp $
+ *   $PostgreSQL: pgsql/src/backend/access/nbtree/nbtinsert.c,v 1.151 2007/02/08 13:52:55 alvherre Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -953,7 +953,7 @@ _bt_split(Relation rel, Buffer buf, OffsetNumber firstright,
        xlrec.rightsib = BufferGetBlockNumber(rbuf);
        xlrec.firstright = firstright;
        xlrec.rnext = ropaque->btpo_next;
-       xlrec.level = lopaque->btpo.level;
+       xlrec.level = ropaque->btpo.level;
 
        rdata[0].data = (char *) &xlrec;
        rdata[0].len = SizeOfBtreeSplit;
@@ -962,7 +962,7 @@ _bt_split(Relation rel, Buffer buf, OffsetNumber firstright,
        lastrdata = &rdata[0];
 
        /* Log downlink on non-leaf pages. */
-       if (lopaque->btpo.level > 0)
+       if (ropaque->btpo.level > 0)
        {
            lastrdata->next = lastrdata + 1;
            lastrdata++;
@@ -1040,8 +1040,8 @@ _bt_split(Relation rel, Buffer buf, OffsetNumber firstright,
 
        recptr = XLogInsert(RM_BTREE_ID, xlinfo, rdata);
 
-       PageSetLSN(leftpage, recptr);
-       PageSetTLI(leftpage, ThisTimeLineID);
+       PageSetLSN(origpage, recptr);
+       PageSetTLI(origpage, ThisTimeLineID);
        PageSetLSN(rightpage, recptr);
        PageSetTLI(rightpage, ThisTimeLineID);
        if (!P_RIGHTMOST(ropaque))