Fix race condition in DELETE RETURNING.

When RETURNING is specified, ExecDelete would return a virtual-tuple slot
that could contain pointers into an already-unpinned disk buffer.  Another
process could change the buffer contents before we get around to using the
data, resulting in garbage results or even a crash.  This seems of fairly
low probability, which may explain why there are no known field reports of
the problem, but it's definitely possible.  Fix by forcing the result slot
to be "materialized" before we release pin on the disk buffer.

Back-patch to 9.0; in earlier branches there is no bug because
ExecProcessReturning sent the tuple to the destination immediately.  Also,
this is already fixed in HEAD as part of the writable-foreign-tables patch
(where the fix is necessary for DELETE RETURNING to work at all with
postgres_fdw).

diff --git a/src/backend/executor/nodeModifyTable.c b/src/backend/executor/nodeModifyTable.c
index cb64cfc857a379d42b20510d8387eec058174e60..d7c1e4a208bf57928ff2dfb4cfa6db89b0586a94 100644 (file)
--- a/src/backend/executor/nodeModifyTable.c
+++ b/src/backend/executor/nodeModifyTable.c
@@ -439,6 +439,12 @@ ldelete:;
                rslot = ExecProcessReturning(resultRelInfo->ri_projectReturning,
                                                                         slot, planSlot);
 
+               /*
+                * Before releasing the target tuple again, make sure rslot has a
+                * local copy of any pass-by-reference values.
+                */
+               ExecMaterializeSlot(rslot);
+
                ExecClearTuple(slot);
                if (BufferIsValid(delbuffer))
                        ReleaseBuffer(delbuffer);