Fix reset of incorrect hash iterator in GROUPING SETS queries

This fixes an unlikely issue when fetching GROUPING SET results from
their internally stored hash tables.  It was possible in rare cases that
the hash iterator would be set up incorrectly which could result in a
crash.

This was introduced in 4d143509c, so backpatch to v18.

Many thanks to Yuri Zamyatin for reporting and helping to debug this
issue.

Bug: #19078
Reported-by: Yuri Zamyatin <yuri@yrz.am>
Author: David Rowley <dgrowleyml@gmail.com>
Reviewed-by: Jeff Davis <pgsql@j-davis.com>
Discussion: https://postgr.es/m/19078-dfd62f840a2c0766@postgresql.org
Backpatch-through: 18

diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
index 377e016d73225865fe9d0e0c7a05e430d20f3f68..c50fdef6b38f0119b3f1c97064691a9ce09825cf 100644 (file)
--- a/src/backend/executor/nodeAgg.c
+++ b/src/backend/executor/nodeAgg.c
@@ -2912,7 +2912,7 @@ agg_retrieve_hash_table_in_memory(AggState *aggstate)
 
                                perhash = &aggstate->perhash[aggstate->current_set];
 
-                               ResetTupleHashIterator(hashtable, &perhash->hashiter);
+                               ResetTupleHashIterator(perhash->hashtable, &perhash->hashiter);
 
                                continue;
                        }

diff --git a/src/include/lib/simplehash.h b/src/include/lib/simplehash.h
index 327274c2340bf90b02cdcfda268bd117d9046a8f..9622131ede6811d9c0b8cb723a6587524735f79c 100644 (file)
--- a/src/include/lib/simplehash.h
+++ b/src/include/lib/simplehash.h
@@ -1044,6 +1044,10 @@ SH_START_ITERATE_AT(SH_TYPE * tb, SH_ITERATOR * iter, uint32 at)
 SH_SCOPE       SH_ELEMENT_TYPE *
 SH_ITERATE(SH_TYPE * tb, SH_ITERATOR * iter)
 {
+       /* validate sanity of the given iterator */
+       Assert(iter->cur < tb->size);
+       Assert(iter->end < tb->size);
+
        while (!iter->done)
        {
                SH_ELEMENT_TYPE *elem;