From e262755bfc97f31442cc0def8098b1a7d2913355 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 11 Jun 2013 17:26:42 -0400 Subject: [PATCH] Fix cache flush hazard in cache_record_field_properties(). We need to increment the refcount on the composite type's cached tuple descriptor while we do lookups of its column types. Otherwise a cache flush could occur and release the tuple descriptor before we're done with it. This fails reliably with -DCLOBBER_CACHE_ALWAYS, but the odds of a failure in a production build seem rather low (since the pfree'd descriptor typically wouldn't get scribbled on immediately). That may explain the lack of any previous reports. Buildfarm issue noted by Christian Ullrich. Back-patch to 9.1 where the bogus code was added. --- src/backend/utils/cache/typcache.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/backend/utils/cache/typcache.c b/src/backend/utils/cache/typcache.c index 5155a14342f..2fa6d335350 100644 --- a/src/backend/utils/cache/typcache.c +++ b/src/backend/utils/cache/typcache.c @@ -648,6 +648,9 @@ cache_record_field_properties(TypeCacheEntry *typentry) load_typcache_tupdesc(typentry); tupdesc = typentry->tupDesc; + /* Must bump the refcount while we do additional catalog lookups */ + IncrTupleDescRefCount(tupdesc); + /* Have each property if all non-dropped fields have the property */ newflags = (TCFLAGS_HAVE_FIELD_EQUALITY | TCFLAGS_HAVE_FIELD_COMPARE); @@ -671,6 +674,8 @@ cache_record_field_properties(TypeCacheEntry *typentry) break; } typentry->flags |= newflags; + + DecrTupleDescRefCount(tupdesc); } typentry->flags |= TCFLAGS_CHECKED_FIELD_PROPERTIES; } -- 2.39.5