git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Tue, 21 Apr 2020 19:58:43 +0000 (15:58 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Tue, 21 Apr 2020 19:58:43 +0000 (15:58 -0400)
commit	36714f8ca32a0c84d8bafc03278fe0f48b304d9c
tree	50b1ba8242fb32cb9d7ec17c1c43c934f2a9ac3a	tree
parent	f7b2e04a60a3d7844c5ba92470d22b53b5a9a052	commit \| diff

Fix possible crash during FATAL exit from reindexing.

index.c supposed that it could just use a PG_TRY block to clean up the
state associated with an active REINDEX operation.  However, that code
doesn't run if we do a FATAL exit --- for example, due to a SIGTERM
shutdown signal --- while the REINDEX is happening.  And that state does
get consulted during catalog accesses, which makes it problematic if we
do any catalog accesses during shutdown --- for example, to clean up any
temp tables created in the session.

If this combination of circumstances occurred, we could find ourselves
trying to access already-freed memory.  In debug builds that'd fairly
reliably cause an assertion failure.  In production we might often
get away with it, but with some bad luck it could cause a core dump.

Another possible bad outcome is an erroneous conclusion that an
index-to-be-accessed is being reindexed; but it looks like that would
be unlikely to have any consequences worse than failing to drop temp
tables right away.  (They'd still get dropped by the next session that
uses that temp schema.)

To fix, get rid of the use of PG_TRY here, and instead hook into
the transaction abort mechanisms to clean up reindex state.

Per bug #16378 from Alexander Lakhin.  This has been wrong for a
very long time, so back-patch to all supported branches.

Discussion: https://postgr.es/m/16378-7a70ca41b3ec2009@postgresql.org

src/backend/access/transam/xact.c		diff \| blob \| blame \| history
src/backend/catalog/index.c		diff \| blob \| blame \| history
src/include/catalog/index.h		diff \| blob \| blame \| history